Aug 14, 2014 Download and install the vCenter Certificate Automation Tool from VMware. This is also found in the vCenter install media for vSphere 5.5. I prefer to create my certificate requests right from the VMware vCenter Server, so I install both the SSL Automation Tool and OpenSSL directly on the vCenter Server. It is unclear what prevents the program to generate the SSL keys. Maybe she lacks access to any servers that are involved in key generation? Commented 1 day ago by BlackHackerYT. The machine SSL certificate is used by the reverse proxy service on every management node, Platform Services Controller, and embedded deployment. Each machine must have a machine SSL certificate for secure communication with other services.
Setup Failed To Generate The Ssl Keys Vmware Server
The machine SSL certificate is used by the reverse proxy service on every management node, Platform Services Controller, and embedded deployment. Each machine must have a machine SSL certificate for secure communication with other services. You can replace the certificate on each node with a custom certificate.
Before you start, you need a CSR for each machine in your environment. You can generate the CSR using vSphere Certificate Manager or explicitly.
- To generate the CSR using vSphere Certificate Manager, see Generate Certificate Signing Requests with vSphere Certificate Manager (Custom Certificates).
- To generate the CSR explicitly, request a certificate for each machine from your third-party or enterprise CA. The certificate must meet the following requirements:
- Key size: 2048 bits or more (PEM encoded)
- CRT format
- x509 version 3
- SubjectAltName must contain DNS Name=<machine_FQDN>.
- Contains the following Key Usages: Digital Signature, Non Repudiation, Key Encipherment
Do not use CRL Distribution Points, Authority Information Access, or Certificate Template Information in any custom certificates.
See also VMware Knowledge Base article 2112014, Obtaining vSphere certificates from a Microsoft Certificate Authority.
- Start vSphere Certificate Manager and select option 1.
- Select option 2 to start certificate replacement and respond to the prompts. vSphere Certificate Manager prompts you for the following information:
- Password for [email protected].
- Valid Machine SSL custom certificate (.crt file).
- Valid Machine SSL custom key (.key file).
- Valid signing certificate for the custom machine SSL certificate (.crt file).
- If you are running the command on a management node in a multi-node deployment, IP address of the Platform Services Controller.
If you are upgrading from a vSphere 5.x environment, you might have to replace the vCenter Single Sign-On certificate inside vmdir. See Replace the VMware Directory Service Certificate in Mixed Mode Environments.
You can replace the default VMCA-signed ESXi certificates from the ESXi Shell.
- If you want to use third-party CA-signed certificates, generate the certificate request, send it to the certificate authority, and store the certificates on each ESXi host.
- If necessary, enable the ESXi Shell or enable SSH traffic from the vSphere Web Client.
- All file transfers and other communications occur over a secure HTTPS session. The user who is used to authenticate the session must have the privilege Host.Config.AdvancedConfig on the host.
Procedure
- Log in to the ESXi Shell, either directly from the DCUI or from an SSH client, as a user with administrator privileges.
- In the directory /etc/vmware/ssl, rename the existing certificates using the following commands.
- Copy the certificates that you want to use to /etc/vmware/ssl.
- Rename the new certificate and key to rui.crt and rui.key.
- Restart the host after you install the new certificate. Alternatively, you can put the host into maintenance mode, install the new certificate, use the Direct Console User Interface (DCUI) to restart the management agents, and set the host to exit maintenance mode.
Update the vCenter Server TRUSTED_ROOTS store.