Replace Just Expired Self-Signed vCenter SSL Certificate – Part 1 of 3: Creating

Prologue – Part 0

The ‘Self-Signed Story’ started two years ago, in Aug, 2014. At that time we were using a vCenter certificate (rui.crt) with only a 512-bit RSA public key. It came from an old vSphere 4.0 installation, from 2011. In 2014 we had vCenter Server 5.5.0b. I upgraded the vCenter Server to 5.5 U1c, but with 5.5 U1 the JRE was also updated. The new JRE 1.7.0_45 version no longer supports certificates weaker than 1024 bits. So, because we had a 512-bit cert, in the Web Client I had an empty inventory and a lot of additional errors.

The solution was the following: I had to create a stronger self-signed certificate for the vCenter and replace the old one. I wrote about this issue in Aug, 2014; check that post for the details. (It’s in Hungarian, but the error messages are in English 😀 )

I am planning 3 posts about this topic. The first is about creating the request and the self-signed certificate for the vCenter server; in the second we will replace them (plus troubleshooting…), and in the third post we will check the other components.

So what is the problem?

The self-signed certificate for the vCenter was valid for two years, in my case exactly from 27th of Aug, 2014 to 27th of Aug, 2016. I know that you have already figured out the situation: the certificate has expired. So I cannot even log in to the old .NET-based vSphere Client, or I get an empty inventory in the Web Client. Additionally, I got some error messages:


And the recent tasks view:


I have also tried to connect to the vCenter with PowerCLI:


Here is the point: “… such as a value that indicates an expired certificate..” No doubt, it has to be replaced.

Creating the certificate request and obtaining the vCenter SSL certificate

If you do not already have one, you need a Root CA. E.g. after installing the Active Directory Certificate Services (installation steps) and the Certification Authority Web Enrollment Support (installation steps) on a Windows server you can submit certificate requests. But first you also need a special certificate template only for VMware. The easiest way is to modify the default Microsoft CA Web Server template settings to meet the VMware certificate requirements. There is a good post here on how to do that.

The next step is to download the vCenter Certificate Automation Tool 5.5 (VMware SSL Certificate Automation Tool) and install it. There is also a good KB about this: Deploying and using the SSL Certificate Automation Tool 5.5 (2057340).

Now we need to generate a certificate request for the vCenter Server. This procedure is documented in the KB Generating certificates for use with the VMware SSL Certificate Automation Tool (2044696). In short:

  1. Start ssl-updater.bat and select option 2, then 3.
  2. Answer all of the questions.
  3. At the end you will get the rui.csr and rui.key files.


Then we can obtain the certificate from the Microsoft CA using the request. The same KB is useful for this procedure as well. Steps:

  • Open the MSCA at http://MSCAservername/CertSrv/
  • Click on the “Request a certificate” link.


  • Click “advanced certificate request”, copy the content of the rui.csr file into the “Saved Request” box and select the “Certificate Template”; in our case the name of the modified Web Server template is “VMware-SSL”.


  • Press “Submit”, select “Base 64 encoded” and download the certificate.


  • Save it as rui.crt. You can open it and verify: it should be valid for another two years.


  • On the home page click the “Download a CA certificate, …” link. Save the certificate chain as cachain.p7b.
  • Open it and export the certificate. Select “Base-64 encoded X.509 (.CER)” and save it as Root64.cer.


  • Install the root certificate into “Trusted Root Certification Authorities > Local Computer”.


  • Create the chain.pem file. Copy the contents of the following files, in this order, into a new empty file:
    • rui.crt -> chain.pem
    • Root64.cer -> chain.pem, so that it looks like the example in the KB. Assuming that no intermediate certificate is used:
Ew5tbm5leHQtQUQtMS1DQTAeFw0xMzAyMDExNjAxMDNaFw0xNTAyMDExNjExMDNa <-----Certificate
GXaS5/YCv5B4q4T+j5pa2f+a61ygjN1YQRoZf2CHLe7Zq89Xv90nhPM4foWdNNkr <-----Root Certificate

So now we have all of the needed files: chain.pem and rui.key. In the next part we will replace the expired vCenter certificates!
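Before gluing rui.crt and Root64.cer into chain.pem it is worth checking that the new leaf is not already expired (the whole problem of this post), that Root64.cer really is the self-signed root and not another entry from cachain.p7b, and that rui.crt was issued by that root. The script below is an added example, not code from the post or from VMware: it reads the two DER certificates with a small stdlib-only DER walker, returns the list of problems, and writes the chain in the right order (leaf first, root last); `cert_fields`, `chain_errors`, `build_chain` and the constructed, unsigned `fake_cert` fixture are my own names. Feed it `open("rui.crt", "rb").read()` after converting the PEM files to DER with `ssl.PEM_cert_to_DER_cert`.

```python
import datetime
import ssl

def _tlv(data, pos):                                     # one DER tag-length-value -> (tag, value, next_pos)
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                    # long form: low 7 bits = byte count of the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length
def _children(seq):                                      # list of (tag, value) elements in a SEQUENCE body
    out, pos = [], 0
    while pos < len(seq):
        tag, val, pos = _tlv(seq, pos)
        out.append((tag, val))
    return out

def cert_fields(der):
    """Return (issuer, subject, not_after) of a DER X.509 certificate; names are raw DER bytes."""
    parts = _children(_children(_tlv(der, 0)[1])[0][1])  # Certificate -> tbsCertificate
    parts = parts[1:] if parts[0][0] == 0xA0 else parts  # drop the explicit [0] version if present
    tag, val = _children(parts[3][1])[1]                 # validity -> notAfter
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime or GeneralizedTime
    return parts[2][1], parts[4][1], datetime.datetime.strptime(val.decode(), fmt)

def chain_errors(leaf_der, root_der, now=None):
    """Reasons chain.pem would not work; an empty list means rui.crt and Root64.cer fit together."""
    leaf_issuer, _, leaf_expiry = cert_fields(leaf_der)
    root_issuer, root_subject, _ = cert_fields(root_der)
    now = now or datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    checks = [(leaf_expiry > now, "rui.crt expired on %s" % leaf_expiry),
              (root_issuer == root_subject, "Root64.cer is not self-signed (wrong entry exported from cachain.p7b?)"),
              (leaf_issuer == root_subject, "rui.crt was not issued by Root64.cer")]
    return [msg for ok, msg in checks if not ok]

def build_chain(leaf_der, root_der, now=None):
    """Return chain.pem text (rui.crt first, Root64.cer last), or raise listing every problem found."""
    errors = chain_errors(leaf_der, root_der, now)
    if errors:
        raise ValueError("; ".join(errors))
    return "".join(ssl.DER_cert_to_PEM_cert(der) for der in (leaf_der, root_der))

def _der(tag, content):                                  # DER TLV encoder, used only to build the fixture
    n = len(content)
    length = bytes([n]) if n < 128 else bytes([0x81, n]) if n < 256 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content
def fake_cert(issuer_cn, subject_cn, not_after):         # constructed fixture: unsigned v3 certificate skeleton
    name = lambda cn: _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    validity = _der(0x30, _der(0x17, b"140827000000Z") + _der(0x17, not_after.encode()))
    tbs = _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")   # version, serial, signature alg
    tbs += name(issuer_cn) + validity + name(subject_cn) + _der(0x30, b"")          # issuer, validity, subject, spki
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
```

The walker only reads structure and does not verify signatures; it is a sanity check on file selection and expiry, not a replacement for the validation vCenter itself does when the chain is installed.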


5 Responses to Replace Just Expired Self-Signed vCenter SSL Certificate – Part 1 of 3: Creating

  1. Pingback: Replace Just Expired Self-Signed vCenter SSL Certificate – Part 2 of 3: Replacing | vThing

  2. Precious says:

    Great tutorial! Thanks for this piece.

  3. Shankar says:

    Great Tutorial. Do you have the final Part 3 tutorial? Thanks

    • Thank you. No, that part is still missing. Basically you have to verify all of the connections between the 3rd party components and the vCenter. That means downloading the new cert from vCenter, or just checking and approving it.
