Insall/Renew SSL cert vCenter Server

Insall/Renew SSL cert vCenter Server

Backup the contents of : C:\Users\All Users\VMWare\VMWare VirtualCenter\SSL

Stop the following services:

• VMware VirtualCenter Management Webservices
• VMWare VirtualCenter Server

To extract the private and public keys from the pfx you can use openssl and the following commands:

Step 1. openssl pkcs12 -in xxxx.pfx -out rui.crt -nokeys -clcerts

Step 2. openssl pkcs12 -in xxxx.pfx -nocerts -out privatekey.pem

Step 3. openssl rsa -in privatekey.pem -out rui.key

openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui -passout pass:testpassword -out rui.pfx

NB: the rui.pfx key should have the testpassword set as per article

You will now have the 3 files required to replace the self signed certificate in vcenter.

Copy the SSL private key, public key and pfx files that have been issued by Certificate Authority to:

• Private Key = rui.key
• Public Key = rui.crt
• PFX = rui.pfx

C:\Users\All Users\VMWare\VMWare VirtualCenter\SSL

1. Open the command prompt.
2. Change to the directory where vCenter Server is installed. The default location is
C:\Program Files\VMware\Infrastructure\VirtualCenter Server.
3. Run this command to reset the database password:
vpxd.exe -p
4. When prompted, enter the new password.

Note: This command rehashes the passwords for the database users from the ODBC connection.

Start the following services:

• VMware VirtualCenter Management Webservices
• VMWare VirtualCenter Server

NB: If the services do not restart then there is either a missing file or the public and private key do not match.

Restore the backed up public and private key files to rollback.

Test the certificate by opening a browser to the following address:
http://<FQDN of vSphere vCenter Server>


Note: After changing the SSL certificate, all hosts managed by vCenter Server must be re-authenticated.

To do so, use the VI Client to disconnect and then reconnect the hosts

Check if the following articles applies to your environment – vCenter Server Service Status plug-in cannot be enabled (1013472) –

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s