Implementing CA signed SSL certificates with vSphere 5.x – Part 1- Introduction

Why certificates?

Almost all vSphere components, such as ESXi, vCenter Server and vSphere Update Manager, make use of SSL certificates. However, the certificates installed during the installation process are signed by VMware itself, cannot be verified, and are not issued by a trusted certificate authority (CA).

Figure 1

The vSphere Hardening Guide (for all components) also recommends not using the default self-signed certificates for ESXi communication in all three profiles, because:

“Using the default self-signed certificates leaves the SSL connection open to Man-in-The-Middle (MiTM) attacks. Replace default self-signed certificates with those from a trusted CA, either commercial or organizational.”

The vSphere Hardening Guide recommends the following assessment procedure and, if you need to replace SSL certificates, points to a useful KB:

“Connect to each ESX/ESXi host with an internet browser, https://<hostname>/. View the details of the SSL certificate; determine if it is issued by a trusted CA, either commercial or organizational. To change SSL certificates refer to KB “Implementing CA signed SSL certificates with vSphere 5.x (2034833)”.”

See Figure 1 for the result.
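The same assessment can be scripted instead of clicking through each host's certificate in a browser. The following is an added example, not part of the original post or of any VMware KB: it fetches the certificate a host presents on port 443, decodes subject and issuer with the openssl CLI (assumed to be on PATH), and reports whether the certificate is self-signed (the default), issued by the organizational CA named in TRUSTED_ISSUER_CNS (an assumed placeholder), or by some other CA.

```python
import ssl
import subprocess

# Common Names of the organizational CA(s) allowed to sign vSphere certificates.
# Assumed example value; substitute the CN of your own issuing CA.
TRUSTED_ISSUER_CNS = {"Example Corp Issuing CA"}


def parse_dn(line):
    """Parse one 'subject=...' or 'issuer=...' line as printed by
    'openssl x509 -nameopt RFC2253' into a dict of attribute -> value.
    Naive split on ',' (escaped commas inside values are not handled)."""
    _, _, dn = line.partition("=")
    pairs = (p.split("=", 1) for p in dn.split(",") if "=" in p)
    return {k.strip(): v.strip() for k, v in pairs}


def decode_pem(pem):
    """Return (subject, issuer) dicts for a PEM certificate via the openssl CLI."""
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-subject", "-issuer", "-nameopt", "RFC2253"],
        input=pem, capture_output=True, text=True, check=True,
    ).stdout
    subject = issuer = {}
    for line in out.splitlines():
        if line.startswith("subject="):
            subject = parse_dn(line)
        elif line.startswith("issuer="):
            issuer = parse_dn(line)
    return subject, issuer


def classify(subject, issuer, trusted=TRUSTED_ISSUER_CNS):
    """The hardening-guide check: a default certificate is self-signed
    (issuer == subject); anything else must come from a CA we recognise."""
    if subject == issuer:
        return "self-signed (default certificate, replace it)"
    if issuer.get("CN") in trusted:
        return "signed by trusted organizational CA"
    return "signed by unrecognised CA (verify manually)"


def assess_host(host, port=443):
    """Fetch the certificate presented on https://<host>/ and classify it.
    get_server_certificate() performs no chain validation, which is what we
    want here: we are assessing the certificate, not trusting it."""
    subject, issuer = decode_pem(ssl.get_server_certificate((host, port)))
    return classify(subject, issuer)


if __name__ == "__main__":
    import sys
    for h in sys.argv[1:]:  # e.g. esxi01.example.local esxi02.example.local
        print(h, "->", assess_host(h))
```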

The vSphere Hardening Guide points to the very useful KB 2034833, but it also becomes clear that this is one of many KBs on implementing SSL certificates, and there are even more KBs that are not mentioned.
So, I was very curious how this would work out in a common vSphere Cluster.


Before you start, you have to determine the following:

  • Version(s) of vSphere components (vCenter Server, ESXi, etc.) 5.0, 5.1, 5.5 or 6.x.
  • vCenter Server (Windows) or the vCenter Server Appliance.
  • Commercial CA or internal Windows CA.

Determine which versions of the vSphere components are running in your environment; the instructions for replacing certificates vary from version to version. See the already mentioned KB 2034833 or KB “Configuring CA signed SSL certificates for vSphere Update Manager in vCenter Server 5.1 and 5.5 (2037581)”.

Under the hood the traditional vCenter Server and the vCenter Server Appliance are very different products. So are the procedures for replacing the certificates.

Depending on company policy, you can replace the default certificates with certificates from a commercial CA or from an organizational CA. The two procedures differ in some details.

Time for a test

At this moment, my test environment (still running on default certificates) consists of the following components:

  • ESXi servers 5.5
  • vCenter Server Appliance 5.5
  • vSphere Update Manager 5.5
  • vRealize Orchestrator Appliance / vCenter Orchestrator Appliance 5.5

It is my intention to replace the default certificates with new certificates signed by my own organizational CA.

Before we start, it is also important to follow the correct order, especially in case of a Windows vCenter Server:

  • vCenter Single Sign-On
  • vCenter Inventory Service
  • vCenter Server
  • vSphere Web Client and Logbrowser
  • vSphere Auto Deploy
  • vSphere Update Manager
  • vCenter Orchestrator Appliance
  • ESXi hosts

The vCenter Server Appliance combines the first 5 components, but before we start replacing the vCenter Server Appliance certificates, we need to do some preparations.

BTW, the Knowledge Base articles are – as usual – of good quality. It is not my intention to copy-and-paste each and every step, but to present an overview and highlight the important steps.

To make life a little bit easier, VMware has released the SSL Certificate Automation Tool, to automate some parts of the process below. However, I will start the “traditional” way, and will discuss this tool later.

This post is part of a series about vSphere hardening. See also:

Part 1 vSphere Hardening, Introduction

Part 2 vSphere Hardening, Available Tools

Part 3 vCenter Configuration Manager – Installation

Part 4 vCenter Configuration Manager – Configuration

Part 5 vCenter Configuration Manager – The Videos

Part 6 vCenter Configuration Manager – First Run

As always, I thank you for reading and I welcome your comments.

One Response to Implementing CA signed SSL certificates with vSphere 5.x – Part 1- Introduction

  1. […] we discussed the replacement of SSL certificates in the vCenter Server Appliance. Following our planning, next on the list is the vSphere Update Manager and the vCenter Orchestrator […]
