Implementing CA signed SSL certificates with vSphere 5.x – Part 4 – VUM and vCO/vRO

In the previous post, we discussed the replacement of SSL certificates in the vCenter Server Appliance. Following our planning, next on the list is the vSphere Update Manager and the vCenter Orchestrator Appliance.

vSphere Update Manager

Our guide is “Configuring CA signed SSL certificates for vSphere Update Manager in vCenter Server 5.1 and 5.5 (2037581)”.

One important note from this KB: “You can replace only the SSL certificates that Update Manager uses for communication between the Update Manager server and client components.
You cannot replace the SSL certificates that Update Manager uses on port 9087 when importing offline bundles or upgrade release files.

KB 2037581 resumes at the point where we ended in Part 2, and created the required SSL certificates.


  • Assuming the VUM is a VM, create a snapshot before you start working.
  • If you haven’t already done this, import the root certificate Root64.cer into the “Trusted Root Certification Authorities” Windows certificate store. This ensures that the certificate server is trusted from now on.
    Figure 1
  • Backup the current certificates, location: C:\Program Files (x86)\VMware\Infrastructure\Update Manager\SSL directory.
    Figure 2
  • Copy the new certificate files to this directory replacing the current ones. If you are following my blog posts, the certificates are located in C:\certs\UpdateManager.
  • Stop the vSphere Update Manager Service and the vSphere Update Manager UFA services from the services control manager.
  • Launch the exe application, located in C:\Program Files (x86)\VMware\Infrastructure\Update Manager.
    While using the VCSA, the VUM is always separated, so use the IP address or hostname of the vCSA. Use the credentials Update Manager uses to connect to the VCSA.
    Figure 3
  • Click the SSL Certificate Link.
  • Select the Followed and verified the steps.
  • Click Apply.
    Figure 4
  • Click OK when prompted with message “Restart the VMware vSphere Update Manager service to apply the setting”.
  • Restart the vSphere Update Manager Service and the vSphere Update Manager UFA services.

vRealize Orchestrator Appliance / vCenter Orchestrator Appliance 5.5

While connecting to the vCenter Orchestrator Configuration, using
htpps : //<hostname_or_IP_of_the_vCO>:8283 , you can verify that the default certificate has been signed by VMware.
Figure 5

Important: In case you have recently replaced the vCenter Server SSL certificates, you will encounter trouble after logging into the vCenter Orchestrator Configuration interface. The vCO Configuration interface uses a secure connection to communicate with vCenter Server. After replacing the vCenter Server SSL certificates, you need to import the new SL certificate, following this procedure:

  1. Log in to the Orchestrator configuration interface as user vmware.
  2. Click Network.
  3. In the right pane, click the SSL Certificate.
  4. Load the vCenter Server SSL certificate in Orchestrator from a URL or a file.
    Figure 6
  5. Click Import.
    A message confirming that the import is successful appears.
    Figure 7 – Note, old certificates are still there.

Now it’s time to replace the default SSL certificate. Installing and Configuring VMware vCenter Orchestrator, chapter 10 “Configuration Use Cases and Troubleshooting”, section “Changing SSL Certificates” provides the basics.

However, I recommend switching to this excellent post written by Spas Kaloferov.  In his post “How to change the SSL certificate of a vCO Appliance”, Spas Kaloferov presents two scenarios for replacing the default SSL certificates. In the second scenario, the existing keystore will also be replaced by a new one.

As always, I thank you for reading. This is the third post in a series about implementing CA signed SSL certificates in a vSphere 5.x environment.

Part 1 – Introduction.

Part 2 – Obtaining Certificates.

Part 3 – Implementing CA signed SSL certificates for the vCenter Server Appliance

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: