VMware

Regenerating Expired vCenter SSL Certificates

Renewing SSL Certificates during vSphere 5.0 to 5.5 Upgrade

During an upgrade from vSphere 5.0 to 5.5, you may encounter a message that the SSL certificate for this product is expired. This issue arises due to the fact that the out-of-the-box self-signed certificates are valid for only two years (for VirtualCenter 2.5) or 10 years (since vCenter 4.x), depending on the version. To continue with the installation, you need to renew the certificates.

KB1009092 provides detailed instructions on how to renew the certificates, and I will not repeat what is already written there. However, I would like to highlight a few important points that you should be aware of before proceeding.

Firstly, it is essential to note that you cannot use the ESXi busybox to renew the certificates. The necessary OpenSSL binary is not included, and KB1009092 recommends using OpenSSL on Windows. I simply used my Linux root server, but you can also use a small Linux VM.

Secondly, it is crucial to understand that the deployment of CA-signed certificates is planned. You need a CA (this can be your own CA) and the vCenter Certificate Automation Tool to make the deployment of your own certificates much more manageable. There are several excellent posts on this topic, such as Derek Seaman’s four-part series and Craig Kilborn’s posting, which provide valuable insights into the usage of the vCenter Certificate Automation Tool.

Lastly, dealing with certificates can be challenging for unexperienced administrators. It is essential to understand how certificates work, the job of a CA, and how everything works together before proceeding. As a trusted advisor, it is crucial to take your time and not rush into deploying a CA without fully understanding the requirements and implications.

In conclusion, renewing the SSL certificates during an upgrade from vSphere 5.0 to 5.5 is a straightforward process once you understand the requirements and have the necessary tools and knowledge. Remember to take your time, plan carefully, and deploy CA-signed certificates for better security and management.