vCenter Certificates for Update Manager

Steps to replace self signed certificates. For more details see KB [1023011]

You can replace the default certificates used by Update Manager with custom self signed certificates.

1)    On an ESX 3.5 host or an ESX 4.0.x, create a text file named rui.cfg. In the file, include the following configuration settings:

# Conf file used to generate SSL certificates.
[ req ]
default_bits = 1024
default_keyfile = rui.key
distinguished_name = req_distinguished_name
# Don't encrypt the key
encrypt_key = no
prompt = no
string_mask = nombstr

[ req_distinguished_name ]
countryName = Country
stateOrProvinceName = State
localityName = Area_Name
0.organizationName = Company_Name
emailAddress = x@y.com
commonName = [NAME_OF_SERVER_THAT_WILL_HAVE_CERTIFICATE]

Modify all entries according to the specifics of your environment. You must fill in a commonName.

2) On the ESX host generate certificate and key.

Create the self signed certificate (rui.key and rui.crt) by running the following command:

openssl req –nodes –new –x509 –keyout rui.key –out rui.crt –days 3650 -config rui.cfg

3) On the ESX host, generate a .pfx file.

The rui.pfx file is a concatenation of the system's certificate and private key, exported in the PFX format.
To create the rui.pfx file, run the following commands (each line is a separate command):

touch vum-serv.key.crt     //To create new file ‘vum-serv.key.crt’
cp rui.crt vum-serv.key.crt
cat rui.key >> vum-serv.key.crt
openssl pkcs12 -export -in ./vum-serv.key.crt -name "rui" -out ./mycert.p12
mv mycert.p12  rui.pfx

4) On the Windows machine where the Update Manager server is installed, stop the VMware vCenter Update Manager service.

5) Backup and replace the certificates.

Copy rui.crt, rui.key, and rui.pfx from the ESX host to the machine where Update Manager is installed. Backup the files rui.crt, rui.key, and rui.pfx, located in the [VUM_Installation_Directory]\SSL folder and replace the old rui.crt, rui.key and rui.pfx with the files that you created.

0