vCenter 4 and ESX 4 Now Use 10 Year Default SSL Certificate
In my previous post, 730 Days Later, I pointed out that the default VirtualCenter SSL certificate was only good for 2 years. If the untrusted certificate installed with vCenter and ESX was not replaced by the VI admin, problems could arise when connecting with the VI Client or via the ESX 3.X web interface. Now with vSphere, the default vCenter 4 and ESX 4 SSL certificate still needs to be changed, but it has been updated and is now good for 10 years, giving admins a little more breathing room.
VMware has also updated its PDF on how to replace the cert. Be sure to download the new guide for Replacing VirtualCenter Server Certificates. Here is some brief info from the first paragraph of this document:
Certificates are automatically generated when you install vCenter Server and ESX/ESXi. These default certificates are not signed by a commercial certificate authority (CA) and may not provide strong security. You can replace default vCenter Server and ESX/ESXi certificates with certificates signed by a commercial CA.
This Technical Note includes the following topics:
“About vCenter Server Certificates” on page 1
“Pre-Trusting Server Certificates” on page 2
“Certificate Specifications” on page 2
“Certificate Locations” on page 2
“Replacing Default Server Certificates with Certificates Signed by a Commercial CA” on page 2
“Replacing Default Server Certificates with Self-Signed Certificates” on page 5
“Related Publications” on page 8
NOTE If you have replaced the default vCenter Server or ESX/ESXi host certificates with certificates signed by a commercial CA, you do not need to perform the tasks in this document. You can configure server-certificate verification settings using the vSphere Client. See the Basic System Administration Guide for more information.
The vSphere Basic System Administration Guide can be found here.
VMware also has a couple of KB articles about best practices using SSL keys for communicating with VirtualCenter. Go here or here.
An administrator can also decide to turn off the verification of SSL certificates. To do this, go to the vCenter Settings from the vSphere Client and disable this feature in the SSL Settings section. This is also explained in the System Administration Guide mentioned previously.
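To see where an exported server certificate stands on the two points this post covers (how long it is valid, and whether it chains to a CA you trust), the following added example, which is not from VMware's guide, uses the openssl CLI. It assumes GNU date; the function names and the sample host name are hypothetical, and the demo certificates are constructed on the fly.

```sh
#!/bin/sh
# Added example: audit a PEM certificate for lifetime, expiry and trust.
# Assumes the openssl CLI and GNU date; all function names are hypothetical.

# Print the value of one x509 date field ("notBefore=..." / "notAfter=...").
cert_date() {            # $1 = PEM file, $2 = -startdate | -enddate
    openssl x509 -in "$1" -noout "$2" | sed 's/^[^=]*=//'
}

# Validity period in whole days (notAfter - notBefore).
cert_lifetime_days() {   # $1 = PEM file
    start=$(date -u -d "$(cert_date "$1" -startdate)" +%s)
    end=$(date -u -d "$(cert_date "$1" -enddate)" +%s)
    echo $(( (end - start) / 86400 ))
}

# Succeeds if the certificate expires within $2 days.
cert_expires_within() {  # $1 = PEM file, $2 = days
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Succeeds only if the certificate chains to a CA in the given bundle.
cert_chains_to() {       # $1 = PEM file, $2 = CA bundle (PEM)
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# Build a constructed self-signed certificate valid for $2 days.
make_sample_cert() {     # $1 = output PEM, $2 = days
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=sample-host.example" -keyout "$1.key" -out "$1" 2>/dev/null
}

# Demo on constructed data: a 10-year self-signed cert and an unrelated CA.
demo() {
    dir=$(mktemp -d)
    make_sample_cert "$dir/host.pem" 3650
    make_sample_cert "$dir/other-ca.pem" 3650
    echo "lifetime: $(cert_lifetime_days "$dir/host.pem") days"
    cert_chains_to "$dir/host.pem" "$dir/other-ca.pem" \
        || echo "host.pem is not signed by a CA in other-ca.pem"
    cert_expires_within "$dir/host.pem" 90 || echo "more than 90 days left"
    rm -rf "$dir"
}
demo
```

A certificate that reports a long lifetime but fails `cert_chains_to` against your organization's CA bundle is a candidate for replacement, regardless of how many days it has left.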
Great post Rich. For me, SSL and certificates is one of the more dry subjects and it takes all of my energy to pay attention. Thanks for making it interesting.
One word of warning about removing SSL certificate checking – it's required for FT…
Thanks for the SSL FT tip @Mike_Laverick! I did not know this, but FT has so many pre reqs it doesn't surprise me!
Host SSL is a new hidden gem under vCenter Administrative settings. The FT requirement is not the default if I remember right.