
vCenter 4 and ESX 4 Now Use 10 Year Default SSL Certificate

In my previous post, 730 Days Later, I pointed out that the default VirtualCenter SSL certificate was only good for 2 years. If the untrusted certificate installed with vCenter and ESX was not replaced by the VI admin, problems could arise when connecting with the VI Client or via the ESX 3.X web interface. Now with vSphere, the default vCenter 4 and ESX 4 SSL certificate still needs to be changed, but it has been updated and is now good for 10 years, giving admins a little more breathing room.

VMware has also updated its PDF on how to replace the cert. Be sure to download the new guide for Replacing VirtualCenter Server Certificates. Here is some brief info from the first paragraph of this document:

Certificates are automatically generated when you install vCenter Server and ESX/ESXi. These default certificates are not signed by a commercial certificate authority (CA) and may not provide strong security. You can replace default vCenter Server and ESX/ESXi certificates with certificates signed by a commercial CA.

This Technical Note includes the following topics:
“About vCenter Server Certificates” on page 1
“Pre-Trusting Server Certificates” on page 2
“Certificate Specifications” on page 2
“Certificate Locations” on page 2
“Replacing Default Server Certificates with Certificates Signed by a Commercial CA” on page 2
“Replacing Default Server Certificates with Self-Signed Certificates” on page 5
“Related Publications” on page 8

NOTE: If you have replaced the default vCenter Server or ESX/ESXi host certificates with certificates signed by a commercial CA, you do not need to perform the tasks in this document. You can configure server-certificate verification settings using the vSphere Client. See the Basic System Administration Guide for more information.

The vSphere Basic System Administration Guide can be found here.

VMware also has a couple of KB articles about best practices using SSL keys for communicating with VirtualCenter. Go here or here.

An administrator can also decide to turn off the verification of SSL certificates. To do this, go to the vCenter Settings from the vSphere Client and disable this feature in the SSL Settings section. This is also explained in the System Administration Guide mentioned previously.
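A quick way to check whether a host is still presenting an unreplaced default certificate, using the standard openssl command-line tool. This is an added example, not part of the original post or VMware's guide; the function names, the sample subject and the vcenter.example.com hostname are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): flag a certificate that is still
# self-issued, as the vCenter/ESX installer defaults are. Names are illustrative.

# Constructed sample input: a throwaway self-signed cert, like an installer default.
make_sample_cert() {  # usage: make_sample_cert OUT_PEM DAYS
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days "$2" -subj "/CN=sample-default.example" >/dev/null 2>&1
}

# Print "self-issued" when the subject and issuer names match, else "ca-issued".
# (Name match only; the signature itself is not verified here.)
cert_issuer_kind() {
    subj_hash=$(openssl x509 -in "$1" -noout -subject_hash) || return 2
    iss_hash=$(openssl x509 -in "$1" -noout -issuer_hash) || return 2
    if [ "$subj_hash" = "$iss_hash" ]; then echo "self-issued"; else echo "ca-issued"; fi
}

# Print how many whole 365-day years of validity remain (0 if under a year or expired).
cert_years_left() {
    years=0
    while [ "$years" -lt 30 ]; do
        secs=$(( (years + 1) * 365 * 86400 ))
        # -checkend exits 0 only if the cert is still valid $secs seconds from now
        openssl x509 -in "$1" -noout -checkend "$secs" >/dev/null 2>&1 || break
        years=$(( years + 1 ))
    done
    echo "$years"
}

# One-line report; a non-zero exit status means "replace this certificate".
audit_cert() {
    kind=$(cert_issuer_kind "$1") || { echo "unreadable: $1"; return 2; }
    echo "$1: $kind, about $(cert_years_left "$1") year(s) of validity left"
    [ "$kind" = "ca-issued" ]
}

# To audit a live host (hostname is a placeholder), save its certificate first:
#   openssl s_client -connect vcenter.example.com:443 </dev/null 2>/dev/null \
#       | openssl x509 -out host.pem
#   audit_cert host.pem
```

A self-issued result with many years of validity left is what an unreplaced default looks like; a certificate signed by your own or a commercial CA reports as ca-issued.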


  • http://www.boche.net/blog/ Jason Boche

    Great post Rich. For me, SSL and certificates is one of the more dry subjects and it takes all of my energy to pay attention. Thanks for making it interesting.

  • mikelaverick

    One word of warning about removing SSL certificate checking – it's required for FT…

  • http://vmetc.com rbrambley

    Thanks for the SSL FT tip @Mike_Laverick! I did not know this, but FT has so many pre reqs it doesn't surprise me!

  • http://boche.net/blog/ Jason Boche

    Host SSL is a new hidden gem under vCenter Administrative settings. The FT requirement is not the default if I remember right.
