VirtualCenter CA Configuration – take 3

Updated: Thanks to Geert Baeke (in comments) for noticing my error – when creating a .pfx certificate file it is important to set the password as testpassword, otherwise sysprep encrypted passwords in your customization scripts will not work. The relevant sections has been modified. You learn something new every day

In the comments of the first article on the matter, Trevor said that he was getting a .pfx file of length 0KB.

I can confirm that I am reproducing the same issue – and it seems to be with a bug in the openssl compiled by the third party.

Here’s how to do it another way if the same problem occurs to you.

• Download and install Microsoft Visual C++ 2008 Redistributable Package (x86)
• Download openssl from here and install with all defaults
• Download openssl from here and install with all defaults (yes I know, it’s another version)
• Download and install perl from here, with all defaults

Obviously if the links expire, the versions are too old – just browse to the base FQDNs in the links and download the latest version of the software available.

• Edit the ca.pl file in C:\OpenSSL\bin so that this line:

$DAYS="-days 365"; # 1 year

is transformed to this:

$DAYS="-days 3650"; # 10 years

• Edit the openssl.cfg in C:\OpenSSL\bin by making the following changes:

default_days = 365 # how long to certify for

to

default_days = 3650 # how long to certify for

and add the bold text in the correct areas as referenced by the non-bold text:

stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = NSW

localityName = Locality Name (eg, city)
localityName_default = Kingsford

0.organizationName = Organization Name (eg, company)
0.organizationName_default = Private Company

organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = IT&T

emailAddress = Email Address
emailAddress_max = 64
emailAddress_default = raikhman@gmail.com

Also, make sure to edit to the correct values, all above settings that are boldened and italicised.

• Copy ca.pland openssl.cfg from C:\OpenSSL\bin to C:\Program Files\GnuWin32\bin
• Open a command prompt and cd to C:\OpenSSL\bin
• Run: C:\perl\bin\perl ca.pl -newca. When requested for the common name, just punch in “server”
• Copy the resulting C:\OpenSSL\bin\demoCA directory to C:\Program Files\GnuWin32\bin
• Uninstall OpenSSL (the one in Add/Remove Programs without a GnuWin32 moniker)
• Use the same command prompt that is still open and cd to C:\Program Files\GnuWin32\bin
• Run: openssl genrsa 1024 > rui.key
• Run: openssl req -new -key rui.key > rui.csr -config openssl.cfg. When it asks for the common name, type in the FQDN of the VirtualCenter server (eg. auconvc01.contoso.com.au)
• Run: openssl ca -out rui.crt -config openssl.cfg -infiles rui.csr
• Run: openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui -passout pass:testpassword -out rui.pfx

At this point, you’ve created 3 files – rui.key, rui.crt and rui.pfx

Go into C:\Documents and Settings\All Users\Application Data\VMware\Infrastructure\VMware VirtualCenter Server\ and rename the SSL directory to SSL.old. Then create a directory called SSL. Copy the created files into this directory.

Next, open up the Microsoft Management Console (Start -> Run -> MMC) and open up the snap-in for Computer Account Certificates. Import the rui.crt certificate file into the Trusted Publishers container.

CD in the command prompt to the VMware VirtualCenter Server install directory and run vpxd -p. This will re-initialise the database on your SQL server with the new certificate. You will be asked for the DB password – input it.

Restart the VirtualCenter Service.

The problem is that now the ESX hosts don’t have the right certificate and are unable to communicate. Just disconnect them and reconnect them to re-enable HA/DRS/VMotion functionality.

All done