
Virtual Infrastructure Navigator breaks when vCenter SSL Cert Changed

Like a lot of people, I was quick to download and implement VMware vCenter Operations Manager 5 Enterprise when it became available. One of the great tools included in the suite is Virtual Infrastructure Navigator (VIN), which will discover and map all the dependencies and also the DR protection status of VMs in a linked mode group. However, there is a bit of a gotcha if you want to use VIN and you also want to change the SSL certs in vCenter and/or vSphere Web Client.

Simply put, if you install VIN prior to changing your SSL certs, VIN will cease to function and be completely broken. It will require that you delete the VIN instance and redeploy from scratch. Fortunately, the rediscovery afterwards will fairly quickly get the inventory service mapping and dependencies back. But this is not great from an end-user experience perspective. There is also no documented way to change the default self-signed SSL cert on VIN itself. Given that VIN is a great tool for a secure environment to identify what services are where and what they are connected to, I’m hoping it will work better in the future when SSL certificates are updated, and that there is an easy process provided to update the VIN SSL cert.

If you want a way to fully manage the certificate lifecycle and replace certs automatically then you’ll want to check out vCert Manager – Changing VMware SSL Certs Made Easy. This will completely automate the SSL certificate process in vSphere environments. 

This post first appeared on the Long White Virtual Clouds blog at longwhiteclouds.com, by Michael Webster. Copyright © 2012 – IT Solutions 2000 Ltd and Michael Webster. All rights reserved. Not to be reproduced for commercial purposes without written permission.

  1. Nir
    March 5, 2012 at 9:00 pm

    Thanks Michael for bringing the SSL certs to the table.

    Indeed, Navigator v1.0 has a hard time coping with SSL cert changes; however, v1.1 supports that kind of SSL change. We plan to release the v1.1 GA version very soon.
    In the meantime, v1.0 customers can work around SSL cert changes by running the following procedure.

    Here is how to do this using the vCenter client:

    1. Select the VM and make sure that it is powered off
    2. Click Edit Settings
    3. Click on the vServices tab
    4. Right click on the vCenter Extension vService dependency and select Edit option
    5. For Provider choose “”
    6. Click OK
    7. Click OK

    Repeat steps 2-7, where in step 6 you choose “vCenter Extension vService”.
    Next time the VM is powered on, its OVF environment has been updated with the new vCenter certificate thumbprint.

    Please let me know how this works for you,

    Nir Oren-Giladi
    The vCenter Infrastructure Navigator Escalation Engineering team

    • March 5, 2012 at 9:15 pm

      Hi Nir, Thanks for taking the time to comment on this post. That information is very useful. Please let me know if a KB is published and I can update the article to point people to it. I look forward to seeing VIN 1.1.

    • March 6, 2012 at 5:00 pm

      Hi Nir, I can confirm I’ve just run through this process after updating my vCenter Server Certificates and it worked great.

  2. Nir
    March 6, 2012 at 8:36 pm

    Thanks for the feedback Michael.

    I believe you’ll benefit from the new features and improvements we’ve integrated with v1.1.

    If this is OK, once we launch v2.0, I’ll contact you and hopefully you’ll be part of the beta program. I’ll be glad to have you on board and have your feedback.

