Home > CA SSL Certificates, Security, VMware > Best Order for Changing SSL Certs in vSphere Environments

Best Order for Changing SSL Certs in vSphere Environments

During the process of working with customers changing their SSL default self-signed certs for CA signed SSL certs in their vSphere environments I found that the order they were changed made a difference. This was also the case when I ran through the same process in my lab environment. Here is the order that I found was the easiest when changing the SSL certs in the vSphere environments I’ve worked with.

Firstly I’d like to start by saying this is what I’ve found the easiest in the environments I’ve worked in. Your mileage may vary. I have tested this with vSphere 5, but it may also be applicable for earlier versions. I’d like to hear from you on your experience and if this has worked for you, or if you used a different order.

  1. ESXi Hosts
  2. vCenter Server
  3. vSphere Web Client
  4. Other Components, such as SRM, vCenter Operations Manger, VMware View, vShield etc

If you want a way to fully manage the certificate lifecycle and replace certs automatically then you’ll want to check out vCert Manager – Changing VMware SSL Certs Made Easy. This will completely automate the SSL certificate process in vSphere environments. 

The reason I have found that this order is the easiest is because if you update the ESXi Hosts certs first with trusted CA certs they can be added into vCenter quicker. The hosts will also not become disconnected and require you to reconnect them when you change the vCenter SSL certificates. The reason why I have the vSphere Web Client listed before other components is because it will generally be installed on the same server as vCenter Server. Unless of course you have a very large number of vSphere Web Client users, which which case you will have split it out onto a separate server.

If you can update the SSL Certs on the ESXi Hosts before adding them into vCenter it will save you some time as you won’t have to fix the SSL thumbprints in the vCenter Database, which is due to be fixed in vSphere 5 Update 1  (refer to The Trouble with CA SSL Certificates and ESXi 5).

This post first appeared on the Long White Virtual Clouds blog at longwhiteclouds.com, by Michael Webster +. Copyright © 2012 – IT Solutions 2000 Ltd and Michael Webster +. All rights reserved. Not to be reproduced for commercial purposes without written permission.

  1. Brandon
    March 7, 2012 at 2:30 am

    Mike, good articles on SSL stuff, especially as I am about to deploy a vSphere environment that requires them! Keep up the good blogging buddy!

  1. March 6, 2012 at 10:13 pm

Leave a Comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: