Sunday, December 19, 2010

vCenter 4.0/4.1 VUM SSL Certificate How-To

Update 2/11/2011: VMware has re-published the article and limited its applicability to 4.1 U1 (released 2/10/2011), since it directs you to use the new VMware Update Manager Utility. The new procedure is easier to follow and uses a new tool that makes its debut in 4.1 U1. However, IMHO, it's still inadequate. So I wrote up the full procedure for VUM 4.1 U1 here.

Update 1/6/2011: VMware has retracted the public KB article that I referenced. There is no new ETA on a revised public version. However, the VMware techie said the basic steps should not change, so you can still follow the steps below.
--
A little over a year ago I posted a "hack" to reconfigure vCenter VUM 4.0 for a trusted SSL certificate. At that time VMware had no official guidance, and only a couple of days ago did VMware release an official KB article. In addition, "Abe" left some good comments a couple of months ago on my old blog post, drawn from an internal VMware KB article. The official article closely mirrors Abe's steps.

I have vCenter and VUM running on Server 2008 R2, installed on the D: drive, so just to come full circle I'll pull from Abe's comments and the KB article, substituting the paths for my environment. It's really mind-boggling that VMware doesn't develop some simple GUI program that would create the certificate requests, then import them to ESXi hosts, vCenter, and VUM. The very complicated and time-consuming effort to update all of the SSL certificates is really frustrating. Microsoft and HP make it vastly easier to use trusted SSL certificates. VMware's process is the most convoluted and complicated that I know of.

These instructions work for vCenter 4.0 and 4.1 GA, BTW. For 4.1 U1, see my blog post here.

1. First you need to generate the trusted SSL certificates. To do this, follow steps 1 - 9 in my blog post here.
2. Stop the VMware vCenter Update Manager service.
3. On your VUM server, back up all the files in D:\Program Files (x86)\VMware\Infrastructure\Update Manager\SSL.
4. Copy rui.key, rui.crt, and rui.pfx to the SSL directory from the previous step.
5. Open an elevated command prompt and CD to D:\Program Files (x86)\VMware\Infrastructure\Update Manager.
6. On one VERY long line type:

vciInstallUtils.exe -v localhost -p 80 -U {username} -P {password} -C "d:\Program Files (x86)\VMware\Infrastructure\Update Manager" -L "C:\Users\All Users\VMware\VMware Update Manager\Logs" -I "d:\Program Files (x86)\VMware\Infrastructure\Update Manager" --op install-keystore

7. Verify “Import and generation of certificate worked, install-keystore successful” is shown.
8. In the same command prompt type (as one line):

vciInstallUtils.exe -v localhost -p 80 -U {username} -P {password} -S "d:\Program Files (x86)\VMware\Infrastructure\Update Manager\extension.xml" -C "d:\Program Files (x86)\VMware\Infrastructure\Update Manager" -L "C:\Users\All Users\VMware\VMware Update Manager\Logs" --op extupdate

9. Verify “The extension registration succeeded” is shown.
10. Start the VMware vCenter Update Manager Service.
11. Close the vSphere client, if open. Launch the vSphere client and connect to vCenter.
12. From the home page click on vCenter Service Status and verify it is healthy.
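Steps 2 through 10 above as one elevated PowerShell script, as an added example that is not part of the original post or of VMware's documentation. It runs the same two vciInstallUtils.exe invocations with exactly the flags the post uses, but passes every argument as its own array element so the missing-space and curly-quote mistakes a pasted one-liner invites cannot happen; it also inspects the new certificate (expiry, name, chain to a trusted root on this server) before the service is stopped, and compares thumbprints afterwards. The install and log paths are the ones this post uses; $CertSrc, $VcUser and $VumFqdn are placeholders. Two caveats: -P still places the vCenter password on the command line, where any local user can read it from a process listing while the tool runs (and one commenter's log shows the tool warning that it saves the password in clear text when passKey.dat is absent), and a password containing a double quote can be mangled by PowerShell's native-argument quoting, so test such an account first or use a simpler one. Steps 11 and 12 remain manual.

```powershell
# Added example (not from the original post or VMware): steps 2-10 as one script,
# with a certificate sanity check before the service is touched and a thumbprint
# check afterwards. Paths are the ones this post uses; $CertSrc, $VcUser and
# $VumFqdn are assumed placeholders. The vciInstallUtils.exe flags are exactly
# those the post's two commands use.
param(
    [string]$VumRoot = 'D:\Program Files (x86)\VMware\Infrastructure\Update Manager',
    [string]$LogDir  = 'C:\Users\All Users\VMware\VMware Update Manager\Logs',
    [string]$CertSrc = 'C:\certs\vum',        # assumed: where step 1 left rui.key/rui.crt/rui.pfx
    [string]$VcUser  = 'DOMAIN\vumadmin',     # assumed: vCenter account used to register VUM
    [string]$VumFqdn = 'vum.example.com'      # assumed: name the certificate was issued for
)

$sslDir = Join-Path $VumRoot 'SSL'
$util   = Join-Path $VumRoot 'vciInstallUtils.exe'
foreach ($p in $util, $LogDir, $CertSrc) { if (-not (Test-Path $p)) { throw "Not found: $p" } }

# Prompt for the password instead of embedding it in the script. -P still puts it
# on the command line, so it is visible in a process listing while the tool runs.
$cred  = Get-Credential $VcUser
$plain = $cred.GetNetworkCredential().Password

# Run the tool from its own directory with an argument array: PowerShell quotes
# elements containing spaces itself, so paths need no hand-typed quotes.
function Invoke-VciUtil {
    param([string[]]$ToolArgs, [string]$Expect)
    Push-Location $VumRoot
    try     { $output = & $util @ToolArgs 2>&1 | Out-String }
    finally { Pop-Location }
    Write-Host $output
    if ($output -notlike "*$Expect*") {
        throw "vciInstallUtils.exe did not report '$Expect' (exit code $LASTEXITCODE); SSL backup is in $backup"
    }
}

# Pre-flight on the certificate about to be installed: not expired, issued for
# this host (subject or SAN), and chaining to a CA this server already trusts.
$cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (Join-Path $CertSrc 'rui.crt')
if ($cert.NotAfter -lt (Get-Date)) { throw "rui.crt expired on $($cert.NotAfter)" }
$san = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) }) -join ' '
if ("$($cert.Subject) $san" -notmatch [regex]::Escape($VumFqdn)) {
    Write-Warning "Neither subject '$($cert.Subject)' nor SAN '$san' names $VumFqdn; clients will still see a name mismatch"
}
$chain = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    $why = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    throw "rui.crt does not chain to a trusted root on this server: $why"
}
Write-Host "Installing $($cert.Subject), thumbprint $($cert.Thumbprint), valid until $($cert.NotAfter)"

# Step 2: stop the service, matched by the display name the post uses.
$svc = Get-Service -DisplayName 'VMware vCenter Update Manager*'
if (-not $svc) { throw 'VMware vCenter Update Manager service not found on this host' }
$svc | Stop-Service -Force

# Step 3: back up the whole SSL directory, timestamped so a rerun does not overwrite it.
$backup = "$sslDir.bak-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
Copy-Item -Path $sslDir -Destination $backup -Recurse

# Step 4: drop in the new key, certificate and PFX.
foreach ($f in 'rui.key', 'rui.crt', 'rui.pfx') { Copy-Item (Join-Path $CertSrc $f) -Destination $sslDir -Force }

# Steps 5-7: import the keystore.
Invoke-VciUtil -Expect 'install-keystore successful' -ToolArgs @(
    '-v', 'localhost', '-p', '80', '-U', $cred.UserName, '-P', $plain,
    '-C', $VumRoot, '-L', $LogDir, '-I', $VumRoot, '--op', 'install-keystore')

# Steps 8-9: re-register the VUM extension with vCenter under the new certificate.
Invoke-VciUtil -Expect 'The extension registration succeeded' -ToolArgs @(
    '-v', 'localhost', '-p', '80', '-U', $cred.UserName, '-P', $plain,
    '-S', (Join-Path $VumRoot 'extension.xml'), '-C', $VumRoot, '-L', $LogDir, '--op', 'extupdate')
$plain = $null

# Step 10: start the service again.
$svc | Start-Service

# Post-check: the certificate now in the SSL directory is the one validated above.
$installed = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (Join-Path $sslDir 'rui.crt')
if ($installed.Thumbprint -ne $cert.Thumbprint) { throw "Installed rui.crt thumbprint $($installed.Thumbprint) differs from $($cert.Thumbprint)" }
Write-Host "Done. Steps 11-12 (reopen the vSphere Client and check vCenter Service Status) are still manual."
```

If either vciInstallUtils.exe run fails, the script stops before the service is restarted and tells you where the timestamped SSL backup is, so rolling back is a copy of that directory back over SSL followed by starting the service.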

And there you have it! The official method to update your VUM SSL certificates. Again, why it took VMware this frigging long to tell customers how to do this is mind-blowing. In the DoD, using trusted SSL certificates is a requirement, so the lack of official VMware guidance was a real problem. Now VMware needs to make it 10x easier and GUI driven. Maybe in vSphere 7.0.

6 comments:

  1. Nice guide, when I register the extension I get the following error: [VCSERVER] Register extension failed 86.

    I suspect two issues:
    1. Or you cannot use the same cert for VC and VUM (both on same server)
    2. I have a special character in the password for the VUM user.

  2. Anonymous,

    I successfully used the same certificate files for vCenter and VUM, on the same server.

  3. Looks like VMware have finally posted a KB for this (Dec 17th):

    http://kb.vmware.com/kb/1023011

    One other little niggle - uploading anything to VUM seems to use yet another cert, and you get an SSL warning.

  4. Also trying to update all of the SSL certificates, what a frustration. When executing the first vciInstallUtils.exe -v localhost -p etc.. command I get an error:

    [2011-01-13 12:32:17:367 '' 3280 WARN] [installerRunKeyStoreCommand, 190] [install-keystore] passKey.dat doesn't exist saving the password in clear text
    [2011-01-13 12:32:17:378 '' 3280 INFO] [installerRunKeyStoreCommand, 222] [install-keystore] Cleaning up the keystore...
    [2011-01-13 12:32:17:387 '' 3280 ERROR] [installerRunKeyStoreCommand, 231] [install-keystore] Delete of existing keystore failed with error 3 exiting

    Anyone have an idea???

  5. For the first command line, there should be a space between the second mention of Program Files and (x86).
    Also, with the second command, if you copy and paste into Notepad/cmdline prior to making site-specific changes, the double quotes after the .xml are not registered as a closing argument identifier.

  6. Hi Derek,
    Thanks so much for the "manual" SSL cert update using the CLI.
    For some reason the previous admin didn't install VUM Utility.exe.
