Sunday, April 7, 2013

Using the VMware vCenter Certificate Automation Tool: Part 2 (SSO and Inventory)

Continuing from Part 1 of my VMware vCenter Certificate Automation Tool series, we are finally at the point where we can review what the built-in planner advises we do, and then replace our certificates. If you missed Part 1, go back and execute all of the steps or you have a better chance of a pig flying by your window and waving at you than getting new SSL certificates working.

1. In case things go Tango Uniform, I strongly urge you do a full backup of all vCenter databases (SSO, vCenter, and VUM), plus snapshot/backup your vCenter VM(s). If you hose up the certificate replacement process you may be left with a smoking vCenter hole. Backup before proceeding!

2. On your vCenter server run the ssl-updater.bat script. It has a built-in planner which tells you which steps to perform and in what order, depending on which services you want to update. To access the planner, type 1.

3. Since we want to update all our services, I pressed 8.



The result of pressing 8 was the following text:

1. Go to the machine with Single Sign-On installed and - Update the Single Sign-On SSL certificate.
2. Go to the machine with Inventory Service installed and - Update Inventory Service trust to Single Sign-On.
3. Go to the machine with Inventory Service installed and - Update the Inventory Service SSL certificate.
4. Go to the machine with vCenter Server installed and - Update vCenter Server trust to Single Sign-On.
5. Go to the machine with vCenter Server installed and - Update the vCenter Server SSL certificate.
6. Go to the machine with vCenter Server installed and - Update vCenter Server trust to Inventory Service.
7. Go to the machine with Inventory Service installed and - Update the Inventory Service trust to vCenter Server.
8. Go to the machine with vCenter Orchestrator installed and - Update vCenter Orchestrator trust to Single Sign-On.
9. Go to the machine with vCenter Orchestrator installed and - Update vCenter Orchestrator trust to vCenter Server.
10. Go to the machine with vCenter Orchestrator installed and - Update the vCenter Orchestrator SSL certificate.
11. Go to the machine with vSphere Web Client installed and - Update vSphere Web Client trust to Single Sign-On.
12. Go to the machine with vSphere Web Client installed and - Update vSphere Web Client trust to Inventory Service.
13. Go to the machine with vSphere Web Client installed and - Update vSphere Web Client trust to vCenter Server.
14. Go to the machine with vSphere Web Client installed and - Update the vSphere Web Client SSL certificate.
15. Go to the machine with Log Browser installed and - Update the Log Browser trust to Single Sign-On.
16. Go to the machine with Log Browser installed and - Update the Log Browser SSL certificate.
17. Go to the machine with vSphere Update Manager installed and - Update the vSphere Update Manager SSL certificate.
18. Go to the machine with vSphere Update Manager installed and - Update vSphere Update Manager trust to vCenter Server.

As you can see, we have to perform 18 steps to fully update all SSL certificates. Due to the "Known Issues" with VUM and using an FQDN, I shall not be performing steps 17-18 since that is not a supported configuration.

4. Getting back to the main menu by pressing 9, I now want to start updating the SSL certificates in the prescribed order per the pre-planner. So I press 2 to start with SSO.


To perform the certificate update I press 1. At this point you can opt to sacrifice a chicken over your vCenter VM to appease the SSL gods and make this go smoother.


After pressing 1 it then asks me where my SSO SSL chain file is stored, and where the SSO private key is. Since we previously configured the environment script, the paths and files it listed were correct. I then typed in my SSO master password (you do remember it, right?). My install did not involve load balancers, so I told the installer no.
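Before handing the chain file and private key to the updater, it is worth confirming they actually belong together and that the leaf certificate names the server's FQDN, since a mismatch here is what leaves you with the "smoking vCenter hole". The following pre-flight script is an added example and not part of VMware's tool; it assumes openssl is on the PATH, an RSA key, and that the chain file starts with the leaf certificate. The file names and FQDN are placeholders.

```shell
#!/bin/sh
# Pre-flight checks for the SSO chain file and private key the updater asks for.
# Added example (not VMware's code). Assumes: openssl on PATH, RSA key,
# leaf certificate first in the PEM chain file.

# Return 0 if the first (leaf) certificate in CHAIN was issued for KEY,
# by comparing the RSA modulus of each.
cert_matches_key() {
    chain="$1"; key="$2"
    cert_mod=$(openssl x509 -noout -modulus -in "$chain" 2>/dev/null)
    key_mod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null)
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# Return 0 if the leaf certificate names FQDN in its subject CN or in a
# DNS subjectAltName entry (works with both old and new openssl subject layouts).
cert_names_host() {
    chain="$1"; fqdn="$2"
    openssl x509 -noout -subject -in "$chain" 2>/dev/null | grep -qi "CN *= *$fqdn" && return 0
    openssl x509 -noout -text -in "$chain" 2>/dev/null \
        | grep -A1 "Subject Alternative Name" | grep -qi "DNS:$fqdn"
}

# Number of PEM certificates in the chain file (leaf plus issuing CAs).
chain_depth() { grep -c "BEGIN CERTIFICATE" "$1"; }

# Run every check, print one line per result, return non-zero on any hard failure.
precheck() {
    chain="$1"; key="$2"; fqdn="$3"; rc=0
    if cert_matches_key "$chain" "$key"; then echo "ok   private key matches leaf certificate"
    else echo "FAIL private key does not match leaf certificate"; rc=1; fi
    if cert_names_host "$chain" "$fqdn"; then echo "ok   leaf certificate names $fqdn"
    else echo "FAIL leaf certificate does not name $fqdn"; rc=1; fi
    n=$(chain_depth "$chain")
    if [ "$n" -ge 2 ]; then echo "ok   chain file holds $n certificates"
    else echo "WARN chain file holds $n certificate(s); expected leaf plus CA chain"; fi
    return $rc
}

# Usage: ./precheck.sh sso-chain.pem sso-key.pem vcenter.example.test (placeholders)
[ $# -eq 3 ] && precheck "$@"
```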


At this point the black magic starts, and my heart was thumping, hoping that my chicken sacrifice worked. A minute later... all seems to be well. Chicken worked!


Step 1 of the pre-planning guide is complete. Check!

5. Now that the SSO certificate appears to be successfully updated, it's time to march on to the inventory service. So I press 3 to return to the main menu. On the main menu I press 3 to update the inventory service. I'm now presented with a plethora of options.


Per the pre-planning guide I need to select option 1. After 30 seconds of disk activity, I get a successful message.

Step 2 of the pre-planning guide is complete. Check! 16 left to go.

6. Slightly illogically the next step is to select option 3, per the pre-planning guide. Again, the certificate paths and files are pre-populated and are correct. Now it wants to know the SSO administrator user. If you aren't sure what this is, open the Web Client and login. If you can access and modify the Sign-On and Discovery settings, you probably have the right username. In my case this is "sysadmin", but it will surely be different for you.


A little whirring of my disk drive, and I get a successful message.

Step 3 of the pre-planning guide is complete. Check! 15 left to go.

Next up in Part 3 is continuing the march towards completing all 18 steps by updating the vCenter and Orchestrator certificates.
