VMware Cloud Community
mark_chuman
Hot Shot

SSL Cert Replacement - vCenter 5/vCenter Inventory Service

Running into this problem during our new vCenter 5 infrastructure build out.  Wondering if anyone else has run into this before.

We create internally signed certs and use these certs for the virtual center service and for the inventory service.  I stop the vCenter service, replace the vCenter certs, reset the DB password and then start the vCenter service.  That works fine and I am able to log in to vCenter, but when I go to start the inventory service (certs for inventory service untouched) it fails.  I have worked with this in our lab, and there the certs could be replaced separately from one another.  Any ideas are welcome.

Thanks


Accepted Solutions
francoisloiseau
Contributor

When you generated your own pfx, what was the password?

It has to be "testpassword".

  openssl pkcs12 -export -in ./certs/rui.crt -inkey ./private/rui.key -name rui -passout pass:testpassword -out ./certs/rui.pfx 

If not, the inventory service won't start.

maishsk
Expert

Have you had a look at this post? Maybe this can assist?

http://longwhiteclouds.com/2012/02/07/the-trouble-with-ca-ssl-certificates-and-vcenter-5/

Maish

Maish Saidel-Keesing • @maishsk • http://technodrone.blogspot.com • VMTN Moderator • vExpert • Co-author of VMware vSphere Design
mark_chuman
Hot Shot

Thanks for the link (looking it over now), I didn't come across it during my search for SSL replacement instructions.

mark_chuman
Hot Shot

Thanks for the help.

I am assuming that setting a password of testpassword is not critical at the "Create Certificate-Signing Requests" step below?

http://pubs.vmware.com/vsphere-50/topic/com.vmware.vsphere.solutions.doc_50/GUID-A5E242BE-8438-447C-...

francoisloiseau
Contributor

Nope, this step does not require the password to be "testpassword". Only the keystore (pfx) needs it.

mark_chuman
Hot Shot

FYI, this is extremely odd, but we have seen SSL certs work correctly when leaving out the password in our v5 environment.

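To see which password an existing rui.pfx actually opens with, and that it holds the rui entry with a matching private key, before restarting the Inventory Service, the script below is an added example and not code from any poster in this thread or from VMware. The function names, the demo fixture and the CN vcenter.example.test are assumptions made for illustration; only the pkcs12 export options come from the thread.

```shell
#!/bin/sh
# Added example: check an exported PKCS#12 keystore before restarting a service.

# make_demo_pfx DIR PASSWORD: constructed throwaway key/cert, exported with the
# same pkcs12 options as the command in the thread.
make_demo_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=vcenter.example.test" \
        -keyout "$1/rui.key" -out "$1/rui.crt" >/dev/null 2>&1 &&
    openssl pkcs12 -export -in "$1/rui.crt" -inkey "$1/rui.key" -name rui \
        -passout "pass:$2" -out "$1/rui.pfx"
}

# pfx_opens_with FILE PASSWORD: status 0 if the keystore MAC verifies.
pfx_opens_with() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# pfx_has_alias FILE PASSWORD ALIAS: status 0 if a certificate bag carries
# that friendlyName (set by -name at export time).
pfx_has_alias() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null |
        grep -Eq "friendlyName: $3[[:space:]]*\$"
}

# pfx_key_matches_cert FILE PASSWORD: status 0 if the private key in the
# keystore belongs to the certificate stored next to it.
pfx_key_matches_cert() {
    cert_pub=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts \
        2>/dev/null | openssl x509 -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes \
        2>/dev/null | openssl pkey -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# check_pfx FILE [PASSWORD] [ALIAS]: returns 0 = ok, 1 = wrong password,
# 2 = alias missing, 3 = key and certificate do not match.
check_pfx() {
    pfx_opens_with "$1" "${2-testpassword}" ||
        { echo "FAIL: $1 does not open with the given password"; return 1; }
    pfx_has_alias "$1" "${2-testpassword}" "${3-rui}" ||
        { echo "FAIL: $1 has no entry named ${3-rui}"; return 2; }
    pfx_key_matches_cert "$1" "${2-testpassword}" ||
        { echo "FAIL: key and certificate in $1 do not match"; return 3; }
    echo "OK: $1 opens, has alias ${3-rui}, key matches certificate"
}

# Usage: sh check_pfx.sh ./certs/rui.pfx [password] [alias]
[ "$#" -eq 0 ] || check_pfx "$@"
```

Passing an empty string as the second argument tests whether the keystore was exported with a blank password.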