Bump... anyone?! Thoughts, suggestions?
To help clarify others:
ESXi hosts vSphere 5.1
documentation states: The SSL Certificate Automation Tool 5.5 works with your vSphere 5.5 environment only. If you need to replace the certificates on a vSphere 5.1 environment, see Deploying and using the SSL Certificate Automation Tool (2041600).
With my setup, am I in a vSphere 5.1 environment or a vSphere 5.5 environment?
Seems like the documentation could use some review...
You should definitely use SSL Automation Tool 5.5 for your vCenter and its services (Web Client, Inventory Service, etc.). About ESXi: I replaced the hosts' certs by hand, not with the Tool.
Also ensure that you use the SHA256RSA algorithm. Here is the VMware KB instruction for ESXi: Configuring CA signed certificates for ESXi 5.x hosts.
1 person found this helpful
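As an added example (not from this thread, and not VMware's KB or tooling), the following POSIX shell script does the workstation-side part of a manual ESXi cert replacement the way the post above describes it: it generates a 2048-bit RSA key and a SHA-256 CSR for a host, and then sanity-checks the certificate the CA returns before anything is copied to the host. The check verifies that the cert was signed with sha256WithRSAEncryption (the SHA256RSA requirement) and that its public key matches the generated private key, which catches the two mistakes that leave a host with a cert hostd will not serve. The host name esxi01.example.internal and the organisation name are placeholders, and the script assumes openssl is installed; the file names rui.key and rui.crt and the /etc/vmware/ssl location mentioned in the comments are the standard ESXi ones.

```shell
#!/bin/sh
# Added example: SHA-256 CSR generation plus a pre-install check for an
# ESXi host certificate. Assumes openssl is on PATH. Host name and
# organisation below are placeholders, not values from the thread.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Generate rui.key (2048-bit RSA) and a CSR signed with SHA-256 for the
# given FQDN, with the FQDN also present as a subjectAltName.
# Prints the path of the CSR to submit to the CA.
esxi_csr_gen() {
    fqdn="$1"
    cfg="$WORKDIR/$fqdn.cnf"
    cat > "$cfg" <<EOF
[ req ]
default_bits       = 2048
default_md         = sha256
prompt             = no
distinguished_name = dn
req_extensions     = ext
[ dn ]
CN = $fqdn
O  = Example Org
[ ext ]
subjectAltName = DNS:$fqdn
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$cfg" -keyout "$WORKDIR/rui.key" \
        -out "$WORKDIR/rui.csr" 2>/dev/null
    echo "$WORKDIR/rui.csr"
}

# Print the signature algorithm name of a PEM certificate,
# e.g. sha256WithRSAEncryption or sha1WithRSAEncryption.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text |
        awk -F': ' '/Signature Algorithm/ { print $2; exit }'
}

# Return 0 only if the issued cert is SHA-256/RSA signed and its public key
# matches the private key; otherwise report why and return 1.
# Only a cert that passes should be installed as /etc/vmware/ssl/rui.crt
# next to /etc/vmware/ssl/rui.key on the host.
cert_check() {
    cert="$1"
    key="$2"
    alg=$(cert_sig_alg "$cert")
    [ "$alg" = "sha256WithRSAEncryption" ] ||
        { echo "bad signature algorithm: $alg" >&2; return 1; }
    cert_mod=$(openssl x509 -in "$cert" -noout -modulus)
    key_mod=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null)
    [ "$cert_mod" = "$key_mod" ] ||
        { echo "private key does not match certificate" >&2; return 1; }
    return 0
}

# Usage (a self-signed cert stands in for the CA's answer here):
#   csr=$(esxi_csr_gen esxi01.example.internal)
#   openssl x509 -req -in "$csr" -signkey "$WORKDIR/rui.key" -sha256 \
#       -days 365 -out "$WORKDIR/rui.crt"
#   cert_check "$WORKDIR/rui.crt" "$WORKDIR/rui.key" && echo "ok to install"
```

Run the check on the workstation before touching the host; once it passes, the later posts in this thread apply: disconnect the host from vCenter, copy rui.key and rui.crt into place, restart the management agents, and reconnect the host. Keeping direct (non-vCenter) access to the host available while doing this is what lets you recover if the new cert turns out to be wrong.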
I could recommend the following website.
It saved me a lot of time with implementing my certs.
Thanks for the info. I have since used the SSL Automation Tool 5.5, ran the update planner, and completed all steps to update the certs using an internal MS-based CA, and was successful. I'll hopefully read the documentation on getting the host certs updated as well.
One quick question on that is, will this affect the vCenter connection to each host?
Should I create a domain-based account to manage these hosts, and then tell vCenter the new AD credentials to use to manage these hosts, and will the vCenter server lose communication to the host when updating the certs on them?
Hopefully the articles provided will shed some light on these questions.
1 person found this helpful
Zewwy, no, AD accounts are not necessary; just provide the host's root credentials when you add the ESXi host to your vCenter, and it will create a vpxuser account to manage the new host (as usual), and already existing hosts will just rejoin the cluster. Actually, I put the hosts into vCenter after changing the certs, but you should not get any problem. Just ensure that you have the possibility to manage the host directly, not through vCenter (in case the cert change fails).
Also yes, Derek Seaman's blog contains a lot of information, but it did not help me with the cert change, because my vServices are hosted on different VMs (and his script is only for a simple installation); however, there is a lot of useful information about vSphere installation, so pay attention to it. You can check http://www.derekseaman.com/2013/12/vsphere-55-install-pt-19-esxi-ssl-certs.html about changing ESXi certs.
Hope it will help. I think SSL is a pretty painful story.
You will get issues if you change the cert while your hosts are connected to your vCenter.
So first, disconnect the host, change the cert, and reconnect the host to vCenter.
If you want to, you could create an AD group and add it to the host admin group. But you don't need that.
That's how I have them added now, via their hosts' root account. And considering that the host connects to them fine with the self-signed certs, it's not really that big a deal to me since I usually just manage them via vCenter now. But in the event vCenter fails (or breaks because I changed the hostname without redeploying new certs), then I manage them directly using the 5.1 fat client.
So now I'm wondering, is there any real benefit to me in re-issuing the hosts' certs...? Since I very rarely administer them directly..
Thanks for all the help guys, it has been really insightful!
I would change the ESXi certs in your place. You can avoid a "man-in-the-middle" between vCenter and ESXi, not only between your client and ESXi, I think. And also, what's the point of replacing certs not on all components of the virtual infrastructure but only on a few? There are not many problems with replacing ESXi certs; I would say it was easier for me to replace them than to replace the certs of the vCenter services (Inventory, etc.). But it is just my opinion.