Script to replace vCentre 5.1 Single Sign On Certificates

Anyone who has looked into replacing the vCentre Single Sign On certificates will know that doing this is a pain. So, I have created a script which will hopefully improve things. This simple batch file script automates the procedure detailed on pages 12 - 14 of the "Replacing Default vCentre and ESXi Certificates" document: http://www.vmware.com/files/pdf/techpaper/vsp_51_vcserver_esxi_certificates.pdf

This script assumes that you have just installed or upgraded vCentre to 5.1 and have generated the rui.key, rui.crt and rui.pfx certificate files that vCentre requires to update SSO. It also assumes that all vCentre components are installed in their default locations.

  1. Create a directory to store the certificates (I recommend using a path without any spaces)
  2. Copy the rui.key, rui.crt and rui.pfx certificate files into this directory
  3. Copy ReplaceSSOCerts.cmd into this directory
  4. Open an elevated command prompt and change to the directory above

Now run the script:

ReplaceSSOCerts.cmd %FQDNOFVCENTRE% %CERTDIR% %PASSWORD%

%PASSWORD% is the password used for the admin@System-Domain account

Below is an example of the script in action (the vCentre FQDN has been removed from the output):

[Screenshot: ReplaceSSOCerts.cmd output]

If you have any improvements to the script then let me know and I will happily update it.

[Jurgen Van de Perre]

UPDATE 30/01/2013 - Updated the script to version 0.2 so that the SSL parameter in the properties file points to Root64.cer and SSO uses the Java KeyStore file.

The following things have changed:

  1. Changed the second parameter to KeyStore-Dir (looks for the root-trust.jks file)
  2. Added a fourth parameter to add the Root64.cer directory location
  3. Updated the Script usage with these parameters
  4. Changed the file test to also check that the root-trust.jks file exists in the Certificate Directory
  5. Test if the script can locate the Root64.cer file
  6. Updated the properties file according to http://www.vmware.com/files/pdf/techpaper/vsp_51_vcserver_esxi_certificates.pdf (page 20) to use the JKS in the SSL parameter.
  7. Changed the ssocli configure-riat command to use the root-trust.jks

The command for v2 is "ReplaceSSOCerts.cmd <SSO Server FQDN> <Certificates directory containing root-trust.jks> <Admin-Password> <Root64.cer directory>"

This script should now be up to date with the latest instructions from VMware. I uploaded it as Replace SSOCertsv_2.cmd. I have also tested it in my lab environment and it works perfectly:

[Screenshots: openssl output from the v2 script run]

Disclaimer: This script has only been used in a limited lab environment and should not be used in a production environment without prior testing.
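As an added pre-flight check (this is example code, not the ReplaceSSOCerts.cmd from this page or anything from VMware), the batch file below takes the same four parameters as v2 and verifies the inputs before the SSO service is touched. It assumes openssl.exe is on the PATH (the tool used to create rui.key, rui.crt and rui.pfx) and that rui.key is not passphrase-protected.

```batch
@echo off
REM Pre-flight check for ReplaceSSOCerts.cmd v2 (added example, not the posted script).
REM Parameters: <SSO FQDN> <cert dir with root-trust.jks> <admin password> <Root64.cer dir>
REM Assumes openssl.exe is on the PATH and rui.key is unencrypted.
setlocal
if "%~4"=="" (
    echo Usage: %~nx0 ^<SSO FQDN^> ^<cert dir^> ^<admin password^> ^<Root64.cer dir^>
    exit /b 1
)
set "SSOFQDN=%~1"
set "CERTDIR=%~2"
set "ROOTDIR=%~4"

REM The page recommends a certificate path without spaces; fail early if there is one.
if not "%CERTDIR%"=="%CERTDIR: =%" (
    echo ERROR: certificate directory path contains spaces: "%CERTDIR%"
    exit /b 1
)

REM Every file v2 needs must exist. Note the root file is Root64.cer, not Root64.crt.
for %%F in (rui.key rui.crt rui.pfx root-trust.jks) do (
    if not exist "%CERTDIR%\%%F" (
        echo ERROR: missing %CERTDIR%\%%F
        exit /b 1
    )
)
if not exist "%ROOTDIR%\Root64.cer" (
    echo ERROR: missing %ROOTDIR%\Root64.cer
    exit /b 1
)

REM The private key must belong to the certificate: compare the RSA moduli.
for /f "delims=" %%M in ('openssl rsa -noout -modulus -in "%CERTDIR%\rui.key"') do set "KEYMOD=%%M"
for /f "delims=" %%M in ('openssl x509 -noout -modulus -in "%CERTDIR%\rui.crt"') do set "CRTMOD=%%M"
if not "%KEYMOD%"=="%CRTMOD%" (
    echo ERROR: rui.key does not match rui.crt
    exit /b 1
)

REM rui.crt must chain to Root64.cer, the root the properties file will point at.
openssl verify -CAfile "%ROOTDIR%\Root64.cer" "%CERTDIR%\rui.crt" >nul
if errorlevel 1 (
    echo ERROR: rui.crt is not issued by the CA in Root64.cer
    exit /b 1
)

REM The certificate subject should name the SSO server it is being installed on.
openssl x509 -noout -subject -in "%CERTDIR%\rui.crt" | findstr /i /c:"%SSOFQDN%" >nul
if errorlevel 1 echo WARNING: rui.crt subject does not contain %SSOFQDN%
echo Pre-flight checks passed; safe to run ReplaceSSOCerts.cmd with these inputs.
endlocal
```

Run it from the same elevated prompt with the same four arguments you intend to pass to ReplaceSSOCerts.cmd; a non-zero exit code means one of the inputs would have caused the real script to install a mismatched or untrusted certificate.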

Comments

Simplifies the process no end. Thanks!

The script needs to be updated to follow the latest VMware KB articles for replacing the SSO service. The script sets the "ssl" value to the incorrect certificate, among other issues. Until the script is updated, I would use the manual replacement method.

I have updated the script and entered the modifications in the document. v2 should be fully compliant with the new KB articles.

Excellent, thanks! I've put a link to this page in my Part 3 vCenter 5.1 Installation series. I used your first version and it was a great time saver!

http://derek858.blogspot.com/2012/09/vmware-vcenter-51-installation-part-3.html

Thank you for this script!!! I did have one issue running it, though. Line 144 of the v2 script references Root64.crt instead of Root64.cer (such as in line 116 and 130). I changed that and it ran with no errors.

Thanks again!

You were absolutely right. I have uploaded the fully correct script on this page. Seems I mixed up the script I used for my lab and the one I created first 🙂 Thanks for the update!

While this script worked great at a time, VMware has just released vCenter Certificate Automation Tool 1.0 which can help you replace vCenter, SSO, Web Client, vCO certificates with ease. You can download the tool at: https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/5_1#drive...

I have just posted a brief post about it at: How to replace vCenter 5.1, SSO, Web Client, vCO Certificates

Many others as well have blogged about the tool, but if you don't have the time to read all of these make sure you at least read the following KB before using the tool: http://kb.vmware.com/kb/2041600

Hope this helps & enjoy the new tool! It would be nice if you can comment on when this script will be of a better use case than the vCenter Certificate Automation Tool, as I am sure there will be few cases for that as the tool is still not perfect and has some limitations & known issues as pointed out in the KB.

Regards,

Eiad Al-Aqqad

B: http://www.Virtualizationteam.com

B: http://www.TSMGuru.com
