Update vSphere 4.1U3 and 5.0 SSL Certs with your own Windows Domain CA Certificates using PowerShell

While it took quite a while to figure out how to replace vSphere 5.1 and 5.1U1's SSL certs, converting that script to work with 4.1U3 and 5.0 was straightforward. It probably helps that SSO doesn't exist (or I couldn't find it -- I haven't used vCenter on a regular basis since about 2006, but I've learned quite a bit from these SSL replacement scripts in my lab environment).

I was surprised to find that vSphere 4.1 and 5.0 are far more architecturally similar than 5.0 and 5.1. The 5.0 script required just one extra line of code to adjust for a different registry entry, and then it worked very well on 4.1U3.

So without further ado, you can download ReplaceSSL-vSphere41U3-50.ps1, modify the variables as necessary and run it on each of your farm servers. This script requires you to modify just 9 variables as seen in the snippet below:

```powershell
# Place the certs on a network location if your farm is larger than one server
$basedir = "\\fileserver\share\Certs"

# Enter your Windows Certificate Authority information below.
# Make sure it responds to certutil and web requests.
$rootCA = "dc.base.local"
$rootCAName = "BASE-DC-CA"
$email = "[email protected]"
$org = "NetNerds"
$city = "Kaplan"
$state = "LA"
$country = "US"

# Make sure you follow Derek Seaman's instructions
# to create a new certificate template @ https://goo.gl/m98FE
$certTemplate = "CertificateTemplate:VMware-SSL"

# Enter the path of your openssl.exe (0.x and 1.x are supported).
# If you don't have OpenSSL already, the script will download it for you.
$openssldir = "C:\OpenSSL-Win32"
```
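Because the script submits requests to the CA through certutil and needs the VMware-SSL template published there, it is worth confirming the values you put in those variables before touching a farm server. The preflight check below is an added example written for this post, not part of ReplaceSSL-vSphere41U3-50.ps1; it reuses the snippet's variable names and sample values, and assumes that openssl.exe sits under bin\ inside $openssldir and that web enrollment answers at the CA host's standard /certsrv path.

```powershell
# Added preflight check (not part of the post's script). Run it on a farm server
# with the same values you intend to use in ReplaceSSL-vSphere41U3-50.ps1.
$basedir      = "\\fileserver\share\Certs"
$rootCA       = "dc.base.local"
$rootCAName   = "BASE-DC-CA"
$certTemplate = "CertificateTemplate:VMware-SSL"
$openssldir   = "C:\OpenSSL-Win32"

$caConfig = "$rootCA\$rootCAName"   # certutil's CAMachineName\CAName form
$problems = @()

# 1. The certs share must be reachable from this server (one share serves the whole farm).
if (-not (Test-Path -LiteralPath $basedir)) {
    $problems += "Cert share not reachable: $basedir"
}

# 2. openssl.exe is expected under bin\ (assumed layout of the OpenSSL-Win32 install).
$openssl = Join-Path $openssldir "bin\openssl.exe"
if (-not (Test-Path -LiteralPath $openssl)) {
    $problems += "openssl.exe not found at $openssl (the script would download OpenSSL)"
}

# 3. The CA must answer certutil; this is the channel the script submits requests over.
$ping = certutil -config $caConfig -ping 2>&1
if ($LASTEXITCODE -ne 0) {
    $problems += "certutil cannot reach CA '$caConfig': $($ping -join ' ')"
}

# 4. The VMware-SSL template must be published on that CA or every request is refused.
$templateName = $certTemplate -replace '^CertificateTemplate:', ''
$published = certutil -config $caConfig -CATemplates 2>&1
if ($LASTEXITCODE -eq 0 -and -not ($published -match ('^' + [regex]::Escape($templateName) + ':'))) {
    $problems += "Template '$templateName' is not published on $caConfig"
}

# 5. Web enrollment must answer as well (assumed standard /certsrv path on the CA host).
try {
    Invoke-WebRequest -Uri "http://$rootCA/certsrv/" -UseDefaultCredentials -UseBasicParsing -TimeoutSec 10 | Out-Null
} catch {
    $problems += "Web enrollment not responding at http://$rootCA/certsrv/ : $($_.Exception.Message)"
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host "Preflight passed; the variables are usable by ReplaceSSL-vSphere41U3-50.ps1."
```

Run it under an account that is allowed to enrol against the CA, since both the certutil calls and the web enrollment request use your current credentials.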

If you are interested in the approximate steps taken, you can browse the vSphere 5.1 SSL replacement post. Just be aware that the SSO section does not apply.

All SSL Certificate Replacement Posts and Scripts in this Series

vSphere 4.1-5.0 SSL Generation and Replacement Post

Copyright 2003 -  Chrissy LeMaire. All Rights Reserved