Update vSphere 4.1U3 and 5.0 SSL Certs with your own Windows Domain CA Certificates using PowerShell

While it took quite awhile to figure out how to replace vSphere 5.1 and 5.1U1’s SSL certs, converting that script to work with 4.1U3 and 5.0. It probably helps that SSO doesn’t exist (or I couldn’t find it — I haven’t used vCenter on a regular basis since about 2006, but I’ve learned quite a bit from these SSL replacement scripts in my lab environment.)

I was surprised to find that that vSphere 4.1 and 5.0 are far more architecturally similar than 5.0 and 5.1. The 5.0 script required just one extra line of code to adjust for a different registry entry, then it worked very well on 4.1U3.

So without further ado, you can download ReplaceSSL-vSphere41U3-50.ps1, modify the variables as necessary and run it on each of your farm servers. This script requires you to modify just 9 variables as seen in the snippet below:

# Place the certs on a network location if your farm is larger than one server
$basedir = "\\fileserver\share\Certs"

# Enter your Windows Certificate Authority information below.
# Make sure it responds to certutil and web requests.
$rootCA = "dc.base.local"
$rootCAName = "BASE-DC-CA"
$email = "[email protected]"
$org = "NetNerds"
$city = "Kaplan"
$state = "LA"
$country = "US"

# Make sure you follow Derek Seaman's instructions
# to create a new certificate template @ http://goo.gl/m98FE
$certTemplate = "CertificateTemplate:VMware-SSL"

# Enter the path of your openssl.exe (0.x and 1.x are supported).
# If you don't have OpenSSL already, the script will download it for you.
$openssldir = "C:\OpenSSL-Win32"

If you are interested in the approximate steps taken, you can browse the vSphere 5.1 SSL replacement post. Just be aware that the SSO section does not apply.

All SSL Certificate Replacement Posts and Scripts in this Series

vSphere 4.1-5.0 SSL Generation and Replacement Post Script
vSphere 5.1 SSL Generation and Replacement Post Script
ESX Certificate Generation and Upload Post Script
NetApp Virtual Storage Console SSL Generation and Replacement Post Script
Site Recovery Manager SSL Generation and Replacement Post Script
VMware View Composer SSL Generation and Replacement Post Script
VMware Horizon View SSL Generation and Replacement Post Script

Chrissy is a PowerShell MVP who has worked in IT for nearly 20 years, and currently serves as a Sr. Database Engineer in Belgium. Always an avid scripter, she attended the Monad session at Microsoft’s Professional Developers Conference in Los Angeles back in 2005 and has worked and played with PowerShell ever since. Chrissy is currently pursuing an MS in Systems Engineering at Regis University and helps maintain RealCajunRecipes.com in her spare time. She holds a number of certifications, including those relating to SQL Server, SuSE Linux, SharePoint and network security. She recently became co-lead of the SQL PASS PowerShell Virtual Chapter. You can follow her on Twitter at @cl.

Posted in PowerShell, Security, VMware

Leave a Reply

Your email address will not be published. Required fields are marked *