
VMware KB: Accessing a vCenter Server using Web access or vSphere C...

http://kb.vmware.com/selfservice/microsites/search.do?language=en_U...

Symptoms
Accessing vCenter Server using Web access or vSphere Client fails.
You see the error:

Security Warning
Certificate Warnings
An untrusted SSL certificate is installed on "vCenter_FQDN" and secure communication cannot be guaranteed. Depending on your security policy, this issue might not represent a security concern. You may need to install a trusted SSL certificate on your server to prevent this warning from appearing.
Click Ignore to continue using the current SSL certificate.

Resolution
This issue occurs if the self-signed certificate of the vCenter Server is not trusted or the FQDN or shortname of the vCenter Server changed after the initial installation. To resolve this issue, you must create a self-signed certificate for your vCenter Server.

Note: If you are using custom or CA signed certificates, see Replacing vCenter Server Certificates (http://www.vmware.com/pdf/vsp_4_vcserver_certificates.pdf).

To create a self-signed certificate:

1. Download and install OpenSSL from http://gnuwin32.sourceforge.net/packages/openssl.htm.


Note: The preceding link was correct as of June 02, 2010. If you find the link is broken, provide feedback and a VMware employee will update the link.

2. Create a folder named openssl in C:\

3. Open command prompt and navigate to C:\Program Files\GnuWin32\bin.
Note: You may need to run the command prompt as administrator in order for the below commands to work.

4. Run these commands to create the SSL certificates:


openssl genrsa 1024 > c:\openssl\rui.key


openssl req -new -key c:\openssl\rui.key > c:\openssl\rui.csr -config "C:\Program Files\GnuWin32\share\openssl.cnf"

Note: Provide the necessary information about the certificate, such as country, organization, name, and email ID, and enter the FQDN or NetBIOS name of the vCenter Server in the Common Name field. You do not have to specify a passkey in this step.

openssl x509 -req -days 730 -in c:\openssl\rui.csr -signkey c:\openssl\rui.key -out c:\openssl\rui.crt

openssl pkcs12 -export -in c:\openssl\rui.crt -inkey c:\openssl\rui.key -passout pass:testpassword -out c:\openssl\rui.pfx

5. To replace the certificates on vCenter Server:
   a. Copy the existing rui.key, rui.crt, and rui.pfx files from C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL\ to a backup folder.
   b. Copy the custom rui.key, rui.crt, and rui.pfx files to C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL\.
      Note: For Windows Server 2008, copy the files to C:\ProgramData\VMware\VMware VirtualCenter\SSL\

6. Stop the VirtualCenter Server service. For more information, see Stopping, starting, or restarting vCenter services (1003895) (http://kb.vmware.com/kb/1003895).

7. To reset your database password, browse to the root directory of your vCenter Server installation, and run the command:

vpxd.exe -p

When prompted for your new password, enter your existing database password. When prompted to confirm your password, reenter the password.

8. Restart the VirtualCenter Server service. For more information, see Stopping, starting, or restarting vCenter services (1003895) (http://kb.vmware.com/kb/1003895).

9. To install the certificate into the trusted root CAs on the vCenter Server:
   a. Double-click the rui.crt file located at C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL\.
   b. Click Install Certificate and click Next and Next.
   c. Select Place all certificates in the following store.
   d. Select the Trusted Root Certification Authorities certificate store.
   e. Click OK, Next, Finish, and Yes.

10. Log in to vCenter Server using your new certificate.

11. If your ESX hosts are showing as disconnected, right-click on the host, follow the prompts, and connect the host using the root credentials.
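
A check to run after step 10, as an added example that is not part of the VMware article: it confirms that rui.pfx and rui.crt hold the same certificate, that the Common Name matches, that the certificate is in a Trusted Root store, and that the restarted service actually presents it. The function name, the sample host name and port 443 are assumptions; PowerShell 2.0 or later is assumed.

```powershell
# Added example: post-change checks for the rui.* files from steps 4-9.
# Test-VcCertificate is a hypothetical helper name, not a VMware cmdlet.
function Test-VcCertificate {
    param(
        [string]$Fqdn,    # the name entered as Common Name in step 4
        # Windows Server 2008 path from step 5; pass the
        # "Documents and Settings" path on older systems.
        [string]$SslDir = 'C:\ProgramData\VMware\VMware VirtualCenter\SSL',
        [int]$Port = 443  # assumption: vCenter serves HTTPS on the default port
    )
    $x509 = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
    $crt = New-Object $x509 -ArgumentList (Join-Path $SslDir 'rui.crt')
    # 'testpassword' is the export password used in step 4.
    $pfx = New-Object $x509 -ArgumentList (Join-Path $SslDir 'rui.pfx'), 'testpassword'
    $t = $crt.Thumbprint

    # Read the certificate the restarted service presents. The callback accepts
    # any certificate because the point is to inspect it, not to trust it.
    $tcp = New-Object System.Net.Sockets.TcpClient -ArgumentList $Fqdn, $Port
    try {
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList ($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($Fqdn)
        $served = New-Object $x509 -ArgumentList $ssl.RemoteCertificate
    } finally { $tcp.Close() }

    New-Object PSObject -Property @{
        PfxMatchesCrt   = ($pfx.Thumbprint -eq $t)   # same certificate in both files
        PfxHasKey       = $pfx.HasPrivateKey         # rui.key was bundled into rui.pfx
        NameMatches     = ($crt.GetNameInfo('SimpleName', $false) -eq $Fqdn)
        DaysLeft        = [int](($crt.NotAfter - (Get-Date)).TotalDays)  # -days 730 at issue
        # Step 4 generates 1024 bits; RSA below 2048 bits is no longer
        # considered adequate, so treat a small value here as a finding.
        KeyBits         = $crt.PublicKey.Key.KeySize
        InTrustedRoot   = (Test-Path "Cert:\CurrentUser\Root\$t") -or
                          (Test-Path "Cert:\LocalMachine\Root\$t")
        ServedIsNewCert = ($served.Thumbprint -eq $t)  # service picked up the new files
    }
}

# Constructed host name; replace with the real vCenter FQDN.
Test-VcCertificate -Fqdn 'vcenter01.example.local' | Format-List
```

Every Boolean should be True. ServedIsNewCert = False after a restart means the service is still presenting a certificate other than the new rui.crt.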

Permalink to: Accessing a vCenter Server using Web access or vSphere Client fails with an SSL certificate error (http://kb.vmware.com/kb/1021514)


KB: 1021514
Updated: Jun 7, 2012
Product(s): VMware vCenter Server
Product Version(s): VMware vCenter Server 4.0.x
