Re: replace SSL certificates with AutoDeploy (vCenter 5.1)

Thanks to information provided by Derek’s blog and jhanekom’s post I’ve put together the steps to use a Microsoft Enterprise Subordinate CA to issue new certificate to AutoDeployed hosts and steps to replace the AutoDeploy vCenter plug-in certificate.

Test lab environment:

VM1 – Windows 2008R2 SP1, Domain Controller, Microsoft Root CA

VM2 - Windows 2008R2 SP1, vCenter 5.1b, Microsoft Subordinate CA

1. Install Enterprise MS Root CA on DC VM1
2. Install Enterprise Subordinate CA on vCenter VM2
3. Install openssl on vCenter VM2 and add openssl\bin folder to System path
4. Backup the Subordinate CA private and public key
   • Make sure you select Private key and CA certificate checkbox
   • Remember the password, will be used later
   • Output file should be a <SubCA>.p12 file
5. Extract the public and private
   • openssl.exe pkcs12 -in SubCA.p12 -clcerts -nokeys -out rbd-ca.crt
   • openssl.exe pkcs12 -in SubCA.p12 -nocerts -nodes | openssl.exe rsa > rbd-ca.key
6. Install VMware AutoDeploy
7. Stop vmware-autodeploy-waiter service
8. Backup the following files: (Do not delete the rbd-ca.srl file)
   • C:\ProgramData\VMware\VMware vSphere Auto Deploy\ssl\ rbd-ca.crt
   • C:\ProgramData\VMware\VMware vSphere Auto Deploy\ssl\ rbd-ca.key
   • C:\ProgramData\VMware\VMware vSphere Auto Deploy\ssl\ rui.crt
   • C:\ProgramData\VMware\VMware vSphere Auto Deploy\ssl\ rui.key
9. Replace rbd-ca.crt and rbd-ca.key from step 5
10. If you have generated a CA signed vCenter certificate based on Derek's blog replace the rui.crt and rui.key then run the following command per jhanekom’s post.  Note: I had to add the –f to force registration.
    • D:\Program Files (x86)\VMware\VMware vSphere Auto Deploy\autodeploy-register.exe" -R -a <vCenter_FQDN>  -u <vCenter_Admin_Acct> -w <password> -s "C:\ProgramData\VMware\VMware vSphere Auto Deploy\vmconfig-autodeploy.xml" –f
11. Start vmware-autodeploy-waiter service
12. Browse to https://<vCenter_FQDN>:6501/vmw/rbd/tramp to verify CA signed vCenter certificate.  This verifies step 10 above.
13. Complete the AutoDeploy setup per VMware documentation (DHCP, TFTP, PowerCLI, VIB’s etc.)
14. AutoDeploy an ESXi host and verify the host certificate was generated by the SubCA. This verifies steps 1-9 above.
    • Browser to https://<ESXi_host_fqdn>
    • Check the certificate for the host found here:

                    C:\ProgramData\VMware\VMware vSphere Auto Deploy\ssl\<ESXi_host>\rui.crt