Changing vSphere Web Client certificate
So, you upgraded to VMware vSphere 5 and installed the Web Client. Welcome to the club. Now it’s time to change the SSL certificate from self-signed to something your browser recognizes as trusted. In my case there is already a valid wildcard certificate for *.domain.tld, so let’s use that one.
First, find your private key, the certificate file and the chain certificate. I’m using Linux myself, but OpenSSL is available for Windows too. Let’s copy them together into a working directory.
mba:demo randy$ ls -lha
total 24
drwxr-xr-x 5 rtenhave staff 170B Aug 20 13:05 .
drwxr-xr-x 6 rtenhave staff 204B Aug 20 13:04 ..
-rw-r--r-- 1 rtenhave staff 3.8K Aug 20 13:04 DigiCertCA.crt
-rw-r--r-- 1 rtenhave staff 2.4K Aug 20 13:04 star_domain.tld.crt
-rwxr-xr-x 1 rtenhave staff 1.6K Aug 20 13:04 star_domain.tld.key
As you can see we have three files. Let’s create one file that can be used on Windows by the Tomcat Java server that the vSphere Web Client runs on. We need to create a so-called PKCS#12 certificate bundle that includes the private key, the certificate and the chain file. We use OpenSSL for this.
openssl pkcs12 -export -out star_domain.tld.pfx -inkey star_domain.tld.key -in star_domain.tld.crt -certfile DigiCertCA.crt
The application will ask for an export passphrase. The default passphrase used by Tomcat is testpassword. You can find it on your vCenter server in the file tomcat-server.xml, located in the folder C:\Program Files\VMware\Infrastructure\vSphereWebClient\DMServer\config. You can change it or leave it; that’s up to you, but if you do change it, the passphrase in tomcat-server.xml has to match. Since the Tomcat configuration file is readable by all users and the password is stored in plain text, changing it does not really make sense. I’ll skip the security part and why VMware should use the keyring for that. Maybe another time…
Now transfer the new .pfx bundle to your vCenter server and place it in the folder C:\Program Files\VMware\Infrastructure\vSphereWebClient\DMServer\config\ssl. I’d suggest taking a backup of the old certificate first.
Now restart the services and your new certificate is in use.
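The OpenSSL step above, wrapped in a small script that first checks the private key actually belongs to the certificate and then counts the certificates that ended up in the bundle. This is an added example, not part of the original post: it assumes openssl is on PATH, uses the file names from the post, and reads the export passphrase from the PFX_PASS environment variable (defaulting to Tomcat’s testpassword) so it never appears on the command line.

```shell
#!/bin/sh
# Added example, not from the original post: build the PKCS#12 bundle that the
# vSphere Web Client's Tomcat expects, and sanity-check it before copying it
# over. Assumes openssl is on PATH; file names follow the post (star_domain.tld.*).
set -eu

# Tomcat's default keystore passphrase from the post; override via PFX_PASS.
# Passing it through the environment keeps it out of shell history and `ps` output.
PFX_PASS=${PFX_PASS:-testpassword}
export PFX_PASS

# Refuse to bundle a private key that does not belong to the certificate:
# a mismatch only shows up as a failed TLS handshake after the service restart.
key_matches_cert() {
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  cert_pub=$(openssl x509 -in "$2" -noout -pubkey)
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Build the .pfx: private key + leaf certificate + issuing chain (DigiCertCA.crt).
build_pfx() {
  key=$1 cert=$2 chain=$3 out=$4
  key_matches_cert "$key" "$cert" || {
    echo "$key does not match $cert; refusing to build $out" >&2
    return 1
  }
  openssl pkcs12 -export -out "$out" -inkey "$key" -in "$cert" \
    -certfile "$chain" -passout env:PFX_PASS
}

# Count the certificates in the finished bundle: leaf + chain, so 2 expected.
count_certs_in_pfx() {
  openssl pkcs12 -in "$1" -nokeys -passin env:PFX_PASS | grep -c 'BEGIN CERTIFICATE'
}

# Usage: sh make_pfx.sh star_domain.tld.key star_domain.tld.crt DigiCertCA.crt star_domain.tld.pfx
if [ $# -eq 4 ]; then
  build_pfx "$1" "$2" "$3" "$4"
  echo "$4 written with $(count_certs_in_pfx "$4") certificate(s)"
fi
```

Copy only the resulting .pfx to the vCenter server; the .key file stays where it was.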