Today VMware announced their first stab at helping customers manage the SSL certificate replacement challenge that we face with vSphere 5.1: VMware vCenter Certificate Automation Tool v1.0. For anyone that has followed my 15-part series on vSphere 5.1 installation, you will know the certificate portions are quite a challenge and a source of major headaches and hair loss.
The new tool is called vCenter Certificate Automation 1.0, and will replace the certificates for:
- vCenter Server
- vCenter Single Sign On
- vCenter inventory service
- vSphere web client
- vCenter log browser
- VMware Update Manager
- vCenter Orchestrator
VMware has a KB article which goes into great detail about how to use the tool and the known issues. It’s critical you read the Known Issues section, as there’s a long list of issues to be aware of. One of the biggies to me is the unsupported case of registering VUM to vCenter using the FQDN. This is standard practice in all of my configurations, so for now v1.0 of this tool won’t be a complete solution. There are also some roll-back issues, so just to be safe I would make sure you have a complete backup of your server and related databases, in case things go sideways.
It’s great to see VMware try to ease the pain created by the way they’ve implemented SSL certificates. I hope in future versions that under the covers they do some major re-work of the SSL architecture so that it no longer requires such complex and tedious steps or specialized tools to implement what I consider basic modern security. The Horizon View team got certificates “right” starting with 5.0.
You can find a four-part series on using the tool in the real world here. I encourage everyone to check out that series, so you can get a feel for how the process works.