vSphere 5 SSL Certificates – Mass Generation

I have been doing a lot of work with SSL certificates on vSphere, EMC storage and Brocade switches over the last few weeks. Of course, most of the certificates that needed to be generated were for the vSphere environment. To get started I read through VMware KB 2015421 and that gave me the rundown on the steps I needed to take:

  1. Download and install OpenSSL
  2. Modify the openssl.cfg file with parameters for the vmhost/vcenter
  3. Generate the certificate signing request (.csr) and private key
  4. Use the certificate signing request to get a public certificate (third-party CA or internal CA)
  5. Replace the self-signed certificate and private key with the private key and certificate from steps 3 and 4

The aforementioned knowledge base article doesn’t hit on all the required steps, or any gotchas.  I came across a blog post on Michael Webster’s blog that contained some gotchas and common mistakes people make when implementing SSL certificates on vSphere 5 – check it out. A really great tutorial by Julian Wood goes through the entire process from setting up your own root CA, to generating and replacing the SSL certificates for vCenter.

I started to go through this in my environment and began the process of generating the certificate signing requests. This got monotonous REALLY fast, so I decided to write a PowerCLI script to automate this part of the process.

Here is the script:

Before this will work you must have a proper sample configuration contained within the openssl.cfg file. Get the sample configuration here. Copy the contents and replace whatever is in openssl.cfg.

A few notes about the script:

  • This script assumes your DNS infrastructure is solid. All your hosts must have A records and reverse (PTR) records in DNS to properly generate the signing request
  • Line 6 is where you set the location where you want the certificate signing requests to be stored. For some reason the script errors out if there is a space in the path (haven’t had time to troubleshoot) so DON’T USE A SPACE
  • Don’t connect to vCenter through PowerCLI with an IP address or the certificate signing request for vCenter won’t generate properly
  • Uncomment lines 98 and 166 if you want the script to delete the configuration files when it’s done. I left this commented out so you can view the configuration files to ensure all of the information is accurate. CHECK AT LEAST ONE OF THESE TO MAKE SURE EVERYTHING (commonName, subjectAltName) IS CORRECT

This is a bit of information to consume so let me sum up the steps in order to run the script and successfully generate certificate signing requests:

  1. Read through the VMware KBs as well as Michael Webster’s blog post
  2. Download OpenSSL – choose the right version for your system, 32bit or 64bit
  3. After installing, replace the contents of the openssl.cfg file with a sample vSphere configuration
  4. Use PowerCLI to connect to your vCenter instance using the NETBIOS name or FQDN
  5. Modify generate-ssl.ps1 (copy and save as generate-ssl.ps1)
    • $openssldir – set the openssl directory
    • $rootdir – set the directory where you want the certificate signing request to be stored
    • Modify information for the signing request for your environment
      • $country
      • $state
      • $local
      • $orgname
      • $orgunit
      • $email
  6. Run generate-ssl.ps1
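As an added illustration (this is not the post’s own generate-ssl.ps1), here is a PowerCLI loop that does the core of steps 3 to 6 for each ESXi host: it resolves the host in DNS, writes a KB 2015421-style openssl.cfg with the commonName and subjectAltName filled in, and calls openssl to produce the CSR and private key. It assumes Connect-VIServer has already been run against vCenter by FQDN, that the hosts were added to vCenter by FQDN, and that the $openssldir and $rootdir values are adjusted for your system.

```powershell
# Added example, not the post's script. Assumes PowerCLI is loaded and
# Connect-VIServer has been run; placeholder paths and DN values below.
$openssldir = 'C:\OpenSSL-Win64\bin'
$rootdir    = 'C:\certs'            # keep this free of spaces, per the post's caveat
$country = 'US'; $state = 'NY'; $local = 'New York'
$orgname = 'Example Corp'; $orgunit = 'vSphere'; $email = 'vmware-admin@example.com'

function New-VSphereCsr {
    param([string]$Fqdn)
    # Forward lookup must succeed; the SAN carries short name, FQDN and IPv4 address
    $entry = [System.Net.Dns]::GetHostEntry($Fqdn)
    $ip    = ($entry.AddressList | Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
              Select-Object -First 1).IPAddressToString
    $short = $Fqdn.Split('.')[0]
    $dir   = Join-Path $rootdir $short
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    $cfg = @"
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:$short, IP:$ip, DNS:$Fqdn

[ req_distinguished_name ]
countryName = $country
stateOrProvinceName = $state
localityName = $local
0.organizationName = $orgname
organizationalUnitName = $orgunit
commonName = $Fqdn
emailAddress = $email
"@
    $cfgPath = Join-Path $dir 'openssl.cfg'
    Set-Content -Path $cfgPath -Value $cfg -Encoding Ascii
    # Paths are quoted when handed to openssl; the key is written unencrypted (-nodes)
    & (Join-Path $openssldir 'openssl.exe') req -new -nodes -sha256 `
        -out "$dir\rui.csr" -keyout "$dir\rui.key" -config "$cfgPath"
    # Print the CSR so commonName and subjectAltName can be checked before submission
    & (Join-Path $openssldir 'openssl.exe') req -in "$dir\rui.csr" -noout -text
}

Get-VMHost | ForEach-Object { New-VSphereCsr -Fqdn $_.Name }
```

The generated openssl.cfg is left in each host’s folder so the DN and SAN can be reviewed, matching the post’s advice to check at least one of them.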


I’ve run this in a few different environments and have been successful. If you have any issues with it please don’t hesitate to contact me and I’ll work with you to get it going properly. SSL certificates aren’t the sexiest thing in the world, but after a few drinks… happy vSphere SSL’ing!
