Today we are going to install a custom, CA-signed certificate for our new instance of vROps.
VMware published information about the certificate requirements (in short: .pem file, full certificate chain required), as well as a procedure to update the certificate. However, this procedure is limited (it does not configure the certificate, for instance), so we are going to expand on this part a little. As in previous articles, we are using a Microsoft-based certificate authority.
In part 3, we finished the setup of our appliance. But if we really want a polished installation, we still have a “little” thing to do: replace the self-signed certificates with certificates signed by our internal Certificate Authority.
Let’s be honest: replacing certificates for the vSphere platform has always been a mess (to say the least)! But thanks to the great work of Michael Webster and Derek Seaman, things got better! First, they produced clear procedures to replace the certificates. Then Derek went a step further and wrote a PowerShell script that automates the first part of the process (certificate generation).
In parallel, VMware greatly improved its own documentation (… maybe with the support of the two guys above), and even has a tool which can update certificates on some VMware products… But not the vCSA!
Let’s sum it up: we are still waiting for the perfect tool, but in the meantime, there are clear (but lengthy) procedures to update the certificates. And so… Let’s do it!