VMware vSphere

 View Only
Back to Library

Script to replace vCentre 5.1 Single Sign On Certificates 

Oct 03, 2012 10:54 AM

Anyone who has looked into replacing the vCentre Single Sign On certificates will know that doing this is a pain.  So, I have created a script which will hopefully improve things.  This simple batch file script will automate the procedure detailed in pages 12 - 14 of the "Replacing Default vCentre and ESXi Certificates" document http://www.vmware.com/files/pdf/techpaper/vsp_51_vcserver_esxi_certificates.pdf

This script assumes that you have just installed \ upgraded vCentre to 5.1 and have generated the required rui.key, rui.crt and rui.pfx certificate files required by vCentre to update SSO.  Also, it assumes that all vCentre components are installed in their default locations.

Create a directory to store the certificates (I recommend using a path without any spaces)

Copy rui.key, rui.crt and rui.pfx certificate files into this directory

Copy ReplaceSSOCerts.cmd into this directory

Open an elevated command prompt and browse to the directory above

Now run the script:

ReplaceSSOCerts.cmd %FQDNOFVCENTRE% %CERTDIR% %PASSWORD%

%PASSWORD% is the password used for the admin@System-Domain account

Below is an example of the script in action (Removed vCentre FQDN from output)

If you have any improvements to the script then let me know and I will happily update it.

[Jurgen Van de Perre]

UPDATE 30/01/2013 - Updated the script to version 0.2 to comply with the SSL pointing to the Root64.cer in the properties file and the SSO using the Java KeyStore file.

The following things have changed:

  1. Changed the second parameter to KeyStore-Dir (looks for the root-trust.jks file)
  2. Added a fourth parameter to add the Root64.cer directory location
  3. Updated the Script usage with these parameters
  4. Changed the filetest to also look if the root-trust.jks file exists in the Certificate Directory
  5. Test if the script can locate the Root64.cer file
  6. Updated the properties file according to http://www.vmware.com/files/pdf/techpaper/vsp_51_vcserver_esxi_certificates.pdf (page 20) to use the JKS in the SSL parameter.
  7. Changed the ssocli configure-riat command to use the root-trust.jks

The command for v2 is "ReplaceSSOCerts.cmd <SSO Server FQDN> <Certificates directory containing root-trust.jks> <Admin-Passsword> <Root64.cer directory>"

This script should now be up to date with the latest instructions from vmware. I uploaded it as Replace SSOCertsv_2.cmd. I have tested it also in my lab environment and works perfectly:

Disclaimer:  This script has only been used in a limited lab environment and should not be used in a production environment without   prior testing

Statistics
0 Favorited
0 Views
0 Files
0 Shares
0 Downloads

Tags and Keywords

Comments

ealaqqad
Apr 05, 2013 02:51 PM

While this script worked great at a time, VMware has just released  vCenter Certificate Automation Tool 1.0 which can help you replace vCenter, SSO, Web Client, vCO certificates with easy. You can download the tool at: https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/5_1#drivers_tools

I have just posted a brief post about it at: How to replace vCenter 5.1, SSO, Web Client, vCO Certificates

Many others as well have blogged about the tool, but if you don't have the time to read all of these make sure you at least read the following KB before using the tool: http://kb.vmware.com/kb/2041600

Hope this help & Enjoy the new tool! It will be nice if you can comment on when this script will be of a better use case than the vCenter Certificate Automation Tool, as I am sure there will be few cases for that as the tool is still not perfect and have some limitations & known issues as pointed out in the KB.

Regards,

Eiad Al-Aqqad

B: http://www.Virtualizationteam.com

B: http://www.TSMGuru.com

Jvdp
Feb 01, 2013 10:13 AM

You were absolutely right. I have uploaded the fully correct script on this page. Seems I mixed up the script I used for my lab and the one I created first :-) Thanks for the update! :smileyblush:

skiser
Feb 01, 2013 03:41 AM

Thank you for this script!!!  I did have one issue running it, though.  Line 144 of the v2 script references Root64.crt instead of Root64.cer (such as in line 116 and 130).  I changed that at it ran with no errors.

Thanks again!

DSeaman
Jan 31, 2013 04:21 AM

Excellent, thanks! I've put a link to this page in my Part 3 vCenter 5.1 Installation series. I used your first version and it was a great time saver!

http://derek858.blogspot.com/2012/09/vmware-vcenter-51-installation-part-3.html

Jvdp
Jan 30, 2013 08:20 PM

I have updated the script and entered the modifications in the document. v2 should be fully compliant with the new KB articles.

DSeaman
Jan 28, 2013 03:56 AM

The script needs to be updated to follow the latest VMware KB articles for replacing the SSO service. The script sets the "ssl" value to the incorrect certificate, among other issues. Until the script is updated, I would use the manual replacment method.

bobalob
Nov 08, 2012 03:20 PM

Simplifies the process no end. Thanks!

Related Entries and Links

No Related Resource entered.