You can use OpenSSL to create keys and certificates and a root Certificate Authority (CA).

VMware products implement the OpenSSL libraries and toolkits to generate the default certificates that vSphere creates during the installation process. VMware recommends that you install certificates that are signed by a commercial Certificate Authority (CA). However, you have the option to use OpenSSL to create keys and certificates and a root CA, if appropriate. You can download OpenSSL from http://www.openssl.org.

The examples are run from a Windows host machine and assume that the OpenSSL home directory is c:\openssl\bin.

Inside the openssl\bin directory, you can create subdirectories to contain your keys, certificates, and other files. The syntax examples that appear assume a flat directory structure.

The instructions assume that a single, self-signed root CA is used to sign all certificate signing requests (CSRs).

To create your own root CA and keys, secure the host system that you use to create the local root CA certificate and its private key. The private key associated with the root CA must remain private: anyone who holds it can issue certificates that every system trusting your root will accept.

VMware recommends creating keys, CSRs, and other security-related artifacts on trusted, air-gapped physical hardware over which you have complete control. VMware also recommends using a hardware RNG (random-number generator) to generate random numbers that have the appropriate characteristics (sufficient degree of entropy, for example) for cryptographic purposes.

1. VMware products implement the OpenSSL libraries and toolkits to generate the default certificates that are created during the installation process. You can use OpenSSL to create certificate-signing requests (CSRs).

2. To replace the default certificates with certificates signed by your own local CA, you must create a root CA.

3. You must generate a certificate-signing request (CSR) for each system that requires a replacement certificate.

4. If you choose to install self-signed certificates, you can create them using OpenSSL.

5. The rui.pfx file is a concatenation of the system's certificate and private key, exported in the PFX format. The file is copied to the subdirectory on the vCenter Server system.

6. After the replacement certificate is installed, all host passwords and the database password are re-encrypted using the new certificate.
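The whole sequence outlined above, as an added example that is not part of VMware's documentation: a local root CA is created, a host CSR is generated and signed by that CA, the self-signed alternative is produced for comparison, and the certificate and key are exported as rui.pfx. It runs in a POSIX shell rather than the Windows command prompt the page assumes (the OpenSSL commands are the same), uses a scratch directory in place of c:\openssl\bin, and every subject name, the host name vcenter.example.lab and the PFX pass phrase are constructed placeholders. It goes a little beyond the page by finishing with the checks a practitioner runs before copying anything to the vCenter Server system: the chain verifies against the root, the self-signed certificate does not, the PFX opens and carries the expected subject, and the CA key is readable only by its owner.

```shell
#!/bin/sh
# Added example, not VMware's own code: local root CA -> host CSR -> CA-signed host
# certificate -> rui.pfx, plus the self-signed alternative. All names, subjects and
# the PFX pass phrase are constructed; a scratch directory stands in for c:\openssl\bin.
set -eu
umask 077                                  # every file, keys included, is created owner-only
WORKDIR="$(mktemp -d)"
PFX_PASS="change-me-example"               # placeholder: choose your own export pass phrase
HOST_FQDN="vcenter.example.lab"            # constructed host name for the CSR

# Minimal OpenSSL config so the result does not depend on the system openssl.cnf.
write_openssl_config() {
  cat > "$WORKDIR/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST_FQDN
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
}

# Step 2: root CA private key and self-signed CA certificate (10 years).
create_root_ca() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORKDIR/rootca.key"
  openssl req -x509 -new -sha256 -days 3650 -key "$WORKDIR/rootca.key" \
    -config "$WORKDIR/ca.cnf" -extensions v3_ca \
    -subj "/C=US/O=Example Lab/CN=Example Local Root CA" -out "$WORKDIR/rootca.crt"
}

# Step 3: per-host private key and CSR (the CSR itself carries no private material).
create_host_csr() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORKDIR/host.key"
  openssl req -new -sha256 -key "$WORKDIR/host.key" -config "$WORKDIR/ca.cnf" \
    -subj "/C=US/O=Example Lab/CN=$HOST_FQDN" -out "$WORKDIR/host.csr"
}

# Sign the CSR with the root CA; this is the only step that touches the CA key.
sign_host_csr() {
  openssl x509 -req -sha256 -days 825 -in "$WORKDIR/host.csr" \
    -CA "$WORKDIR/rootca.crt" -CAkey "$WORKDIR/rootca.key" -CAcreateserial \
    -extfile "$WORKDIR/ca.cnf" -extensions v3_server -out "$WORKDIR/host.crt" 2>/dev/null
}

# Step 4 alternative: a self-signed host certificate, signed by the host's own key.
create_self_signed() {
  openssl req -x509 -new -sha256 -days 825 -key "$WORKDIR/host.key" \
    -config "$WORKDIR/ca.cnf" -extensions v3_server \
    -subj "/C=US/O=Example Lab/CN=$HOST_FQDN" -out "$WORKDIR/selfsigned.crt"
}

# Step 5: bundle certificate + private key (+ the CA certificate) into rui.pfx.
export_pfx() {
  openssl pkcs12 -export -in "$WORKDIR/host.crt" -inkey "$WORKDIR/host.key" \
    -certfile "$WORKDIR/rootca.crt" -name rui -out "$WORKDIR/rui.pfx" -passout "pass:$PFX_PASS"
}

# Checks to run before copying anything to the vCenter Server system.
verify_against_root() { openssl verify -CAfile "$WORKDIR/rootca.crt" "$1" >/dev/null 2>&1; }
cert_issuer() { openssl x509 -noout -issuer -in "$1"; }
pfx_subject() {
  openssl pkcs12 -in "$WORKDIR/rui.pfx" -passin "pass:$PFX_PASS" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject
}
key_perms() { ls -l "$1" | cut -c1-10; }   # expect -rw------- : the CA key stays private

run_all() {
  write_openssl_config
  create_root_ca
  create_host_csr
  sign_host_csr
  create_self_signed
  export_pfx
  echo "work dir:         $WORKDIR"
  echo "host cert issuer: $(cert_issuer "$WORKDIR/host.crt")"
  echo "rui.pfx subject:  $(pfx_subject)"
  echo "root key perms:   $(key_perms "$WORKDIR/rootca.key")"
}
run_all
```

The config file is deliberately self-contained so that CA:TRUE lands only on the root and CA:FALSE plus serverAuth on the host certificate, whatever the system openssl.cnf says; the self-signed certificate is kept only to show that a trust store holding your root accepts the CA-signed certificate and rejects the self-signed one, which is the practical difference between steps 2 and 4.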