替换 VMware vCenter Server Appliance 5.5 证书

1. 修改主机的IP、域名、主机名符合新证书的要求,将Certificate regeneration enabled改为Yes,Reboot vCenter,再将Certificate regeneration enabled改为No。

2. 停止服务:

service vmware-stsd stop
service vmware-vpxd stop


service vmware-rbd-watchdog stop
rm /var/vmware/vpxd/autodeploy_registered

2. 把证书、私钥、证书链传到ssl/vpxd下面,文件名分别为:证书rui.crt,私钥rui.key,证书链cachain.pem,内容为证书链的逆序文件最后应该为自签名的RootCA,合并证书和证书链

cd
mkdir ssl
mkdir ssl/vpxd
mkdir ssl/inventoryservice
mkdir ssl/logbrowser
mkdir ssl/autodeploy
cd ssl/vpxd
……
cat rui.crt cachain.pem > chain.pem

3. 替换vpxd证书

cd
cd ssl/vpxd
/usr/sbin/vpxd_servicecfg certificate change chain.pem rui.key

返回VC_CFG_RESULT = 0 表示成功,如果非0请看这里

4. 替换vCenter Inventory Service证书

service vmware-stsd start
cd /etc/vmware-sso/register-hooks.d
./02-inventoryservice --mode uninstall --ls-server https://server.domain.com:7444/lookupservice/sdk
cd
cp ssl/vpxd/* ssl/inventoryservice/
cd ssl/inventoryservice/
openssl pkcs12 -export -out rui.pfx -in chain.pem -inkey rui.key -name rui -passout pass:testpassword
cp rui.key /usr/lib/vmware-vpx/inventoryservice/ssl
cp rui.crt /usr/lib/vmware-vpx/inventoryservice/ssl
cp rui.pfx /usr/lib/vmware-vpx/inventoryservice/ssl
cd /usr/lib/vmware-vpx/inventoryservice/ssl/
chmod 400 rui.key rui.pfx
chmod 644 rui.crt
cd /etc/vmware-sso/register-hooks.d
./02-inventoryservice --mode install --ls-server https://server.domain.com:7444/lookupservice/sdk --user administrator@vSphere.local --password sso_administrator_password
rm /var/vmware/vpxd/inventoryservice_registered
service vmware-inventoryservice stop
service vmware-vpxd stop
service vmware-inventoryservice start
service vmware-vpxd start

5. 替换VMware Log Browser service证书

cd /etc/vmware-sso/register-hooks.d
./09-vmware-logbrowser --mode uninstall --ls-server https://server.domain.com:7444/lookupservice/sdk
cd
cp ssl/vpxd/* ssl/logbrowser/
cd ssl/logbrowser/
openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui -passout pass:testpassword -out rui.pfx
cp rui.key /usr/lib/vmware-logbrowser/conf
cp rui.crt /usr/lib/vmware-logbrowser/conf
cp rui.pfx /usr/lib/vmware-logbrowser/conf
cd /usr/lib/vmware-logbrowser/conf
chmod 400 rui.key rui.pfx
chmod 644 rui.crt
cd /etc/vmware-sso/register-hooks.d
./09-vmware-logbrowser --mode install --ls-server https://server.domain.com:7444/lookupservice/sdk --user administrator@vSphere.local --password sso_administrator_password
service vmware-logbrowser stop
service vmware-logbrowser start

6. 替换vSphere Auto Deploy证书

cd
cp ssl/vpxd/* ssl/autodeploy/
cp ssl/autodeploy/rui.crt /etc/vmware-rbd/ssl/waiter.crt
cp ssl/autodeploy/rui.key /etc/vmware-rbd/ssl/waiter.key
cd /etc/vmware-rbd/ssl/
chmod 644 waiter.crt
chmod 400 waiter.key
chown deploy:deploy waiter.crt waiter.key
service vmware-rbd-watchdog stop
rm /var/vmware/vpxd/autodeploy_registered
service vmware-vpxd restart

7. Reboot vCenter