
Re: vCenter Server Appliance: Where do I upload SSL certificate?

Let's see if I can help out some more here. I have a feeling this is going to become a blog posting when I get the time, but I started from scratch with a new VCMA and went through the process:


  1. Import the appliance
  2. Configure the IP address and hostname (stuff the hostname into /etc/HOSTNAME and configure a lookup in /etc/hosts or DNS)
  3. (I rebooted here since I was trying to keep things clean -- don't know if it is required)
  4. Assume you follow the directions to get a CSR generated and use that to get a CER issued (Base64 encoded).
  5. Copy that CER to the VCMA
  6. Log in as root to the VCMA and change to a directory where the .cer and .key files live


NOTE: make sure you convert the line endings to UNIX from DOS if you issued the certs from Windows.

awk is fantastic for this:

# awk '{sub(/\r$/,"");print}' vcma01.cer_FROM_WINDOWS >vcma01.cer_FOR_UNIX

From here, you need to do a couple of things. You can use the web UI or the CLI, whichever works for you.

  1. Accept the EULA
    vpxd_servicecfg eula accept
  2. Initialize the database -- I'm using the embedded one
    vpxd_servicecfg db write embedded
  3. Swap out the certificates
    vpxd_servicecfg certificate change vcma01.cer vcma01.key


Each of the above 3 returned VC_CFG_RESULT=0 and things looked pretty good. Checking the fingerprints of my CER and the two at the following locations showed a successful swap (fingerprints matched):

# /usr/bin/openssl x509 -fingerprint -noout -in /opt/vmware/etc/lighttpd/server.pem

# /usr/bin/openssl x509 -fingerprint -noout -in /etc/vmware-vpx/ssl/rui.crt

Next was to start up the vCenter services (again, you can also use the web UI):

# /usr/sbin/vpxd_servicecfg service start

Another result of VC_CFG_RESULT=0

So far, so good.

Let me know if this works for you...


UPDATE: I have tested the VCMA's HTTPS web page, vSphere client authentication, and PowerCLI. I have not been presented with the 'untrusted certificate' warnings in any of those cases.

NOTE: it may or may not be obvious to people that your root CA's (and any intermediate issuing CAs') certificates need to be in the proper place on your client(s) in order for the chain of trust to be recognized properly.


Message was edited by: DougBaer
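As an added example (not part of DougBaer's post or of VMware's tooling), a small POSIX sh pre-flight for the swap described above: it normalizes line endings the way the awk one-liner does, checks the PEM is complete, confirms the .key actually matches the .cer, and compares the fingerprint of your CER against the two appliance paths the post lists. The file names vcma01.cer / vcma01.key and the two paths are taken from the post; everything else is assumed.

```shell
#!/bin/sh
# Added pre-flight checks for the vCenter appliance certificate swap.
# Assumes the post's file names (vcma01.cer, vcma01.key) and its two
# on-appliance certificate paths; run it on the VCMA as root.

# Strip DOS (CRLF) line endings, same as the post's awk one-liner.
to_unix() {
    awk '{sub(/\r$/,"");print}' "$1" > "$2"
}

# Return 0 if the file still contains carriage returns (DOS endings).
has_cr() {
    grep -q "$(printf '\r')" "$1"
}

# Return 0 only if both PEM markers are present; a truncated paste is a
# common reason 'vpxd_servicecfg certificate change' rejects a file.
pem_is_complete() {
    grep -q -- '-----BEGIN' "$1" && grep -q -- '-----END' "$1"
}

# SHA-1 fingerprint of a certificate, value only (AB:CD:...).
cert_fingerprint() {
    openssl x509 -sha1 -fingerprint -noout -in "$1" | cut -d= -f2
}

# Confirm the private key belongs to the certificate (RSA modulus match).
key_matches_cert() {
    c=$(openssl x509 -noout -modulus -in "$1" | openssl md5)
    k=$(openssl rsa  -noout -modulus -in "$2" | openssl md5)
    [ "$c" = "$k" ]
}

# After the swap, both appliance copies must carry your CER's fingerprint.
verify_swap() {
    want=$(cert_fingerprint "$1")
    for f in /opt/vmware/etc/lighttpd/server.pem /etc/vmware-vpx/ssl/rui.crt; do
        got=$(cert_fingerprint "$f")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH: $f has $got, expected $want" >&2
            return 1
        fi
        echo "OK: $f matches $want"
    done
}

# Typical run, before and after 'vpxd_servicecfg certificate change':
#   to_unix vcma01.cer_FROM_WINDOWS vcma01.cer && pem_is_complete vcma01.cer
#   key_matches_cert vcma01.cer vcma01.key && verify_swap vcma01.cer
```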
