Before you run the vCenter Certificate Automation Tool, verify that you are running it on a supported operating system, that the tool version matches your vSphere version, that the certificates meet the certificate requirements, and that your system setup meets the system requirements.

Review the Known Issues listed in VMware Knowledge Base Article 2057340.

Supported Platforms

The tool has been tested on the following Windows operating systems.

  • Windows 2008 R2 SP1

  • Windows 2012 Standard

  • Windows 2012 R2

Tool and Product Versions

Different versions of the tool are supported with different versions of vSphere.

  • Version 1.0 of the tool is supported with vSphere 5.1

  • Version 1.0.1 of the tool is supported with vSphere 5.1 Update 1

  • Version 5.5 of the tool is supported with vSphere 5.5

Certificate Requirements

You can obtain the CA-signed certificates before you run the tool, or you can have the tool generate the certificate requests for you. Before you run the tool to replace certificates, make sure that certificates meet the following requirements:

  • The SSL certificate for each vSphere component has a unique base DN.

  • The certificates and private keys meet these requirements:

    • Private key algorithm: RSA

    • Private key length: 1024 bits or greater

    • Private key standard: PKCS#1 or PKCS#8

    • Private key storage: PEM

  • Recommended certificate signature algorithm:

    • sha256WithRSAEncryption 1.2.840.113549.1.1.11

    • sha384WithRSAEncryption 1.2.840.113549.1.1.12

    • sha512WithRSAEncryption 1.2.840.113549.1.1.13

    Note:

    The algorithms md2WithRSAEncryption 1.2.840.113549.1.1.2, md5WithRSAEncryption 1.2.840.113549.1.1.4, and sha1WithRSAEncryption 1.2.840.113549.1.1.5 are not recommended. The algorithm RSASSA-PSS with OID 1.2.840.113549.1.1.10 is not supported.

  • The certificate chain format meets these requirements:

    • Single PEM file that does not contain any comments.

    • The file starts with the header of the first certificate, that is, -----BEGIN CERTIFICATE-----.

    • Self-signed certificates are ordered from the leaf to the root.

    • No extra certificates are in the file.

    • The certificate chain is complete.

  • The path or file name for certificates and keys does not contain any of the following special characters:

    • ^ (caret)

    • % (percent)

    • & (ampersand)

    • ; (semicolon)

    • ) (closing parenthesis)

    The tool exits, throws an exception, or reports that certificate or key files are not found if it encounters those characters.
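As an added example (not part of the VMware documentation or of the tool itself), the following Python script checks a chain file against the path and chain-format rules above and reads each certificate's outer signature algorithm OID to classify it as recommended, not recommended, or not supported, using only the standard library. The sample chain it builds is constructed for the demonstration: it has the outer DER shape of a Certificate with a placeholder tbsCertificate and is not a usable certificate, and the file paths are hypothetical. It does not check the private key requirements or the leaf-to-root ordering.

```python
import base64

# Signature algorithm OIDs named on the page, with the status the page assigns them.
ALGORITHMS = {
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "recommended"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "recommended"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "recommended"),
    "1.2.840.113549.1.1.2": ("md2WithRSAEncryption", "not recommended"),
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "not recommended"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "not recommended"),
    "1.2.840.113549.1.1.10": ("RSASSA-PSS", "not supported"),
}
FORBIDDEN_PATH_CHARS = "^%&;)"
BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def check_path(path):
    """Return the characters in path that make the tool fail to open the file."""
    return [c for c in FORBIDDEN_PATH_CHARS if c in path]

def split_pem_chain(text):
    """Split a PEM chain into DER blobs; raise ValueError on a chain-format violation."""
    if not text.startswith(BEGIN):
        raise ValueError("file must start with " + BEGIN)
    blobs, body, inside = [], [], False
    for line in text.splitlines():
        if line == BEGIN:
            inside, body = True, []
        elif line == END:
            blobs.append(base64.b64decode("".join(body), validate=True))
            inside = False
        elif inside:
            body.append(line.strip())
        elif line.strip():  # anything between blocks (e.g. an openssl text dump) is a comment
            raise ValueError("comment or stray text outside certificate blocks: %r" % line)
    return blobs

def der_read(buf, pos=0):
    """Read one DER TLV at pos; return (tag, content bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low bits give the number of length octets that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Decode OID content octets (base-128 subidentifiers) to dotted form."""
    subids, value = [], 0
    for b in raw:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(value)
            value = 0
    first = subids[0]  # the first two arcs are packed into one subidentifier
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return ".".join(str(a) for a in arcs + subids[1:])

def signature_oid(der):
    """Outer signatureAlgorithm OID of Certificate ::= SEQUENCE { tbs, sigAlg, sigValue }."""
    tag, cert, _ = der_read(der)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _, after_tbs = der_read(cert)        # skip tbsCertificate
    _, alg, _ = der_read(cert, after_tbs)   # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = der_read(alg)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)

def check_chain(path, text):
    """Apply the page's path and chain rules to one file; return problems and algorithms seen."""
    problems, algorithms = ["forbidden character %r in path" % c for c in check_path(path)], []
    try:
        for der in split_pem_chain(text):
            oid = signature_oid(der)
            name, status = ALGORITHMS.get(oid, ("unknown algorithm", "not recommended"))
            algorithms.append((oid, name))
            if status != "recommended":
                problems.append("%s (%s) is %s" % (name, oid, status))
    except ValueError as exc:
        problems.append(str(exc))
    return {"problems": problems, "signature_algorithms": algorithms}

# Constructed sample input: DER with the outer shape of a Certificate and a dummy tbsCertificate.
def der_encode(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + content

def fake_certificate_pem(oid_hex):
    """oid_hex holds the signature algorithm OID's content octets; this is not a usable certificate."""
    tbs = der_encode(0x30, der_encode(0x02, b"\x01"))
    alg = der_encode(0x30, der_encode(0x06, bytes.fromhex(oid_hex)) + b"\x05\x00")  # OID + NULL params
    sig = der_encode(0x03, b"\x00" * 129)  # BIT STRING with a long-form length, as in real certificates
    b64 = base64.b64encode(der_encode(0x30, tbs + alg + sig)).decode()
    return "\n".join([BEGIN] + [b64[i:i + 64] for i in range(0, len(b64), 64)] + [END]) + "\n"

SHA256_OID, SHA384_OID = "2a864886f70d01010b", "2a864886f70d01010c"   # 1.2.840.113549.1.1.11 / .12
SHA1_OID, PSS_OID = "2a864886f70d010105", "2a864886f70d01010a"       # 1.2.840.113549.1.1.5 / .10
GOOD_CHAIN = fake_certificate_pem(SHA256_OID) + fake_certificate_pem(SHA384_OID)
BAD_CHAIN = "# issued by lab CA\n" + fake_certificate_pem(SHA1_OID)   # comment before the first header
```

To check a real chain, call check_chain(path, open(path).read()); an empty problems list means the path and chain format pass the rules above and every certificate in the file is signed with one of the three recommended algorithms. The DER walker reads only the outer Certificate structure, which is why it works on the constructed sample as well as on a real certificate.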

System Requirements

Install all vCenter components, obtain administrator permissions, and shut down dependent solutions, as follows:

  • Verify that all vCenter components that require certificate updates are installed and running, and that you have access to the server for each component.

  • Verify that you have administrative privileges on the server or servers that you are running the tool on. Although nonadministrator users can download and launch the tool, all operations fail without the proper permissions.

  • Shut down the following dependent solutions that are running in the environment:

    • VMware Site Recovery Manager

    • vSphere Data Recovery

    • vCloud Director

    • Any third-party solution that might connect to vCenter Server