I have recently had a couple of acquaintances remark that they could not get communication between the XenDesktop DDC and VMWare VirtualCenter to work over HTTPS when using a Microsoft Enterprise CA. I had recently spent time on-site with a financial customer that required SSL communication and they had worked through it for over six weeks without any luck. Finally, they found an obscure reference for resetting the VirtualCenter password that fixed the issue. Today I just wanted to blog this process so others did not have to spend six weeks trying to figure this out too.
I will say up front I am not VMWare certified and do not claim to know everything about VMWare. Also, lest I be cited for plagiarism, I will tell you that the majority of these steps come verbatim from the SOE Team Blog which were the steps followed by the customer.
Here are the steps from the blog, with the addition of steps 20 & 21, which reset the database password on VirtualCenter and were the steps that finally let the DDC communicate with Virtual Center over HTTPS.
Enabling SSL communication with VMWare VirtualCenter and a Microsoft Enterprise CA
1. Download and install OpenSSL (http://www.openssl.org) onto a PC in your domain
2. Navigate to OpenSSL\bin folder
3. Run the command “openssl req -new -nodes -out mycsr.csr -config openssl.cfg”
4. Follow the prompts. When asked to enter “Common Name (eg, YOUR name)” enter the FQDN (vci.domain.com) of the VirtualCenter server.
5. Once complete, there are 2 files created in OpenSSL\bin folder: mycsr.csr and privkey.pem
6. Browse to your Enterprise CA web interface. eg http://enterpriseCA.domain.com/certsrv
7. Select “Request a certificate”
8. Select “advanced certificate request”
9. Select “Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.”
10. Open mycsr.csr (should be in your OpenSSL\bin folder) in Notepad, copy and paste the contents in the “Base-64-encoded certificate request (CMC or PKCS #10 or PKCS #7):” text field
11. Change the Certificate Template to “Web Server”
12. Click Submit
13. Once the certificate has been successfully issued, select “Base 64 encoded” then “Download certificate”
14. Save certnew.cer to a convenient location.
15. Browse to the folder on your VirtualCenter server: “C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL”
16. Back up existing files to another location just in case.
17. Copy certnew.cer file and privkey.pem to this folder (both files will be in your OpenSSL\bin folder)
18. Rename certnew.cer file to rui.crt
19. Rename privkey.pem to rui.key
20. From a command-prompt in the VMWare VirtualCenter Server install directory run vpxd -p to re-initialize the database on the SQL server with the new certificate.
21. Input the Database Password as requested by vpxd -p.
22. Restart VirtualCenter
23. Browse to the FQDN of the VCI (https://vci.domain.com) and verify the certificate is correct and working.
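Before copying the files in step 17, the certificate and key can be checked from the OpenSSL\bin folder. The PowerShell script below is an added example, not part of the original steps or of any VMware or Citrix tooling; it assumes openssl.exe is on PATH, that the key is RSA, and that enterprise-ca.cer (a hypothetical file name) holds a Base64 export of the issuing CA chain.

```powershell
# Added example: pre-install checks for the files produced in steps 1-14.
# Assumptions: openssl.exe is on PATH, the key is RSA, and enterprise-ca.cer is a
# hypothetical file name for a Base64 export of the issuing CA chain.
param(
    [string]$Cert   = 'certnew.cer',
    [string]$Key    = 'privkey.pem',
    [string]$Fqdn   = 'vci.domain.com',
    [string]$CaCert = 'enterprise-ca.cer'
)
$problems = @()

# 1. The certificate must contain the public half of the private key.
$certMod = (& openssl x509 -noout -modulus -in $Cert | Out-String).Trim()
$keyMod  = (& openssl rsa  -noout -modulus -in $Key  | Out-String).Trim()
if (-not $certMod -or $certMod -ne $keyMod) {
    $problems += "$Key is not the private key for $Cert"
}

# 2. The subject CN must be the FQDN entered in step 4 (output format varies by version).
$subject   = (& openssl x509 -noout -subject -in $Cert | Out-String).Trim()
$cnPattern = 'CN\s*=\s*' + [regex]::Escape($Fqdn) + '\s*($|[,/])'
if ($subject -notmatch $cnPattern) {
    $problems += "Subject CN is not ${Fqdn}: $subject"
}

# 3. The certificate must not be expired (-checkend 0 exits non-zero if it is).
& openssl x509 -noout -checkend 0 -in $Cert | Out-Null
if ($LASTEXITCODE -ne 0) {
    $problems += "$Cert is expired or could not be read"
}

# 4. The "Web Server" template from step 11 should yield a server-authentication cert.
$purpose = (& openssl x509 -noout -purpose -in $Cert | Out-String)
if ($purpose -notmatch 'SSL server\s*:\s*Yes') {
    $problems += "$Cert is not valid for SSL server use"
}

# 5. The certificate must chain to the Enterprise CA that clients trust.
$verify = (& openssl verify -CAfile $CaCert $Cert | Out-String).Trim()
if ($verify -notmatch ': OK$') {
    $problems += "$Cert does not verify against $CaCert"
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output "OK: $Cert and $Key can be renamed to rui.crt and rui.key"
```

Because step 3 uses -nodes, privkey.pem is written unencrypted. Once rui.key is in place on the VirtualCenter server, delete the copy left in OpenSSL\bin and limit who can read the SSL folder.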
I believe most of these steps are documented elsewhere as well in VMWare documentation. I am not sure about all the effects of resetting the database password but for the most part it worked fine for us. We were only using VirtualCenter for XenDesktop and had one issue where the saved customization routines required the password be re-entered. Other than that, no other strange things happened after we reset the password. Good Luck!
If you found this information useful and would like to be notified of future blog posts, please follow me on Twitter @pwilson98 or visit my XenDesktop on Microsoft website.