Automate Free SSL Certificate Replacement for vCenter 7

In the past, I’ve posted some guides for replacing the default self-signed vCenter certificate with a free, trusted Let’s Encrypt 90-day certificate. I recently started to look into generating the free SSL certificate using an ACME client and stumbled across the PowerShell module Posh-ACME (credit to Ryan Bolger – https://github.com/rmbolger for this module). I decided to develop this easy-to-use PowerShell script, Install-vCenterSSL.ps1, which generates the certificate, formats it, and replaces the default certificate directly on a vCenter server with minimal effort.


Prerequisites

  • Download my Install-vCenterSSL.ps1 script, which can be found on my GitHub page here.
  • The script requires internet access to generate the certificate.
  • Ability to create a DNS TXT record to validate domain ownership.
  • vCenter account with administrator privileges.
  • Highly recommended to take a snapshot or backup of your vCenter server.

Step 1 – Update Script Variables

Download the script, but before running it, update the variables at the top of the script.


Step 2 – Entering vCenter Credentials

Enter vCenter credentials when prompted.


Step 3 – DNS Challenge Validation

This is really the only manual step that’s required. When prompted, you will need to create the following TXT record at your DNS provider.

Alternatively, you can automate the DNS challenge validation by using one of the many supported DNS plugins found here on Ryan Bolger’s GitHub repository.

Example Creating TXT DNS Record

Step 4 – DNS Propagation Timer

Press any key to continue; a 2-minute sleep timer then starts to give the DNS record time to propagate.


Step 5 – vCenter Certificate Validation

Once your domain ownership is confirmed, the certificate will be generated, converted and installed directly on your vCenter using the REST API. After this operation completes, the services using the certificate will be restarted for the new certificate to take effect.


Optional Step – Use Previously Generated SSL

If you have previously generated an SSL certificate that is still valid, the script should detect it and offer the option to reuse it instead of requesting a new one.
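As an added example (this is not the author’s Install-vCenterSSL.ps1 and not Posh-ACME’s own code), the following PowerShell walks through Steps 2 to 5 and the optional reuse check in one script, and then verifies that vCenter really presents the new certificate afterwards. It assumes Posh-ACME 4.x on PowerShell 7, the vCenter 7 REST endpoint PUT /api/vcenter/certificate-management/vcenter/tls taking a cert/key/root_cert body, and placeholder names such as vcenter.example.com and admin@example.com; check the endpoint and parameters against your vCenter’s API documentation before use.

```powershell
# Added example, not the blog's Install-vCenterSSL.ps1.
# Assumptions: Posh-ACME 4.x, PowerShell 7, vCenter 7 REST API as documented
# for PUT /api/vcenter/certificate-management/vcenter/tls.
#Requires -Version 7.0
#Requires -Modules Posh-ACME
param(
    [Parameter(Mandatory)] [string] $VCenter,   # FQDN, e.g. vcenter.example.com (placeholder)
    [Parameter(Mandatory)] [string] $Contact,   # ACME account contact, e.g. admin@example.com (placeholder)
    [int] $DnsSleep = 120,                      # Step 4: seconds to wait for DNS propagation
    [switch] $SkipCertificateCheck              # only for the first run, while vCenter still has its self-signed cert
)
$ErrorActionPreference = 'Stop'

Set-PAServer LE_PROD   # Let's Encrypt production; use LE_STAGE while testing to avoid rate limits

# Optional step: reuse an existing certificate if it is still valid for at least 30 days.
$cert = Get-PACertificate -MainDomain $VCenter -ErrorAction SilentlyContinue
if ($cert -and $cert.NotAfter -gt (Get-Date).AddDays(30)) {
    Write-Host "Reusing existing certificate, valid until $($cert.NotAfter)"
} else {
    # Step 3: the Manual plugin prints the _acme-challenge TXT record to create and waits for Enter;
    # Step 4: -DnsSleep is the propagation wait before Let's Encrypt is asked to validate.
    $cert = New-PACertificate -Domain $VCenter -AcceptTOS -Contact $Contact `
                              -Plugin Manual -DnsSleep $DnsSleep -Force
}

# Step 2: vCenter administrator credentials -> API session token.
$cred  = Get-Credential -Message "vCenter administrator account"
$pair  = "$($cred.UserName):$($cred.GetNetworkCredential().Password)"
$basic = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($pair))
$tls   = @{ SkipCertificateCheck = [bool]$SkipCertificateCheck }
$token = Invoke-RestMethod -Method Post -Uri "https://$VCenter/api/session" `
                           -Headers @{ Authorization = "Basic $basic" } @tls

# Step 5: PEM files from Posh-ACME go straight into the request body. root_cert carries the
# issuing chain; if vCenter answers "create trusted root chain failed" (see the comments below),
# compare the chain in $cert.ChainFile with what your vCenter version expects.
$body = @{
    cert      = Get-Content $cert.CertFile  -Raw
    key       = Get-Content $cert.KeyFile   -Raw
    root_cert = Get-Content $cert.ChainFile -Raw
} | ConvertTo-Json
Invoke-RestMethod -Method Put -Uri "https://$VCenter/api/vcenter/certificate-management/vcenter/tls" `
                  -Headers @{ 'vmware-api-session-id' = $token } `
                  -ContentType 'application/json' -Body $body @tls
Write-Host "Certificate submitted; vCenter services are restarting."

# Verification: read the leaf certificate vCenter presents on 443 and compare thumbprints.
function Get-RemoteThumbprint([string] $HostName, [int] $Port = 443) {
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # The callback accepts any certificate because we only want to read the presented leaf,
        # not trust it; the trust decision is the thumbprint comparison below.
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate).Thumbprint
    } finally { $tcp.Dispose() }
}

$deadline = (Get-Date).AddMinutes(10)
do {
    Start-Sleep -Seconds 30
    try { $seen = Get-RemoteThumbprint $VCenter } catch { $seen = $null }   # services may still be down
} until ($seen -eq $cert.Thumbprint -or (Get-Date) -gt $deadline)

if ($seen -ne $cert.Thumbprint) {
    throw "vCenter still presents thumbprint '$seen', expected '$($cert.Thumbprint)'"
}
Write-Host "vCenter now presents the Let's Encrypt certificate ($($cert.Thumbprint))."
```

Use -SkipCertificateCheck only on the very first run, while vCenter still serves the self-signed certificate; on later runs (for example a renewal scheduled before the 90 days are up) drop it so that Invoke-RestMethod validates vCenter’s certificate before your administrator credentials are sent. The private key is read from Posh-ACME’s key file and sent once over that authenticated TLS session; it is not written anywhere else by this script.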


Thanks for reading. I hope you found this useful; feel free to comment below. If you find any bugs, please raise an issue here.

12 comments
  1. Thanks. It's GREAT!!!!
    7 4ever.
    the more i see of big brother/ the more i am glad i was an orphan…just one more shot/ ooppsdate.

  2. Hi,
    Thanks for this great script. I get the below error when I run the script:
    _________________________________________________
    Failed to Replace Certificate, Terminating Script
    At line:1 char:1
    + .\Install-vCenterSSL.ps1
    + ~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Install-vCenterSSL.ps1

    Status: A system exception was caught.

    The request body has been saved to $global:helpme
    ________________________________________________

  3. This is great!! Now just need it to be able to run as a scheduled task. 🙂 When the 90 days is up, do you have to update the txt record? Or does it stay static?

  4. Hi!
    The script worked fine on the installation of the certificate the first time.
    Now the cert is expired and I wanted to replace it with a fresh and new one.

    What I got is similar to the previous posting:

    C:\Users\Administrator\Desktop\install.ps1 : Failed to Replace Certificate, Terminating Script
    In Zeile:1 Zeichen:1
    + .\install.ps1
    + ~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,install.ps1

    Status: A system exception was caught.
    {"error_type":"ERROR","messages":[{"args":["create trusted root chain failed : AFD Native Error Occured: 11"],"default_message":"Exception found (create trusted root chain failed : AFD Native Error Occured: 11)","id":"com.vmware.certificatemanagement.error"}]}
    The request body has been saved to $global:helpme

    Any ideas how to fix it?

  5. Addon to my last posting:

    After using /usr/lib/vmware-vmca/bin/certificate-manager on vSphere and choosing option 3, I was able to use the script and create a new certificate with Let's Encrypt, and everything is running well and smoothly again. Maybe this might help to examine the issue.

    Cheers

  6. Hello,
    Thank you for sharing such a cool script.
    Happy Holidays!

    Please excuse my noob question,
    but I can't even connect to VMware PowerCLI.
    I get an error when I try to connect to vCenter from macOS: Connect-VIServer -Server IP
    Permission to perform this operation was denied. Required privileges: 'Folder-group-d1' : 'System.View'
    Do I need to create a user and set some privileges?

    thx
