Automate Free SSL Certificate Replacement for vCenter 7

In the past, I’ve posted guides on replacing the default self-signed vCenter certificate with a free, trusted 90-day Let’s Encrypt certificate. I recently started looking into generating the certificate with an ACME client and came across the PowerShell module Posh-ACME (credit to Ryan Bolger – https://github.com/rmbolger for this module). I wrote an easy-to-use PowerShell script, Install-vCenterSSL.ps1, which requests the certificate, converts it into the format vCenter expects and installs it directly on the vCenter server, replacing the default certificate with minimal effort.


Prerequisites

  • Download my Install-vCenterSSL.ps1 script, which can be found on my GitHub page here.
  • The script requires internet access to generate the certificate.
  • Ability to create a DNS TXT record to validate domain ownership.
  • vCenter account with administrator privileges.
  • Highly recommended to take a snapshot or backup of your vCenter server.

Step 1 – Update Script Variables

Download the script and, before running it, update the parameters at the top of the script.


Step 2 – Entering vCenter Credentials

Enter vCenter credentials when prompted.


Step 3 – DNS Challenge Validation

This is the only manual step required. When prompted, create the following TXT record with your DNS provider.

Alternatively, you can automate the DNS challenge validation by using one of the many supported DNS plugins listed in Ryan Bolger’s GitHub repository here.

Example Creating TXT DNS Record

Step 4 – DNS Propagation Timer

Press any key to continue; a 2-minute sleep timer then starts to give the TXT record time to propagate. If the record is not yet visible when Let’s Encrypt queries it, validation fails, so increase the timer if your DNS provider is slow to publish changes.


Step 5 – vCenter Certificate Validation

Once domain ownership is confirmed, the certificate is issued, converted and installed directly on your vCenter server through the REST API. When that completes, the services that use the certificate are restarted so the new certificate takes effect; expect the vCenter UI to be unavailable for a few minutes while they come back.


Optional Step – Use Previously Generated SSL

If a valid certificate was generated on a previous run, the script detects it and offers to reuse it instead of requesting a new one.
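The whole flow from Step 3 to Step 5, plus the reuse check from the optional step, as an added example written for this page; it is not the author’s Install-vCenterSSL.ps1 and does not reproduce its internals. It assumes the placeholder FQDN and contact address below, the Posh-ACME 4.x parameter names, and the vSphere 7 REST endpoints /api/session and /api/vcenter/certificate-management/vcenter/tls. It also adds the check a practitioner would want after the API call: reading back the certificate vCenter actually presents on port 443 and comparing its thumbprint with the one Posh-ACME issued, rather than trusting the HTTP 200.

```powershell
#Requires -Version 7.0
#Requires -Modules Posh-ACME
# Added example, not the author's Install-vCenterSSL.ps1. Assumptions: the FQDN and
# contact address are placeholders; the REST endpoints /api/session and
# /api/vcenter/certificate-management/vcenter/tls are the vSphere 7 ones;
# Posh-ACME parameter names follow the 4.x documentation.
param(
    [string]$VCenterFqdn     = 'vcenter.example.com',   # placeholder
    [string]$Contact         = 'admin@example.com',     # placeholder
    [int]   $DnsSleepSeconds = 120                      # the post's 2 minute propagation wait
)

Set-PAServer LE_PROD   # use LE_STAGE while testing to stay clear of Let's Encrypt rate limits
$cred = Get-Credential -Message 'vCenter administrator credentials'

# Optional step: reuse a previously issued certificate if it still has a comfortable margin
$cert = Get-PACertificate -MainDomain $VCenterFqdn -ErrorAction SilentlyContinue
if ($cert -and $cert.NotAfter -gt (Get-Date).AddDays(30)) {
    Write-Host "Reusing existing certificate, valid until $($cert.NotAfter)"
} else {
    # Steps 3-4: the Manual plugin prints the _acme-challenge TXT record to create,
    # waits for a key press, then sleeps -DNSSleep seconds before asking for validation.
    $cert = New-PACertificate -Domain $VCenterFqdn -AcceptTOS -Contact $Contact `
                -Plugin Manual -DNSSleep $DnsSleepSeconds -Force
}

# Posh-ACME writes PEM files next to the certificate object; vCenter wants the leaf,
# the private key and the issuing chain as PEM strings.
$leafPem  = Get-Content -Raw $cert.CertFile
$keyPem   = Get-Content -Raw $cert.KeyFile
$chainPem = Get-Content -Raw $cert.ChainFile

# Step 5: open an API session. -SkipCertificateCheck is needed on the first run
# because vCenter still presents its self-signed certificate at this point.
$basic = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes(
            "$($cred.UserName):$($cred.GetNetworkCredential().Password)"))
$token = Invoke-RestMethod -Method Post -Uri "https://$VCenterFqdn/api/session" `
            -Headers @{ Authorization = "Basic $basic" } -SkipCertificateCheck
$api = @{ 'vmware-api-session-id' = $token }

try {
    $body = @{ cert = $leafPem; key = $keyPem; root_cert = $chainPem } | ConvertTo-Json
    # Replace the machine SSL certificate; vCenter restarts the affected services itself.
    Invoke-RestMethod -Method Put -ContentType 'application/json' -Body $body -Headers $api `
        -Uri "https://$VCenterFqdn/api/vcenter/certificate-management/vcenter/tls" -SkipCertificateCheck
} finally {
    # Session teardown may fail once services start restarting; that is harmless here.
    Invoke-RestMethod -Method Delete -Uri "https://$VCenterFqdn/api/session" -Headers $api `
        -SkipCertificateCheck -ErrorAction SilentlyContinue
}

# Verification: read the certificate vCenter actually presents on 443 once the services
# are back, and compare its thumbprint with the one Posh-ACME issued.
function Get-PresentedThumbprint([string]$Fqdn) {
    $tcp = [Net.Sockets.TcpClient]::new($Fqdn, 443)
    $ssl = [Net.Security.SslStream]::new($tcp.GetStream(), $false, { $true })  # inspect only, accept any chain
    try {
        $ssl.AuthenticateAsClient($Fqdn)
        return [Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate).Thumbprint
    } finally { $ssl.Dispose(); $tcp.Dispose() }
}

$deadline = (Get-Date).AddMinutes(15)
do {
    Start-Sleep -Seconds 30
    try { $seen = Get-PresentedThumbprint $VCenterFqdn } catch { $seen = $null }  # services still restarting
} until ($seen -eq $cert.Thumbprint -or (Get-Date) -gt $deadline)

if ($seen -eq $cert.Thumbprint) {
    Write-Host "vCenter now presents $seen (expires $($cert.NotAfter))"
} else {
    Write-Warning "vCenter still presents '$seen', expected $($cert.Thumbprint); check the vCenter services"
}
```

While the Manual plugin is waiting for your key press, you can confirm the record is visible from a public resolver in a second window with `Resolve-DnsName -Name "_acme-challenge.$VCenterFqdn" -Type TXT -Server 1.1.1.1`, which is a better signal than a fixed sleep. Keep `-SkipCertificateCheck` only for the bootstrap run; once the trusted certificate is in place, drop it so later runs also validate the server they are talking to.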


Thanks for reading, and I hope you found this useful; feel free to comment below. If you find any bugs, please raise an issue here.
