Hi everyone , I sure that the matter in the subject was discussed several times in the past but I need your assistance because I have odd question / query that I must clarify.
I am running learning lab which I run at home , the lab environment include the following:
All in one installation of vCenter.
this means that the following sub systems are running on the same machine (in my case we are talking about virtual machine).
Inventory Service
SSO
vCenter
Web Client
Update Manager
Log Browser
The Lab environment doesn't have CA Server (Certificate Authority Server).
I would like to change the SSL certificate (the default one) with Self-signed certificate which I will generate with OpenSSL version 0.9.8
The questions are:
1) because we are talking about All In One scenario
The question is: is it possible to only replace the SSL certificate which belong to vCenter Service ? this means that I will stay with the default certificates of (Inventory Service , SSO , Web Client , Update Manager , Log Browser). But I will generate only Private Key and Public Key which will be used only by the vCenter Service.
2) I have found in the HTML documentation of version 5.0 (I know that I am using version 5.1 but this is what I have found officialy supported) an article with the subject "Replace Default Server Certificates with Self-Signed Certificates" (the documentation is available on the following URL: http://pubs.vmware.com/vsphere-50/index.jsp#com.vmware.vsphere.solutions.doc_50/GUID-887DEF31-9815-450B-9C1C-1B14C82A6D13.html)
The question is: I couldn't understand if I do required to generate new Local Root CA certificate and import it in the level of the Operating System (in my case we are talking about Windows Server 2008 R2 X64) or this phase of generating new Local Root CA certificate and importing it is only required for importing into the clients side (means the clients computers where I run vSphere client and connect through it to the vCenter Server) ? please note that I am using OpenSSL and not CA Server.
3) Assuming that I do need to generate new Local Root CA certificate. But , as mentioned above , I still use the default certificates for the services (Inventory Service , SSO , Web Client , Update Manager , Log Browser).
The question is , when I import the new Local Root CA certificate into the OS level , will it also remove the old Root CA certificate which is being used by the default certificates which I still use them ? or when I import the new Local Root CA certificate then the old one will be removed automatically ?
4) In the documentation (which reside on the following URL: (http://pubs.vmware.com/vsphere-50/index.jsp#com.vmware.vsphere.solutions.doc_50/GUID-887DEF31-9815-450B-9C1C-1B14C82A6D13.html) it's mentioned the creation of PFX file , is this phase is mendatory ? is it not enough to generate only the Private Key and the Public Key ? Do I must to also generate the PFX file ?
thanks everyone ,
My questions are because there is not enouph information regarding Self-signed certificate through OpenSSL for vSphere while only replacing only one service and not all Services.