
VMware's vCenter Certificate Automation Tool is too little, too late

VMware's vCenter Certificate Automation Tool aims to fix a perennial pain point for many admins, but one expert isn't satisfied with the new product.

The VMware vCenter certificate problem has bothered me since I first opened the vSphere client. I was used to seeing pop-up warnings from my browser telling me a website was not "100% kosher," but I was not used to getting such pop-ups from a Windows application. The hassle of replacing and managing SSL certificates is familiar to most VMware administrators and, until recently, VMware expended very little effort to help improve the process.

The reasons for validating the identity of the Web server you are connecting to are obvious and defined as a security best practice. Man-in-the-middle attacks can compromise your entire virtual infrastructure, so your SSL certificates should be valid and adhere to your corporate policy.

VMware has always used a Web server as the mechanism that provides application programming interface access to your virtual environment. There are always two major components whose certificates need to be updated: the ESX(i) hosts and the vCenter Server (the management layer).

The process for replacing ESX(i) certificates has been almost identical through the years. It is vCenter where the task gets more complicated.

Figure: VMware SSL warning dialog
Over the years, VMware has introduced more and more functionality into vCenter -- Update Manager, Health Status and Inventory Service, to name just a few examples. All of these components have a Web interface and, because they are integrated with the vSphere client, if you are using a non-trusted Web certificate, you will be presented with that annoying popup a number of times.

The vCenter certificate problem continued and became even worse with version 5.0 and 5.1. More services were added (vSphere Single Sign-On), and additional Web interfaces made it even more complicated. VMware continued to supply appliances for all components, which all have Web servers and need SSL certificates. However, VMware neglected to provide a tool to manage all of these certificates.

The last straw for me was when VMware published "Implementing CA signed SSL certificates with vSphere 5.1 (2034833)." This Knowledge Base resource includes seven different documents, with over 100 steps needed to "get rid of those annoying popups." These documents were compiled approximately two months after the product was generally available and, in the interim, a number of bloggers tried to fill the void and fix the lack of proper information (and, in some cases, completely wrong information) on how to correctly deploy SSL certificates.

But the problem is not with one version, or with how we should update the certificate of one product or another. Every VMware product today uses a Web interface. As VMware adds more products, the list just gets longer and longer. I, for one, would like to have my SSL certificates valid and properly signed. So, instead of providing a document for every single product, why not provide an automated way to deliver this? 

VMware made the first step with their introduction of the vCenter Certificate Automation Tool 1.0. It is a step (and only a step) in the right direction, but I would hardly consider this an optimal solution. Calling this an automation tool -- even as it requires so many manual steps -- is a misnomer.

All certificates have to be created manually before you start with the tool. That itself is a major and tedious task that the vCenter Certificate Automation Tool does nothing to help with. The tool itself is a mix-and-match collection of Perl and batch scripts.

The tool only addresses the vCenter components, not the ESXi hosts, nor the supporting products around them.
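The manual "create every certificate first" step above is the part that lends itself to scripting. The following shell script is an added example, not VMware's tool or any vendor code: it mints one CA-signed certificate per vCenter component using a throwaway lab CA. The service names, OU values and hostname are placeholders; the exact subject fields and extensions your deployment needs come from VMware KB 2034833 and your corporate CA policy, not from this script.

```shell
#!/bin/sh
# Added example (not VMware's tool): one CA-signed certificate per vCenter
# component, so the manual certificate-creation step is scripted.
# Assumptions: lab CA is acceptable; service names, OU values and hostname are
# placeholders; real subject/extension requirements come from KB 2034833.
set -eu
WORK="$(mktemp -d)"
HOST="vcenter.lab.example"          # placeholder hostname for all components
SERVICES="vCenterServer vCenterInventoryService vCenterSSO vCenterUpdateManager"
# One lab root CA; in production this step is replaced by your corporate CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/CN=Lab Root CA" >/dev/null 2>&1
# make_service_cert SERVICE: key + CSR + CA-signed cert for one component.
# The OU carries the service name so every component gets a distinct subject.
make_service_cert() {
    svc="$1"
    cat > "$WORK/$svc.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = $HOST
OU = $svc
O = Example Corp
[v3_req]
subjectAltName = DNS:$HOST
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
EOF
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/$svc.key" -out "$WORK/$svc.csr" \
        -config "$WORK/$svc.cnf" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$WORK/$svc.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/$svc.cnf" -extensions v3_req \
        -out "$WORK/$svc.crt" >/dev/null 2>&1
}
# verify_chain SERVICE: the check the vSphere client popup is really about,
# i.e. does this component's certificate chain to a trusted CA?
verify_chain() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}
for svc in $SERVICES; do
    make_service_cert "$svc"
    verify_chain "$svc" && echo "$svc: chain OK ($WORK/$svc.crt)"
done
```

Point the CAT (or the per-service KB steps) at the resulting key and certificate files; the lab CA must be trusted by every client that talks to vCenter, which is exactly why a corporate CA is used in practice.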

I do know of another approach to the problem, currently in private beta -- vCert Manager, under development by VMware partner Virtual System Solutions -- that will hopefully fix this painful process. vCert Manager is supposed to supply a comprehensive and robust solution not only for vCenter, but also for all your ESXi hosts and all the supporting products.

VMware should have made it a priority to create a decent tool of its own and address this a long time ago.

The vCenter Certificate Automation Tool is not a comprehensive solution and doesn't solve the problem. It is merely a Band-Aid for a very painful problem that many admins have been battling for years.

I would hope that VMware would invest more effort to solve this problem once and for all, either by producing a proper tool of its own or by providing support to its partners to do so.

This was last published in May 2013

What do you think of the vCenter Certification Automation Tool?
Complexity is the enemy of adoption. VMware needs to make this a priority for their dev team. Knowing their approach to solving problems, I imagine them purchasing the third-party developed tool in Q4 if they haven't got an internal solution yet. This is no longer an undisputed industry, and with the water turning rapidly red, product improvement is crucial to survival.
Hyper-V is becoming a better choice.
I agree with your view on the certificate automation tool being a little too late, and maybe just a small step, not a complete solution, but it's better than nothing. I myself replaced the certificates of the 5.1 install at the company I work for and used this workflow to automate even more of the steps in the replacement process.
It's not perfect, as the author merely automates certificate generation and gives some general guidance on how to make your life easier with the automation tool from VMware, but it is yet another step forward. I totally agree that if some systems administrator can do it, a team of developers can make it sing, so VMware should have put more effort into it.
Does not work and provides unhelpful error messages.
It is crap anyways.
Time to solve a problem of growing importance
It's time VMware addressed the problem; they really should have developed a solution for all of vSphere by now.
The vCenter certification tool is not user friendly and is a tedious process.
I agree, VMware should have a better, easier cert integration!
The CAT provides the mechanism to replace the certificates; however, an understanding of the process involved is still required (and rightfully so). The later release further refines this process, which can be completed from start to finish in less than an hour.