I recently upgraded my ESXi 5.0 hosts to ESXi 5.1 and they all kept the CA-signed SSL certificates I previously installed. I did a fresh install of vCenter 5.1 Server where the same box ran SSO, Inventory Services, vCenter Server, and Update Manager. After install, everything was working perfectly except that none of the vCenter services were using my CA-signed SSL certificate - only the ESXi 5.1 hosts had these.
So I followed the directions in the Replacing Default vCenter 5.1 and ESXi Certificates PDF found at http://www.vmware.com/resources/techresources/10318. The document is terrible. For example, page 10 lists the three default locations for SSL certificates on Windows 2008. None of these paths are correct. The first has a typo of an extra space between "Program" and "Data" and the other two say "Program Files" when they should have been "ProgramData". This is just the beginning of the problems.
If you follow the directions to the letter, you'll break vCenter. I got frustrated and thought I'd give the vCenter 5.1 Appliance a shot. With respect to CA-signed SSL certificates, it was worse. The vCenter 5.1 Appliance can't even auto-generate a new SSL certificate if you change the hostname (turn on auto-certificate generation, change hostname and reboot). It gives a 653 error during the boot up process and keeps the original certificate. Don't even bother trying the steps on page 18 in the aforementioned guide - you'll just get the same 653 error.
It seems to me that VMware has not done any testing around CA-signed SSL certificate installation on vCenter 5.1. It's amazing to me that SSL certificate installation is so tedious for vCenter and ESXi when vShield Manager 5.1 has a very simple process that works well (and is similar to the SSL certificate installation process on DRACs, RSAs, iLOs, various firewalls, etc.).
I did a lot of Google searches and found various blogs on SSL certificate installation but many were based on pre-5.1 GA products. If you have had any success installing CA-signed SSL certificates with vCenter Server or Appliance 5.1 GA, please let me know how you got around some of these issues. Please indicate whether your vCenter Server or Appliance was running on an ESXi 5.1 GA host as well. Please don't respond regarding vCenter 5.0 - I didn't have any issues with it and SSL certificates (other than that it was more tedious than it had to be).
Thanks in advance,
Nate