So you have decided to migrate your Windows vCenter to the vCenter 6.5 appliance: you downloaded the 6.5 installer, extracted the migration assistant onto your vCenter and ran it. After entering your suitably complex SSO administrator password and waiting for the assistant to run, you are presented with the following error (pictured):
You then spend some time googling it, reading forums, blogs and VMware support articles on how to replace the certificates, and you go round and round in circles with no clear idea of where exactly to start and no single blog, forum post or KB that walks you through it. Well, this one probably won’t either… or it might…
What I have attempted to do here is provide a single thread to hopefully get people through this error without pulling hair, teeth and nails out (I have done all three).
Let’s start with the scenario. I am going to be specific, as there are so many combinations that could lead to other results.
- Windows vCenter Server all-in-one install, i.e. SSO, Inventory Service, Update Manager etc. all on the one Windows server.
- Database is MS SQL on a different server.
- A service account is used to run the VMware services, and this same account connects to the SQL DB.
- Ensure you have:
- SSO Admin username and password
- Make sure the password is simple, with no special characters: the tools used below do not cope well with them. If your real SSO admin password contains special characters, set a temporary simple one for this procedure and put a strong one back as soon as the migration is complete.
- Service account password, if used
- vCenter Server DB password
- Download the 6.5 vCenter installer ISO to gain access to the migration assistant
- Download and extract the vCenter certificate replacement tool (it was here)
- Create a folder and sub-folders to hold the cert requests:
- c:\certs\sso and c:\certs\vcenter
- I am assuming you know your way around Windows and the basic command line (cd, dir etc.)
If not already done, do the following:
Copy the entire “migration-assistant” folder from the vCenter 6.5 installer ISO to your current Windows vCenter server.
Run “VMware-Migration-Assistant.exe” as administrator (right-click, Run as administrator).
Follow the prompts:
- Enter your SSO Administrator password
- Enter your service account password if prompted
Wait for the migration assistant to run… you may have time to drink a coffee/tea/beer/your choice.
If you receive an error about the user account (in this scenario, the service account the VMware services run under) not having the “Replace a process level token” right, do the following:
- Open Local Security Policy on your vCenter server
- Expand Local Policies
- Click User Rights Assignment
- In the right-hand pane scroll down (or press the R key on your keyboard)
- Select Replace a process level token
- Right-click and select Properties
- Click Add User or Group…
- Enter the username and click Check Names
- Click OK
- Click OK
Exit the current migration assistant and wait for it to close.
Run the migration assistant again.
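The same user-right change done from PowerShell, as an added example (this is not code from the original post): it exports the local policy with secedit, appends the service account’s SID to SeAssignPrimaryTokenPrivilege (the internal name of “Replace a process level token”) and imports only the USER_RIGHTS area back. DOMAIN\svc-vcenter and the C:\certs work folder are placeholders for your own.

```powershell
# Added example, not from the original post: scripted equivalent of the
# Local Security Policy clicks above. Grants "Replace a process level token"
# (SeAssignPrimaryTokenPrivilege) to the vCenter service account only.
# Assumption: the service account is DOMAIN\svc-vcenter; C:\certs is the work folder.
$account = 'DOMAIN\svc-vcenter'
$cfg     = 'C:\certs\secpol.inf'
$db      = 'C:\certs\secpol.sdb'

# secedit lists principals as *SID rather than by name, so resolve the account first
$sid = (New-Object System.Security.Principal.NTAccount($account)).Translate([System.Security.Principal.SecurityIdentifier]).Value

# Export only the user-rights area of the current local policy
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$lines = Get-Content $cfg

$current = $lines | Where-Object { $_ -match '^SeAssignPrimaryTokenPrivilege\s*=' }
if ($current -and ($current -match ('\*' + $sid + '(,|\s|$)'))) {
    Write-Host "$account already holds SeAssignPrimaryTokenPrivilege"
    return
}

if ($current) {
    # Append to the existing list; never drop the accounts already there (LOCAL/NETWORK SERVICE)
    $lines = $lines -replace '^(SeAssignPrimaryTokenPrivilege\s*=.*)$', ('$1,*' + $sid)
} else {
    # Right not assigned to anyone yet: add it under [Privilege Rights]
    $lines = $lines -replace '^\[Privilege Rights\]$', ("[Privilege Rights]`r`nSeAssignPrimaryTokenPrivilege = *" + $sid)
}
Set-Content -Path $cfg -Value $lines -Encoding Unicode   # secedit expects a UTF-16 template

# Apply just USER_RIGHTS so nothing else in the local policy is touched
secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null

# Verify: export again and show the resulting assignment line
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
Get-Content $cfg | Where-Object { $_ -match '^SeAssignPrimaryTokenPrivilege' }
```

Run it from an elevated PowerShell. User rights are stamped into a token at logon, so if the assistant still complains after the re-run, restart the VMware services so the service account gets a fresh token. This privilege lets a process hand a primary token to a new process, i.e. start processes as another user, so keep it on the service account alone and do not grant it to a broad group to make the error go away.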
You may now receive an error regarding the vCenter and SSO system names (the certificate name mismatch this post is about), as pictured…
You could now just deploy a new vCenter 6.5 appliance and move your hosts to it; honestly, if you are running standard vSwitches and have no products integrated with your vCenter, this is by far the easiest option.
If you have distributed switches you can still go to a new appliance, but the DVS migration to a new vCenter is not straightforward (at the time of writing, that is), so the migration method takes care of this for you with no downtime to VMs (I have done it; there was zero downtime for the 500 VMs in the environment).
Take a snapshot of the vCenter server. If you are running a physical vCenter I would ask why; you probably have some justification, but in my opinion there is none: P2V it now and move on.
Begin Certificate Generation and Replacement
The cert replacement for the above error only requires the SSO cert and the vCenter cert to be replaced; that’s it, don’t worry about the others.
If you have not already done so, download the VMware SSL Certificate Automation Tool for 5.5 and extract it to a base-level folder.
Open a command prompt in admin mode (right-click, Run as administrator; the image below shows a non-admin and an admin command prompt).
Change directory (cd) to the path you extracted the cert tool to, e.g. c:\certtool
Type ssl-updater.bat (in an admin command prompt you should not get an error). You will get the main menu; get used to it.
Select option 1; this gives the plan required to complete the update.
Type 1,3 (this selects the SSO and vCenter Server certificate replacement plan).
Screenshot or copy this plan out to Notepad or something similar.
Press 9 to get back to the main menu.
Press 2 (this runs through generating new certificate signing requests).
Press 1 for SSO.
Enter the required info (the tool is pretty good and gives default options where required; the key is that the Distinguished Name of each cert type, SSO and vCenter, must be unique. The tool gives you a default DN for each, so the easiest way is to leave that part unedited and just press Enter).
When asked where to save the certificate, enter the location you created earlier for SSO: c:\certs\sso
Do the same with option 3 for the vCenter cert, changing the export location to c:\certs\vcenter. The files have the same names for SSO and vCenter, so do not try to save them in the same folder.
Press 9 to return to the main menu.
How you get those certificate signing requests signed is up to you; use a Windows CA if you want (not covered here). I just used the openssl that is already installed as part of the vCenter install; you will find it in your installation folder, which could be C:, D:, E: or any other letter of the alphabet the installing admin chose to use. (Man, I typed “install” a few times.)
Create the Certificates
We are now going to create the actual certificates. Note that the command below does not sign the CSR the tool produced: it reads the csr_openssl.cfg the tool wrote next to it, generates a fresh key pair (overwriting the tool’s rui.key) and writes a self-signed certificate that matches that new key.
Open a new command window as administrator.
Change directory to the c:\certs\sso folder (note: in the screenshots I was using D:\, sorry, poor form) (depending on your vCenter install directory, the following path may differ).
Type the following:
"c:\Program Files\VMware\Infrastructure\Inventory Service\bin\openssl.exe" req -nodes -new -x509 -keyout rui.key -out rui.crt -days 3650 -config csr_openssl.cfg
If this completes you should have a rui.crt file in the SSO folder. Open the certificate and check it looks right (you may not know what it should look like; just check that for the SSO cert the OU is something like vCenterSSO-SERVERNAME, and for the vCenter cert it is just vCenter-SERVERNAME).
Change the file extension to .pem (if you cannot see file extensions you may need to change the folder view options to show them). Note that -nodes leaves rui.key unencrypted on disk, so keep c:\certs restricted to administrators and delete it once the migration is done.
Complete the same command from the c:\certs\vcenter folder.
Change the resulting rui.crt to rui.pem.
(Just a note here: I have had the resulting certificates get both the .crt and .cert extension, no idea why, not even going to go there!)
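Creating and checking both certificates in one go, as an added example (this is not the post’s own code): it runs the exact openssl command from the post in each folder, then checks the OU the post says to look for, reports the certificate version, confirms that rui.key really belongs to rui.crt, and renames rui.crt to rui.pem. Assumptions: openssl.exe is at the default C: install path, the cert tool has already written csr_openssl.cfg into c:\certs\sso and c:\certs\vcenter, and VC01 stands in for your vCenter server name.

```powershell
# Added example, not code from the original post. Runs the post's openssl command in
# each CSR folder and checks the result before it goes into ssl-updater.bat.
# Assumptions: default C: install path; csr_openssl.cfg already written by the cert
# tool into each folder; VC01 is a placeholder for your vCenter server name.
$openssl = 'C:\Program Files\VMware\Infrastructure\Inventory Service\bin\openssl.exe'
$folders = @{
    'C:\certs\sso'     = 'vCenterSSO-VC01'   # expected OU in the SSO cert
    'C:\certs\vcenter' = 'vCenter-VC01'      # expected OU in the vCenter cert
}

foreach ($dir in $folders.Keys) {
    Push-Location $dir
    try {
        # Same command as the post. -x509 makes it self-signed (the CSR itself is not used);
        # -keyout writes a fresh key that matches the new cert, unencrypted because of -nodes.
        & $openssl req -nodes -new -x509 -keyout rui.key -out rui.crt -days 3650 -config csr_openssl.cfg
        if ($LASTEXITCODE -ne 0) { throw "openssl req failed in $dir" }

        $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (Join-Path $dir 'rui.crt')

        # The OU check the post describes, done by script instead of by eye
        if ($cert.Subject -match 'OU=([^,]+)') { $ou = $Matches[1].Trim() } else { $ou = '' }
        if ($ou -ne $folders[$dir]) { throw "$dir : OU is '$ou', expected '$($folders[$dir])'" }

        # req -x509 without -extensions yields a v1 certificate; that is what the
        # migration assistant's "not v3" warning is about, and it is harmless here.
        Write-Host "$dir : $($cert.Subject) (v$($cert.Version), expires $($cert.NotAfter))"

        # rui.key must be the private key for rui.crt: both must report the same RSA modulus
        $certMod = & $openssl x509 -noout -modulus -in rui.crt
        $keyMod  = & $openssl rsa  -noout -modulus -in rui.key
        if ($certMod -ne $keyMod) { throw "$dir : rui.key does not match rui.crt" }

        # ssl-updater.bat wants a .pem, as the post says
        Move-Item -Path rui.crt -Destination rui.pem -Force
        Write-Host "$dir : rui.pem and rui.key ready"
    }
    finally {
        Pop-Location
    }
}
```

Run it from an elevated PowerShell after the cert tool has generated both CSR folders. If your csr_openssl.cfg contains a [ v3_req ] section, adding -extensions v3_req to the req command produces a v3 certificate and avoids the assistant’s warning; the post’s command is kept as-is above. Delete C:\certs (the keys in it are unencrypted) once the migration is complete.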
Updating the Certificates
Now go back to your ssl-updater.bat command window (if you have not already, now is the time to snapshot your vCenter VM; if it is not a VM, why is it not a VM?!)
SNAPSHOT THE VCENTER (it will save your life).
Select 3 – Update Single Sign-On
Select 1 – Update the SSO SSL certificate (sorry, no screenshots from here on)
Follow the prompts, providing the paths to rui.pem and rui.key in the c:\certs\sso folder, i.e. “c:\certs\sso\rui.pem” and “c:\certs\sso\rui.key”.
This should complete without errors if all the info is correct (SSO admin password etc.).
Complete the steps from the plan created earlier to update the Inventory Service with SSO, vCenter with SSO, etc.
You will be prompted through these for various things: the SSO admin user and password and the location of the SSO cert. The SSO cert location will pre-populate; just check it is correct and then press Enter.
Cross your fingers and take a swig of your favourite beverage…
Follow the steps through to the vCenter certificate update: option 5, then option 2.
Again follow the prompts and provide the paths to the c:\certs\vcenter files as required: “c:\certs\vcenter\rui.pem” and “c:\certs\vcenter\rui.key”.
Enter the required vCenter admin name (this can be your SSO Admin).
SSO Admin username/password.
Default DB password (this should be the password of the account used to connect to your SQL DB; if it isn’t, take note of the warning and, I kid you not, take a snapshot).
Again swig a drink, have a strong one…
(I hit a snag here with the vCenter user not being able to connect to vCenter; I tried with the web client and could not log in either. I had to re-register the web client with SSO (not in the step list) and also vCenter with the Inventory Service; once I had confirmed that both the web client and the thick client were working again I re-ran the vCenter SSL cert update and it all worked.)
If successful, follow the remaining steps from the plan created earlier to re-register all the components. Note that if you are not running Log Browser, that step will fail.
As before, you will be prompted for the SSO admin user and password and the location of the SSO cert; the location pre-populates, so just check it is correct and press Enter.
Migration Assistant Check
You should now be able to run the migration assistant without being bugged by the certificate name mismatch. You will still get a message about the certificate not being v3, as pictured (the openssl req -x509 command above produces a v1 certificate, because the extensions in csr_openssl.cfg are attached only to the CSR). Don’t worry, be happy: the migration will continue and replace the certificate with another one anyway.
Continue on with your migration.
A little tip on Update Manager: just uninstall it and set it up again once on 6.5. It is embedded there, and there won’t be much in your old Update Manager you need (don’t shoot me if there is).
SSL Certificate post Migration
One more point: you should replace the 6.5 SSL certs with properly signed certs anyway, either from your internal CA or a third party; everyone loves green ticks in their browser. The self-signed certs created above only needed to live long enough to get you through the migration.
Enjoy the 6.5 web client, and the HTML5 client too.