Obtaining Server Certificates

Obtaining Server Certificates

VMware products use standard X.509 version 3 (X.509v3) certificates to encrypt session information sent over SSL connections between server and client systems. When a client application initiates an SSL session with the server, the server sends its certificate to the client application, which checks the X.509 certificate against a list of known Certificate Authorities (CAs) to verify the authenticity of the certificate. The client then uses the server’s public key contained in the X.509 certificate to generate a random symmetric key, which it uses to encrypt all subsequent communications.

The installers for ESX, ESXi, and vCenter Server create server certificates during the process of installation. For ESX and ESXi systems, the certificate name matches the DNS name of the server. For vCenter Server systems, the certificate name is VMware. Because these certificates are not signed by an official root CA, you must obtain the server certificate from each server that you plan to target with your client application and store it locally.

For example, if you are creating a client application to run against the vCenter Server and an ESX system in standalone mode, you must obtain both the vCenter Server certificate and the ESX certificate. If your application is aimed solely at the vCenter Server that might manage any number of ESX systems, you must obtain the certificate only from the vCenter Server.

You can obtain the certificates in one of the following ways:

■

Developers working on the Microsoft Windows platform can use the certificate-handling capabilities of the vSphere Client from the development workstation to connect to each ESX, ESXi, or vCenter Server and accept the certificate into the local cache and export the certificate. See Obtain Certificates by Using the vSphere Client.

■

Developers with access privileges on the target server systems can use a secure shell client utility (SCP, WinSCP, or SSH) to connect directly to the ESX, ESXi, or vCenter Server and copy the certificates directly from the server to the development platform. See Obtaining Certificates by Connecting Directly to Server Systems for details.

Obtain Certificates by Using the vSphere Client

To use the vSphere Client to obtain certificates, you must install the vSphere Client on your development workstation. The vSphere Client uses the native Microsoft credential-handling mechanisms to allow you to accept the certificate and export it as a local file.

To obtain server certificates using vSphere Client

1

Create a directory named VMware-Certs (at the root level) for the certificates. Several of the vSphere Web Services SDK batch files assume this path as the location of the keystore and fail if you do not use this path.

C:\VMware-Certs

2

Install the vSphere Client on the development workstation.

3

Start the vSphere Client and navigate to the ESX, ESXi, or vCenter Server Web server.

A security warning message box appears regarding the certifying authority for the certificate.

4

Click View Certificate to display the Certificate properties page.

5

Click the Details tab.

6

Click Copy to File to start the Certificate Export wizard.

7

Select DER encoded binary X.509, the default, and click Next.

8

Click Browse... and navigate to the C:\VMware-Certs subdirectory.

9

Enter a name for the certificate that identifies the server to which it belongs.

C:\VMware-Certs\servername.cer

After you obtain the certificate from each target server, follow the other setup steps appropriate for your programing language. For C# developers, see Setting Up for C# Development. For Java developers, see Set Up for Java Development.

Obtaining Certificates by Connecting Directly to Server Systems

Developers who have appropriate privileges to directly connect to the target server can obtain a server certificate directly from the server. You must have administrative privileges on the ESX or vCenter Server, and you must have access to the necessary subdirectory.

To obtain server certificates using secure shell client application

1

From the development workstation, create a directory in which to store certificates of servers to target during development:

~\vmware-certs\

2

Connect to the ESX system using an SSL client from the development workstation.

Remote connections to the ESX service console as root are effectively disabled, so you must connect as another user with privileges on the server to obtain the certificate.

3

Locate the server certificate on the target server.

Server

Directory Location for Certificate

Certificate

ESX 5

/etc/vmware/ssl/

rui.crt

vCenter Server 5

C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL\

rui.crt

4

Copy the certificates from the server to the certificate subdirectory of the development workstation, using a unique filename for the certificate if you are copying multiple default certificates from multiple ESX systems.

5

Import the server-certificate into the certificate store following the specific instructions for your programming language (Java, C#).

Server	Directory Location for Certificate	Certificate
ESX 5	/etc/vmware/ssl/	rui.crt
vCenter Server 5	C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL\	rui.crt

Help us improve this information. Send feedback to [email protected].