Configuring CA signed certificates for vCenter Server 5.1 (2035005)
Purpose
This article guides you through configuring Certificate Authority (CA) signed certificates for vCenter Server 5.1. VMware has released a tool that automates much of the process described below. See Deploying and using the SSL Certificate Automation tool (2041600) before following the steps in this article.
If you are unable to use the tool, this article helps you eliminate common causes of problems during certificate implementation, covers the configuration steps and details, and helps you avoid common misconfigurations when implementing custom certificates in your environment.
Note: This article is specifically for vSphere 5.1. If you are using vSphere 5.0, see Implementing CA signed SSL Certificates with vSphere 5.0 (2015383).
Resolution
Note: This article is part of a resolution path. See Implementing CA signed SSL certificates with vSphere 5.1 (2034833) before following the steps in this article.
Creating CA-signed certificates for vCenter Server is a complex task. Many organizations require it to maintain proper security for regulatory requirements. Several different workflows are required for a successful implementation:
- Creating the certificate request
- Getting the certificate
- Installation and configuration of the certificate in vCenter Server
These steps must be followed to ensure successful implementation of a custom certificate for vCenter Server. Before attempting these steps, ensure that:
- You have a vSphere 5.1 environment.
- All certificates and corresponding files are already generated per the workflow in Implementing CA signed SSL certificates with vSphere 5.1 (2034833).
Installation and configuration of the certificate in vCenter Server
After the certificate has been created, follow these steps to complete the installation and configuration of the certificate in vCenter Server:
- Log in to vCenter Server as an administrator.
- If you have not already imported it, double-click on the c:\certs\Root64.cer file and import the certificate into the Trusted Root Certificate Authorities > Local Computer Windows certificate store. This ensures that the certificate server is trusted.
- Back up the certificates for the VMware vCenter Server.
- For Windows 2008, the following locations are typical for vSphere 5.1:
C:\ProgramData\VMware\VMware VirtualCenter\SSL
- For Windows 2003, the following locations are typical for vSphere 5.1:
C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL
- Copy the new certificate files into the above folder. If you are following this resolution path, the proper certificate is in c:\certs\vCenter.
- Open rui.crt in a text editor and validate that the first line of the file begins with -----BEGIN CERTIFICATE-----. If there is any text prior to this, remove it. The code that validates the certificate may fail in Step 5 if there is additional text.
- Go to https://localhost/mob/?moid=vpxd-securitymanager&vmodl=1 on the vCenter Server and load the certificates for the configuration by using the Managed Object Browser.
- Click continue if you are prompted with a certificate warning.
- Enter a vCenter Server administrator username and password when prompted.
- Click reloadSslCertificate.
- Click Invoke Method. If successful, the window shows this message: Method Invocation Result: void.
- Close both windows.
- Open a command prompt on vCenter Server and change to the isregtool directory. By default, this is C:\Program Files\VMware\Infrastructure\VirtualCenter Server\isregtool.
- Run this command to register the vCenter Server to the inventory service:
Important: This fails on the vCenter 5.1 GA build if you have not followed the procedure in Step 7 of Configuring CA signed certificates for the Inventory service in vCenter 5.1 (2035009) before registering the Inventory service to Single Sign On.
register-is.bat [vCenter Server URL] [Inventory Service URL] [SSO Lookup Service URL]
Where these are the typical URLs (modify if the ports are different):
- vCenter Server URL is https://<server.domain.com>/sdk
- Inventory Service URL is https://<server.domain.com>:10443/
- SSO Lookup Service URL is https://<server.domain.com>:7444/lookupservice/sdk
If the command is successful, you see a message similar to:
Note: If the return code is not 0 0, an error has likely occurred in the command. Review the text to see the error. The most common error is a mistyped URL in one of the three services.
- Change to the vCenter Server directory. By default, this is C:\Program Files\VMware\Infrastructure\VirtualCenter Server\.
- Run this command:
vpxd -p
- Type the password for the vCenter Server database user to encrypt the password with the new certificate.
- Restart the VMware VirtualCenter Server service from the service control manager (services.msc).
- Restart the VMware vSphere Profile Driven Storage Service.
- After the initial restart of the services, wait for 5 minutes. If the VMware vSphere Profile Driven Storage service stops during this time, restart it.
- Navigate to https://vcenterserver.domain.com/ and validate the certificate.
The configuration of the custom certificates is now complete for vCenter Server. Next, continue to install the custom certificates for the vSphere Web Client. For more information, see Implementing CA signed SSL certificates with vSphere 5.1 (2034833).
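The rui.crt check and the final certificate validation step above can be scripted. The following PowerShell is an added example, not VMware code and not part of the original article; it assumes the Windows 2008 default path, the placeholder host name used above, and that it is run after the services have been restarted.

```powershell
# Added example, not VMware code. The defaults are assumptions: the article's
# Windows 2008 path and its placeholder host name.
param(
    [string]$CertPath = 'C:\ProgramData\VMware\VMware VirtualCenter\SSL\rui.crt',
    [string]$VcHost   = 'vcenterserver.domain.com',
    [int]$Port        = 443
)
$ErrorActionPreference = 'Stop'
$marker = '-----BEGIN CERTIFICATE-----'

# Check 1: rui.crt must start with the BEGIN CERTIFICATE line.
$text = [System.IO.File]::ReadAllText($CertPath)
$idx  = $text.IndexOf($marker)
if ($idx -lt 0) { throw "$CertPath contains no '$marker' line" }
if ($idx -gt 0) { throw "$CertPath has $idx character(s) before '$marker'; remove them" }

# Check 2: the file must parse as X.509 and must not be expired.
$fileCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
if ($fileCert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($fileCert.NotAfter)" }
$fileHash = $fileCert.GetCertHashString()   # SHA-1, used only as an identifier

# Check 3: complete a TLS handshake and read the certificate vCenter presents.
$client = New-Object System.Net.Sockets.TcpClient -ArgumentList $VcHost, $Port
try {
    # Accept whatever is presented: this connection only inspects the
    # certificate and sends no credentials or data.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $stream = $client.GetStream()
    $ssl = New-Object System.Net.Security.SslStream -ArgumentList $stream, $false, $accept
    $ssl.AuthenticateAsClient($VcHost)
    $servedSubject = $ssl.RemoteCertificate.Subject
    $servedHash    = $ssl.RemoteCertificate.GetCertHashString()
} finally {
    $client.Close()
}

"File   : $($fileCert.Subject)  expires $($fileCert.NotAfter)  SHA1 $fileHash"
"Served : $servedSubject  SHA1 $servedHash"
if ($servedHash -ne $fileHash) {
    throw "vCenter on ${VcHost}:$Port is serving a different certificate than $CertPath"
}
'OK: vCenter is serving the certificate stored in rui.crt'
```

A mismatch in the last check means the service is still presenting the previous certificate, so the reload and restart steps should be revisited before moving on to the vSphere Web Client.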