The VMware Knowledge Base provides support solutions, error messages and troubleshooting guides
Configuring CA signed certificates for vCenter Server 5.1 (2035005)
Note: This article is specifically for vSphere 5.1. If you are using vSphere 5.5, see Configuring CA signed certificates for vCenter Server 5.5 (2061973). If you are using vSphere 5.0, see Implementing CA signed SSL Certificates with vSphere 5.0 (2015383).
This article guides you through the configuration of Certificate Authority (CA) certificates for a vCenter Server 5.1. VMware has released a tool to automate much of the described process below. See Deploying and using the SSL Certificate Automation Tool 1.0.x (2041600) before following the steps in this article.
In the case that you are unable to use the tool, this article helps you eliminate common causes for problems during certificate implementation, including configuration steps and details, and helps avoid common misconfigurations in the implementation of custom certificates in your environment.
Note: This article is part of a resolution path. See Implementing CA signed SSL certificates with vSphere 5.x (2034833) before following the steps in this article.
Creating CA assigned certificates for vCenter Server is a complex task. In many organizations it is required to maintain proper security for regulatory requirements. There are several different work flows required for successful implementation:
- Creating the certificate request
- Getting the certificate
- Installation and configuration of the certificate in vCenter Server
These steps must be followed to ensure successful implementation of a custom certificate for vCenter Server. Before attempting these steps ensure that:
- You have a vSphere 5.1 Environment
- All certificates and corresponding files are already generated per the workflow in Implementing CA signed SSL certificates with vSphere 5.x (2034833).
Installation and configuration of the certificate in vCenter Server
After the certificate has been created, follow these steps to complete the installation and configuration of the certificate in vCenter Server:
- Log in to vCenter Server as an administrator.
- If you have not already imported it, double-click the c:\certs\Root64.cer file and import the certificate into the Trusted Root Certificate Authorities > Local Computer Windows certificate store. This ensures that the certificate server is trusted.
- Backup the rui.crt, rui.key, and the rui.pfx certificates for vCenter Server.
By default, the certificates are located at:
- In Windows 2008 - C:\ProgramData\VMware\VMware VirtualCenter\SSL
- In Windows 2003 - C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL
- Copy the new certificates (from c:\certs\vCenter, if you are following this resolution path) to the SSL directory for your operating system listed in Step 3.
- Open rui.crt in a text editor and validate that the first line of the file begins with -----BEGIN CERTIFICATE-----. If there is any text prior to this, remove it. The code that validates the certificate may fail in Step 5 if there is additional text.
- Go to https://localhost/mob/?moid=vpxd-securitymanager&vmodl=1 on the vCenter Server and load the certificates for the configuration by using the Managed Object Browser (MOB).
Note: If the Managed Object Browser of the vCenter Server has been disabled per the VMWare vSphere Hardening Guide, this prevents access and display the error: 503 Service Unavailable. To resolve this issue, see vCenter Server Managed Object Browser (MOB) reports a 503 Service Unavailable error (2042554).
- Click continue if you are prompted with a certificate warning.
- Enter a vCenter Server administrator username and password when prompted.
- Click reloadSslCertificate.
- Click Invoke Method. If successful, the window shows this message: Method Invocation Result: void.
- Close both windows.
- Open a command prompt on vCenter Server and change to the isregtool directory. By default, this is C:\Program Files\VMware\Infrastructure\VirtualCenter Server\isregtool.
- Run this command to register the vCenter Server to the inventory service:
register-is.bat vCenter_Server_URL Inventory_Service_URL SSO_Lookup_Service_URL
Where these URLs are the typical URL (modify if ports are different):
- vCenter_Server_URL is https://server.domain.com/sdk
- Inventory_Service_URL is https://server.domain.com:10443/
- SSO_Lookup_Service_URL is https://server.domain.com:7444/lookupservice/sdk
If the command is successful, you see a message similar to:
Note: If the return code is not 0 0, an error has likely occurred in the command. Review the text to see the error. The most common error is a mistyped URL in one of the three services.
- Change to the vCenter Server directory. By default, this is C:\Program Files\VMware\Infrastructure\VirtualCenter Server\.
- Run this command:
- Type the password for the vCenter Server database user to encrypt the password with the new certificate.
- Restart the VMware VirtualCenter Server service from the service control manager (services.msc)
- Restart the VMware vSphere Profile Driven Storage Service.
- After the initial restart of the services, wait for 5 minutes. If the VMware vSphere Profile Driven Storage service stops during this time, restart it.
- Navigate to https://vcenterserver.domain.com/ and validate the certificate.
The configuration of the custom certificates is now complete for vCenter Server. Next, continue to install the custom certificates for the vSphere Web Client. For more information, see Implementing CA signed SSL certificates with vSphere 5.x (2034833).
Request a Product Feature
To request a new product feature or to provide feedback on a VMware product, please visit the Request a Product Feature page.