The VMware Knowledge Base provides support solutions, error messages and troubleshooting guides
Configuring CA signed certificates for vCenter Server 5.1 (2035005)
Note: This article is specifically for vSphere 5.1. If you are using vSphere 5.5, see Configuring CA signed certificates for vCenter Server 5.5 (2061973). If you are using vSphere 5.0, see Implementing CA signed SSL Certificates with vSphere 5.0 (2015383).
This article guides you through the configuration of Certificate Authority (CA) certificates for a vCenter Server 5.1. VMware has released a tool to automate much of the described process below. See Deploying and using the SSL Certificate Automation Tool 1.0.x (2041600) before following the steps in this article.
In the case that you are unable to use the tool, this article helps you eliminate common causes for problems during certificate implementation, including configuration steps and details, and helps avoid common misconfigurations in the implementation of custom certificates in your environment.
Note: This article is part of a resolution path. See Implementing CA signed SSL certificates with vSphere 5.x (2034833) before following the steps in this article.
Creating CA assigned certificates for vCenter Server is a complex task. In many organizations it is required to maintain proper security for regulatory requirements. There are several different work flows required for successful implementation:
- Creating the certificate request
- Getting the certificate
- Installation and configuration of the certificate in vCenter Server
These steps must be followed to ensure successful implementation of a custom certificate for vCenter Server. Before attempting these steps ensure that:
- You have a vSphere 5.1 Environment
- All certificates and corresponding files are already generated per the workflow in Implementing CA signed SSL certificates with vSphere 5.x (2034833).
Installation and configuration of the certificate in vCenter Server
After the certificate has been created, follow these steps to complete the installation and configuration of the certificate in vCenter Server:
- Log in to vCenter Server as an administrator.
- If you have not already imported it, double-click the c:\certs\Root64.cer file and import the certificate into the Trusted Root Certificate Authorities > Local Computer Windows certificate store. This ensures that the certificate server is trusted.
- Backup the certificates for the VMware vCenter Server.
- For Windows 2008:
- For Windows 2003:
C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL
- For Windows 2008:
- Copy the new certificate files into the above folder. If you are following this resolution path, the proper certificate is in c:\certs\vCenter.
- Open rui.crt in a text editor and validate that the first line of the file begins with -----BEGIN CERTIFICATE-----. If there is any text prior to this, remove it. The code that validates the certificate may fail in Step 5 if there is additional text.
- Go to https://localhost/mob/?moid=vpxd-securitymanager&vmodl=1 on the vCenter Server and load the certificates for the configuration by using the Managed Object Browser.
- Click continue if you are prompted with a certificate warning.
- Enter a vCenter Server administrator username and password when prompted.
- Click reloadSslCertificate.
- Click Invoke Method. If successful, the window shows this message: Method Invocation Result: void.
- Close both windows.
- Open a command prompt on vCenter Server and change to the isregtool directory. By default, this is C:\Program Files\VMware\Infrastructure\VirtualCenter Server\isregtool.
- Run this command to register the vCenter Server to the inventory service:
register-is.bat vCenter_Server_URL Inventory_Service_URL SSO_ Lookup_Service_URL
Where these URLs are the typical URL (modify if ports are different):
- vCenter_Server_URL is https://server.domain.com/sdk
- Inventory_Service_URL is https://server.domain.com:10443/
- SSO_Lookup_Service_URL is https://server.domain.com:7444/lookupservice/sdk
If the command is successful, you see a message similar to:
Note: If the return code is not 0 0, an error has likely occurred in the command. Review the text to see the error. The most common error is a mistyped URL in one of the three services.
The configuration of the custom certificates is now complete for vCenter Server. Next, continue to install the custom certificates for the vSphere Web Client. For more information, see Implementing CA signed SSL certificates with vSphere 5.x (2034833).
- Implementing CA signed SSL certificates with vSphere 5.0
- Implementing CA signed SSL certificates with vSphere 5.x
- Configuring CA signed SSL certificates for the Inventory service in vCenter Server 5.x
- Deploying and using the SSL Certificate Automation Tool 1.0.x
- Configuring CA signed certificates for vCenter Server 5.5
Request a Product Feature
To request a new product feature or to provide feedback on a VMware product, please visit the Request a Product Feature page.