Configuring CA signed SSL certificates for the Inventory service in vCenter Server 5.1 (2035009)
Purpose
This article guides you through the configuration of Certificate Authority (CA) certificates for the vSphere 5.1 Inventory Service. VMware has released a tool that automates much of the process described below. See Deploying and using the SSL Certificate Automation tool (2041600) before following the steps in this article.
If you are unable to use the tool, this article helps you eliminate common causes of problems during certificate implementation, including configuration steps and details, and helps you avoid common misconfigurations when implementing custom certificates in your environment.
Note: This article is specifically for vSphere 5.1. If you are using vSphere 5.0, see Implementing CA signed SSL Certificates with vSphere 5.0 (2015383).
Resolution
Note: This article is part of a resolution path. See Implementing CA signed SSL certificates with vSphere 5.1 (2034833) before following the steps in this article.
Creating CA assigned certificates for vSphere is a complex task. In many organizations, it is required to maintain proper security for regulatory requirements. Several different workflows are required for a successful implementation:
- Creating the certificate request
- Getting the certificate
- Installation and configuration of the certificate in the Inventory Service
These steps must be followed to ensure successful implementation of a custom certificate for vCenter Server. Before attempting these steps, ensure that:
- You have a vSphere 5.1 environment
- All certificates and corresponding files are already generated, as per Implementing CA signed SSL certificates with vSphere 5.1 (2034833).
Installation and configuration of the certificate for the Inventory Service
When the SSO certificates have been replaced, you can replace the Inventory Service certificates.
To complete the installation and configuration of the certificate for the Inventory Service:
- Log in to the Inventory Service server as an administrator.
- If you have not already imported it, double-click the c:\certs\Root64.cer file and import the certificate into the Trusted Root Certificate Authorities > Local Computer Windows certificate store. This ensures that the certificate server is trusted.
- Open a command prompt to the Inventory Service\scripts directory. The default directory is C:\Program Files\VMware\Infrastructure\Inventory Service\scripts.
- Unregister the Inventory Service from vCenter Single Sign On by running the command:
unregister-sso.bat <Lookup Service URL> <SSO administrator user> <SSO administrator password>
Note: Where Lookup Service URL is https://ssoserver.domain.com:7444/lookupservice/sdk. Change the port if needed.
If the command is successful, the output appears similar to:
- Stop the VMware vCenter Inventory Service.
- Navigate to the Inventory Service certificate directory and back up the certificates. By default, this is C:\ProgramData\VMware\Infrastructure\Inventory Service\ssl\.
- Copy the new certificate files, rui.crt, rui.key, and rui.pfx to this directory. If you are following this resolution path, the new certificates are in c:\certs\InventoryService\.
- Start the vCenter Inventory Service.
- If you are running the vCenter Inventory Service that is included with the vCenter Server 5.1 release build, you must modify the register-sso.bat file to ensure that the registration has the proper permissions. Open the register-sso.bat file in a text editor and verify or change this command from:
set COMMAND="%PATH_ROOT%/sso/regTool.cmd" registerSolution --ls-url %1 --username "%2" --password "%3" --install-props "%PATH_ROOT%/conf/sso.ini"
To:
set COMMAND="%PATH_ROOT%/sso/regTool.cmd" registerSolution --ls-url %1 --username "%2" --password "%3" --install-props "%PATH_ROOT%/conf/sso.ini" --role read
- Register the vSphere Inventory Service to vCenter Single Sign On by running the command:
register-sso.bat <Lookup Service URL> <SSO administrator user> <SSO administrator password>
Where the Lookup Service URL is https://ssoserver.domain.com:7444/lookupservice/sdk. Change the port if needed.
If the command is successful, the output appears similar to:
- Verify that the VMware vCenter Inventory service is still running. If it is not running, start it.
- Browse to https://InventoryService.domain.com:10443/. You receive a 400 Bad Request page, but you can still check that the certificate is being properly used.
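The browser check in the last step can also be scripted. The following PowerShell is an added example, not part of the VMware article or its tooling: it retrieves the certificate served on port 10443, compares its thumbprint with the rui.crt copied into the ssl directory, and builds the chain against the Local Computer stores. The function names are hypothetical; the host name, port and path are the article's placeholder and default values.

```powershell
# Added example (not VMware code). Function names are hypothetical; host name,
# port and path are the article's placeholder/default values.
function Get-ServedCertificate {
    param([string]$HostName, [int]$Port = 10443)

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Accept whatever is presented: the goal is only to retrieve the
        # certificate. Trust is evaluated in Test-InventoryServiceCertificate.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        $client.Close()
    }
}

function Test-InventoryServiceCertificate {
    param([string]$HostName, [string]$CertPath, [int]$Port = 10443)

    # Certificate that was copied into the Inventory Service ssl directory
    $expected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
    # Certificate the running service actually presents
    $served = Get-ServedCertificate -HostName $HostName -Port $Port

    # Build the chain in machine context, where the root CA was imported
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    $trusted = $chain.Build($served)

    New-Object PSObject -Property @{
        Subject           = $served.Subject
        NotAfter          = $served.NotAfter
        ServedThumbprint  = $served.Thumbprint
        MatchesFileOnDisk = ($served.Thumbprint -eq $expected.Thumbprint)
        ChainTrusted      = $trusted
        ChainStatus       = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

Test-InventoryServiceCertificate -HostName 'InventoryService.domain.com' `
    -CertPath 'C:\ProgramData\VMware\Infrastructure\Inventory Service\ssl\rui.crt'
```

A MatchesFileOnDisk value of False means the service is presenting a different certificate than the one copied into the ssl directory. A ChainTrusted value of False with an UntrustedRoot status points back to the Root64.cer import step.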
The configuration of the custom certificates for the Inventory Service is now complete. Next, continue to install the custom certificates for the vCenter Server Service. For more information, see Implementing CA signed SSL certificates with vSphere 5.1 (2034833).

