Knowledge Base

The VMware Knowledge Base provides support solutions, error messages and troubleshooting guides
 
Search the VMware Knowledge Base (KB)   View by Article ID
 

Configuring CA signed SSL certificates for the vSphere Web Client and Log Browser in vCenter Server 5.1 (2035010)

Purpose

This article guides you through the configuration of Certificate Authority (CA) certificates for the vSphere 5.1 Web Client and the Log Browser. VMware has released a tool to automate much of the described process below.  Please see Deploying and using the SSL Certificate Automation tool (2041600) before following the steps in the article. 
 
In the case that you are unable to use the tool this article helps you eliminate common causes for problems during certificate implementation, including configuration steps and details, and helps avoid common misconfigurations in the implementation of custom certificates in your environment.

Note: This article is specifically for vSphere 5.1. If you are using vSphere 5.0, see Implementing CA signed SSL certificates with vSphere 5.0 (2015383).

Resolution

Note: This article is part of a resolution path. See Implementing CA signed SSL certificates with vSphere 5.1 (2034833) before following the steps in this article.

Creating CA assigned certificates for vSphere is a complex task. In many organizations it is required to maintain proper security for regulatory requirements. There are several different work flows required for successful implementation:
  • Creating the certificate request
  • Getting the certificate
  • Installation and configuration of the certificate in the vSphere Web Client and the Log Browser
These steps must be followed to ensure successful implementation of a custom certificate for the vCenter server. Before attempting these steps, ensure that:

Installing and configuring the certificate for the vSphere Web Client and the Log Browser


After the certificate has been created, follow these steps to complete the installation and configuration of the certificate for the Web Client:

  1. Log into the vSphere Web Client server as an administrator.
  2. If you have not already imported it, double click on the C:\certs\Root64.cer file and import the certificate into the Trusted Root Certificate Authorities > Local Computer Windows certificate store. This ensures that the certificate server is trusted.
  3. Stop the VMware vSphere Web Client service from the service control manager (services.msc).
  4. Stop the VMware Log Browser Service from service control manager (services.msc).
  5. Back up the current certificates (rui.crt, rui.key, rui.pfx) for the vSphere Web Client. By default, the certificates are located in:

    Windows 2008: C:\ProgramData\VMware\vSphere Web Client\ssl\

    Windows 2003: C:\Documents and Settings\All Users\Application Data\VMware\vSphere Web Client\ssl

  6. Copy the new certificate files to this directory. If you are following this resolution path, the certificates are located in C:\certs\WebClient.
  7. Back up the current certificates for the Log Browser. By default, the certificates are located in:

    C:\Program Files\VMware\Infrastructure\vSphereWebClient\logbrowser\conf

  8. Copy the new certificate files (rui.crt, rui.key, rui.pfx) to this directory. If you are following this resolution path, the certificates are located in C:\certs\logbrowser.
  9. From the command prompt, run:

    set JAVA_HOME=c:\Program Files\VMware\Infrastructure\JRE

  10. Navigate to the SsoRegTool directory. The default location for this directory is:

    C:\Program Files\VMware\Infrastructure\vSphereWebClient\SsoRegTool\

  11. Unregister the vSphere Web Client Service from SSO by running the command:

    Note: The unregisterService command from within the regTool.cmd file is case sensitive.

    regTool.cmd unregisterService -si "Installation_Directory\vSphereWebClient\serviceId" -d https://SSOServer.domain.com:7444/lookupservice/sdk -u admin@System-Domain -p password

    Where:
    • Installation_Directory by default is C:\Program Files\VMware\Infrastructure
    • password is the admin@system-domain password

    If the command is successful, the output appears similar to:



  12. Register the VMware vSphere Web Client back to vCenter Single Sign On:

    Note: The registerService command from within the regTool.cmd file is case sensitive.

    • On Windows 2008, run the command:

      regTool.cmd registerService --cert "C:\ProgramData\VMware\vSphere Web Client\ssl" --ls-url https://SSOServer.domain.com:7444/lookupservice/sdk --username admin@System-Domain --password password --dir "Installation_Directory\vSphereWebClient\SsoRegTool\sso_conf" --ip "*.*" --serviceId-file "Installation_Directory\vSphereWebClient\serviceId"

    • On Windows 2003, run the command:

      regTool.cmd registerService --cert "C:\Documents and Settings\All Users\Application Data\VMware\vSphere Web Client\ssl" --ls-url https:// SSOServer.domain.com:7444/lookupservice/sdk --username admin@System-Domain --password password --dir "Installation_Directory\vSphereWebClient\SsoRegTool\sso_conf" --ip "*.*" --serviceId-file "Installation_Directory\vSphereWebClient\serviceId"

    Where:
    • Installation_Directory by default is C:\Program Files\VMware\Infrastructure
    • password is the admin@system-domain password

    If the command is successful, the output appears similar to:



  13. Open the Installation_Directory\vSphereWebClient\serviceId file in a text editor and remove the two old service lines. In this example, the old lines end in :9 and :10 (shown in the screenshot from step 11) and the new lines end with :14 and :15 (shown in the screenshot from step 12). There should only be the two lines in the file corresponding to the registered services in the screenshot in step 12.

    After editing, the file looks similar to:



  14. Start the VMware vSphere Web Client service from the service control manager. It may take about 5 minutes to initialize fully.
  15. Start the VMware vSphere Log Browser service from the service control manager.
  16. To test that the certificate is valid, log into the vSphere Web Client and check that the Inventory is accessible and that the certificate is properly installed.
  17. If they are not on separate servers or you cannot restart the server, stop and start the services in this order:
    • Stop the VMware Log Browser service.
    • Stop the VMware vSphere Web Client service
    • Stop the VMware VirtualCenter Server service
    • Stop the VMware vCenter Inventory service
    • Stop the vCenter Single Sign On service
    • Start the vCenter Single Sign On service
    • Start the VMware vCenter Inventory service
    • Start the VMware VirtualCenter Server service and the VMware VirtualCenter Management WebServices servic
    • Start the VMware vSphere Web Client service.
    • Start the VMware Log Browser service.
  18. Wait 5 minutes for the services to start completely.
  19. Log in and check that the Log Browser is functioning correctly.

    Note: If the service is not fully started, you will not see the option for the Log browser. Log out and log back in after a few minutes. It is available after it has completely loaded.

The configuration of the custom certificates for the vSphere Web Client and the Log Browser is now complete. Next, continue to install the custom certificates for vSphere Update Manager. For more information, see Implementing CA signed SSL certificates with vSphere 5.1 (2034833).

See Also

Request a Product Feature

To request a new product feature or to provide feedback on a VMware product, please visit the Request a Product Feature page.

Feedback

  • 4 Ratings

Did this article help you?
This article resolved my issue.
This article did not resolve my issue.
This article helped but additional information was required to resolve my issue.
What can we do to improve this information? (4000 or fewer characters)
  • 4 Ratings
Actions
KB: