• If you are using vSphere 5.1, see Configuring certificates signed by a Certificate Authority (CA) for vCenter Server Appliance 5.1 (2036744).
• If you are using vSphere 6.0, see Implementing CA signed SSL certificates in vSphere 6.0 (2111219)

Note: These section references the password testpassword. This is the password to be used and is not intended to be a variable.

Managing CA-signed certificates for the vCenter Server Appliance is a complex task. In many organizations, it is required to maintain proper security for regulatory requirements.


Note: The use of wildcard certificates are not supported with vCenter Server and its related services. Each service must have its own unique certificate.

These workflows are required for successful implementation:

• Generating the certificate requests
• Getting the certificates
• Installation and configuration of the certificates for all of the components

Perform these steps to ensure the successful implementation of a custom certificate for vCenter Server Appliance. Before attempting these steps, ensure that:

• You have a vSphere 5.5 environment.
• The environment is using the vCenter Server Appliance 5.5. 
  
  Note: vCenter Server Appliance 5.5 Update 3e does not support the Log Browser feature. For more information, see VMware vCenter Server 5.5 Update 3e Release Notes.
   
• WinSCP (or any other type of SCP client) is installed for moving of the files to the vCenter Server Appliance.
• OpenSSL v0.9.8 is installed. For instructions on installing OpenSSL, see Configuring OpenSSL for installation and configuration of CA signed certificates in the vSphere environment (2015387).
  
  Note: Ensure that you perform the configuration of OpenSSL for the vCenter Server Appliance as provided in this article. Do not perform the configuration steps in Configuring OpenSSL for installation and configuration of CA signed certificates in the vSphere environment (2015387).

Requirements for the certificates used by vCenter Server Appliance

• Key Length – The key length currently must be a maximum of 2048 bytes. Before proceeding, confirm from key file (PEM encoded).
• Key File Format – Only PKCS1 is supported by all components. Ensure that the base64 encoded key is in PKCS1 format. You may get RSA private keys in PKCS8 format when using some OpenSSL commands; the signal of the PKCS8 key is:
  
  ----- BEGIN PRIVATE KEY
  
  For PKCS1, it is:
  
  ----- BEGIN RSA PRIVATE KEY
  
  Open the key file to correct it. If it is in PKCS8 format, run this command to convert it to PKCS1:
  
  openssl rsa -in pk8.key -out pk1.key
   
• Cert File Format – Only some components support the PEM format of cert file. Ensure that your cert file can be loaded by all components. Remove everything before the -----BEGIN CERTIFICATE to ensure that this is the first line of the file.
• Certificate content – The commonName field in the Subject must be the hostname. The Subject Alternative Name subjectAltname must include the host FQDN and IP address. Otherwise, un-registering the Inventory service from SSO fails.
• Elliptic Curve Keys – These are not currently supported.

Generating the certificate requests 

For each component of the vCenter Server Appliance, you must have a custom certificate that has a unique Subject Distinguished Name encoded within the certificate.

Note: A unique organizationUnitName (OU) is not essential, but it is recommended by VMware; the requirement for proper certificate requests and therefore certificate generation is for a unique Subject Distinguished Name. The OU is just a part of the distinguished name (DN), and having a unique OU is one way to achieve a unique DN, but it is not the only method.

This means that four different certificates are required for each vCenter Server Appliance:

• vCenter Server / vCenter Single Sign-On (SSO)
• vCenter Inventory Service
• VMware Log Browser
• vSphere AutoDeploy

Note: The vSphere Web Client and the Virtual Appliance Management Infrastructure (VAMI) use the same SSL certificate as vCenter Server. vSphere Auto Deploy does not register a solution user and does not require a unique certificate (the vCenter vServer certificate can be safely reused); however, the steps provided will install a unique certificate.

To simplify the process, this article provides the steps to create different openssl.cfg files for each component.

This article uses /ssl/service to store all the files on the vCenter Server Appliance before the certificates are installed. This article also uses C:\Certs to store all files on the system creating the certificate requests and certificate generation before uploading to the vCenter Server Appliance.

To generate the appropriate configuration files:

Note: If you are using vCenter Server Appliance 5.5 Update 3e, skip step 8.
 

1. On the system where you are generating the certificate requests, create a folder in which you can store the certificates for the different components. These steps use the C:\Certs folder.
2. In the C:\Certs folder, create three other folders to organize your certificate requests. These steps use these four folders:
    
   • vCenterSSO
   • InventoryService
   • LogBrowser
   • AutoDeploy
      
3. Open a text editor on the system where OpenSSL is installed.
4. Create an OpenSSL configuration file for each service.
   
   A sample configuration file appears similar to:
   
   [ req ]
default_md = sha512
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
input_password =testpassword
output_password = testpassword

[ v3_req ]
basicConstraints = CA:false
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vcva55, IP: 10.0.0.10, IP:ServerIPv6Address, DNS: vcva55.vmware.com

[ req_distinguished_name ]
countryName = US
stateOrProvinceName = NY
localityName = New York
0.organizationName = VMware
organizationalUnitName = vCenterApplianceUniqueServer
commonName = vcva55.vmware.com
   
   Paste this text in the file, replacing the information in red where appropriate.
   
   Note: The country name is always the two-digit country code for the country.
   
   Steps 6 to 9 discuss the changes that has to be made in each certificate file.
    
5. Save the file as openssl_generic.cfg in c:\certs\ .
   
   Note: If you are not using IPv6 in your environment, this can be omitted from the subjectAltName.
    
6. For the VirtualCenter Server Service configuration file, modify the organizationalUnitName to VMware vCenter Service Certificate and save the file as openssl_vpxd.cfgin c:\certs\vCenterSSO\.
   
   [ req ]
   default_md = sha512
   default_bits = 2048
   default_keyfile = rui.key
   distinguished_name = req_distinguished_name
   encrypt_key = no
   prompt = no
   string_mask = nombstr
   req_extensions = v3_req
   input_password = testpassword
   output_password = testpassword
   
   [ v3_req ]
   basicConstraints = CA:false
   keyUsage = digitalSignature, keyEncipherment, dataEncipherment
   extendedKeyUsage = serverAuth, clientAuth
   subjectAltName = DNS:server, IP:ServerIPv4Address, IP:ServerIPv6Address, DNS:server.domain.com
   
   [ req_distinguished_name ]
   countryName = Country
   stateOrProvinceName = State
   localityName = City
   0.organizationName = Organization Name
   organizationalUnitName = VMware vCenter Service Certificate
   commonName = server.domain.com
    
7. For the vCenter Inventory Service configuration file, modify the organizationalUnitName to VMware Inventory Service Certificate and save the file as openssl_inventoryservice.cfg in c:\certs\InventoryService\.
   
   [ req ]
   default_md = sha512
   default_bits = 2048
   default_keyfile = rui.key
   distinguished_name = req_distinguished_name
   encrypt_key = no
   prompt = no
   string_mask = nombstr
   req_extensions = v3_req
   input_password = testpassword
   output_password = testpassword
   
   [ v3_req ]
   basicConstraints = CA:false
   keyUsage = digitalSignature, keyEncipherment, dataEncipherment
   extendedKeyUsage = serverAuth, clientAuth
   subjectAltName = DNS:server, IP:ServerIPv4Address, IP:ServerIPv6Address, DNS:server.domain.com
   
   [ req_distinguished_name ]
   countryName = Country
   stateOrProvinceName = State
   localityName = City
   0.organizationName = Organization Name
   organizationalUnitName = VMware Inventory Service Certificate
   commonName = server.domain.com
    
8. To create the VMware Log Browser configuration file, modify the organizationalUnitName to VMware LogBrowser Service Certificate and save the file as openssl_logbrowser.cfg in c:\certs\LogBrowser\.
   
   [ req ]
   default_md = sha512
   default_bits = 2048
   default_keyfile = rui.key
   distinguished_name = req_distinguished_name
   encrypt_key = no
   prompt = no
   string_mask = nombstr
   req_extensions = v3_req
   input_password = testpassword
   output_password = testpassword
   
   [ v3_req ]
   basicConstraints = CA:false
   keyUsage = digitalSignature, keyEncipherment, dataEncipherment
   extendedKeyUsage = serverAuth, clientAuth
   subjectAltName = DNS:server, IP:ServerIPv4Address, IP:ServerIPv6Address, DNS:server.domain.com
   
   [ req_distinguished_name ]
   countryName = Country
   stateOrProvinceName = State
   localityName = City
   0.organizationName = Organization Name
   organizationalUnitName = VMware LogBrowser Service Certificate
   commonName = server.domain.com
    
9. To create the vSphere Auto Deploy configuration file, modify the organizationalUnitName to VMware vSphere Autodeploy Service Certificate and save the file as openssl_autodeploy.cfg in c:\certs\AutoDeploy\.
   
   [ req ]
   default_md = sha512
   default_bits = 2048
   default_keyfile = rui.key
   distinguished_name = req_distinguished_name
   encrypt_key = no
   prompt = no
   string_mask = nombstr
   req_extensions = v3_req
   input_password = testpassword
   output_password = testpassword
   
   [ v3_req ]
   basicConstraints = CA:false
   keyUsage = digitalSignature, keyEncipherment, dataEncipherment
   extendedKeyUsage = serverAuth, clientAuth
   subjectAltName = DNS:server, IP:ServerIPv4Address, IP:ServerIPv6Address, DNS:server.domain.com
   
   [ req_distinguished_name ]
   countryName = Country
   stateOrProvinceName = State
   localityName = City
   0.organizationName = Organization Name
   organizationalUnitName = VMware vSphere Autodeploy Service Certificate
   commonName = server.domain.com
    

When complete, there are three different configuration files each with a different organizationalUnit Name. Next, generate the certificate request and corresponding key for each of the certificates.

To generate a certificate request:

Note: If you are using vCenter Server Appliance 5.5 Update 3e, skip step 5.
 

1. Click Start > Run, type cmd, and click OK. The Command Prompt window opens.
2. Navigate to the OpenSSL directory as previously configured in the Configuring OpenSSL article.
   
   By default, the OpenSSL directory is located at:
   
   c:\OpenSSL-Win32\bin
   
    
3. Run this command to create the vCenter Server and vCenter Single Sign-On certificate request and export the private key:
   
   openssl req -new -nodes -out c:\certs\vCenterSSO\rui_vpxd.csr -keyout c:\certs\vCenterSSO\rui_vpxd.key -config c:\certs\vCenterSSO\openssl_vpxd.cfg
   
    
4. Run this command to create the vCenter Inventory Service certificate request and export the private key:
   
   openssl req -new -nodes -out c:\certs\InventoryService\rui_inventoryservice.csr -keyout c:\certs\InventoryService\rui_inventoryservice.key -config c:\certs\InventoryService\openssl_inventoryservice.cfg
   
    
5. Run this command to create the vSphere Log Browser certificate request and export the private key:
   
   openssl req -new -nodes -out c:\certs\LogBrowser\rui_logbrowser.csr -keyout c:\certs\LogBrowser\rui_logbrowser.key -config c:\certs\LogBrowser\openssl_logbrowser.cfg
   
    
6. Run this command to create the vSphere AutoDeploy certificate request and export the private key:
   
   openssl req -new -sha256 -nodes -out c:\certs\AutoDeploy\rui_autodeploy.csr -keyout c:\certs\AutoDeploy\rui_autodeploy.key -config c:\certs\AutoDeploy\openssl_autodeploy.cfg

After running these commands, you now have the rui_service.csr and rui_service.key files located in each respective directory.

When the certificate requests are created, proceed to the Getting the certificates section.
 

Getting the certificates

After the certificate requests are generated, they must be given to the certificate authority for generation of the actual certificate. The authority responds with a signed certificate and, if appropriate, a copy of their root certificate. For the certificate chain to be trusted, the root certificate must be installed on the server which is requesting the certificate.

Follow the appropriate section for the certificate authority used.

If you are using commercial non-Microsoft CAs:

1. Take each certificate signing request (rui.csr, as generated above) and send them to the commercial certificate signing authority.
2. The CA sends back the generated certificates and the certificate chain file (normally a .PEM file) to ensure that the certificates are trusted.
3. Proceed to the Installation and configuration of the certificates section of this article to complete the configuration of the custom certificates.

If you are using a Microsoft CA:

Note: Before proceeding, ensure that the three key usages are present on the .crt file by viewing its properties. This can be found by opening the rui.crt, clicking the Details tab, and locating the Key Usage row under Field. The default install of Windows Server 2008 with the CA role will not create *.crt files. You must first modify the digitalSignature,  keyEncipherment, and dataEncipherment fields on the CA server's Web Server template before continuing.

For more information, see Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 5.x (2062108).

1. Log in to the Microsoft CA certificate authority web interface. By default, it is:
   
   http://servername/CertSrv/
    
2. Click the Request a certificate link.
3. Click advanced certificate request.
4. Click the Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file link.
5. Open the certificate request (rui_service.csr, generated for each component) in a plain text editor and paste this text into the Saved Request box:
   
   -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST-----
    
6. Select the Certificate Template as Web Server.
   
   Note: VMware recommends that you create a copy of the Web Server Certificate and add the Subject Alternative Name field to it. This allows you to specify more than a single name to be valid on the certificate, such as vcenter.domain.com and vcenter. Users can connect to more than one name and communication will still be valid.
   
   For more information on creating a Certificate Template, see Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 5.x (2062108).
    
7. Click Submit to submit the request.
8. Click Base 64 encoded on the Certificate issued screen.
9. Click the Download Certificate link.
10. Save the certificate as rui_service.crt, in the appropriate c:\certs\service\ folder.
    
    For example:
    
    rui_vpxd.crt
    
    Note:
    • By default, Microsoft CA certificates are generated with the .cer format. Either use Save As or change it to .crt before continuing with this procedure.
11. Repeat Steps 2 to 10 for each of the additional service.
12. Navigate back to the home page of the certificate server and click Download a CA certificate, certificate chain or CRL.
13. Click the Base 64 option.
14. Click the Download CA Certificate chain link.
15. Save the certificate chain as cachain.p7b in the c:\certs\ directory.

When complete, you have four certificates (rui_service.crt) for each of the services and either the cachain.pem (for non-Microsoft CA providers) or the cachain.p7b (if the certificates are generated using a Microsoft CA) file generated in their respective c:\certs\services folders. Proceed to the Installation and configuration of the certificates section to complete the configuration of the custom certificates.
 

Installation and configuration of the certificates for all the components

After the certificates are created, you must validate that the certificates are in the proper format. Edit the certificate with a tool such as Notepad or vi and validate that the file begins with -----BEGIN CERTIFICATE-----. Remove all text before the -----BEGIN CERTIFICATE----- in the rui.crt files.

To complete the installation and configuration of the certificates in the vCenter Server Appliance:

Note: Before proceeding, ensure that you back up the existing rui.crt, rui.key, and rui.pfx files. If you plan to skip the replacement of certificates for any of the components, such as vSphere Auto Deploy, you must restart the vCenter Server Appliance after the last certificate is replaced/services restarted.
 

1. Connect to the vCenter Server Appliance through SSH.
2. Stop the VMware VirtualCenter Server service and the vCenter Single Sign-On service using these commands:
   
   service vmware-stsd stop
service vmware-vpxd stop
   
    
3. Create a directory using the mkdir command to store the files. This article uses directories named /ssl/service on the vCenter Server Appliance for the file operations. Ensure to create the appropriate directories as you proceed through the article. Use these models as examples:
   
   mkdir ssl
mkdir ssl/vpxd
mkdir ssl/inventoryservice
mkdir ssl/logbrowser
mkdir ssl/autodeploy
   
    
4. Using WinSCP from the system you created all of the SSL certificates on, copy rui_vpxd.crt, rui_vpxd.key, and cachain.p7b file from c:\certs\vCenterSSO to the /ssl/vpxd directory on the vCenter Server Appliance.
   
   Note: In this step, ignore the cachain.p7b file if the certificate is obtained using a non-Microsoft CA.
   
    
5. Rename rui_vpxd.crttorui.crt by running the command:
   
   cp ssl/vpxd/rui_vpxd.crt ssl/vpxd/rui.crt
   
    
6. Rename rui_vpxd.key to rui.key by running the command:
   
   cp ssl/vpxd/rui_vpxd.key ssl/vpxd/rui.key
   
    
7. From the vCenter Server Appliance, run these commands to convert the cachain.p7b file to chain.pem:
   
   cd ssl/vpxd/
   
   openssl pkcs7 -print_certs -in cachain.p7b -out cachain.pem
   
   Note: This step can be ignored if the certificate is obtained using a non-Microsoft CA.
   
    
8. Open the cachain.pem file with VI editor. For more information, see Editing files on an ESX host using vi or nano (1020302). 
9. Using VI editor, remove any text before the first -----BEGIN CERTIFICATE----- and after -----END CERTIFICATE-----. 
   
   Note: This assumes there are no intermediate certificates in the Certificate Authority. If you are using two or more levels in the Certificate Authorities, remove any text in between the -----END CERTIFICATE----- of the intermediate thumbprint and -----BEGIN CERTIFICATE----- of the Root CA thumbprint. Before editing, review the chain.pem file to ensure all intermediates and the Root CA server thumbprints are present. If the file does not contain the authority certificate, obtain it from the Certification Authority and append it manually.
   
   This should result in a concatenated file similar to the model shown:
   
   -----BEGIN CERTIFICATE-----
   Thumbprint Intermediate(n) CA Server
   -----END CERTIFICATE-----
   -----BEGIN CERTIFICATE-----
   Thumbprint Intermediate(2) CA Server
   -----END CERTIFICATE-----
   -----BEGIN CERTIFICATE-----
   Thumbprint Intermediate(1) CA Server
   -----END CERTIFICATE-----
   -----BEGIN CERTIFICATE-----
   Thumbprint Root CA Server
   -----END CERTIFICATE-----
    
10. Create the chain.pem file for vCenter Server service by running the commands:
    
    cat rui.crt cachain.pem > chain.pem
     
11. Replace the SSL certs by running the command:
    
    /usr/sbin/vpxd_servicecfg certificate change chain.pem rui.key
    
    Wait until you receive this response:
    
    VC_CFG_RESULT = 0
    
    Note: The command prints the outcome code using this syntax:
    
    VC_CFG_RESULT=CODE
    
    Status code 0 means success. For more information on all possible error conditions, see Decoding non-zero VC_CFG_RESULT for failed vpxd_servicecfg certificate changes (2057248).
     
12. Navigate to /opt/vmware/etc/lighttpd/ with:
    
    cd /opt/vmware/etc/lighttpd/
     
13. Backup the folder contents with:
    
    mkdir BAK 
    cp * BAK/
     
14. Copy the certificate chain to the file ca.crt with:
    
    cp ssl/vpxd/cachain.pem /opt/vmware/etc/lighttpd/ca.crt
    
    Note: When VAMI certificate is signed by CA and intermediate CA, those CA's certificates should be added to lighttpd's trust store.
     
15. Open the /opt/vmware/etc/lighttpd/lighttpd.conf file using a text editor.
    
    vi /opt/vmware/etc/lighttpd/lighttpd.conf
     
16. Add the line ssl.ca-file = "/opt/vmware/etc/lighttpd/ca.crt" to the lighttp.conf file:
    
    For example:
    ssl.engine = "enable"
    ssl.pemfile = "/opt/vmware/etc/lighttpd/server.pem"
    ssl.ca-file = "/opt/vmware/etc/lighttpd/ca.crt"
    ssl.cipher-list = "TLSv1+HIGH: !SSLv2: !aNULL: !eNULL: !3DES: @STRENGTH”
     
17. Save the changes and exit.
     
18. Ensure the vCenter Single Sign-On service is started before continuing by running the command:
    
    service vmware-stsd start
     
19. Unregister the vCenter Inventory Service from vCenter Single Sign-On by running the commands:
    
    cd /etc/vmware-sso/register-hooks.d

./02-inventoryservice --mode uninstall --ls-server https://server.domain.com:7444/lookupservice/sdk
     
20. Using WinSCP from the system, you created all of the SSL certificates on, copy rui_inventoryservice.crt and  rui_inventoryservice.key from c:\certs\InventoryService to the /ssl/inventoryservice directory on the vCenter Server Appliance.
21. Copy the edited cachain.pem file from Step 9 to the /ssl/inventoryservice directory using the command:
    
    cd
    
    cp ssl/vpxd/cachain.pem ssl/inventoryservice/
     
22. Rename rui_inventoryservice.crt to rui.crt by running the command:
    
    cp ssl/inventoryservice/rui_inventoryservice.crt ssl/inventoryservice/rui.crt
     
23. Rename rui_inventoryservice.key to rui.key by running the command:
    
    cp ssl/inventoryservice/rui_inventoryservice.key ssl/inventoryservice/rui.key
     
24. Create the chain.pem file for vCenter Inventory Service by running the commands:
    
    cd ssl/inventoryservice
    
    cat rui.crt cachain.pem > chain.pem
     
25. Create the *.pfx file by running the command:
    
    openssl pkcs12 -export -out rui.pfx -in chain.pem -inkey rui.key -name rui -passout pass:testpassword
     
26. Copy the rui.key, rui.crt, and rui.pfx files to the /usr/lib/vmware-vpx/inventoryservice/ssl directory:
    
    cp rui.key /usr/lib/vmware-vpx/inventoryservice/ssl
    cp rui.crt /usr/lib/vmware-vpx/inventoryservice/ssl
    cp rui.pfx /usr/lib/vmware-vpx/inventoryservice/ssl
     
27. Change the permissions on these files by running these commands:
    
    cd /usr/lib/vmware-vpx/inventoryservice/ssl/
chmod 400 rui.key rui.pfx
chmod 644 rui.crt
     
28. Run these commands to register the vCenter Inventory Service back to vCenter Single Sign-On:
    
    cd /etc/vmware-sso/register-hooks.d

./02-inventoryservice --mode install --ls-server https://server.domain.com:7444/lookupservice/sdk --user sso_administrator --passwordsso_administrator_password
    
    Note: If $ character is present in the password, add an \ character in front of it:
    
    For example, when you use Pa$sw0rd as password: 
    
    ./02-inventoryservice --mode install --ls-server https://server.domain.com:7444/lookupservice/sdk --user [email protected] --password Pa\$sw0rd
    
    
    Note: As there is a plain-text password on the preceding command, to avoid the history file showing the contents of the password because it is in plain text in the command above, run the unset HISTFILE command prior to executing step 22.
    
    Note: The default SSO administrator username for vCenter Single Sign-On 5.5 is [email protected]. 
    
    After a successful registration, you see output similar to:
    
    
     
29. To re-register the vCenter Inventory Service to vCenter Server the next time the service starts, run this command:
    
    rm /var/vmware/vpxd/inventoryservice_registered
     
30. Run these commands to restart and register the service:
    
    service vmware-inventoryservice stop
service vmware-vpxd stop
service vmware-inventoryservice start
service vmware-vpxd start
    
    Note: If you are using vCenter Server Appliance 5.5 Update 3e, skip to step 42 (after completing step 30).
     
31. Unregister the VMware Log Browser service from vCenter Single Sign-On by running the commands:
    
    cd /etc/vmware-sso/register-hooks.d

./09-vmware-logbrowser --mode uninstall --ls-server https://server.domain.com:7444/lookupservice/sdk
     
32. Using WinSCP from the system you created all of the SSL certificates on, copy the rui_logbrowser.crt, rui_logbrowser.key from c:\certs\LogBrowser to the /ssl/logbrowser directory on the vCenter Server Appliance.
33. Copy the edited cachain.pem file from Step 9 to the /ssl/logbrowser directory using these commands:
    
    cd
    
    cp ssl/vpxd/cachain.pem ssl/logbrowser
     
34. Rename rui_logbrowser.crt to rui.crt by running the command:
    
    cp ssl/logbrowser/rui_logbrowser.crt ssl/logbrowser/rui.crt
     
35. Rename rui_logbrowser.key to rui.key by running the command:
    
    cp ssl/logbrowser/rui_logbrowser.key ssl/logbrowser/rui.key
     
36. Create the chain.pem file for VMware Log Browser Service by running the commands:
    
    cd ssl/logbrowser
    
    cat rui.crt cachain.pem > chain.pem
     
37. Create the *.pfx file by running this command:
    
    openssl pkcs12 -export -in chain.pem -inkey rui.key -name rui -passout pass:testpassword -out rui.pfx
     
38. Copy rui.key, rui.crt, and rui.pfx files to the /usr/lib/vmware-logbrowser/conf directory:
    
    cp rui.key /usr/lib/vmware-logbrowser/conf
    cp rui.crt /usr/lib/vmware-logbrowser/conf
    cp rui.pfx /usr/lib/vmware-logbrowser/conf
     
39. Change the permissions on the files by running these commands:
    
    cd /usr/lib/vmware-logbrowser/conf
chmod 400 rui.key rui.pfx
chmod 644 rui.crt
     
40. Run these commands to re-register the VMware Log Browser service to vCenter Single Sign-On:
    
    cd /etc/vmware-sso/register-hooks.d

./09-vmware-logbrowser --mode install --ls-server https://server.domain.com:7444/lookupservice/sdk --user sso_administrator --passwordsso_administrator_password
    
    Note: The default SSO administrator username for vCenter Single Sign-On 5.5 is [email protected]. 
    
    On a successful registration, you see output similar to:
    
    
     
41. When complete, restart the Log Browser service by running the commands:
    
    service vmware-logbrowser stop
service vmware-logbrowser start
    
    Note: If you plan to skip the replacement of certificates for any of the components, such as vSphere Auto Deploy, you must restart the vCenter Server Appliance after the last certificate is replaced/services restarted. Proceed to step 40.
     
42. Using WinSCP from the system you created all of the SSL certificates on, copy the rui_autodeploy.crt and rui_autodeploy.key from c:\certs\AutoDeploy to the /ssl/autodeploy directory on the vCenter Server Appliance.
43. Copy the rui_autodeploy.crt and rui_autodeploy.key to the /etc/vmware-rbd/ssl/ directory: 

cp ssl/autodeploy/rui_autodeploy.crt /etc/vmware-rbd/ssl/waiter.crt
cp ssl/autodeploy/rui_autodeploy.key /etc/vmware-rbd/ssl/waiter.key
     
44. Change the permissions and ownership on the waiter files by running these commands:
    
    cd /etc/vmware-rbd/ssl/
chmod 644 waiter.crt
chmod 400 waiter.key
chown deploy:deploy waiter.crt waiter.key
     
45. Re-register the service to the vCenter Server with the commands:
    
    service vmware-rbd-watchdog stop
rm /var/vmware/vpxd/autodeploy_registered
service vmware-vpxd restart
    
    Note: autodeploy_registered may not exist.
     
46. Restart the vCenter Server Appliance. For more information, see Stopping, starting, or restarting vCenter Server Appliance services (2054085).