Search the VMware Knowledge Base (KB)
View by Article ID
Configuring CA signed SSL certificates for the Inventory service in vCenter Server 5.1 (2035009)
Note: This article is specifically for vSphere 5.1. If you are using vSphere 5.5, see Configuring CA signed SSL certificates for the Inventory service in vCenter Server 5.5 (2061953). If you are using vSphere 5.0, see Implementing CA signed SSL Certificates with vSphere 5.0 (2015383).
This article guides you through the configuration of Certificate Authority (CA) certificates for the vSphere 5.1. VMware has released a tool to automate much of the described process below. See Deploying and using the SSL Certificate Automation tool (2041600) before following the steps in the article.
If you cannot use the VMware SSL Automation Tool, proceed with this article for configuration steps and details for implementing custom certificates in your environment. The article also helps avoid common misconfigurations
Note: This article is part of a resolution path. See Implementing CA signed SSL certificates with vSphere 5.x (2034833) before following the steps in this article.
Creating CA assigned certificates for vSphere is a complex task. In many organizations it is required to maintain proper security for regulatory requirements. There are several different work flows required for successful implementation:
- Creating the certificate request
- Getting the certificate
- Installation and configuration of the certificate in the Inventory Service
These steps must be followed to ensure successful implementation of a custom certificate for vCenter Server. Before attempting these steps ensure that:
- You have a vSphere 5.1 environment
- All certificates and corresponding files are already generated, as per Creating certificate requests and certificates for vCenter Server 5.1 components (2037432).
Installation and configuration of the certificate for the Inventory Service
When the vCenter Single Sign-On (SSO) certificates have been replaced, you can replace the Inventory Service certificates.
To complete the installation and configuration of the certificate for the Inventory Service:
- Log in to the Inventory Service server as an administrator.
- If you have not already imported it, double-click on the c:\certs\Root64.cer file and import the certificate into the Trusted Root Certificate Authorities > Local Computer Windows certificate store. This ensures that the certificate server is trusted.
- Open a command prompt to the Inventory Service\scripts directory. The default directory is C:\Program Files\VMware\Infrastructure\Inventory Service\scripts.
- Unregister the Inventory Service from vCenter Single Sign-On by running the command:
unregister-sso.bat Lookup_Service_URL SSO_administrator_user SSO_administrator_password
Note: Where Lookup_Service_URL is https://ssoserver.domain.com:7444/lookupservice/sdk. Change the port if needed.
If the command is successful, the output appears similar to:
- Stop the VMware vCenter Inventory Service.
- Navigate to the Inventory Service certificate directory and backup the certificates. By default, this is C:\ProgramData\VMware\Infrastructure\Inventory Service\ssl\.
- Copy the new certificate files, rui.crt, rui.key, and rui.pfx to this directory. If you are following this resolution path, the new certificates are in c:\certs\InventoryService\.
- Start the vCenter Inventory Service.
- If running the vCenter Inventory Service, which is included with vCenter Server 5.x release build, you must modify the register-sso.bat file to ensure that the registration has proper permissions. Open the register-sso.bat file in a text editor and verify/change this command from:
set COMMAND="%PATH_ROOT%/sso/regTool.cmd" registerSolution --ls-url %1 --username "%2" --password "%3" --install-props "%PATH_ROOT%/conf/sso.ini"
set COMMAND="%PATH_ROOT%/sso/regTool.cmd" registerSolution --ls-url %1 --username "%2" --password "%3" --install-props "%PATH_ROOT%/conf/sso.ini" --role read
- Register the vSphere Inventory Service to vCenter Single Sign-On by running the command:
register-sso.bat Lookup_Service_URL SSO_administrator_user SSO_administrator_password
Where the Lookup_Service_URL is https://ssoserver.domain.com:7444/lookupservice/sdk. Change the port if needed.
If the command is successful, you see output similar to:
- Verify that the VMware vCenter Inventory service is still running. If it is not running, start it.
- Browse to https://InventoryService.domain.com:10443/. You may receive a 400 Bad request page, but you can check that the certificate is being properly used.
The configuration of the custom certificates for the Inventory Service is now complete. Next, continue to install the custom certificates for the vCenter Server Service. For more information see, Implementing CA signed SSL certificates with vSphere 5.x (2034833).
Request a Product Feature
To request a new product feature or to provide feedback on a VMware product, please visit the Request a Product Feature page.