Configuring CA signed SSL certificates for the Inventory service in vCenter Server 5.5 (2061953)

Purpose

Note: This article is specifically for vSphere 5.5. If you are using vSphere 5.1, see Configuring CA signed SSL certificates for the Inventory service in vCenter Server 5.1 (2035009). If you are using vSphere 5.0, see Implementing CA signed SSL Certificates with vSphere 5.0 (2015383).
This article provides information on manually configuring Certificate Authority (CA) signed SSL certificates in a 5.5 environment. VMware has released a tool to automate much of the process described below. See Deploying and using the SSL Certificate Automation Tool 5.5 (2057340) before following the steps in this article.

If you are unable to use the tool, this article helps you eliminate common causes of problems during certificate implementation, including configuration steps and details, and helps you avoid common misconfigurations when implementing custom certificates in your environment.

Resolution

Note: This article is part of a resolution path. See Implementing CA signed SSL certificates with vSphere 5.x (2034833) before following the steps in this article.
 
Creating CA assigned certificates for vSphere is a complex task. In many organizations, it is required to maintain proper security for regulatory requirements. Several different workflows are required for successful implementation:
  • Creating the certificate request
  • Getting the certificate
  • Installation and configuration of the certificate in the Inventory Service
These steps must be followed to ensure successful implementation of a custom certificate for vCenter Server. Before attempting these steps ensure that:

Installation and configuration of the certificate for the Inventory Service

When the vCenter Single Sign-On (SSO) certificates have been replaced, you can replace the Inventory Service certificates.
 
To complete the installation and configuration of the certificate for the Inventory Service:
  1. Log in to the Inventory Service server as an administrator.
  2. If you have not already imported it, double-click the c:\certs\Root64.cer file and import the certificate into the Trusted Root Certificate Authorities > Local Computer Windows certificate store. This ensures that the certificate server is trusted.
  3. Open a command prompt to the Inventory Service\scripts directory. The default directory is C:\Program Files\VMware\Infrastructure\Inventory Service\scripts.
  4. Unregister the Inventory Service from vCenter Single Sign-On by running the command:

    unregister-sso.bat Lookup_Service_URL SSO_administrator_user SSO_administrator_password

    Where Lookup_Service_URL is https://ssoserver.domain.com:7444/lookupservice/sdk. Change the port if needed.

    If the command is successful, you see output similar to:



  5. Run this command from the command-line to stop the VMware vCenter Inventory Service:

    net stop "vimqueryservice"

  6. Navigate to the Inventory Service certificate directory and back up the certificates. By default, this is C:\ProgramData\VMware\Infrastructure\Inventory Service\ssl\.
  7. Copy the new certificate files, rui.crt, rui.key, and rui.pfx, to this directory. If you are following this resolution path, the new certificates are in c:\certs\InventoryService\.
  8. Run this command from the command-line to start the VMware vCenter Inventory Service:

    net start "vimqueryservice"

  9. Register the vCenter Inventory Service to vCenter Single Sign-On by running the command:

    register-sso.bat Lookup_Service_URL SSO_administrator_user SSO_administrator_password

    Where Lookup_Service_URL is https://ssoserver.domain.com:7444/lookupservice/sdk. Change the port if needed.

    If the command is successful, you see output similar to:



  10. Verify that the VMware vCenter Inventory Service is still running. If it is not running, start it.

  11. Browse to https://InventoryService.domain.com:10443/. You may receive a 400 Bad request page, but you can check that the certificate is being properly used.
The configuration of the custom certificates for the Inventory Service is now complete. Next, continue to install the custom certificates for the vCenter Server Service. For more information, see Configuring CA signed certificates for vCenter Server 5.5 (2061973).
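
Added example (not part of the VMware article): a PowerShell check for step 11 that compares the certificate served on port 10443 with the new rui.crt and records whether Windows trusts its chain, which also confirms the Root64.cer import from step 2. The host name and file path are the article's example values, the variable names are illustrative, and the script assumes it runs on the Inventory Service server where c:\certs\InventoryService\rui.crt exists.

```powershell
# Added example: confirm the Inventory Service presents the new CA-signed certificate.
# Host name and path are the article's example values; variable names are illustrative.
$hostName     = 'InventoryService.domain.com'
$port         = 10443
$expectedPath = 'C:\certs\InventoryService\rui.crt'

$x509Type = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
$expected = New-Object $x509Type -ArgumentList $expectedPath

# The callback records Windows' own verdict (chain trust and name match) and then
# lets the handshake finish, so the served certificate can be inspected either way.
# No application data is sent over this connection.
$state    = @{ Errors = $null }
$callback = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($source, $cert, $chain, $policyErrors)
    $state.Errors = $policyErrors
    $true
}

$tcp = New-Object System.Net.Sockets.TcpClient($hostName, $port)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($hostName)
    # Copy the certificate before the stream is disposed.
    $served = New-Object $x509Type -ArgumentList $ssl.RemoteCertificate
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Close()
}

# ThumbprintMatch = True  -> the service is using the file copied in step 7.
# PolicyErrors    = None  -> the name matches and the chain ends in a trusted root.
New-Object PSObject -Property @{
    ServedSubject      = $served.Subject
    ServedIssuer       = $served.Issuer
    ServedNotAfter     = $served.NotAfter
    ServedThumbprint   = $served.Thumbprint
    ExpectedThumbprint = $expected.Thumbprint
    ThumbprintMatch    = ($served.Thumbprint -eq $expected.Thumbprint)
    PolicyErrors       = $state.Errors
} | Format-List
```

A ThumbprintMatch of False after the restart means the service is still presenting the old certificate; a PolicyErrors value of RemoteCertificateChainErrors points back to the root import in step 2.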

Update History

06/27/2014 - Added Step 5 and 8 under resolution.
