Creating CA-assigned certificates for vCenter Server is a complex task, but many organizations require it to maintain proper security and to meet regulatory requirements. A successful implementation involves several distinct workflows:
- Creating the certificate request
- Getting the certificate
- Installation and configuration of the certificate in vCenter Server
These steps must be performed to ensure successful implementation of a custom certificate for vCenter Server. Before attempting these steps ensure that:
Installation and configuration of the certificate in vCenter Server
After the certificate has been created, perform these steps to complete the installation and configuration of the certificate in vCenter Server:
- Log in to vCenter Server as an administrator.
- If you have not already imported it, double-click the c:\certs\Root64.cer file and import the certificate into the Trusted Root Certificate Authorities > Local Computer Windows certificate store. This ensures that the certificate server is trusted.
- Back up the certificates for VMware vCenter Server, located in:
C:\ProgramData\VMware\VMware VirtualCenter\SSL
- Copy the new certificate files into the C:\ProgramData\VMware\VMware VirtualCenter\SSL folder. If you are using this resolution path, the proper certificate is in c:\certs\vCenter.
Note: Do not stop or restart vCenter Server or its services until the steps below instruct you to do so. Otherwise, vCenter Server may fail to start because of a certificate trust mismatch.
- Open rui.crt using a text editor and validate that the first line of the file begins with -----BEGIN CERTIFICATE-----. If there is any text prior to this, remove it. The code that validates the certificate may fail in Step 5 if there is additional text.
- Navigate to https://vcenterserverFQDN/mob/?moid=vpxd-securitymanager&vmodl=1 on vCenter Server and load the certificates for the configuration by using the Managed Object Browser.
Note: If you are accessing the Managed Object Browser directly from vCenter Server, use https://localhost/mob/?moid=vpxd-securitymanager&vmodl=1.
- Click continue if you are prompted with a certificate warning.
- Enter a vCenter Server administrator username and password when prompted.
- Click reloadSslCertificate.
- Click Invoke Method. If successful, the window shows this message: Method Invocation Result: void.
- Close both windows.
- Open a command prompt on vCenter Server and change to the isregtool directory. By default, this is C:\Program Files\VMware\Infrastructure\VirtualCenter Server\isregtool.
- Run this command to register the vCenter Server to the inventory service:
register-is.bat vCenter_Server_URL Inventory_Service_URL SSO_Lookup_Service_URL
where the URLs typically take this form (adjust them if your ports differ):
vCenter_Server_URL is https://server.domain.com/sdk
Inventory_Service_URL is https://server.domain.com:10443/
SSO_Lookup_Service_URL is https://server.domain.com:7444/lookupservice/sdk
If the command is successful, you see a message similar to:
Note: If the return code is not 0 0, an error has likely occurred in the command. Review the text to see the error. The most common error is a mistyped URL in one of the three services.
- Change to the vCenter Server directory. By default, this is C:\Program Files\VMware\Infrastructure\VirtualCenter Server\.
- Run the command:
vpxd -p
- Type the password for the vCenter Server database user to encrypt the password with the new certificate.
- Restart the VMware VirtualCenter Server service from the service control manager (services.msc).
- Restart the VMware vSphere Profile Driven Storage Service.
- After the initial restart of the services, wait for 5 minutes. If the VMware vSphere Profile Driven Storage service stops during this time, restart it.
- Navigate to https://vcenterserver.domain.com/ and validate the certificate.
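As an added example that is not part of this KB article, the following PowerShell script performs the backup, rui.crt header check and copy steps above in one pass, and additionally verifies that the new certificate chains to the root you imported from Root64.cer. The SSL path is the KB default; C:\certs\vCenter and the backup folder name are assumptions.

```powershell
# Added example, not from the VMware KB: back up the vCenter SSL folder,
# sanity-check the new rui.crt, then copy the new files into place.
# $SslDir is the KB default; $NewCertDir is the c:\certs\vCenter folder the KB mentions.
$SslDir     = 'C:\ProgramData\VMware\VMware VirtualCenter\SSL'
$NewCertDir = 'C:\certs\vCenter'
$BackupDir  = "$SslDir.backup-$(Get-Date -Format 'yyyyMMdd-HHmmss')"

# 1. Back up the existing certificates before anything is overwritten.
Copy-Item -Path $SslDir -Destination $BackupDir -Recurse
Write-Host "Backed up $SslDir to $BackupDir"

# 2. rui.crt must start with the PEM header. Some CAs prepend a readable dump of
#    the certificate, and the KB warns that such extra text makes validation fail.
$CrtPath = Join-Path $NewCertDir 'rui.crt'
$Lines   = @(Get-Content -Path $CrtPath)
$Begin   = -1
for ($i = 0; $i -lt $Lines.Count; $i++) {
    if ($Lines[$i].Trim() -eq '-----BEGIN CERTIFICATE-----') { $Begin = $i; break }
}
if ($Begin -lt 0) { throw "No PEM certificate block found in $CrtPath" }
if ($Begin -gt 0) {
    Write-Warning "Removing $Begin line(s) of text before the PEM header in rui.crt"
    $Lines[$Begin..($Lines.Count - 1)] | Set-Content -Path $CrtPath -Encoding Ascii
}

# 3. Parse the certificate and confirm it chains to a trusted root. This only
#    passes if Root64.cer was imported into Trusted Root CAs > Local Computer.
$Cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CrtPath
$Chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$Chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $Chain.Build($Cert)) {
    foreach ($s in $Chain.ChainStatus) { Write-Warning "Chain problem: $($s.StatusInformation.Trim())" }
    throw "rui.crt does not chain to a trusted root; import Root64.cer first"
}
Write-Host "Subject : $($Cert.Subject)"
Write-Host "Issuer  : $($Cert.Issuer)"
Write-Host "Expires : $($Cert.NotAfter)"
if ($Cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning 'Certificate expires within 30 days' }

# 4. Copy the new files into the SSL folder. Do not restart any vCenter service
#    yet; the Managed Object Browser, register-is.bat and vpxd -p steps come first.
Copy-Item -Path (Join-Path $NewCertDir '*') -Destination $SslDir -Force
Write-Host "Copied new certificate files from $NewCertDir to $SslDir"
```

Run it from an elevated PowerShell prompt on the vCenter Server itself; if the chain check fails, fix the trust store before continuing with the Managed Object Browser step.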