Configuring CA signed SSL certificates for the Inventory service in vCenter Server 5.5


Article ID: 305858


Products

VMware vCenter Server

Issue/Introduction

Note: This article is specifically for vSphere 5.5. If you are using vSphere 5.1, see Configuring CA signed SSL certificates for the Inventory service in vCenter Server 5.1 (2035009). If you are using vSphere 5.0, see Implementing CA signed SSL Certificates with vSphere 5.0 (2015383).
This article provides information on manually configuring Certificate Authority (CA) signed SSL certificates in a 5.5 environment. VMware has released a tool to automate much of the process described below. See Deploying and using the SSL Certificate Automation Tool 5.5 (2057340) before following the steps in this article.
If you are unable to use the tool, this article helps you eliminate common causes of problems during certificate implementation, including configuration steps and details, and helps you avoid common misconfigurations when implementing custom certificates in your environment.


Environment

VMware vCenter Server 5.5.x

Resolution

Note: This article is part of a resolution path. See Implementing CA signed SSL certificates with vSphere 5.x (2034833) before following the steps in this article.
Creating CA assigned certificates for vSphere is a complex task. In many organizations it is required to maintain proper security for regulatory requirements. Successful implementation requires several different workflows:
  • Creating the certificate request
  • Getting the certificate
  • Installation and configuration of the certificate in the Inventory Service
These steps must be followed to ensure successful implementation of a custom certificate for vCenter Server. Before attempting these steps ensure that:

Installation and configuration of the certificate for the Inventory Service

When the vCenter Single Sign-On (SSO) certificates have been replaced, you can replace the Inventory Service certificates.
To complete the installation and configuration of the certificate for the Inventory Service:
  1. Log in to the Inventory Service server as an administrator.
  2. If you have not already imported it, double-click the c:\certs\Root64.cer file and import the certificate into the Trusted Root Certificate Authorities > Local Computer Windows certificate store. This ensures that the certificate server is trusted.
  3. Open a command prompt in the Inventory Service\scripts directory. The default directory is C:\Program Files\VMware\Infrastructure\Inventory Service\scripts.
  4. Unregister the Inventory Service from vCenter Single Sign-On by running the command:

    unregister-sso.bat Lookup_Service_URL SSO_administrator_user SSO_administrator_password

    Where Lookup_Service_URL is https://ssoserver.domain.com:7444/lookupservice/sdk. Change the port if needed.

    If the command is successful, you see output similar to:



  5. Run this command from the command-line to stop the VMware vCenter Inventory Service:

    net stop "vimqueryservice"

  6. Navigate to the Inventory Service certificate directory and back up the certificates. By default, this is C:\ProgramData\VMware\Infrastructure\Inventory Service\ssl\.
  7. Copy the new certificate files, rui.crt, rui.key, and rui.pfx to this directory. If you are following this resolution path, the new certificates are in c:\certs\InventoryService\.
  8. Run this command from the command-line to start the VMware vCenter Inventory Service:

    net start "vimqueryservice"

  9. Register the vCenter Inventory Service to vCenter Single Sign-On by running the command:

    register-sso.bat Lookup_Service_URL SSO_administrator_user SSO_administrator_password

    Where the Lookup Service URL is https://ssoserver.domain.com:7444/lookupservice/sdk. Change the port if needed.

    If the command is successful, you see output similar to:



  10. Verify that the VMware vCenter Inventory service is still running. If it is not running, start it.

  11. Browse to https://InventoryService.domain.com:10443/. You may receive a 400 Bad request page, but you can check that the certificate is being properly used.
The configuration of the custom certificates for the Inventory Service is now complete. Next, continue to install the custom certificates for the vCenter Server Service. For more information, see Configuring CA signed certificates for vCenter Server 5.5 (2061973).
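
The browser check in step 11 can also be scripted. The following PowerShell is an added example, not part of the original VMware article: it connects to the Inventory Service port, reads the certificate the service actually presents, compares its thumbprint with the rui.crt copied in step 7, and builds the chain against the Windows certificate stores. The host name, port and path are the article's placeholder and default values and are assumptions about your environment.

```powershell
# Added example. Host name, port and path are the article's placeholder/defaults.
param(
    [string]$HostName = 'InventoryService.domain.com',
    [int]$Port = 10443,
    [string]$CertPath = 'C:\ProgramData\VMware\Infrastructure\Inventory Service\ssl\rui.crt'
)

function Get-ServedCertificate {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $stream = $client.GetStream()
        # Accept whatever is presented so it can be inspected; trust is
        # evaluated separately with X509Chain below.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($stream, $false, $acceptAll)
        try {
            $ssl.AuthenticateAsClient($HostName)
            New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        } finally { $ssl.Close() }
    } finally { $client.Close() }
}

$served    = Get-ServedCertificate -HostName $HostName -Port $Port
$installed = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)

# Build the chain against the Windows certificate stores (root imported in step 2).
$chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$trusted = $chain.Build($served)
$status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

New-Object PSObject -Property @{
    Subject          = $served.Subject
    Issuer           = $served.Issuer
    NotAfter         = $served.NotAfter
    ServedThumbprint = $served.Thumbprint
    MatchesRuiCrt    = ($served.Thumbprint -eq $installed.Thumbprint)
    ChainTrusted     = $trusted
    ChainStatus      = $status
} | Format-List
```

A MatchesRuiCrt value of False means the service is not presenting the certificate file in the ssl directory; a ChainTrusted value of False with a populated ChainStatus shows why Windows does not trust the chain.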


Additional Information

Configuring CA signed SSL certificates for the Inventory service in vCenter Server 5.1
Creating certificate requests and certificates for vCenter Server 5.5 components
Configuring CA signed SSL certificates for the Inventory service in vCenter Server 5.5
Configuring CA signed certificates for vCenter Server 5.5
Configuring CA signed SSL certificates for the Inventory Service in vCenter Server 5.5 (Japanese)
Configuring CA signed SSL certificates for the Inventory Service in vCenter Server 5.5 (Simplified Chinese)