Note: This article is part of a resolution path. Before proceeding with the steps, see
Implementing CA signed SSL certificates with vSphere 5.x (2034833).
Creating CA assigned certificates for vSphere is a complex task. In many organizations it is required to maintain proper security for regulatory requirements. There are several different work flows required for successful implementation:
- Creating the certificate request
- Getting the certificate
- Installation and configuration of the certificate in the vSphere Web Client and the Log Browser
These steps must be followed to ensure successful implementation of a custom certificate for the vCenter server. Before attempting these steps, ensure that:
Installing and configuring the certificate for the vSphere Web Client and the Log Browser
After the certificate is created, follow these steps to complete the installation and configuration of the certificate for the Web Client:
- Log in to the vSphere Web Client server as an administrator.
- If you have not already imported it, double-click the
C:\certs\Root64.cer
file and import the certificate into the Trusted Root Certificate Authorities > Local Computer
Windows certificate store. This ensures that the certificate server is trusted. - Stop the VMware vSphere Web Client service from the service control manager (
services.msc
). - Stop the VMware Log Browser Service from service control manager (
services.msc
). - Move the current certificates (rui.crt, rui.key, rui.pfx) to a backup location for the vSphere Web Client.
By default, the certificates are located at: -
Copy the new certificate files to this directory. If you are following this resolution path, the certificates are located at C:\certs\WebClient
.
- Move the current certificates (
rui.crt
, rui.key
, rui.pfx
) to a backup location for the logbrowser. By default, the certificates are located at:
C:\Program Files\VMware\Infrastructure\vSphereWebClient\logbrowser\conf
- Copy the new certificate files (
rui.crt
, rui.key
, rui.pfx
) to this directory. If you are following this resolution path, the certificates are located at C:\certs\logbrowser
. - From the command prompt, run this command:
set JAVA_HOME=
c:\Program Files\VMware\Infrastructure\JRE
- Navigate to the
SsoRegTool
directory. The default location for this directory is:
C:\Program Files\VMware\Infrastructure\vSphereWebClient\SsoRegTool\
- Unregister the vSphere Web Client Service from SSO by running the command:
Note: The unregisterService
command from within the regTool.cmd
file is case sensitive.
regTool.cmd unregisterService -si "Installation_Directory\vSphereWebClient\serviceId" -d https://SSOServer.domain.com:7444/lookupservice/sdk -u admin@System-Domain -p password
Where: Installation_Directory
by default is C:\Program Files\VMware\Infrastructure
password
is the admin@system-domain
password
If the command is successful, the output appears similar to:
![](https://api-broadcomcms-software.wolkenservicedesk.com/attachment/get_attachment_content?uniqueFileId=1512280055655)
- Register the VMware vSphere Web Client back to vCenter Single Sign-On:
Note: The registerService
command from within the regTool.cmd
file is case sensitive.
- On Windows 2008, run the command:
regTool.cmd registerService --cert "C:\ProgramData\VMware\vSphere Web Client\ssl" --ls-url https://SSOServer.domain.com:7444/lookupservice/sdk --username admin@System-Domain --password password --dir "Installation_Directory\vSphereWebClient\SsoRegTool\sso_conf" --ip "*.*" --serviceId-file "Installation_Directory\vSphereWebClient\serviceId"
- On Windows 2003, run the command:
regTool.cmd registerService --cert "C:\Documents and Settings\All Users\Application Data\VMware\vSphere Web Client\ssl" --ls-url https:// SSOServer.domain.com:7444/lookupservice/sdk --username admin@System-Domain --password password --dir "Installation_Directory\vSphereWebClient\SsoRegTool\sso_conf" --ip "*.*" --serviceId-file "Installation_Directory\vSphereWebClient\serviceId"
Where: Installation_Directory
by default is C:\Program Files\VMware\Infrastructure
password
is the admin@system-domain
password
If the command is successful, the output appears similar to:
![](https://api-broadcomcms-software.wolkenservicedesk.com/attachment/get_attachment_content?uniqueFileId=1512275956621)
- Open the
Installation_Directory\vSphereWebClient\serviceId
file using a text editor and remove the two old service lines. In this example, the old lines end in :9
and :10
(shown in the screenshot from step 11) and the new lines end with :14
and :15
(shown in the screenshot from step 12). There should only be the two lines in the file corresponding to the registered services in the screenshot in step 12.
After editing, the file looks similar to:
![](https://api-broadcomcms-software.wolkenservicedesk.com/attachment/get_attachment_content?uniqueFileId=1512279858380)
- Start the VMware vSphere Web Client service from the service control manager. It may take about 5 minutes to initialize fully.
- Start the VMware vSphere Log Browser service from the service control manager.
- To test that the certificate is valid, log in to the vSphere Web Client and check that the Inventory is accessible and that the certificate is properly installed.
- If they are not on separate servers or you cannot restart the server, stop and start the services in this order:
- Stop the VMware Log Browser service.
- Stop the VMware vSphere Web Client service.
- Stop the VMware VirtualCenter Server service.
- Stop the VMware vCenter Inventory service.
- Stop the vCenter Single Sign-On services.
- Start the vCenter Single Sign-On services.
- Start the VMware vCenter Inventory service.
- Start the VMware VirtualCenter Server service and the VMware VirtualCenter Management WebServices service.
- Start the VMware vSphere Web Client service.
- Start the VMware Log Browser service.
- Wait for 5 minutes for the services to start completely.
- Log in and check that the Log Browser is functioning correctly.
Note: If the service is not fully started, you will not see the option for the Log browser. Log out and log in after a few minutes. It is available after it has completely loaded.
The configuration of the custom certificates for the vSphere Web Client and the Log Browser is now complete. Next, continue to install the custom certificates for vSphere Update Manager. For more information, see
Implementing CA signed SSL certificates with vSphere 5.x (2034833).