• This article is specifically for vSphere 5.1.
• If you are using vSphere 5.5, see Configuring CA signed SSL certificates for the vSphere Web Client and Log Browser in vCenter Server 5.5 (2061975).
• If you are using vSphere 5.0, see Implementing CA signed SSL certificates with vSphere 5.0 (2015383).

VMware vSphere Web Client 5.1.x
VMware vCenter Server 5.1.x

Note: This article is part of a resolution path. Before proceeding with the steps, see Implementing CA signed SSL certificates with vSphere 5.x (2034833).

Creating CA assigned certificates for vSphere is a complex task. In many organizations it is required to maintain proper security for regulatory requirements. There are several different work flows required for successful implementation:

• Creating the certificate request
• Getting the certificate
• Installation and configuration of the certificate in the vSphere Web Client and the Log Browser

These steps must be followed to ensure successful implementation of a custom certificate for the vCenter server. Before attempting these steps, ensure that:

• You have a vSphere 5.1 environment
• All certificates and corresponding files are already generated, as per Implementing CA signed SSL certificates with vSphere 5.x (2034833).

Installing and configuring the certificate for the vSphere Web Client and the Log Browser

After the certificate is created, follow these steps to complete the installation and configuration of the certificate for the Web Client:

1. Log in to the vSphere Web Client server as an administrator.
2. If you have not already imported it, double-click the C:\certs\Root64.cer file and import the certificate into the Trusted Root Certificate Authorities > Local Computer Windows certificate store. This ensures that the certificate server is trusted.
3. Stop the VMware vSphere Web Client service from the service control manager (services.msc).
4. Stop the VMware Log Browser Service from service control manager (services.msc).
5. Move the current certificates (rui.crt, rui.key, rui.pfx) to a backup location for the vSphere Web Client.
   
   By default, the certificates are located at:
   • Windows 2008 - C:\ProgramData\VMware\vSphere Web Client\ssl\
   • Windows 2003 - C:\Documents and Settings\All Users\Application Data\VMware\vSphere Web Client\ssl


6. Copy the new certificate files to this directory. If you are following this resolution path, the certificates are located at C:\certs\WebClient.
7. Move the current certificates (rui.crt, rui.key, rui.pfx) to a backup location for the logbrowser. By default, the certificates are located at:
   
   C:\Program Files\VMware\Infrastructure\vSphereWebClient\logbrowser\conf
   
   
8. Copy the new certificate files (rui.crt, rui.key, rui.pfx) to this directory. If you are following this resolution path, the certificates are located at C:\certs\logbrowser.
9. From the command prompt, run this command:
   
   set JAVA_HOME=c:\Program Files\VMware\Infrastructure\JRE
   
   
10. Navigate to the SsoRegTool directory. The default location for this directory is:
    
    C:\Program Files\VMware\Infrastructure\vSphereWebClient\SsoRegTool\
    
    
11. Unregister the vSphere Web Client Service from SSO by running the command:
    
    Note: The unregisterService command from within the regTool.cmd file is case sensitive.
    
    regTool.cmd unregisterService -si "Installation_Directory\vSphereWebClient\serviceId" -d https://SSOServer.domain.com:7444/lookupservice/sdk -u admin@System-Domain -p password
    
    Where:
    • Installation_Directory by default is C:\Program Files\VMware\Infrastructure
    • password is the admin@system-domain password
    
    If the command is successful, the output appears similar to:
    
    
    
    
12. Register the VMware vSphere Web Client back to vCenter Single Sign-On:
    
    Note: The registerService command from within the regTool.cmd file is case sensitive.
    
    
    • On Windows 2008, run the command:
      
      regTool.cmd registerService --cert "C:\ProgramData\VMware\vSphere Web Client\ssl" --ls-url https://SSOServer.domain.com:7444/lookupservice/sdk --username admin@System-Domain --password password --dir "Installation_Directory\vSphereWebClient\SsoRegTool\sso_conf" --ip "*.*" --serviceId-file "Installation_Directory\vSphereWebClient\serviceId"
      
      
    • On Windows 2003, run the command:
      
      regTool.cmd registerService --cert "C:\Documents and Settings\All Users\Application Data\VMware\vSphere Web Client\ssl" --ls-url https:// SSOServer.domain.com:7444/lookupservice/sdk --username admin@System-Domain --password password --dir "Installation_Directory\vSphereWebClient\SsoRegTool\sso_conf" --ip "*.*" --serviceId-file "Installation_Directory\vSphereWebClient\serviceId"
    
    Where:
    • Installation_Directory by default is C:\Program Files\VMware\Infrastructure
    • password is the admin@system-domain password
    
    If the command is successful, the output appears similar to:
    
    
    
    
13. Open the Installation_Directory\vSphereWebClient\serviceId file using a text editor and remove the two old service lines. In this example, the old lines end in :9 and :10 (shown in the screenshot from step 11) and the new lines end with :14 and :15 (shown in the screenshot from step 12). There should only be the two lines in the file corresponding to the registered services in the screenshot in step 12.
    
    After editing, the file looks similar to:
    
    
    
    
14. Start the VMware vSphere Web Client service from the service control manager. It may take about 5 minutes to initialize fully.
15. Start the VMware vSphere Log Browser service from the service control manager.
16. To test that the certificate is valid, log in to the vSphere Web Client and check that the Inventory is accessible and that the certificate is properly installed.
17. If they are not on separate servers or you cannot restart the server, stop and start the services in this order:
    
    
    • Stop the VMware Log Browser service.
    • Stop the VMware vSphere Web Client service.
    • Stop the VMware VirtualCenter Server service.
    • Stop the VMware vCenter Inventory service.
    • Stop the vCenter Single Sign-On services.
    • Start the vCenter Single Sign-On services.
    • Start the VMware vCenter Inventory service.
    • Start the VMware VirtualCenter Server service and the VMware VirtualCenter Management WebServices service.
    • Start the VMware vSphere Web Client service.
    • Start the VMware Log Browser service.
      
      
18. Wait for 5 minutes for the services to start completely.
19. Log in and check that the Log Browser is functioning correctly.
    
    Note: If the service is not fully started, you will not see the option for the Log browser. Log out and log in after a few minutes. It is available after it has completely loaded.

The configuration of the custom certificates for the vSphere Web Client and the Log Browser is now complete. Next, continue to install the custom certificates for vSphere Update Manager. For more information, see Implementing CA signed SSL certificates with vSphere 5.x (2034833).

Implementing CA signed SSL certificates with vSphere 5.0
Implementing CA signed SSL certificates with vSphere 5.x
Creating certificate requests and certificates for vCenter Server 5.1 components
Deploying and using the SSL Certificate Automation Tool 1.0.x
Configuring CA signed SSL certificates for the vSphere Web Client and Log Browser in vCenter Server 5.5
vCenter Server 5.1 での vSphere Web Client および Log Browser の CA 署名 SSL 証明書の構成
在 vCenter Server 5.1 中为 vSphere Web Client 和 Log Browser 配置 CA 签名的 SSL 证书