Note: This article is part of a resolution path. See Implementing CA signed SSL certificates with vSphere 5.x (2034833) before following the steps in this article.
Creating CA-signed certificates for vSphere is a complex task, and many organizations require it to meet regulatory security requirements. Several distinct workflows are needed for a successful implementation:
- Creating the certificate request
- Getting the certificate
- Installation and configuration of the certificate in the vSphere Web Client and the Log Browser
These steps must be followed to ensure successful implementation of a custom certificate for the vCenter Server. Before attempting these steps, ensure that:
Note: If the Web Client is on a separate machine, you need to manually update the `ca_certificates.crt` file located at `C:\ProgramData\VMware\SSL` with the issuing certificate chain that issued the SSO certificates.
Installing and configuring the certificate for the vSphere Web Client and the Log Browser
After the certificate has been created, follow these steps to complete the installation and configuration of the certificate for the Web Client:
- Log in to the vSphere Web Client server as an administrator.
- If you have not already imported it, double-click the `C:\certs\Root64.cer` file and import the certificate to the Trusted Root Certificate Authorities > Local Computer Windows certificate store. This ensures that the certificate server is trusted.
- Stop the VMware vSphere Web Client service from the service control manager (`services.msc`).
- Stop the VMware Log Browser Service from the service control manager (`services.msc`).
- Back up the current certificates (`rui.crt`, `rui.key`, `rui.pfx`) for the vSphere Web Client. By default, the certificates are located at `C:\ProgramData\VMware\vSphere Web Client\ssl\`.
- Copy the new certificate files to this directory. If you are following this resolution path, the certificates are located in `C:\certs\WebClient`.
- Back up the current certificates for the Log Browser. By default, the certificates are located at `C:\Program Files\VMware\Infrastructure\vSphereWebClient\logbrowser\conf`.
- Copy the new certificate files (`rui.crt`, `rui.key`, `rui.pfx`) to this directory. If you are following this resolution path, the certificates are located at `C:\certs\logbrowser`.
- From the command prompt, run this command:

```
set JAVA_HOME=C:\Program Files\Common Files\VMware\VMware vCenter Server - Java Components
```
- Navigate to the `SsoRegTool` directory. By default, this directory is located at `C:\Program Files\VMware\Infrastructure\vSphereWebClient\SsoRegTool\`.
- Unregister the vSphere Web Client service from SSO by running the command below. Note: The `unregisterService` command from within the `regTool.cmd` file is case sensitive.

```
regTool.cmd unregisterService -si "Installation_Directory\vSphereWebClient\serviceId" -d https://SSOServer.domain.com:7444/lookupservice/sdk -u [email protected] -p password
```

Where:
- `Installation_Directory`, by default, is `C:\Program Files\VMware\Infrastructure`
- `password` is the [email protected] password
If the command is successful, you see output similar to:
![](https://api-broadcomcms-software.wolkenservicedesk.com/attachment/get_attachment_content?uniqueFileId=1512269845975)
- Register the VMware vSphere Web Client back to vCenter Single Sign-On with the command below. Note: The `registerService` command from within the `regTool.cmd` file is case sensitive.

```
regTool.cmd registerService --cert "C:\ProgramData\VMware\vSphere Web Client\ssl" --ls-url https://SSOServer.domain.com:7444/lookupservice/sdk --username [email protected] --password password --dir "Installation_Directory\vSphereWebClient\SsoRegTool\sso_conf" --ip "*.*" --serviceId-file "Installation_Directory\vSphereWebClient\serviceId"
```

Where:
- `Installation_Directory`, by default, is `C:\Program Files\VMware\Infrastructure`
- `password` is the [email protected] password
If the command is successful, you see output similar to:
![](https://api-broadcomcms-software.wolkenservicedesk.com/attachment/get_attachment_content?uniqueFileId=1512268969822)
- Open the `Installation_Directory\vSphereWebClient\serviceId` file in a text editor and remove the two old service lines. In this example, the old lines end in 6d271 and 49ae1 (shown in the screenshot after the unregisterService command above) and the new lines end with 3bfc4 and ba9f2 (shown in the screenshot after the registerService command above). Only the two lines corresponding to the services registered in that screenshot should remain in the file.
Before editing, the file looks similar to:
![](https://api-broadcomcms-software.wolkenservicedesk.com/attachment/get_attachment_content?uniqueFileId=1512273423606)
After editing, the file looks similar to:
![](https://api-broadcomcms-software.wolkenservicedesk.com/attachment/get_attachment_content?uniqueFileId=1512271141991)
- Start the VMware vSphere Web Client service from the service control manager. It may take about 5 minutes to initialize fully.
- Start the VMware vSphere Log Browser service from the service control manager.
- To test that the certificate is valid, log in to the vSphere Web Client and check that the Inventory is accessible and that the certificate is properly installed.
- If the vSphere Web Client and vCenter Server components are not on separate servers, or you cannot restart the server, stop and start the services in this order:
  - Stop the VMware Log Browser service.
  - Stop the VMware vSphere Web Client service.
  - Stop the VMware VirtualCenter Server service.
  - Stop the VMware vCenter Inventory service.
  - Stop the VMware Secure Token Service.
  - Stop the VMware Identity Management Service.
  - Stop the VMware Certificate Service.
  - Stop the VMware Kdc Service.
  - Stop the VMware Directory Service.
  - Start the VMware Directory Service.
  - Start the VMware Kdc Service.
  - Start the VMware Certificate Service.
  - Start the VMware Identity Management Service.
  - Start the VMware Secure Token Service.
  - Start the VMware vCenter Inventory service.
  - Start the VMware VirtualCenter Server service and the VMware VirtualCenter Management WebServices service.
  - Start the VMware vSphere Web Client service.
  - Start the VMware Log Browser service.
  - Wait for 5 minutes for the services to start completely.
- Log in and check that the Log Browser is functioning correctly.
Note: If the service is not fully started, you do not see the option for the Log browser. Log out and log in again after a few minutes. It is available after it has completely loaded.
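The certificate file steps above (confirm the root is trusted, back up the current `rui.crt`, `rui.key` and `rui.pfx`, copy the new set into the Web Client and Log Browser directories) as an added PowerShell example; this is not code from the VMware article. It uses the article's default paths, assumes the Web Client and Log Browser services are already stopped, stores backups under an assumed folder `C:\certs\backup`, and prompts for the password the new `rui.pfx` files were exported with. Beyond what the article states, it checks that each `rui.pfx` actually opens, carries a private key, matches its `rui.crt` and is not expired before anything is overwritten, so a mismatched set is rejected rather than installed.

```powershell
# Added example (not from the VMware article): back up and replace the vSphere Web Client and
# Log Browser certificate files, verifying the trusted root and the new set first.
# Paths are the article's defaults; the backup root C:\certs\backup is an assumption.
# Run elevated, after stopping the VMware vSphere Web Client and VMware Log Browser services.

$ErrorActionPreference = 'Stop'

$CertFiles  = 'rui.crt', 'rui.key', 'rui.pfx'
$BackupRoot = 'C:\certs\backup'
$CertSets = @(
    @{ Name = 'WebClient';  Source = 'C:\certs\WebClient'
       Target = 'C:\ProgramData\VMware\vSphere Web Client\ssl' },
    @{ Name = 'logbrowser'; Source = 'C:\certs\logbrowser'
       Target = 'C:\Program Files\VMware\Infrastructure\vSphereWebClient\logbrowser\conf' }
)

function Test-RootTrusted {
    # The article requires Root64.cer in Trusted Root Certification Authorities > Local Computer.
    param([string]$RootCerPath = 'C:\certs\Root64.cer')
    $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $RootCerPath
    $installed = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $root.Thumbprint }
    if (-not $installed) {
        throw "Root CA '$($root.Subject)' (thumbprint $($root.Thumbprint)) is not in LocalMachine\Root; import Root64.cer first"
    }
    Write-Host "Root CA trusted: $($root.Subject)"
}

function Test-NewCertSet {
    # Reject a set that is incomplete, whose rui.pfx does not open or has no private key,
    # whose rui.pfx and rui.crt are different certificates, or whose certificate has expired.
    param([string]$Dir, [securestring]$PfxPassword)
    foreach ($f in $CertFiles) {
        if (-not (Test-Path (Join-Path $Dir $f))) { throw "Missing $f in $Dir" }
    }
    $crt = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (Join-Path $Dir 'rui.crt')
    $pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (Join-Path $Dir 'rui.pfx'), $PfxPassword
    if (-not $pfx.HasPrivateKey)             { throw "rui.pfx in $Dir contains no private key" }
    if ($pfx.Thumbprint -ne $crt.Thumbprint) { throw "rui.pfx and rui.crt in $Dir are different certificates" }
    if ($crt.NotAfter -lt (Get-Date))        { throw "Certificate in $Dir expired on $($crt.NotAfter)" }
    Write-Host "Verified $Dir : $($crt.Subject), valid until $($crt.NotAfter)"
}

function Backup-CertSet {
    # Copy the live files to a timestamped folder before they are overwritten.
    param([string]$Name, [string]$Dir)
    $dest = Join-Path $BackupRoot ("$Name-" + (Get-Date -Format 'yyyyMMdd-HHmmss'))
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    foreach ($f in $CertFiles) {
        $src = Join-Path $Dir $f
        if (Test-Path $src) { Copy-Item -Path $src -Destination $dest }
    }
    Write-Host "Backed up $Dir to $dest"
}

function Install-CertSet {
    # Overwrite the live rui.crt / rui.key / rui.pfx with the new set.
    param([string]$Source, [string]$Target)
    foreach ($f in $CertFiles) {
        Copy-Item -Path (Join-Path $Source $f) -Destination (Join-Path $Target $f) -Force
    }
    Write-Host "Installed $Source -> $Target"
}

# Verify everything before any file is overwritten, then back up and install each set.
$pfxPassword = Read-Host -Prompt 'Password of the new rui.pfx files' -AsSecureString
Test-RootTrusted
foreach ($set in $CertSets) { Test-NewCertSet -Dir $set.Source -PfxPassword $pfxPassword }
foreach ($set in $CertSets) {
    Backup-CertSet  -Name $set.Name   -Dir $set.Target
    Install-CertSet -Source $set.Source -Target $set.Target
}
```

Both sets are verified before either is installed, so a bad Log Browser set does not leave the Web Client half-replaced. After the files are in place, continue with the `regTool.cmd` steps above to re-register the Web Client with SSO.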
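The same-host stop/start sequence above, as an added PowerShell example that is not part of the VMware article. The service display names are taken from the article's list and matched with wildcards where the article's wording varies (for example "VMware Log Browser" versus "VMware Log Browser Service"); confirm them on your host with `Get-Service` before relying on the script. It stops the services in the article's order, starts them in the reverse order with the VirtualCenter Management WebServices service added where the article places it, waits for each transition to finish, and then pauses the five minutes the article recommends before you log in.

```powershell
# Added example (not from the VMware article): stop and start the vCenter Server, SSO and
# Web Client services in the order the article lists. Display names are the article's;
# the wildcards are an assumption to absorb small naming differences between builds. Run elevated.

$ErrorActionPreference = 'Stop'
$Timeout = [TimeSpan]::FromMinutes(5)

# Stop order from the article (top first).
$StopOrder = @(
    'VMware Log Browser*',
    'VMware vSphere Web Client*',
    'VMware VirtualCenter Server',
    'VMware vCenter Inventory*',
    'VMware Secure Token Service',
    'VMware Identity Management Service',
    'VMware Certificate Service',
    'VMware Kdc Service',
    'VMware Directory Service'
)

# Start order is the stop order reversed, with VirtualCenter Management WebServices started
# together with VirtualCenter Server, as the article states.
$StartOrder = @()
for ($i = $StopOrder.Count - 1; $i -ge 0; $i--) {
    $StartOrder += $StopOrder[$i]
    if ($StopOrder[$i] -eq 'VMware VirtualCenter Server') {
        $StartOrder += 'VMware VirtualCenter Management WebServices'
    }
}

function Invoke-OrderedServiceAction {
    param(
        [string[]]$DisplayNames,
        [ValidateSet('Stop', 'Start')][string]$Action
    )
    $target = if ($Action -eq 'Stop') { 'Stopped' } else { 'Running' }
    foreach ($pattern in $DisplayNames) {
        $services = @(Get-Service -DisplayName $pattern -ErrorAction SilentlyContinue)
        if ($services.Count -eq 0) {
            # Expected when a component (for example the Log Browser) runs on another machine.
            Write-Warning "No service matching '$pattern' on this host; skipping"
            continue
        }
        foreach ($svc in $services) {
            if ($svc.Status -ne $target) {
                # No -Force on Stop-Service: the article's order already respects the dependencies,
                # so a dependent that is still running is a real error rather than something to cascade through.
                if ($Action -eq 'Stop') { Stop-Service -InputObject $svc } else { Start-Service -InputObject $svc }
                $svc.WaitForStatus($target, $Timeout)
            }
            $svc.Refresh()
            Write-Host ("{0,-5} {1,-50} {2}" -f $Action, $svc.DisplayName, $svc.Status)
        }
    }
}

Invoke-OrderedServiceAction -DisplayNames $StopOrder  -Action Stop
Invoke-OrderedServiceAction -DisplayNames $StartOrder -Action Start

# The article's final step: give the services five minutes to initialize fully before
# logging in and checking that the Log Browser option appears.
Write-Host 'All services started; waiting 5 minutes for initialization'
Start-Sleep -Seconds 300
```

If `Stop-Service` reports a dependent service still running, a service outside the article's list depends on the one being stopped; resolve that explicitly rather than adding `-Force`, which would stop dependents in an order the article did not intend.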
The configuration of the custom certificates for the vSphere Web Client and the Log Browser is now complete. You can continue to install the custom certificates for vSphere Update Manager. For more information, see Configuring CA signed SSL certificates for vSphere Update Manager in vCenter Server 5.1 and 5.5 (2037581).