Creating CA-assigned certificates for vCenter Server is a complex task. In many organizations it is required to meet regulatory security requirements. There are several different workflows required for a successful implementation:
- Creating the certificate request
- Getting the certificate
- Installation and configuration of the certificate in vCenter Server
These steps must be followed to ensure a successful implementation of a custom certificate for vCenter Server. Before attempting these steps, ensure that:
Installation and configuration of the certificate in vCenter Server
After the certificate has been created, follow these steps to complete the installation and configuration of the certificate in vCenter Server:
- Log in to vCenter Server as an administrator.
- If you have not already imported it, double-click the c:\certs\Root64.cer file and import the certificate into the Trusted Root Certificate Authorities > Local Computer Windows certificate store. This ensures that the certificate server is trusted.
- Back up the rui.crt, rui.key, and rui.pfx certificate files for vCenter Server.
By default, the certificates are located at:
- In Windows 2008 - C:\ProgramData\VMware\VMware VirtualCenter\SSL
- In Windows 2003 - C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL
- Copy the new certificates (from c:\certs\vCenter, if you are following this resolution path) to the SSL directory for your operating system listed in Step 3.
- Open rui.crt in a text editor and validate that the first line of the file begins with -----BEGIN CERTIFICATE-----. If there is any text before this line, remove it. The certificate validation in Step 5 may fail if there is additional text.
- Go to https://localhost/mob/?moid=vpxd-securitymanager&vmodl=1 on the vCenter Server and load the certificates for the configuration by using the Managed Object Browser (MOB).
Note: If the Managed Object Browser of the vCenter Server has been disabled per the VMware vSphere Hardening Guide, access is blocked and the error 503 Service Unavailable is displayed. To resolve this issue, see vCenter Server Managed Object Browser (MOB) reports a 503 Service Unavailable error (2042554).
- Click continue if you are prompted with a certificate warning.
- Enter a vCenter Server administrator username and password when prompted.
- Click reloadSslCertificate.
- Click Invoke Method. If successful, the window shows this message: Method Invocation Result: void.
- Close both windows.
- Open a command prompt on vCenter Server and change to the isregtool directory. By default, this is C:\Program Files\VMware\Infrastructure\VirtualCenter Server\isregtool.
- Run this command to register the vCenter Server to the inventory service:
register-is.bat vCenter_Server_URL Inventory_Service_URL SSO_Lookup_Service_URL
where these are the typical URLs (modify them if your ports are different):
- vCenter_Server_URL is https://server.domain.com/sdk
- Inventory_Service_URL is https://server.domain.com:10443/
- SSO_Lookup_Service_URL is https://server.domain.com:7444/lookupservice/sdk
If the command is successful, you see a message similar to:
![](https://api-broadcomcms-software.wolkenservicedesk.com/attachment/get_attachment_content?uniqueFileId=1512275421143)
Note: If the return code is not 0 0, an error has likely occurred in the command. Review the text to see the error. The most common error is a mistyped URL in one of the three services.
- Change to the vCenter Server directory. By default, this is C:\Program Files\VMware\Infrastructure\VirtualCenter Server\.
- Run this command:
vpxd -p
- Type the password for the vCenter Server database user to encrypt the password with the new certificate.
- Restart the VMware VirtualCenter Server service from the service control manager (services.msc).
- Restart the VMware vSphere Profile Driven Storage Service.
- After the initial restart of the services, wait for 5 minutes. If the VMware vSphere Profile Driven Storage service stops during this time, restart it.
- Navigate to https://vcenterserver.domain.com/ and validate the certificate.
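The following PowerShell script is an added example, not part of the VMware article and not a VMware tool. It automates the checks behind the steps above: confirming the CA root from c:\certs\Root64.cer is in the Local Computer Trusted Root store, backing up the existing rui.crt, rui.key and rui.pfx, copying the new files into the SSL directory, stripping any text that precedes -----BEGIN CERTIFICATE----- in rui.crt, and verifying that the new certificate chains to a trusted root and names the vCenter host. Run again with -VerifyOnly after the services have restarted and it compares the certificate actually served on port 443 with rui.crt, which is the final validation step. It assumes the article's Windows 2008 default paths, a vCenter FQDN of vcenterserver.domain.com, and PowerShell 2.0 or later on the vCenter Server in an elevated prompt; all of these are assumptions, not values from the article.

```powershell
# Added example: pre- and post-installation checks for a CA-signed vCenter Server certificate.
# Not VMware's code. Paths follow the article's defaults; the host name is an assumption.
param(
    [string]$CertDir = 'C:\certs\vCenter',                                # new certificate files (article default)
    [string]$SslDir  = 'C:\ProgramData\VMware\VMware VirtualCenter\SSL',  # Windows 2008 SSL directory (article)
    [string]$RootCer = 'C:\certs\Root64.cer',                             # CA root certificate (article)
    [string]$VcHost  = 'vcenterserver.domain.com',                        # assumed vCenter FQDN
    [switch]$VerifyOnly                                                   # post-restart check only
)
$ErrorActionPreference = 'Stop'
$X509 = 'System.Security.Cryptography.X509Certificates.X509Certificate2'

# Reads the certificate the server presents on $Port and returns its SHA-1 thumbprint.
# The validation callback accepts any certificate because we only want to inspect it here;
# chain trust is checked separately below.
function Get-ServedThumbprint([string]$HostName, [int]$Port = 443) {
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        return (New-Object $X509 $ssl.RemoteCertificate).Thumbprint
    } finally { $tcp.Close() }
}

$crtPath = Join-Path $SslDir 'rui.crt'

if ($VerifyOnly) {
    # Final step of the procedure: is vCenter serving the certificate we installed?
    $installed = New-Object $X509 $crtPath
    $served = Get-ServedThumbprint $VcHost
    if ($served -eq $installed.Thumbprint) {
        Write-Host "vCenter at $VcHost is serving the new certificate ($served)."
    } else {
        Write-Warning "vCenter at $VcHost serves $served, expected $($installed.Thumbprint); check the service restarts."
    }
    return
}

# Step 2: the issuing root must be in Trusted Root Certification Authorities > Local Computer.
$root = New-Object $X509 $RootCer
$trusted = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $root.Thumbprint }
if (-not $trusted) { throw "Root CA '$($root.Subject)' is not in LocalMachine\Root; import $RootCer first." }

# Step 3: back up the current certificate files before anything is overwritten.
$backup = Join-Path $SslDir ('backup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $backup | Out-Null
foreach ($name in 'rui.crt', 'rui.key', 'rui.pfx') {
    $src = Join-Path $SslDir $name
    if (Test-Path $src) { Copy-Item $src -Destination $backup }
}
Write-Host "Existing certificate files backed up to $backup"

# Step 4: copy the new files into the SSL directory.
Copy-Item (Join-Path $CertDir 'rui.*') -Destination $SslDir -Force

# Step 5: rui.crt must start with the PEM header; drop anything before it (for example a
# "Bag Attributes" block left behind by a PKCS#12 conversion).
$pem = [IO.File]::ReadAllText($crtPath)
$idx = $pem.IndexOf('-----BEGIN CERTIFICATE-----')
if ($idx -lt 0) { throw "$crtPath contains no PEM certificate block." }
if ($idx -gt 0) {
    [IO.File]::WriteAllText($crtPath, $pem.Substring($idx))
    Write-Host "Removed $idx characters preceding the PEM header in $crtPath"
}

# The new certificate must chain to a trusted root and should name the vCenter host.
# Revocation checking is disabled so the check works even if the internal CA's CRL
# is not reachable from this host; it does not affect the trust-chain result.
$new = New-Object $X509 $crtPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($new)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    throw "rui.crt does not chain to a trusted root: $status"
}
if ($new.Subject -notmatch [regex]::Escape($VcHost)) {
    Write-Warning "Subject '$($new.Subject)' does not contain $VcHost; check the CN and SAN entries."
}
Write-Host "rui.crt OK: $($new.Subject), thumbprint $($new.Thumbprint), valid until $($new.NotAfter)"
Write-Host "Continue with the MOB reloadSslCertificate, register-is.bat and vpxd -p steps, then rerun with -VerifyOnly."
```

The thumbprint comparison in -VerifyOnly mode is the useful part of the last step: a browser that shows no warning only proves the certificate chains to something the browser trusts, whereas matching the served thumbprint against rui.crt proves the vpxd service actually picked up the file that was installed, which is what the reloadSslCertificate call and the service restarts are meant to achieve.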