Providing the steps below:
Generate Signed certificates as mentioned in the KB article.
Inventory Service [Windows]
1. If you have installed the CA cert on the client/Windows GOS (or SSO server), rui.crt should now be trusted as signed by the CA.
2. Unregister the Inventory Service from vCenter Single Sign On.
- Change to the Inventory Service scripts directory.
The directory is typically C:\Program Files\VMware\Infrastructure\Inventory Service\scripts.
- Run the following command to unregister the Inventory Service from vCenter Single Sign On.
unregister-sso.bat https://<SSO FQDN>:7444/lookupservice/sdk <SSO administrator user name> <SSO administrator password>
3. Remove any data present in rui.crt before "-----BEGIN CERTIFICATE-----".
4. Copy the certificate files (rui.crt, rui.key and rui.pfx) as obtained per step #1 to the system where the Inventory Service is installed.
5. Stop “VMware vCenter Inventory Service” from services.msc
- Register the Inventory Service with vCenter Single Sign On.
- Change to the Inventory Service scripts directory.
6. Start “VMware vCenter Inventory Service” from services.msc
7. Browse to https://<Inv Server FQDN>:10443 and check for a trusted certificate.
8. Re-register the vCenter Server with the Inventory Service.
a. Change to the isregtool directory under the vCenter Server install directory.
The directory is typically
C:\Program Files\VMware\Infrastructure\VirtualCenter Server\isregtool
b. Run the following command:
register-is.bat https://<vCenter Server FQDN>/sdk https://<Inventory Service FQDN>:10443 https://<Lookup Service FQDN>:7444/lookupservice/sdk
9. Restart the vCenter Server service.
Virtual Center Service [Windows]
1. Generate Signed certificates and pfx file
2. If you have installed the CA cert on the client/Windows GOS (or SSO server), rui.crt should now be trusted as signed by the CA.
3. Copy the certificate files (rui.crt, rui.key and rui.pfx) as obtained per step #1 to the system where the vCenter Server service is installed.
The certificates directory is typically:
On 2008:
C:\ProgramData\VMware\VMware VirtualCenter\SSL
On 2003:
C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL
4. Using a browser on the vCenter Server system, connect to
https://localhost/mob/?moid=vpxd-securitymanager&vmodl=1
If you use a browser on another system, connect to
https://vSphere_server_system/mob/?moid=vpxd-securitymanager&vmodl=1
Enter the administrator name and password for the vCenter Server system.
The Managed Object Type: vpxSecurityManager Web page appears.
Under Methods click reloadSslCertificate.
Click Invoke Method.
The following message appears:
Method Invocation Result: void.
5. Register vCenter Server to the Inventory Service.
a. Change to the isregtool directory under the vCenter Server install directory.
The directory is typically
C:\Program Files\VMware\Infrastructure\VirtualCenter Server\isregtool
b. Run the following command:
register-is.bat https://<vCenter Server FQDN>/sdk https://<Inventory Service FQDN>:10443 https://<Lookup Service FQDN>:7444/lookupservice/sdk
6. Reset the vCenter Server database password using "vpxd -p".
7. Restart the vCenter Server services from services.msc.
8. Restart the VMware vSphere Profile-Driven Storage service.
After the initial restart of the services, wait for 5 minutes. If the VMware vSphere Profile-Driven Storage service stops during this time, restart it.
9. Check for a trusted certificate by browsing to https://<VC server FQDN> in a web browser.
For Linux VC / VCVA 5.1
Note:
a. We need separate certificates for the services below:
- vCenter Server / Single Sign On (SSO)
- vSphere Inventory Service
- vSphere Web Client
- Open LDAP
- VMware Appliance Management Interface (VAMI)
- vSphere Log Browser
- vSphere Auto Deploy
b. Ensure that a Subject Alternative Name is defined in the request file for all service certificates.
c. Create all certs with a different Organization Unit Name.
- Uploading the CA certificate to the VCVA cert store:
a. Copy cacert.pem into the VCVA cert store.
The default location is /etc/ssl/certs/.
b. Get the cert hash using:
openssl x509 -hash -noout -in cacert.pem
c. Create a soft link to cacert.pem with the file name <hash>.0:
ln -s cacert.pem <hash>.0
Steps to Replace:
a. Do NOT copy cacert.pem, rui.crt, rui.key or rui.pfx to /etc/vmware-vpx/ssl.
Put everything in any local folder, say /root/certs/.
b. Create a chain certificate using rui.crt and cacert.pem
cat rui.crt cacert.pem > chain.pem
c. Stop the sso and vpxd services:
service vmware-sso stop
service vmware-vpxd stop
d. Change the certs by running:
/usr/sbin/vpxd_servicecfg certificate change chain.pem rui.key
Make sure the result is VC_CFG_RESULT=0.
If not, the 3-digit error code can be looked up with "more /usr/sbin/vpxd_servicecfg | grep ###", where ### is the 3-digit code.
The process of replacing the vCenter Server and vCenter SSO certificates will replace these files:
/etc/vmware-vpx/ssl/rui.crt
/etc/vmware-vpx/ssl/rui.key
/etc/vmware-vpx/ssl/rui.pfx
/etc/vmware-vpx/ssl/sms.truststore
/etc/vmware-sso/keys/sso.crt
/etc/vmware-sso/keys/sso.key
/opt/vmware/etc/lighttpd/server.pem
e. Copy cacert.pem as rui-ca-cert.pem to /etc/vmware-vpx/ssl/
Make the file read-only.
If an intermediate CA is also present, we need to create a CA chain by combining the CA and intermediate CA certificates:
cat intercacert.pem cacert.pem > cachain.pem
Copy this chain as rui-ca-cert.pem to /etc/vmware-vpx/ssl/
f. Start the vmware-vpxd service.
g. Restart the vCenter Server Appliance.
h. Uploading the SSO chain to the STS:
We also need to upload the new SSO chain to the STS.
- Open the cacert.crt file, move to the "Details" tab, Show: <All>.
Click "Copy to File" > Next.
Select the format "Base-64 encoded X.509".
Provide the file name "cacert.cer".
If an intermediate CA certificate (intercacert.crt) is also present, convert it as well into "Base-64 encoded X.509" format as "intercacert.cer".
- Open the rui.crt file, move to the "Details" tab, Show: <All>.
Click "Copy to File" > Next.
Select the format "Base-64 encoded X.509".
Provide the file name "rui.cer".
- Combine rui.cer and cacert.cer to get the chain certificate (ruichain.cer):
cat rui.cer cacert.cer > ruichain.cer
If an intermediate CA certificate (intercacert.cer) is also present, include it in the chain as well:
cat rui.cer intercacert.cer cacert.cer > ruichain.cer
- Generate the PKCS12 file (rui.pfx) by combining the chain certificate (ruichain.cer) and the client key (rui.key).
- Import the PKCS12 file (rui.pfx) into a Java keystore (rui.jks).
- Also import the CA certificate (cacert.cer) into the JKS file using the alias 'root-ca':
keytool -v -importcert -keystore rui.jks -deststoretype JKS -storepass testpassword -keypass testpassword -file cacert.cer -alias root-ca
If an intermediate CA certificate is also present, we need to import it too, with the alias 'intermediate-<cert hash>.0'.
Note: to get the certificate hash:
openssl x509 -hash -noout -in intercacert.cer
Note: to check the rui.jks entries:
keytool -list -v -keystore rui.jks
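The chain-building, result-checking and keystore steps above, collected into shell helpers. This is an added example and not part of the original post; it assumes the post's file names (rui.crt/rui.cer, rui.key, cacert.pem/cacert.cer, intercacert.cer, ruichain.cer, rui.pfx, rui.jks) in the working directory, and the alias "rui" with password "testpassword" that the post uses for the STS upload.

```shell
#!/bin/sh
# Added example, not from the original post: helpers for the VCVA steps above.
# Assumes the post's file names (rui.crt/rui.cer, rui.key, cacert.pem/cacert.cer,
# intercacert.cer, ruichain.cer) are in the working directory.

# Drop anything before the first BEGIN line (step 3 of the Windows section):
# CA portals often prepend a human-readable dump that breaks PEM parsers.
strip_pem_preamble() {   # strip_pem_preamble <file>  -> cleaned PEM on stdout
    sed -n '/-----BEGIN CERTIFICATE-----/,$p' "$1"
}

# Concatenate certificates in the order given, stripping preambles. Order
# matters: leaf first, then intermediate (if any), then root, exactly as
# "cat rui.cer intercacert.cer cacert.cer > ruichain.cer" in the post.
build_chain() {   # build_chain <out> <leaf> [intermediate] <root>
    out=$1; shift
    : > "$out"
    for f in "$@"; do strip_pem_preamble "$f" >> "$out"; done
    grep -c -- '-----BEGIN CERTIFICATE-----' "$out"   # prints the cert count
}

# Extract the code from vpxd_servicecfg output: 0 means success, anything
# else is the 3-digit code to look up in /usr/sbin/vpxd_servicecfg.
servicecfg_result() {   # servicecfg_result "<captured output>"
    printf '%s\n' "$1" | sed -n 's/^VC_CFG_RESULT=\([0-9]*\).*/\1/p' | head -n 1
}

# Step d of the post, with the VC_CFG_RESULT check done in code.
change_vpxd_certs() {   # change_vpxd_certs <chain.pem> <rui.key>
    out=$(/usr/sbin/vpxd_servicecfg certificate change "$1" "$2")
    code=$(servicecfg_result "$out")
    [ "$code" = 0 ] && return 0
    echo "vpxd_servicecfg failed with VC_CFG_RESULT=$code" >&2
    grep -- "$code" /usr/sbin/vpxd_servicecfg >&2   # the post's lookup hint
    return 1
}

# Build rui.pfx and rui.jks (alias rui, password testpassword as in the post).
# Needs openssl and keytool, so run this where they are installed.
make_keystores() {
    openssl pkcs12 -export -in ruichain.cer -inkey rui.key -name rui \
        -passout pass:testpassword -out rui.pfx
    keytool -importkeystore -srckeystore rui.pfx -srcstoretype PKCS12 \
        -srcstorepass testpassword -destkeystore rui.jks -deststoretype JKS \
        -deststorepass testpassword
    keytool -importcert -noprompt -keystore rui.jks -storepass testpassword \
        -file cacert.cer -alias root-ca
}
```

Source the file and call `build_chain ruichain.cer rui.cer intercacert.cer cacert.cer` (omit the intermediate when you have none), then `make_keystores`; the STS upload in the Web Client is still done by hand as described below.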
Uploading the STS chain (rui.jks) via the Web Client:
** We need to restart the Web Client service, else authentication may fail with the message:
"Failed to connect to VMware Lookup Service https://winall.parent4.com:7444/lookupservice/sdk - SSL certificate verification failed."
- Log in to the Web Client as root.
Navigate to Administration > Sign-On and Discovery > Configuration, then click the STS Certificate tab. Click Edit. Click Browse.
Navigate to the directory containing the rui.jks file. When prompted, enter "testpassword" as the password and click OK. The rui key chain will be shown in the interface.
Select rui. Click OK. When prompted for the password, enter "testpassword".
Another chain is added, and the certificate is available in the GUI.
~dGeorgey