This is Part 5 of the 15-part vCenter 5.1 Update 1 installation series, and covers manually replacing the VMware inventory service SSL certificate. If you want to use the VMware vCenter Certificate Automation tool (highly recommended), then you can skip this part and go directly to Part 6. As a post-install process the new VMware tool will be used to replace all of the certificates, including the Inventory service.
Before we get started, listed below are the other related articles in this series:
Part 1 (SSO Service)
Part 2 (Create vCenter SSL Certificates)
Part 3 (Install vCenter SSO SSL Certificate)
Part 4 (Inventory Service Install)
Part 6 (Create vCenter and VUM Databases)
Part 7 (Install vCenter Server)
Part 8 (Install Web Client)
Part 9 (Optional SSO Configuration)
Part 10 (Create VUM DSN)
Part 11 (Install VUM)
Part 12 (VUM SSL Configuration)
Part 13 (VUM Configuration)
Part 14 (Web Client and Log Browser SSL)
Part 15 (ESXi Host SSL Certificate)
UPDATE 4/28/2013: Since VMware has released the vCenter Certificate Automation tool, I now recommend using that tool to replace your certificates instead of the manual process. It’s more automated and less error prone. But should you want to do it manually, you can still follow this post.
UPDATE 1/27/2013: Updated the post with 5.1.0b information, which seems to have resolved a script error with the un-registration process. Other minor tweaks as well.
UPDATE 10/26/12: vSphere 5.1.0A *still* seems to have a problem with the unregister script and required me to modify the script to make it work. However, unlike the GA release, updating the SSL certificates post-install in 5.1.0A does not cause the vCenter installer to fail. So I can now recommend that you configure the inventory service with trusted SSL certificates. Pre-population is still easier, but the procedure below seems to work now. You can find the official VMware KB article covering these steps here.
Replacing Inventory Service SSL Certificate
1. The first step is to UN-register the Inventory service from the vCenter SSO service. Open an elevated command prompt and type the following commands:
cd /d C:\Program Files\VMware\Infrastructure\Inventory Service\scripts
unregister-sso.bat https://YourServer.FQDN:7444/lookupservice/sdk admin@System-Domain YourPassword
If successful you should see output similar to the following screenshot. Keep the command window open.
2. Stop the “VMware vCenter Inventory Service”.
3. Copy the three key certificate files we created back in part two of my series to the following directory: C:\ProgramData\VMware\Infrastructure\Inventory Service\ssl. First, make a backup of the keys in the SSL folder. Second, copy the Inventory service certificate files (rui.crt, rui.key and rui.pfx) from the D:\Certs\Inventory directory and overwrite the versions in the SSL folder.
4. Start the “VMware vCenter Inventory Service”.
5. In the same command window you kept open from step 2, enter the following command:
register-sso.bat https://YourServer.FQDN:7444/lookupservice/sdk admin@System-Domain YourPassword
If successful you should see output similar to the following screenshot.
6. Browse to the inventory service URL (https://YourServer.FQDN:10443) and validate that the trusted SSL certificate is being used. You will see a 400 Bad request error, but that can be safely ignored. Just validate the browser is showing the trusted certificate is being used.
Congratulations! You have now updated your Inventory Service SSL certificates and can proceed to creating the vCenter and VUM databases and DSN in Part 6.