In this post I cover the basics of replacing the Log Browser and Web Client SSL certificates for vCenter 5.1 Update 1. However, as I’ve mentioned before, VMware has released the vCenter certificate automation tool. That tool automates the replacement of the Log Browser and web client certificates, among others. I now recommend you use that tool instead of manually replacing the certificates. However, you can still follow the instructions below if for some reason the VMware tool doesn’t work for you. You can find the full VMware KB article here.
Since this is the next-to-last article in the 15-part vCenter 5.1 Update 1 installation series, it’s now time to follow my 4-part certificate replacement series here. The last article in this 15-part series shows you how to replace ESXi host certificates, which the VMware certificate tool will NOT do. You can either jump directly to the SSL replacement tool series and replace all of your vCenter SSL certificates now, or you can go ahead to Part 15 and mint SSL certificates for your ESXi hosts, then come back and update the vCenter certificates.
Before we get started, listed below are the other related articles in this series:
Part 1 (SSO Service)
Part 2 (Create vCenter SSL Certificates)
Part 3 (Install vCenter SSO SSL Certificate)
Part 4 (Inventory Service Install)
Part 5 (Inventory Service SSL Certificate)
Part 6 (Create vCenter and VUM Databases)
Part 7 (Install vCenter Server)
Part 8 (Install Web Client)
Part 9 (Optional SSO Configuration)
Part 10 (Create VUM DSN)
Part 11 (Install VUM)
Part 12 (VUM SSL Configuration)
Part 13 (VUM Configuration)
Part 14 (Web Client and Log Browser SSL)
Part 15 (ESXi Host SSL Certificate)
UPDATE 5/4/2013: Updated content to reflect the recommendation of using the VMware vCenter Certificate automation tool instead of manually replacing the certificates. Updated references to reflect that Update 1 is now out.
UPDATE 11/20/2012: VMware has updated the KB article here with additional information if you are using subordinate CAs. Since my lab consists of only a single CA, I don’t cover the subordinate CA steps below. Refer to the KB article for more details.
Log Browser and Web Client SSL Certificate Replacement
1. Stop the VMware vSphere Web Client service and the VMware Log Browser service.
2. From your D:\Certs\WebClient directory copy rui.crt, rui.key and rui.pfx to the directory below.
C:\ProgramData\VMware\vSphere web client\ssl
3. From your D:\Certs\LogBrowser directory copy rui.crt, rui.key and rui.pfx to the directory below.
4. To un-register the Web Client with the SSO service, open an elevated command prompt and type:
set JAVA_HOME=c:\Program Files\VMware\Infrastructure\JRE
cd /d C:\Program Files\VMware\Infrastructure\vSphereWebClient\SsoRegTool
regTool.cmd unregisterService -si "C:\Program Files\VMware\Infrastructure\vSphereWebClient\serviceId" -d https://SSOServer.domain:7444/lookupservice/sdk -u admin@System-Domain -p YourPassword
5. To register the service, type the command below. Note: The directory paths appear to be case sensitive, so make sure they match exactly what your system has. In particular, the “ssl” directory may need to be in all lower case.
regTool.cmd registerService --cert "C:\ProgramData\VMware\vSphere Web Client\ssl" --ls-url https://SSOServer.domain:7444/lookupservice/sdk --username admin@System-Domain --password YourPassword --dir "C:\Program Files\VMware\Infrastructure\vSphereWebClient\SsoRegTool\sso_conf" --ip "*.*" --serviceId-file "C:\Program Files\VMware\Infrastructure\vSphereWebClient\serviceId"
If successful you should see something like the following:
6. Navigate to C:\Program Files\VMware\Infrastructure\vSphereWebClient and open the ServiceID file in Notepad. Remove all entries except for the two IDs which were listed from the previous registration step (In my case they were :29 and :30, which I highlighted in yellow).
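A pre-flight check that can be run before the copy in steps 2 and 3, added here as an example and not part of the original post or of VMware's tooling: it confirms each source folder holds all three files, that rui.crt is inside its validity period, and that rui.pfx carries a private key for the same certificate. The function name Test-CertFolder and the password prompt are assumptions; the post does not state the PFX password.

```powershell
# Added example: validate the files from steps 2 and 3 before copying them.
# Source folders and file names are the ones named in the post.
# It compares rui.crt with rui.pfx only; rui.key itself is not parsed.
$sourceDirs  = 'D:\Certs\WebClient', 'D:\Certs\LogBrowser'
$required    = 'rui.crt', 'rui.key', 'rui.pfx'
$certType    = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
$pfxPassword = Read-Host -AsSecureString 'PFX password'   # assumption: prompted

function Test-CertFolder {
    param([string]$Dir, [System.Security.SecureString]$Password)

    $problems = @()
    foreach ($name in $required) {
        if (-not (Test-Path -LiteralPath (Join-Path $Dir $name))) {
            $problems += "missing $name"
        }
    }
    if ($problems.Count -gt 0) { return $problems }

    try {
        $crt = New-Object $certType -ArgumentList (Join-Path $Dir 'rui.crt')
        $pfx = New-Object $certType -ArgumentList (Join-Path $Dir 'rui.pfx'), $Password
    } catch {
        # Wrong PFX password or an unreadable file ends up here.
        return @("cannot load certificate: $($_.Exception.Message)")
    }

    $now = Get-Date
    if ($crt.NotBefore -gt $now) { $problems += "rui.crt not valid until $($crt.NotBefore)" }
    if ($crt.NotAfter  -lt $now) { $problems += "rui.crt expired on $($crt.NotAfter)" }
    if (-not $pfx.HasPrivateKey) { $problems += 'rui.pfx contains no private key' }
    if ($crt.Thumbprint -ne $pfx.Thumbprint) {
        $problems += 'rui.crt and rui.pfx hold different certificates'
    }
    return $problems
}

foreach ($dir in $sourceDirs) {
    $result = @(Test-CertFolder -Dir $dir -Password $pfxPassword)
    if ($result.Count -eq 0) {
        Write-Output "OK    $dir"
    } else {
        $result | ForEach-Object { Write-Output "FAIL  $dir : $_" }
    }
}
```

Any FAIL line means the folder should be fixed before stopping the services and re-registering with SSO.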