vCenter Certificate Automation Tool: Part 3 (vCenter and Orchestrator)

Continuing from Part 2 of my VMware vCenter Certificate Automation tool series, we are now ready to replace the vCenter server and vCenter Orchestrator certificates. If you want to start at the beginning, check out Part 1.

1. Per the pre-planning guide step 4 I exit back to the main menu by pressing 5, then press 4. vCenter needs to trust the SSO certificate, so I press 1. The default path and file are correct, so I press enter. Success!

Step 4 of the pre-planning guide is complete. Check!

2. From the same menu I press 2, to update the vCenter SSL certificate. Again, the default paths and files were correct so I accepted them. Now I’m prompted for the vCenter administrator name and password. Next I’m asked to enter the original vCenter server database password, with all kinds of scary warnings if I input the wrong password since no validation is done. I’m also asked to enter the SSO administrator username and password.

After several minutes of chugging away I see a successful message.

Step 5 of the pre-planning guide is complete. Check!

3. Per the pre-planning guide I now must select option 3, to trust the inventory service SSL certificate.

Step 6 of the pre-planning guide is complete. Check!

4. Pressing 5 I get back to the main menu. And I need to go back into the inventory service, so I press 3.  Finally, we now configure the inventory service to trust vCenter by pressing 2.

Step 7 of the pre-planning guide is complete. Check!

5. Pressing 5 I get back to the main menu. I now press 5, to update vCO. Per the pre-planning guide I need to configure vCO to trust SSO, so I press 1. The default SSO filename is correct so I press enter.

Step 8 of the pre-planning guide is complete. Check!

6. Now vCO needs to be told to trust vCenter server, so I press 2 and validate the path is right.

Step 9 of the pre-planning guide is complete. Check!

7. Next up is updating the vCO SSL certificate, so I press 3 and validate the path.

Step 10 of the pre-planning guide is complete. Check!

Check out Part 4 where we update the Web Client and Log Browser SSL certificates.

Print Friendly, PDF & Email

Related Posts

Notify of
Newest Most Voted
Inline Feedbacks
View all comments
May 8, 2013 1:09 am


I'm getting the ERROR: unable to find vCO installtion when trying to update the Orchestrator Trusts. Orchestrator is installed, of course…. Any idea? Anybody experienced this issue, too?

best regards,


May 10, 2013 6:41 am
Reply to  monopohl

Also had this error…. could be because vCO services isn't enabled by default if using the one that comes packaged with vCenter Server.
I enabled the vCO services but you still get the same error when re-running the tool.
In the end I just did a manual import of the SSO & vCenter Server SSL certs and the vCO cert…. seems to be fine.

Dave B
July 2, 2013 2:59 pm
Reply to  monopohl

monopohl. I have the same message followed by "The service is not installed on that machine." but indeed I have I have two Orchestrator services (both set to manual) that won't start and Orchestrator also shows up in "Programs and Features". It installed along with everything else as part of the vCenter suite of stuff. I am researching but don't know the cause or the solution yet.

September 9, 2013 12:09 pm
Reply to  Dave B

Any update on this, Dave? I'm stuck on the same exact error. vCO is up and running, but this step still fails.

May 10, 2013 5:57 am

KB2047787 now points to the 'Troubleshooting & Known Issues' section of:

May 28, 2013 7:11 am

Hi Derek,

The "vCenter Original database password", which as you responded had nothing to do with the RSA_DBA is still a mistery to me.
I looked at the KB you pointed to and checking the registry I dont see any user. Does this mean no password should be used (blank) or should I use the password of the user that uses the ODBC connection?


June 25, 2013 11:09 am

Not sure where I screwed up, but I'm stuck on, "Update the vCenter Server Trust to Inventory Service". Every step until now has completed successfully. Forgive the long comment with error. If it is too long, please delete. Just trying to get help. Initializing complex type for RuntimeFault (com.vmware.vim.binding.vmodl.RuntimeFault) completed! Adding property faultCause (version com.vmware.vim.binding.vmodl.version.version1) Adding property faultMessage (version com.vmware.vim.binding.vmodl.version.version1) Initializing complex type for SystemError (com.vmware.vim.binding.vmodl.fault.SystemError) completed! Adding property faultCause (version com.vmware.vim.binding.vmodl.version.version1) Adding property faultMessage (version com.vmware.vim.binding.vmodl.version.version1) Adding property reason (version com.vmware.vim.binding.vmodl.version.version0) Cannot login to IS com.vmware.vim.query.client.exception.ClientException: java.util.concurrent.ExecutionException: com.vmware.vim.binding.vmodl.fault.SystemError: reason = Invalid fault inherited from com.vmware.vim.binding.vmodl.fault.SystemError: java.lang.IllegalStateException at com.vmware.vim.query.client.impl.QueryAuthenticationManagerImpl.loginBySamlToken( at… Read more »

June 26, 2013 6:58 am

An update to the above comment. I fail the exact same way when running register-is.bat manually. I even went back and tried vCenter 5.1U1a build 880471. I'm not sure what I'm doing wrong. I'm not using Windows Authentication. I don't think that should cause this problem though.

November 15, 2013 7:25 am
Reply to  Dan

Hi Dan,

did you ever find a resolution to this issue? I am having the exact same problem.


Jack Chen
January 15, 2014 7:44 am
Reply to  Ben

I also met the "Cannot login to IS" when I tried to manually run register-is.bat. Found one document… but I don't think that was my problem. I was following… to recreate IS service, but always failed at register-is.bat.

Finally I found a workaround for me:

1. shutdown IS.
2. delete IS data
3. delete IS user.
4. createdb to recreate IS data
5. start IS
6. create IS user by "register-sso.bat"
7. run register-is.bat.

The two extra steps are delete IS user, then recreate it by register-sso.bat.

July 22, 2013 10:56 pm

Oke if you follow your guide, then it's the password of the service account used at the installation

July 27, 2017 8:49 am

For Step 5 (vCenter SSL Certificate) I'm hitting head against the wall trying different combinations…can you share what you used for the following?

vCenter Server administrator user name:
vCenter Server administrator password:
vCenter Server original database password:
Single Sign-On Administrator user:
Single Sign-On Administrator password: