vSphere 5.5 Install Pt. 16: vCenter SSL

Now that vCenter is fully installed, it’s time to replace the self-signed certificate for the vCenter service and Orchestrator. Since we’ve already replaced the other certificates (SSO, Inventory, etc.), this process is a piece of cake. If you haven’t been following this series to the letter and still have all self-signed certificates, you will need to use the VMware certificate automation tool planner and follow all 16+ steps. You can only take the ‘short cut’ method if all other certificates have been replaced per my guide.

Blog Series

SQL 2012 AlwaysOn Failover Cluster for vCenter
vSphere 5.5 Install Pt. 1: Introduction
vSphere 5.5 Install Pt. 2: SSO 5.5 Reborn
vSphere 5.5 Install Pt. 3: vCenter Upgrade Best Practices and Tips
vSphere 5.5 Install Pt. 4: ESXi 5.5 Upgrade Best Practices and Tips
vSphere 5.5 Install Pt. 5: SSL Deep Dive
vSphere 5.5 Install Pt. 6: SSL Certificate Template
vSphere 5.5 Install Pt. 7: Install SSO
vSphere 5.5 Install Pt. 8: Online SSL Minting
vSphere 5.5 Install Pt. 9: Offline SSL Minting
vSphere 5.5 Install Pt. 10: Update SSO Certificate
vSphere 5.5 Install Pt. 11: Install Web Client
vSphere 5.5 Install Pt. 12: Configure SSO
vSphere 5.5 Install Pt. 13: Install Inventory Service
vSphere 5.5 Install Pt. 14: Create Databases
vSphere 5.5 Install Pt. 15: Install vCenter
vSphere 5.5 Install Pt. 16: vCenter SSL
vSphere 5.5 Install Pt. 17: Install VUM
vSphere 5.5 Install Pt. 18: VUM SSL
vSphere 5.5 Install Pt. 19: ESXi SSL Certificate

Permalink to this series: vexpert.me/Derek55
Permalink to the Toolkit script: vexpert.me/toolkit55

Automated vCenter SSL

1. From an elevated command prompt run the VMware certificate automation tool. Select Option 5.


2. On the vCenter menu select Option 2.


3. Answer all of the questions according to your environment. The certificate paths should already be configured if you used my Toolkit script. The vCenter server database password is the password to your vCenter service account. Make sure you enter it correctly or you may be left with a smoking vCenter hole.


Automated vCenter Orchestrator SSL

1. From the main menu select Option 6, then select option 3.


Health Check

1. Log in to the vSphere Web Client with the ad***********@vs*****.local account. In the left pane click on the vCenter object. Click on Hosts and Clusters, then on the Monitor tab click Service Health.


If everything went well, all services should be green. If your service list is empty, wait a minute or two, then click the refresh circle/arrow in the upper right corner. If some services are in an unhealthy state, reboot your vCenter server, wait 10 minutes after the reboot, then check this page again. Profile Driven Storage was a little stubborn for me, but a reboot and patience worked.
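A command-line check to run alongside the Service Health page, added here as an example (it is not part of the original post or the Toolkit script): it pulls the certificate each service presents over TLS and reports whether it is still self-signed and whether it chains to a root the machine trusts. The host name and the service-to-port mapping are assumptions; adjust them to your environment.

```powershell
# Added example, not part of the original post or the Toolkit script.
# Pulls the leaf certificate each vSphere 5.5 service presents and reports
# whether it is still self-signed and whether it chains to a trusted root.
$VCenterHost = 'vcenter.example.local'   # assumption: FQDN of your vCenter server
$Services = [ordered]@{                  # assumption: default 5.5 service ports
    'vCenter Server'     = 443
    'vSphere Web Client' = 9443
    'SSO'                = 7444
    'Inventory Service'  = 10443
}

function Get-ServiceCertificate {
    param([string]$ComputerName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    try {
        # Accept whatever the server sends: we are inspecting the cert, not trusting it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($ComputerName, $null,
            [System.Security.Authentication.SslProtocols]'Tls,Tls11,Tls12', $false)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

$report = foreach ($name in $Services.Keys) {
    try {
        $cert = Get-ServiceCertificate -ComputerName $VCenterHost -Port $Services[$name]
        [pscustomobject]@{
            Service    = $name
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Expires    = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
            SelfSigned = ($cert.Subject -eq $cert.Issuer)  # True: the VMware default cert is still in place
            Trusted    = $cert.Verify()                   # True: chain builds to a root this machine trusts
        }
    } catch {
        Write-Warning "$name (port $($Services[$name])): $($_.Exception.Message)"
    }
}

$report | Format-Table -AutoSize
# The automation tool refuses a certificate that is not unique, so flag any
# thumbprint that two services share.
$report | Group-Object Thumbprint | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    Write-Warning "Same certificate presented by: $($_.Group.Service -join ', ')"
}
```

Run it from the vCenter server itself (or any domain-joined box that trusts your CA) so the Trusted column reflects the chain your clients will actually build.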


Yes, we are finally here! You have a fully working vCenter Server on Windows Server 2012, plus all trusted SSL certificates. If all of your services came up healthy, then you should be good to go. But wait... we still have VUM to install, configure, and secure. Plus those pesky ESXi hosts all need SSL certificates too. Check out the VUM install in Part 17.

October 29, 2013 6:03 am

I will use that then, the script doesn't seem to work so I will wait for your blog post.

Jeffry A. Spain
November 4, 2013 8:37 am

In anticipation of parts 17 and 18 of the series, here's my initial experience with installing VUM 5.5. In the installer, on the vCenter Server Information screen, I changed the IP Address / Name field to the FQDN of the server. It was prepopulated with the server's IPv6 address. I used my vCenter service account credentials (domainuser) under Username and Password. I did not test with the ad***********@vs*****.local credentials. Otherwise I completed the VUM installation with the default settings. I ran the ssl-updater.bat tool and updated the certificate and private key in the usual manner (options 8 and then 1)…

Jeffry A. Spain
November 4, 2013 4:52 pm

FYI, successful with VUM configuration using the 5.1 series guidelines. Jeff.

November 6, 2013 4:35 pm

Thank Derek for a great blog and thanks Jeffry, I also followed the KB and was successful with my VUM configuration with 5.5 with a separate 2012 SQL server.

December 10, 2013 7:59 am

Got problems with updating my vCenter SSL certificate:
[10.12.2013 – 15:26:36,33]: Attempting rollback…
Could not reload vCenter SSL Certificates
[10.12.2013 – 15:26:37,77]: ""Cannot reload the vCenter Server SSL certificates. The certificate might not be unique.""
[10.12.2013 – 15:26:37,79]: Deleting the new certificates and keys…
[10.12.2013 – 15:26:37,81]: Restoring the original certificates and keys…
1 Datei(en) kopiert.
1 Datei(en) kopiert.
1 Datei(en) kopiert.
[10.12.2013 – 15:26:37,85]: The vCenter certificate update failed.

My environment:
Windows 2012 Server Fully Patched
Clean Windows Installation

Everything works fine, but on the last step I'm unable to update the certificate for the vCenter server.

Ronny Løken
September 19, 2014 3:15 am

Hi! I did not get the script to work properly when generating certificates for the Linux appliance (vCSA). To get it to work, I had to change both #$WServices to the same as #$LServices; if not, the script would fail because it was looking in the wrong folders (example: C:\Certs\VMware vCenter Service Certificate\VMware vCenter Service Certificate.csr). As I am no guru on PowerShell, I was not able to figure out where to make the changes so that the $Service variable was correctly set (or maybe some other variable has to be changed). I will investigate further, maybe I'll figure it…

August 30, 2017 5:12 am

Thank you for the very thorough blog and installation instructions. I came across something strange and was wondering if you or the community could help. The scenario I am seeing is that when I log into the vSphere Web Client as @vsphere.local I am able to see the vCenter Server, but when I log in under the Domain vCenter Service account which I have added as the local admin, "act as part of the OS", and added to an AD Group which has been added to the Administrator's group within the vCenter Users and Groups section.