Channel: VMware Communities: Message List - vCenter™ Server

vCenter 5.5 certificate replacement issue


I'm having problems getting the self-signed certificates for vCenter v5.5 replaced with Enterprise CA certificates. I am using the certificate replacement tool from VMware. The SSO certificate is successfully replaced, so I move on to having the Inventory service trust the SSO certificate. That succeeds as well, but I think all it's doing is bouncing the Inventory service. I then go to install the Inventory service certificate and get:

 

[Sat 03/15/2014 - 15:51:06.27]: The services that are restarted as a part of this operation are: vCenter Inventory Service.

Enter the location to the new Inventory Service SSL chain (default value is: c:\certs\Inventory\chain.pem):

Enter the location to the new Inventory Service private key (default value is: c:\certs\Inventory\rui.key):

Enter the Single Sign-On Administrator user (default value is: administrator@vsphere.local):

Enter the Single Sign-On Administrator password (will not be echoed):

 

 

[.] The supplied certificate chain is valid.

 

 

[Sat 03/15/2014 - 15:51:20.40]: Last operation update Inventory Service SSL certificate failed :

[Sat 03/15/2014 - 15:51:20.41]: Cannot determine if Inventory Service is registered with Single Sign-On - errorlevel is 1

 

If I look at the logs, I see the following:

 

[Sat 03/15/2014 - 15:51:15.43]: The Inventory Service is installed at "C:\Program Files\VMware\Infrastructure\Inventory Service"

[Sat 03/15/2014 - 15:51:15.44]: Rollback path is "C:\ssl-certificate-updater-tool-1308332\backup"

[Sat 03/15/2014 - 15:51:15.45]: Rollback path is "C:\ssl-certificate-updater-tool-1308332\backup\IS"

[Sat 03/15/2014 - 15:51:18.03]: Determining whether Inventory Service is registered with Single Sign-On ...

Intializing registration provider...

Getting SSL certificates for https://FP-CSVC01.domain.loc:7444/lookupservice/sdk

com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate chain not verified

Return code is: SslHandshakeFailed

1

[Sat 03/15/2014 - 15:51:20.39]: "Cannot determine if Inventory Service is registered with Single Sign-On - errorlevel is 1"

[Sat 03/15/2014 - 15:51:20.39]: Exiting Inventory Service update SSL certificate due to errors

 

 

Obviously there is something about the CA chain that it doesn't like.  If I look at my cert store on the vCenter server, I have my Root CA in the Trusted Root store.  In the Intermediate Store I have both the Root and Intermediate.  If I browse to the lookup service (https://FP-CSVC01.domain.loc:7444/lookupservice/sdk) from a web browser, the certificate shows as valid and throws no errors so there should be nothing wrong with the certificate.

 

The format of the chain.pem in the Inventory directory is correct as well.  It is the Inventory cert, followed by the Intermediate cert, followed by the Root cert.  No extra spaces anywhere.

 

I have also tried to manually replace the certificates and it essentially fails at the same spot. SSO replacement goes fine, then I go to unregister the Inventory service and the SSL handshake fails.

 

Funny thing is that if I am using vCenter 5.1, I get past this all without issue.

 

Thoughts??

