VMware Cloud Community
Schaedle

SSL Cert Automation Tool

Hi,

I wanted to upgrade from vSphere 5.1 to 5.5 and had problems with the standard certificates. So I decided to stop and first replace them now. We will generate certificates from our in-house CA and spread them with the SSL Cert Automation tool.

Reading some KBs I have two questions before starting.

1. May I do the change of the certificates during production, or do I have to put something into maintenance mode, and so have to do this on a weekend?

2. While the tool is running I'm able to choose which services I want to update. When I choose "8" all services are selected. Does it matter if I do not have all of them running? E.g. we do not have the Orchestrator, but I'm not sure if we have Log Browser.

Thanks in advance

Wolfgang


Accepted Solutions
admin

Hi Wolfgang,

1) You will need downtime, as the services are restarted a couple of times; also be sure to shut down any dependent solutions (VMs should not be affected, though, as only management components are touched).

2) Log Browser is incorporated into the Web Client, so if you have that one installed you also have the Log Browser.

5 Replies
Schaedle

Thanks for the information, Frank! That helps me.

Now, first of all, I have to understand how the tool is working and most of all the setup of it, which seems not to be so trivial...


Oh the setup is extremely easy. Simply unzip the files.

Go into the ssl-environment.bat first and set up all the paths to your certificate chains and private keys.

The next step is to start the ssl-updater.bat and be sure to run the execution planner first. Then just follow the steps: the first half of each step is the point in the main menu to go to, the second half is the actual step to choose in that submenu.

You will need the database password, the administrator@vsphere.local password and a password and username for one vCenter administrator.

The hardest part is to actually obtain the certificates and make sure they are valid. For each service you will need a unique subject field (we do not go by serial or thumbprint in that regard). You will then need to copy the whole certificate chain into 1 file; do NOT use Notepad or output redirection for this, but a proper text editor, if you want to avoid mistakes. Remove all comments, line breaks and bag attributes from the chain. Start with the service certificate, followed by the intermediates and then the root CA; the ssl-environment.bat will have a description of how this needs to look.

Make sure your private key is actually in RSA private key format, by simply opening the file in a text editor as well.

Your certificates need to contain the subject alternative name field with at least the DNS name or the IP of the server they are created for.

Apart from these requirements you should also check your %PROGRAMDATA%\VMware\VMware Virtualcenter\vpxd.cfg; that file contains the following section:

      <lookupService>
        <serviceId>vCenterService</serviceId>
      </lookupService>

You DON'T want to have "vCenterService" written there.

If you have, open an elevated command prompt, cd into c:\program files\vmware\infrastructure\ssoserver\ssolscli and run the following command:

ssolscli listServices https://fqdn:7444/lookupservice/sdk

assuming that the CN of your certificate for SSO has the FQDN in it; otherwise use the IP address. If this command fails you will get double 100 as the error; if it succeeds you will get a list with all registered endpoints and, more importantly, their service IDs.

You want to have the one for the vCenterService, which should have an endpoint ending in https://fqdn:443/sdk and should be in the format {randomlettersandnumbers}:number. Copy this whole string into the vpxd.cfg and restart the vCenter Server service.

Another issue might be that you have an sso.crt in the SSL subfolder of the ProgramData folder mentioned above. The tool will recognize this and directly tell you the KB you need to follow to rectify this. Please note that this issue usually happens when you upgraded from 5.0 and had the same certificate for Inventory Service and vCenter Server, so to be able to actually rectify this you will at least need to replace the Inventory Service certificate first.

Hope that helped a little :)
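As an added example (not code from the thread or from the SSL Cert Automation tool), a small Python pre-flight check for the three things the reply above says trip people up: a chain file that still carries bag attributes, comments or blank lines; a private key file that is not in "RSA PRIVATE KEY" format; and a vpxd.cfg serviceId left as the literal "vCenterService". The sample chain is constructed (the base64 bodies are not real certificates), and the serviceId pattern is an assumption derived only from the post's "{randomlettersandnumbers}:number" description.

```python
import base64
import re

# Constructed sample input (not a real chain): bag attributes and a blank line, as the post says to remove.
RAW_CHAIN = """Bag Attributes
subject=/CN=vcenter.example.local
-----BEGIN CERTIFICATE-----
Q29uc3RydWN0ZWQgc2VydmljZSBjZXJ0
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
Q29uc3RydWN0ZWQgcm9vdCBDQQ==
-----END CERTIFICATE-----
"""
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----\n(.+?)\n-----END CERTIFICATE-----", re.S)
# Assumed pattern for the serviceId, derived from the post's "{randomlettersandnumbers}:number".
SERVICE_ID = re.compile(r"^\{[0-9A-Za-z-]+\}:\d+$")

def chain_problems(text, expected_certs):
    """List what would trip the tool: text outside PEM blocks, bad base64, or a wrong cert count."""
    problems, inside = [], False
    for n, line in enumerate(text.splitlines(), 1):
        if line == "-----BEGIN CERTIFICATE-----":
            inside = True
        elif line == "-----END CERTIFICATE-----":
            inside = False
        elif not inside:  # bag attributes, comments, blank lines
            problems.append(f"line {n}: text outside a certificate block: {line!r}")
    bodies = PEM_BLOCK.findall(text)
    for i, body in enumerate(bodies, 1):
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append(f"certificate {i}: body is not valid base64")
    if len(bodies) != expected_certs:  # service cert + intermediates + root CA
        problems.append(f"expected {expected_certs} certificates, found {len(bodies)}")
    return problems

def clean_chain(text):
    """Rebuild the chain keeping only the certificate blocks, in their original order."""
    return "".join(f"-----BEGIN CERTIFICATE-----\n{b}\n-----END CERTIFICATE-----\n"
                   for b in PEM_BLOCK.findall(text))

def key_problem(text):
    """The tool expects a PEM file headed 'RSA PRIVATE KEY' (PKCS#1), not a PKCS#8 'PRIVATE KEY'."""
    first = text.strip().splitlines()[0] if text.strip() else ""
    return None if first == "-----BEGIN RSA PRIVATE KEY-----" else f"not an RSA PRIVATE KEY file: {first!r}"

def service_id_ok(value):
    """vpxd.cfg <serviceId> must be the ID from 'ssolscli listServices', never the literal name."""
    return value != "vCenterService" and bool(SERVICE_ID.match(value))
```

Run `chain_problems(open(path).read(), 3)` against a chain file for a service cert, one intermediate and the root; an empty list means the file matches the layout the ssl-environment.bat describes.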

JimKnopf99

Hi,

I could also recommend reading the blog from Derek Seaman.

http://www.derekseaman.com/

Good blog posts about certificates and VMware.

Frank

Schaedle

Many thanks for your help!

Finally I got it running. But because our vCenter got migrated from 5.0 to 5.1 some time ago, there was a problem with old certificates and so the LookupService did not run properly. After a repoint of the vCenter against the LookupService all went to a good end. But this has been done by VMware support.

So the preparation for the upgrade to 5.5 is now done, and I hope tomorrow all goes fine.
