GTO - people are having problems using a single certificate; there is a rumor that they have to be different.  I don't know of anyone who has a working solution with one cert.  I've switched to just system generated certs (see below).

SkullCandy - amending my previous post, I got the product installed, but the VCenter Service kept crashing and restarting.  The logs suggested this was due to trying to download a STS Certificate (probably one of the custom generated ones done during the original SSO installation).

SO:

If you followed the procedure to do the certificates, my final upgrade fix was to uninstall VCenter, Inventory, and SSO service.  Delete all SSL certificates from the ProgramData\SSL folders (there are 3 places to look, two for VMware itself and one for intentory service).  Then reinstall the three components - SSO, Intentory, VCenter.  It regenerates the certificates and WORKS.

Phil

Well, I'm glad you got it working and that's great for those who can use the VMware generated certs, but I can't.

The security policy here requires certs from our local CA. Besides, it makes for a cleaner install and you don't get those annoying untrusted cert notifications when using a trusted cert.

Makes sense, but you'll have to wait for a definitive fix before upgrading.   VMware really screwed v5.1 upgrades; it's Symantec-esq.

for a new install, or a non-production upgrade, reverting all certificates to self-signed, and then upgrading from 5.0U1 to 5.1 is a feasible option to get a function 5.1 deployment.

VMware has published a document on replacing all 5.1 certificates with CA/ECA signed certificates. Has anyone tried to execute this document following successful 5.1 upgrade/install?

I'm much more concerned with upgrading production 4.1 with CA signed certificates to 5.1. Reverting production to self-signed certificates is NOT the answer. VMware needs to fix this ASAP.

That's kind of what Derek's blog does, it marries the upgrade with the VMware cert guide and the VMware upgrade guide. It is a very detailed write up and done well.

I ended up trying the upgrade again yesterday using the individual components (SSO, Inventory, vCenter instead of the Simple Install) and a mixture of the upgrade guide, the certificate replacement guide and Derek's blog. I ran into an issue binding the certs to the three services (Part 3 of Derek's blog) and rolled back. Of course that 29155-Identity source discovery error popped up again as well, but at least you can get by that. I think I'm on my 3rd attempt now.

This upgrade is definitely not for the faint of heart, and it seems like it is way more difficult than it should be.

In my opinion, I think VMware should have broken this up a bit more, possibly leaving the SSO option for after the vCenter upgrade, or introducing it later on in the year as a separate application. It should never have been bundled with this upgrade; it is making things too difficult.

I'll be updating my vCenter 5.1 series with input from Terafirma and some additional testing I'll be doing this weekend. You are right..this is way harder than it should be.

We went ahead and rebuilt from scratch using Derek's guide, minus the portions regarding certificates. This build went smooth until we went to add Update Manager following the completion of vCenter. For reasons that make no sense the service account were trying to use is being rejected by the Update Manager install. Either their is a local machine perm were missing or vCenter has added some new area for plug-in permissions in 5.1 that we have been unable to find.

My upgrade experience from 5.0 to 5.1 was abysmal as well. I never could get the SSO service installed on my vCenter server machine, so it lives somewhere else now. That's good from a security point of view, but the SSO service performance is very bad.

I've also read the various comments regarding the certificate issues with great interest. I, too, embarked on replacing the self signed ones. I decided to leave the SSO certs alone and the only way I could get the vCenter Server and Inventory service to register properly was to:

* Completely uninstall vCenter Server and the Inventory service.

* Create certificates with different common names (I used "vCenter Service" and "Inventory Service") with the FQDN of the server set in the SAN attribute of the certificate. After that I put them into the respective locations on the server.

* Reinstalled the Inventory and the vCenter Server service.

If you use the same certificate for all services, registration will fail.

I hope this helps

So from what I'm hearing you say, you basically pre-populated the SSL certificate locations for the inventory and vCenter service, so when you re-installed it automatically used your trusted certs?

Exactly.

That was my last resort....did yet another install with failed certificate replacement AFTER the service in question was installed. I'll wipe my lab again and see if pre-populating everything works for me as well.

I did create unique certs for each service as well, based on Terafirma's discovery.

It was my last resort as well. I discovered this after messing around with it for more than 4 days. I find it quite amazing that the certificate is used as a "primary key" in the registration process, especially since by default it uses self-signed certs. I'd love to have a word with the person who had that idea...

Amazingly, the SSO certificate replacement process does appear to work as advertised. But like you found out, the Inventory Service and vCenter replacement procedures are horribly broken. 

After I read through the paper of the procedure to replace the SSO certificates, I decided to not even touch that one, as my users would not see the effect of it anyway. I was disgusted enough already by my upgrade experience.

One more thing regarding setting up security in SSO and ESXi: Do not under any circumstances use AD groups in permissions on your ESXi machines in vCenter. Performance of evaluating AD groups directly will result in

• very slow vCenter Server startup times (5 - 10 minutes depending on the amount of groups)
• timouts when logging in (9 out of 10 times it will fail)

My workaround for that was to create groups in SSO and assign AD users to these groups. It's still slow, but at least it works.

I also found that in order to keep performance up, I need to reindex the RSA database on a regular basis, especially after making changes to permissions. That one really amazes me, since that database has very few tables and is no more than 10 MB.

Pre-populating the SSL certificates did NOT work for me. The vCenter server installer still died with Error 26002.Setup failed to Register VMware vCenter server to VMware vCenter Inventory Service.

In my "subject" value for each certificate I have a different "OU" value. One is "InventoryService" and the other is "vCenterServer". The other values (CN, O, L, S, C) are all the same. Are you saying you changed the CN value to be descriptive of the service and not the FQDN of the server?

Exactly which value did you change in your SSL certs, when viewing them in Windows Explorer?

The common name needs to be different, i.e. the CN value.

The actual hostname (as the FQDN) will be specified in the Subject Alternative Name. If you are issuing certs from a Mirosoft CA, you need to first enable it to use the SAN attribute. After that you can specify the SAN either in the CSR directly (if you use OpenSSL to generate the CSR) or in the CertSrv util when requesting the certificate as an additional attribute (Syntax: SAN:DNS=<FQDN of server>).

if you look at the self-signed cert generated by the installer, they do it exactly in that fashion.