vCAC 6 SSL configuration gotcha

When installing vCAC 6 using the stand alone Identity appliance you will need to configure the SSL certificates in a specific way. Otherwise you will not be able to login to your system with the identity store credentials. This is because the vCAC appliance contacts the Idenetiy appliance for a SAML token. If the SSL communication is not right you will not be presented a token to login to vCAC. Note: the vsphere.local will allow login and allow you to setup your tenant, but that’s as far as you will get. Note: If you have already done this incorrectly you will need to start a fresh install and redeploy both vCAC appliance and ID appliances.

First off, when you deploy the Identity appliance the OVF deployment scripts will generate a self signed certificate. Please resist any temptation to regenerate this certificate. Leave it as is unless you plan to add a CA signed certificate.



The vCAC appliance is a different story. You will need to generate a self signed certificate but be sure the common name is the fully qualified domain name of the vCAC appliance.





Remember sharing is caring!

4 Replies to “vCAC 6 SSL configuration gotcha”

  1. You have a comment about not altering the SSL certificate of the SSO appliance unless you are using a CA certificate.
    I’m curious to understand what issue you are seeing if you go against this.
    I’ve deployed a number of test systems and made this alteration every time ensuring that I alter the common name to match the FQDN of Identity Appliance and not had any problems.

    • Hi Gary, The problem I had was that you could not login to vCAC with your AD credentials. The login would work but not redirect to the vCAC server. This may have something to do with Active Directory.

  2. Skipping the self-signed cert for SSO helped me workaround an an issue that came up shortly after the tenant configuration. I could publish a blueprint, setup my service and catalog items, but I could not add users to an activate an entitlement. SSO was never able to find the users in my AD Identity Store.

    Thanks for the helpful article Ryan.

    p.s. I also had an issue during IaaS install when my administrator@vsphere.local accoun’ts password contained a percent character ( % )

Leave a Reply

Your email address will not be published. Required fields are marked *


This site uses Akismet to reduce spam. Learn how your comment data is processed.