Do you have a Platform Services Controller (PSC) or vCenter deployed and have you replaced the self-signed machine certificates? Are you looking to deploy NSX Manager 6.2? If so you must consider the following.
NSX Manager can be configured to use Lookup Service, and you can provide SSO credentials to register the NSX Management Service as a solution user. For this to work, the certificate installed on your PSC must be trusted. If the self-signed certificates have been replaced with enterprise certificates this verification will fail, because the PSC / vCenter has been configured to use the new certificate but the corresponding services, such as Lookup Service, have not. NSX Manager will report the error below:
NSX Management Service operation failed.(Initialization of Admin Registration Service Provider failed. Root Cause: Error occurred while registration of lookup service, com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate chain not verified)
VMware have covered this in detail here
The following will illustrate how to fix this error. In my environment I am using the vCenter appliance in embedded mode, configured as a subordinate CA of an internal Enterprise CA (Windows 2012 CA). When I try to configure Lookup Service on the NSX Manager I get the error quoted above.
First you need to confirm that the two certificates actually differ. Enable SSH on your PSC (or on the vCenter appliance when using embedded mode) and run the following:
shell.set --enabled true
Then
/usr/lib/vmidentity/tools/scripts/lstool.py list --url https://localhost/lookupservice/sdk --no-check-cert --ep-type com.vmware.cis.cs.identity.sso 2>/dev/null
Record the value shown after "SSL trust" in a notepad. Now run:
echo | openssl s_client -connect localhost:443
Record the value shown after "Server certificate". Notice that these are different. You now need to find that certificate in the sslTrust field of the ArrayOfLookupServiceRegistrationInfo using the Managed Object Browser (MOB). First back up the old certificate: connect to the PSC using WinSCP and create a folder called /Cert. Now connect to the MOB by browsing to the URL below and log in with the SSO administrator account:
https://vc_with_embedded_psc.example.com/lookupservice/mob?moid=ServiceRegistration&method=List
In the value box delete everything so you are only left with <filterCriteria></filterCriteria>, then select Invoke Method.
Search the output for the following:
https://vcenter.domain.com:443/sdk
The box directly above this will contain the Base64 of the old cert. Copy this out to a notepad and save it as old.crt. You need to add -----BEGIN CERTIFICATE----- above the Base64 and -----END CERTIFICATE----- below it, each on its own line.
Using WinSCP copy this to the /Cert folder created earlier. That's the old one backed up.
Now we need to find the fingerprint of the old cert. Connect back to the PSC (vCenter if using embedded mode) and run the following:
shell.set --enabled true
Then
openssl x509 -in /Cert/old.crt -noout -sha1 -fingerprint
Save the fingerprint to notepad for later.
Now run the following to export the latest machine certificate into the same /Cert folder:
/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output /Cert/new_machine.crt
Now run the following, changing the URL and fingerprint to match yours:
cd /usr/lib/vmidentity/tools/scripts/
Then
python ls_update_certs.py --url https://lab-vc01.vjenner.com/lookupservice/sdk --fingerprint EC:C3:98:b9:1C:EA:CD:03:5B:4F:B8:7A:80:93:2B:6B:EC:80:9A:09 --certfile /Cert/new_machine.crt --user Administrator@vsphere.local --password Password
This takes a few minutes to complete; once finished you should see the services updated successfully.
That's it! You can now configure Lookup Service on your NSX Manager.
Note - this script must be run every time the machine certificates are replaced on an embedded appliance, an external PSC, or a vCenter with an external PSC. That means if your certs are set to expire in 2 years, remember to do this part when renewing.
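The manual steps above (wrapping the MOB sslTrust Base64 into a PEM file, taking its SHA-1 fingerprint, and comparing it with the exported machine certificate) can be scripted. This is an added example, not code from the post or from VMware; it uses only the Python standard library, and the certificate bytes in the demo are constructed stand-ins, not real certificates.

```python
import base64
import hashlib
import textwrap

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

def mob_base64_to_pem(b64_blob: str) -> str:
    """Turn the bare Base64 copied out of the MOB sslTrust field into PEM (old.crt).

    Whitespace picked up while copying is stripped, the body is re-wrapped at
    64 characters and the BEGIN/END lines are added so openssl can read it."""
    body = "".join(b64_blob.split())
    base64.b64decode(body, validate=True)  # raise early on a mangled copy
    return "\n".join([PEM_HEADER, *textwrap.wrap(body, 64), PEM_FOOTER]) + "\n"

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and decode back to the raw DER bytes."""
    body = [ln.strip() for ln in pem.splitlines()
            if ln.strip() and not ln.startswith("-----")]
    return base64.b64decode("".join(body))

def sha1_fingerprint(der: bytes) -> str:
    """SHA-1 over the DER bytes, formatted like 'openssl x509 -fingerprint -sha1'."""
    hexdigest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, 40, 2))

def normalize_fingerprint(text: str) -> str:
    """Accept 'SHA1 Fingerprint=ec:c3:...' or a bare, mixed-case value."""
    return text.split("=")[-1].strip().upper()

def lookup_service_needs_update(mob_blob: str, machine_cert_pem: str) -> bool:
    """True when the cert registered in Lookup Service (MOB sslTrust) differs from
    the current machine SSL cert (vecs-cli export): the mismatch behind
    'Server certificate chain not verified' on NSX Manager."""
    old_fp = sha1_fingerprint(pem_to_der(mob_base64_to_pem(mob_blob)))
    new_fp = sha1_fingerprint(pem_to_der(machine_cert_pem))
    return normalize_fingerprint(old_fp) != normalize_fingerprint(new_fp)

if __name__ == "__main__":
    # Constructed stand-ins, not real certificates: arbitrary bytes in the DER role.
    old_blob = base64.b64encode(b"constructed: old self-signed machine cert").decode()
    new_pem = mob_base64_to_pem(base64.b64encode(b"constructed: new CA-issued cert").decode())
    print("old fingerprint:", sha1_fingerprint(pem_to_der(mob_base64_to_pem(old_blob))))
    print("run ls_update_certs.py?", lookup_service_needs_update(old_blob, new_pem))
```

The "old fingerprint" value is the one to pass to ls_update_certs.py as --fingerprint; when the function returns False the registration already matches and no update is needed.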
When I run the command to update the certificate, I get the following error: "Modify PSC service endpoint URLs for HA: error: argument --url is required"
I am using the following syntax: "/usr/lib/vmidentity/tools/scripts/ls_update_certs.py --url https://vcsa.local/lookupservice/sdk --fingerprint a7:1f:c0:6c:80:43:36:1d:dd:11:92:e0:95:ef:6e:0a:81:1e:69:76 --certfile /root/SSLCerts/ca.cer --user administrator@vsphere.local --password Password01"
Not sure why the url info is not getting passed.
Thanks
MG
Hey Michael,
Is that URL right? https://vcsa.local/lookupservice/sdk?
Try adding the FQDN such as - https://vcsa.domain.local/lookupservice/sdk?
Thanks
Kyle
Kyle,
I use the FQDN of my VCSA when running the command, I just didn’t use the actual name in the post.
Michael
I take it you're using embedded VCSA? The KB states FQDN for your PSC; if you are using embedded then the command should work. Maybe a call to VMware? Either way keep me posted, it will be interesting to know.
Kyle,
You're correct, I am using the embedded VCSA with no luck. I took a look at the script to make sure I had the arguments correct and I do.
Not quite sure at this point…
MG
Hey Michael,
One suggestion... could you double check the thumbprint for the cert matches the URL you are entering? Or re-run the steps to make sure the cert matches the URL you are entering?
In my lab I can run the script with the same certs I used, ie the ones that worked in the blog, but this time I enter a made up URL and I get the same error as you.
Good luck
Kyle
Kyle,
Thanks for the update, I will give it a shot and let you know…
Michael