VMware Cloud Community
dmaster
VMware Employee

Replace VMware Virtual Center SSL Certificate with Microsoft CA

Hello All,

I'm trying to replace the default SSL certificates from Virtual Center 2.01 with certificates from my own Microsoft Enterprise root CA.

I followed this howto:

http://edward.aractingi.net/blog/archives/virtualization/

In this article I am missing how I get my rui.crt certificate.

I am only able to get the rui.pem, rui.pfx and rui.key files.

And this howto:

http://www.vmware.com/pdf/vi_vcserver_certificates.pdf

(I get the feeling that this document is not meant for a Microsoft CA, just a local root CA.)

In this article I get stuck on page 8 with the line:

openssl ca -out ruit.crt -config openssl.cnf -infiles mycsr.csr

Error message:

c:\Program files\openssl\openssl ca -out Webaccess.crt -config openssl.cfg -infiles Webaccess.csr

Using configuration from openssl.cfg

Loading 'screen' into random state - done

unable to load CA certificate

3360:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:663:Expecting: CERTIFICATE

Was anybody able to replace these certificates? Who can help me out?

58 Replies
Dennis2
Contributor

You forgot to say that you should enter the FQDN of the VC at "Enter your name" when generating the request.

celak
Enthusiast

Hello,

Is there any way to completely disable the SSL feature of VI3?

I don't want to use SSL and don't want to see validation error messages for SSL certs.

Thanks.

Jwoods
Expert

Yes this is the last BUT very important part. If not done, you'll be spinning your wheels trying to fix what's not broken.

madcult
Enthusiast

When I try to connect to a VirtualCenter server there always appears this message that the certificate is not trusted. Every time I have to click ignore. Even if I install this certificate the information appears next time again.

Message:

>>The certificate received from "server1.domain.com" was issued for "VMware". Secure communication with "server1.domain.com" cannot be guaranteed. Ensure that the fully-qualified domain name on the certificate matches the address of the server you are trying to connect to. <<

I think our problem is that the certificate "was issued for 'VMware'" and not for the FQDN "server1.domain.com"! We have no root CA, or maybe I misunderstood what it is for, but at the moment we do not work with certificates except those usually made by any Linux machine when we connect to it per SSH. How can I solve this? We don't want our admins to see this message. It makes other admins think that something went wrong, and that's what we want to avoid. ;)

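The mismatch in the message above (certificate "issued for 'VMware'" instead of the FQDN) is exactly what Dennis2 warns about: whatever is typed at OpenSSL's "Enter your name" prompt becomes the CN the VI client checks against the server address. The following is an added example, not code from the thread or from VMware's documentation, that generates the request non-interactively with the FQDN as CN and SAN so the prompt cannot be answered wrongly. The host name vc.example.com, the optional IP, and the file names req.cnf, rui.key and rui.csr are assumptions.

```shell
# Added example (not from the thread or VMware's documentation): build an
# OpenSSL request config with the VirtualCenter FQDN as CN (and SAN), then
# generate the key and CSR from it. Host name, IP and file names are assumed.

make_req_cnf() {
  # $1 = FQDN of the VirtualCenter server (goes into CN and DNS SAN)
  # $2 = optional IP address, added as an IP SAN for clients that connect by address
  fqdn=$1
  ip=$2
  san="DNS:${fqdn}"
  if [ -n "$ip" ]; then
    san="${san},IP:${ip}"
  fi
  cat <<EOF
[ req ]
default_bits       = 2048
prompt             = no
distinguished_name = req_dn
req_extensions     = v3_req

[ req_dn ]
CN = ${fqdn}

[ v3_req ]
subjectAltName   = ${san}
extendedKeyUsage = serverAuth
EOF
}

make_csr() {
  # Writes rui.key (unencrypted, as VirtualCenter expects) and rui.csr in the
  # current directory; rui.csr is what gets pasted into the CA web enrolment page.
  make_req_cnf "$1" "$2" > req.cnf
  openssl req -new -newkey rsa:2048 -nodes -keyout rui.key -out rui.csr -config req.cnf
  # Check the subject before submitting the request to the CA
  openssl req -in rui.csr -noout -subject
}

# Usage (assumed names):  make_csr vc.example.com 192.0.2.10
```

After the CA returns the certificate, confirm what was actually issued with `openssl x509 -in rui.crt -noout -subject`, because a Microsoft CA only copies the subject and SAN from the request when the template's subject name is set to "Supply in the request" (the Web Server template does); what matters for the VI client warning is the issued certificate, not the request.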
rbeu
Contributor

Has anyone tried replacing the certs without shutting down the VMs and instead VMotion'ing them off one host at a time and then restarting that host? I have a feeling VMotion will fail between the hosts without them being restarted first, but I'm curious if anyone has tried this.

Jwoods
Expert

> Has anyone tried replacing the certs without shutting down the VMs and instead VMotion'ing them off one host at a time and then restarting that host? I have a feeling VMotion will fail between the hosts without them being restarted first, but I'm curious if anyone has tried this.

There's no need to restart the host. This is how I replaced my certs. Left the VMs as is, created and replaced the cert on VC. Disconnected, removed and re-added each of the hosts. No problems sighted.

astrolab
Contributor

You're right. I re-ran the test without shutting down the hosts or the VMs, just:

1- Disconnected the hosts.

2- Removed them.

3- Stopped the VC service.

4- Installed the new certs on the VC server.

5- Ran vpxd -p

6- Restarted the service.

7- Re-added the hosts.

So why does VMware recommend a restart of both the VC server and the hosts?

rbeu
Contributor

Thanks for the tip, JWoods. Tried it today and it worked for me as well except I didn't remove the hosts from VC, I just disconnected and reconnected them.

jasonboche
Immortal

I've made some updates to Astrolab's procedures based on the experience of others and on my own experience, as noted by the Moderator notes. Modifications of these steps save significant time and avoid outage of VMs and ESX hosts.

Thank you Astrolab, dmaster, and everyone else for providing all the information on this thread.

Jas

Jason Boche

VMware Communities User Moderator

VCDX3 #34, VCDX4, VCDX5, VCAP4-DCA #14, VCAP4-DCD #35, VCAP5-DCD, VCPx4, vEXPERTx4, MCSEx3, MCSAx2, MCP, CCAx2, A+
meistermn
Expert

There is a KB article for re-authentication.

meistermn
Expert

This step should be approved:

Open the file that you saved above with Notepad and copy all of the contents, including the "-----BEGIN CERTIFICATE REQUEST-----" and "-----END CERTIFICATE REQUEST-----" lines.

For opening the file you should use UltraEdit or some other good editor, to prevent it from converting to DOS format as Notepad and WordPad do.

jtweathers
Contributor

I am running into the same issue you noted at the bottom. I have replaced my certificates on Virtual Center and run vpxd.exe -p, and Virtual Center starts without issue.

I have also replaced the certificates on one of my ESX hosts. On the ESX host with the new certificates, when I try to add it to Virtual Center I get "Failed to install the VirtualCenter agent service". It still appears in Virtual Center but shows disconnected. When trying to reconnect you immediately get "login failed due to a bad username or password"; you then enter the username and password and the agent install fails again.

If I try to add the ESX hosts where I did not replace the certificates, they work fine.

Did you ever figure out what has to be done for Virtual Center to communicate with an ESX 3.5 host that has had its certificates replaced?

ThomasV
Enthusiast

If you replace the ESX certificate on the host, you have to perform a /etc/init.d/mgmt-vmware restart.

If you use faulty certificates the vpxa service will be stopped and an error will be displayed in the vpxa log: tail -f /var/log/vmware/vpx/vpxa.log will display the last lines.

The faulty certificate is due to the copy/paste of the certificate request with WordPad. If you open the resulting certificate with Notepad++ and check "show special characters", you will see there are CR/LF at the end of each line. For the certificate to be valid only LF is allowed; simply click "convert to UNIX" in Notepad++ and re-upload it to your ESX.

astrolab
Contributor

I installed MS CA certificates on several hosts and performed mgmt-vmware restart, but the problem still persists as indicated by you. Basically what's happening is:

1- VC has the certificates installed => works fine

2- Stand-alone ESX hosts have certs installed => works fine

3- If both VC and ESX hosts managed by VC have certs => no good, the hosts get disconnected and stay so.

ThomasV
Enthusiast

After you replace the certificates on an ESX host and perform a mgmt-vmware restart, what does "/etc/init.d/vmware-vpxa status" give as outcome? That service should be started.

If not, I'd really verify that your .crt file does not contain any CRs.

jtweathers
Contributor

I figured it out today. It was the CR/LF issue. I noticed in the vcagent log that the rui.crt file was unknown to the agent. I opened the rui.crt file with nano and it stated that there were 21 lines converted from DOS. I saved the file as rui.crt.1, then deleted rui.crt and copied rui.crt.1 to rui.crt, and everything is working now.

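ThomasV's explanation and jtweathers' nano fix above both come down to the same check: the certificate file the ESX agent reads must be PEM text with LF-only line endings. The first post's OpenSSL error ("no start line ... Expecting: CERTIFICATE") is the other failure of the same class, a file that is not PEM text at all (commonly a DER .cer as exported by a Microsoft CA with its default encoding). The following is an added example, not code from the thread or from VMware, that checks for both conditions and rewrites the file with UNIX line endings so the fix does not depend on which editor happens to be on the host. The paths under /etc/vmware/ssl in the usage comment and the file names are assumptions; the certificate body in the test is constructed, not a real certificate.

```shell
# Added example (not from the thread or VMware's documentation). Checks a
# certificate file for the two problems discussed in the thread:
#   - not PEM text at all (OpenSSL: "no start line ... Expecting: CERTIFICATE")
#   - PEM text with DOS CR/LF line endings, which the ESX agent rejects
# and rewrites it with LF-only line endings. File names are assumptions.

is_pem_cert() {
  # 0 if the first line is the PEM header. A DER file (e.g. a .cer exported
  # from a Microsoft CA with the default encoding) fails this check; a CRLF
  # file still passes, because the trailing CR is deliberately not anchored.
  head -n 1 "$1" | grep -q '^-----BEGIN CERTIFICATE-----'
}

has_cr() {
  # 0 if the file contains any carriage return: the byte count shrinks
  # when CRs are stripped
  [ "$(tr -d '\r' < "$1" | wc -c | tr -d ' ')" -ne "$(wc -c < "$1" | tr -d ' ')" ]
}

pem_to_unix() {
  # $1 = input (possibly CRLF), $2 = output with LF-only line endings.
  # Fails if the result does not start and end with the PEM markers, so a
  # truncated paste or a non-PEM file is not silently "fixed".
  tr -d '\r' < "$1" > "$2"
  head -n 1 "$2" | grep -q '^-----BEGIN CERTIFICATE-----$' || return 1
  tail -n 1 "$2" | grep -q '^-----END CERTIFICATE-----$' || return 1
}

# Usage on an ESX host after pasting the issued certificate (assumed paths):
#   is_pem_cert /etc/vmware/ssl/rui.crt \
#     || echo "not PEM text: convert with: openssl x509 -inform DER -in cert.cer -out rui.crt"
#   has_cr /etc/vmware/ssl/rui.crt \
#     && pem_to_unix /etc/vmware/ssl/rui.crt /etc/vmware/ssl/rui.crt.1 \
#     && mv /etc/vmware/ssl/rui.crt.1 /etc/vmware/ssl/rui.crt
#   /etc/init.d/mgmt-vmware restart
```

The same `is_pem_cert` check applies to the CA certificate referenced from openssl.cfg in the first post: if it fails, convert the CA's DER export with `openssl x509 -inform DER` before running `openssl ca`. After the rewrite, `openssl x509 -in rui.crt -noout -subject` on the host is a final sanity check that the file parses and carries the FQDN.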
mikkel-robin
Contributor

Hi smpeck.

Did you solve the "The website you want to view requests identification" problem?

scerazy
Enthusiast

Why on earth is the certificate issue so messy even in 2.5 U3?

When using a wildcard certificate that comes with the certificate authority certificate chain, both the VI client complains (in a really odd way: I connect to vcenter.domain.org and it complains that the certificate for 10.0.0.54 - why resolve? - is issued to *domain.com) and also Web Access insists on some certificate that does not show in the box.

Seb

Markisha1979
Contributor

Hi all.

I've got some problems following the procedure posted before.

When I paste my cert request I have NO possibility to select the "Web Server" certificate type...

Where should I find it?
