11 Replies Latest reply on Nov 4, 2013 5:21 AM by amusica

    vShield Manager SSL certificate

    HamR Enthusiast

      Can someone please advise the correct syntax for the common name when generating a CSR?

       

      I've tried:

      • the vShield Manager IP address (mgmt interface) - the name and IP address resolve forward and reverse in the DNS

      • the vShield Manager FQDN

      • the vShield Manager short name

      • the vShield Manager canonical name

       

       

      All attempts return the error, "Please enter correct domain name as common name."

       

       

      The Admin Guide says:

      "Enter the name that matches the site name. For example, if the IP address of vShield Manager management interface is 192.168.1.10, enter 192.168.1.10."

       

       

       

      Thanks in advance,

      HamR

        • 1. Re: vShield Manager SSL certificate
          robert.eckdale Enthusiast

          Ditto.

           

          Seems strange that others have not run into this.

          • 2. Re: vShield Manager SSL certificate
            wysr Lurker

            Hi all

             

            I also ran into this issue. Fortunately I found a workaround:

             

             

            --> in a browser - I took Opera - login to vShield and open URL:
            --> right click --> source
            --> Change this:
            function checkDomain(nname){
            var arr = new Array(
            '.com','.net','.org','.biz','.coop','.info','.museum','.name',
            '.pro','.edu','.gov','.int','.mil','.ac','.ad','.ae','.af','.ag',
            '.ai','.al','.am','.an','.ao','.aq','.ar','.as','.at','.au','.aw',
            '.az','.ba','.bb','.bd','.be','.bf','.bg','.bh','.bi','.bj','.bm',
            '.bn','.bo','.br','.bs','.bt','.bv','.bw','.by','.bz','.ca','.cc',
            '.cd','.cf','.cg','.ch','.ci','.ck','.cl','.cm','.cn','.co','.cr',
            '.cu','.cv','.cx','.cy','.cz','.de','.dj','.dk','.dm','.do','.dz',
            '.ec','.ee','.eg','.eh','.er','.es','.et','.fi','.fj','.fk','.fm',
            '.fo','.fr','.ga','.gd','.ge','.gf','.gg','.gh','.gi','.gl','.gm',
            '.gn','.gp','.gq','.gr','.gs','.gt','.gu','.gv','.gy','.hk','.hm',
            '.hn','.hr','.ht','.hu','.id','.ie','.il','.im','.in','.io','.iq',
            '.ir','.is','.it','.je','.jm','.jo','.jp','.ke','.kg','.kh','.ki',
            '.km','.kn','.kp','.kr','.kw','.ky','.kz','.la','.lb','.lc','.li',
            '.lk','.lr','.ls','.lt','.lu','.lv','.ly','.ma','.mc','.md','.mg',
            '.mh','.mk','.ml','.mm','.mn','.mo','.mp','.mq','.mr','.ms','.mt',
            '.mu','.mv','.mw','.mx','.my','.mz','.na','.nc','.ne','.nf','.ng',
            '.ni','.nl','.no','.np','.nr','.nu','.nz','.om','.pa','.pe','.pf',
            '.pg','.ph','.pk','.pl','.pm','.pn','.pr','.ps','.pt','.pw','.py',
            '.qa','.re','.ro','.rw','.ru','.sa','.sb','.sc','.sd','.se','.sg',
            '.sh','.si','.sj','.sk','.sl','.sm','.sn','.so','.sr','.st','.sv',
            '.sy','.sz','.tc','.td','.tf','.tg','.th','.tj','.tk','.tm','.tn',
            '.to','.tp','.tr','.tt','.tv','.tw','.tz','.ua','.ug','.uk','.um',
            '.us','.uy','.uz','.va','.vc','.ve','.vg','.vi','.vn','.vu','.ws',
            '.wf','.ye','.yt','.yu','.za','.zm','.zw', ".local");
            var mai = nname;
            var val = true;
            var dot = mai.lastIndexOf(".");
            var dname = mai.substring(0,dot);
            var ext = mai.substring(dot,mai.length);
            //alert(ext);
            if(dot>2 && dot<57)
            {
                for(var i=0; i<arr.length; i++)
                {
                    if(ext == arr[i])
                    {
                        val = true;
                        break;
                    }
                    else
                    {
                        val = false;
                    }
                }
                if(val == false)
                {
                    return false;
                }
                else
                {
                    for(var j=0; j<dname.length; j++)
                    {
                        var dh = dname.charAt(j);
                        var hh = dh.charCodeAt(0);
                        if((hh > 47 && hh<59) || (hh > 64 && hh<91) || (hh > 96 && hh<123) || hh==45 || hh==46)
                        {
                            if((j==0 || j==dname.length-1) && hh == 45)
                            {
                                alert("Domain name should not begin are end with '-'");
                                return false;
                            }
                        }
                        else
                        {
                            alert("Your domain name should not have special characters");
                            return false;
                        }
                    }
                }
            }
            else
            {
                return false;
            }
            return true;
            }

            --> to this (yes, you have to delete all these lines!):
            function checkDomain(nname){
                return true;
                }

            --> click Apply changes in Opera
            --> Submit your CSR in the other window (with IP address as CN), then download CSR
            --> sign CSR
            --> download certificate as DER
            --> also download Root Certificate
            --> in vShield Manager install Root certificate, then the DER certificate
            --> reboot vShield Appliance

             

            For me, that worked.

             

            Hope this helps someone!

             

            Roland
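An added example (not vShield's own code and not from any poster here) showing why the stock checkDomain() quoted above rejects an IP address or a short name, beside a replacement check that validates a hostname or an IPv4 literal instead of deleting the validation. The function names originalCheckDomain, isValidCommonName and the reduced KNOWN_TLDS list are assumptions made for this example.

```javascript
// Added example, not vShield's own code. Reproduces why the quoted
// checkDomain() rejects most common names tried in this thread, and shows
// a replacement that validates a hostname or an IPv4 literal instead of
// being deleted outright.

// Condensed port of the quoted checkDomain() logic. Assumption: this
// constructed TLD subset behaves like the full list for these inputs.
const KNOWN_TLDS = ['.com', '.net', '.org', '.int', '.local'];
function originalCheckDomain(name) {
  const dot = name.lastIndexOf('.');
  // A short name has no dot (dot = -1) and fails right here.
  if (dot <= 2 || dot >= 57) return false;
  const dname = name.substring(0, dot);
  const ext = name.substring(dot);
  // An IP address ends in something like ".10", which is not a listed TLD.
  if (!KNOWN_TLDS.includes(ext)) return false;
  if (dname.startsWith('-') || dname.endsWith('-')) return false;
  return /^[A-Za-z0-9.-]+$/.test(dname);
}

// Replacement, part 1: a dotted-quad IPv4 literal, each octet 0..255.
function isIPv4(s) {
  const parts = s.split('.');
  return parts.length === 4 &&
    parts.every(p => /^\d{1,3}$/.test(p) && Number(p) <= 255);
}

// Replacement, part 2: a hostname whose labels follow RFC 1123 (1-63
// alphanumeric or hyphen characters, no leading/trailing hyphen, at most
// 253 characters overall). A single-label short name is accepted here,
// whereas the stock check rejects it because it contains no dot.
function isHostname(s) {
  if (s.length === 0 || s.length > 253) return false;
  const label = /^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$/;
  return s.split('.').every(l => label.test(l));
}

function isValidCommonName(cn) {
  return isIPv4(cn) || isHostname(cn);
}

// Constructed sample inputs mirroring the attempts in the original post.
const ATTEMPTS = ['192.168.1.10', 'vshield.domain.int', 'vshield'];
for (const cn of ATTEMPTS) {
  console.log(cn, 'stock check:', originalCheckDomain(cn),
              'replacement:', isValidCommonName(cn));
}
```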

            • 3. Re: vShield Manager SSL certificate
              amusica Enthusiast
              VMware Employees

              I have to tell you, it was very reassuring to see I wasn't the only one with that problem.  However, I approached this a little differently.  I created the CSR with the FQDN and added both the shortname and IP address as Subject Alternative Name on the certificate.

               

              SAN:dns=vshield.domain.int&dns=vshield&dns=10.0.0.10

              • 4. Re: vShield Manager SSL certificate
                wysr Lurker

                ...ok, your solution is smoother than my hack...

                thanks for posting!

                • 5. Re: vShield Manager SSL certificate
                  dmaster Expert
                  vExpert, VMware Employees

                  Hi amusica,

                   

                  Thanks to your suggestion to insert 3 SAN DNS attributes ("SAN:dns=vshield.domain.int&dns=vshield&dns=10.0.0.10"), the Windows C# client does not complain anymore that my certificate for vCNS Manager is not secure. So that's great news.

                   

                  But now, when connecting to the vCenter 5.5 server with the Windows C# client, I receive the following message when starting the vShield Manager.

                   

                  vCNScertificateissue2.jpg

                   

                  vCNScertificateissue1.jpg

                   

                  Any suggestions on how to beat this security alert?

                   

                  regards,

                   

                  Dennis

                  • 6. Re: vShield Manager SSL certificate
                    amusica Enthusiast
                    VMware Employees

                    I have not tried on 5.5 yet, but does your CA (Certificate Authority) have an accessible CRL (Certificate Revocation List)?   Are you using an internal/corporate CA or a known Trusted Root CA (Verisign, CyberTrust, etc.)?

                    • 7. Re: vShield Manager SSL certificate
                      dmaster Expert
                      vExpert, VMware Employees

                      Hi amusica,

                       

                      I don't know if my CA has an accessible CRL. I am using an internal/corporate CA (Windows 2012 enterprise root CA).

                      That's probably the reason, I assume.

                       

                      From this manual... http://www.vmware.com/pdf/vshield_55_api.pdf I read something regarding the CRL, but it doesn't make sense to me.

                       

                      Working with Certificate Revocation List (CRL)

                      Allows you to manage CRLs.

                      Create a CRL

                      Creates a CRL on the specified scope.

                      Example 5-69. Create CRL

                      Request:

                      POST https://<vsm-ip>/api/2.0/services/truststore/crl/<scopId>

                      Request Body:

                      <trustObject>

                      <pemEncoding></pemEncoding>

                      </trustObject>

                      Query CRL

                      Retrieves all CRLs certificates for the specified certificate or scope.

                      Example 5-70. Query CRL

                      Retrieve certificate object for the specified certificate ID:

                      GET https://<vsm-ip>/api/2.0/services/truststore/crl/<crlId>

                      Retrieve all certificates for the specified scope:

                      GET https://<vsm-ip>/api/2.0/services/truststore/crl/scope/<scopeId>

                      Delete CRL

                      Deletes the specified CRL.

                      Example 5-71. Delete CRL

                      Request:

                      DELETE https://<vsm-ip>/api/2.0/services/truststore/crl/<crlId>

                       

                      When accessing vShield Manager from Microsoft Internet Explorer or Google Chrome everything looks fine: a green lock!

                       

                      vCNScertificateissue3.jpg

                       

                      Regards,

                       

                      Dennis

                      • 8. Re: vShield Manager SSL certificate
                        amusica Enthusiast
                        VMware Employees

                        Just a few things I'd be curious to know.  From Chrome, does it also like (is it green) the shortname and the IP address?  How does it operate with the Web Client?  Lastly, assuming the first answer is yes and yes, and the second answer is that it performs the same as the C# client, have you tried unregistering and reregistering the vShield appliance after the certificate was changed?

                        • 9. Re: vShield Manager SSL certificate
                          dmaster Expert
                          vExpert, VMware Employees

                          Hi amusica,

                           

                          Just to confirm the behavior of Chrome: it also likes the shortname and the IP address. In both cases the lock is green.

                           

                          In the Web Client I can't see anything useful for vShield Manager; also the interface is completely different, but there are no warnings or messages about a CRL.

                          I don't see anything like User VMs or Service VMs like you see in the traditional vShield Manager, which is also very strange.

                          Looks like the view for the vShield Manager extension in the new vSphere Web Client is not properly working.

                           

                          vCNScertificateissue4.jpg

                          vCNScertificateissue5.jpg

                           

                          I have tried to remove the vShield Manager extension from the vCenter Server web interface (/mob) and also to reboot the vCenter Server. I have even tried re-entering the vCenter Server information within vShield Manager. But all without success.

                           

                          Regards,

                           

                          Dennis

                          • 10. Re: vShield Manager SSL certificate
                            dmaster Expert
                            vExpert, VMware Employees

                            Hi amusica,

                             

                            I also replaced the SSL certificate for VMware vSphere Auto Deploy. There I get the same issue regarding a CRL warning, just as I see with vShield Manager.

                             

                            Could it be that my Windows Root CA must be added to some Java keystore on the vCenter Server?

                             

                            Regards,

                             

                            Dennis

                            • 11. Re: vShield Manager SSL certificate
                              amusica Enthusiast
                              VMware Employees

                              A few things.  First, just as a heads up, support may be able to assist with this problem, and I cannot guarantee accuracy as I have not tried this.  Now that I've said that....

                               

                              It would be nice if vShield had the same ability to ignore the CRL as VMware View does (http://pubs.vmware.com/view-52/topic/com.vmware.ICbase/PDF/horizon-view-52-installation.pdf), specifically "Configuring Certificate Revocation Checking on Server Certificates". While the process would have to be different, it would still be nice.

                               

                              I have not had the same problem with my CAs (in the past, and the CRLs are published), so if you have someone else who works on the Certs/CA, they may be better suited to help.  I also have made numerous changes over the years, so I am not sure what would help (unfortunately).

                               

                              However, according to the vShield documentation it would appear that you can upload a CRL file and not require a CDP: http://www.vmware.com/pdf/vshield_51_admin.pdf, "Add a Certificate Revocation List", page 69.  The prior documentation you provided was for the API, which is not relevant for this conversation.

                               

                              Additionally, MSFT has some documentation that may/may not be helpful.

                              http://technet.microsoft.com/en-us/library/ee649260(v=ws.10).aspx

                              http://blogs.technet.com/b/nexthop/archive/2012/12/17/creating-a-certificate-revocation-list-distribution-point-for-your-internal-certification-authority.aspx

                              http://technet.microsoft.com/en-us/library/cc782162(v=ws.10).aspx

                               

                              I am sure there is a ton of other documentation.  Please let us know if this was helpful, and if you resolve it or get stuck, as people continue to check this thread from 4/2011 (except the original poster, who should have marked the original thread answered).