VMware Cloud Community
akutz
Hot Shot

Unable to decrypt passwords in customization spec

The exact error I get when I attempt to deploy a template is "The virtualcenter server is unable to decrypt passwords stored in the customization specification."

I have found previous mention that when you uninstall VC and then reinstall it you can no longer use old customization specifications. I have done this, but I have since DELETED all old specs.

I cannot even deploy a template with brand new customization settings (although I am assuming it saves those settings to a temp file for sysprep to use). Have I fubarred myself completely by previously uninstalling VC server?

Any help is appreciated. Thanks!

0 Kudos
38 Replies
creiche
Contributor

I agree, hopefully by Update 3 we can have this resolved. It is definitely not a solution to store admin passwords as plaintext!

0 Kudos
polysulfide
Expert

I've had this problem ever since I installed my own certificate in Virtual Center. Exporting and using an unencrypted password works fine but I'm not happy with the solution because more than one organization uses the VC and I don't want admin passwords visible between organizations.

Jason White - VCP

0 Kudos
jpratt_at_norwi
Enthusiast

Thanks for the info. I have replaced the VC SSL cert as well. This is just not acceptable. The kludge does not even work for me (it appears to, but no customization occurs! - it clones the template, but then I have to sysprep and join domain. Grr)

I'll be updating the SR today - they are not responding (again)

0 Kudos
Tigernoy
Enthusiast

I have the same problem. I have just upgraded to VC U3 as recommended by the support rep and still have the same. I have an open SR and will let you know the outcome of this.

0 Kudos
jpratt_at_norwi
Enthusiast

Here is the official answer from VMware on this issue:

(I have not tried U3, please let us know on that one, as the rep did not mention that).

We have an internal KB which states that generating the certificate request from the VirtualCenter server after you have installed Internet Explorer 7 results in an SSL certificate which generates 'The VirtualCenter server is unable to decrypt passwords stored in the customization specification.' regardless of either FQDN or short hostname for the CN.

To resolve this issue, perform the following steps:

1. Do not install Internet Explorer 7 on your VirtualCenter server.

2. When generating the certificate signing request, use the short host name of your VirtualCenter server.

3. After you have installed your custom certificate, you may upgrade the VirtualCenter Server to Internet Explorer 7.

4. In your xml, set 'PlainText' back to 'false'. Import customization specification and attempt deployment.

... Yay. Back to the original cert (for now - now I'm wondering if this is why we are having so many issues with the VDI product??!!)

Thanks everyone,

regards,

jamie

0 Kudos
JoJoGabor
Expert

I can't believe it's taken so long for such a simple fix. Will try this at some point. The only problem I can think of immediately is I think the XenDesktop broker requires a FQDN to connect to a VI backend.

Can anyone confirm this?

Thanks for the update

0 Kudos
Tigernoy
Enthusiast

Here is what we did to resolve the problem. Basically, the VirtualCenter (U2 & U3) is hardcoded with the "testpassword" to decrypt the SSL cert. So, when you go to create the .pfx file, you have to use the word "testpassword" in all lower case as a password. See below example from VMware Support. If you want to continue using your previous customization specifications you will have to export them and change the password to "plaintext" and reimport them, or create new ones.

Example:

Export the credential just created into PFX format.

openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui -passout pass:testpassword -out rui.pfx

Message was edited by: jasonboche

Fixed 2 command line typos

0 Kudos
polysulfide
Expert

That worked like a champ (except the typo on .pfx). Also, re-importing the customization with plain text set to false didn't encrypt the password. I also had to re-enter the password in the customization to re-encrypt it.

I've wanted a fix for this for months. Thank you!

Jason White - VCP

0 Kudos
jasonboche
Immortal

My VirtualCenter server already has IE7 installed on it.

After uninstalling VC2.5u2 and installing VC2.5u3, I'm having problems where the export and import trick no longer works as it did in VC2.5u2 and previous versions.

1. Created a brand new customization for Windows

2. Tried to use it and received the infamous "The VirtualCenter server is unable to decrypt passwords stored in the customization specification."

3. Exported to .xml

4. Modified .xml changing <plainText>false</plainText> to <plainText>true</plainText>

5. Modified .xml changing <value>long encrypted string</value> to <value></value>

6. Imported .xml back in

7. Tried to use it and received a new error message now: "A specified parameter was not correct. spec.identity.password.value"

8. Exported to .xml again

9. Noticed line containing <value></value> has now been changed to <value/>

This is pretty frustrating.


Jason Boche

VMware Communities User Moderator

Minneapolis Area VMware User Group Leader

VCDX3 #34, VCDX4, VCDX5, VCAP4-DCA #14, VCAP4-DCD #35, VCAP5-DCD, VCPx4, vEXPERTx4, MCSEx3, MCSAx2, MCP, CCAx2, A+
0 Kudos
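An added example, not part of any post in this thread and not VMware code: a small audit of an exported customization specification that reports which password entries are stored as plaintext, which are encrypted, and which were left with an empty `<value/>` as in the steps above. Only the `<plainText>` and `<value>` elements come from the thread; the sample XML, the other element names and the names `audit_spec`, `local` and `SAMPLE_SPEC` are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample export. Only <plainText> and <value> appear in the thread;
# every other element name here is an assumption made for the example.
SAMPLE_SPEC = """<ConfigRoot>
  <identity>
    <guiUnattended>
      <password><plainText>true</plainText><value>Example-Admin-Pw</value></password>
    </guiUnattended>
    <identification>
      <domainAdminPassword><plainText>false</plainText><value>Q09OU1RSVUNURUQ=</value></domainAdminPassword>
    </identification>
    <userData>
      <password><plainText>true</plainText><value/></password>
    </userData>
  </identity>
</ConfigRoot>"""


def local(tag):
    """Drop an XML namespace prefix such as '{urn:x}value' -> 'value'."""
    return tag.rsplit("}", 1)[-1]


def audit_spec(xml_text):
    """Return [(path, status)] for each element with <plainText> and <value> children.

    The secret itself is never returned, so the report is safe to log.
    """
    findings = []

    def walk(node, path):
        kids = {local(c.tag): c for c in node}
        if "plainText" in kids and "value" in kids:
            plain = (kids["plainText"].text or "").strip().lower() == "true"
            has_value = bool((kids["value"].text or "").strip())
            if not has_value:
                status = "EMPTY_VALUE"  # the state left by the <value/> export in the thread
            else:
                status = "PLAINTEXT" if plain else "ENCRYPTED"
            findings.append((path, status))
        for child in node:
            walk(child, f"{path}/{local(child.tag)}")

    root = ET.fromstring(xml_text)
    walk(root, local(root.tag))
    return findings


if __name__ == "__main__":
    for path, status in audit_spec(SAMPLE_SPEC):
        print(f"{status:12} {path}")
```

Running it over every exported specification before and after a certificate change shows which entries still carry a readable password and need to be re-entered so they are stored encrypted again.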
polysulfide
Expert

Have you tried using a non-empty password value?

0 Kudos
jasonboche
Immortal

I have not. My templates have no password in them. I'll give it a try soon though. At any rate, I am using certificates on the VC server which also has IE7 so from what's been discovered so far, I'm hosed until a long term solution is developed, or I rebuild the VC server without IE7.

Jason Boche

VMware Communities User Moderator

Minneapolis Area VMware User Group Leader

VCDX3 #34, VCDX4, VCDX5, VCAP4-DCA #14, VCAP4-DCD #35, VCAP5-DCD, VCPx4, vEXPERTx4, MCSEx3, MCSAx2, MCP, CCAx2, A+
0 Kudos
polysulfide
Expert

Hi Jason,

Please read Tigernoy's post just above yours on how to resolve the issue. It works with IE7. Worked great for me. Make sure you use .pfx as the extension though, his command line has a typo.

0 Kudos
jasonboche
Immortal

Here is what we did to resolve the problem. Basically, the VirtualCenter (U2 & U3) is hardcoded with the "testpassword" to decrypt the SSL cert. So, when you go to create the .pfx file, you have to use the word "testpassword" in all lower case as a password. See below example from VMware Support. If you want to continue using your previous customization specifications you will have to export them and change the password to "plaintext" and reimport them, or create new ones.

Example:

Export the credential just created into PFX format.

openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui -passout pass:testpassword -out rui.pfx

Message was edited by: jasonboche

Fixed 2 command line typos

Tigernoy's fix works. Thank you and good work. The customization template passwords are also now encrypted once again so I guess that's a bonus.

I've corrected the 2 typos and the command now works as posted.






Jason Boche

VMware Communities User Moderator

Minneapolis Area VMware User Group Leader

VCDX3 #34, VCDX4, VCDX5, VCAP4-DCA #14, VCAP4-DCD #35, VCAP5-DCD, VCPx4, vEXPERTx4, MCSEx3, MCSAx2, MCP, CCAx2, A+
0 Kudos
Gene_H
Enthusiast

I had the same problem - VC 2.5.0 Build 10425 everything was fine until we replaced the default VC certificate with a Windows Certificate Authority certificate (I followed the procedure here: , then I started receiving the "Unable to decrypt passwords" error when trying to deploy templates.

Following the advice from above I was able to set the

-passout pass:testpassword

option on the certificate and now my templates work again!

THANK YOU Tigernoy and THANKS to everyone else for commenting on this thread!

Gene

0 Kudos
scerazy
Enthusiast

Is anything ever going to be done about this issue?

VC 2.5 U4 & I still get the very same error.

Yes, changing the customization xml to FALSE works, but is far from ideal....

The fix about recreating .pfx worked till U3, as I used it.

Did they change it back again in U4 (so I need to revert it?)

Seb

0 Kudos
scerazy
Enthusiast

Bump!

0 Kudos
DSeaman
Enthusiast

Same problem exists in vCenter 4.0! You'd think since they knew about this back in the 3.5 era this would have gotten fixed in 4.0. Bzzzt! VMware, wake up!

Derek Seaman
0 Kudos
CarlWebster
Contributor

Where do I run this command?

openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui -passout pass:testpassword -out rui.pfx

Thanks

Webster

0 Kudos
scerazy
Enthusiast

Anywhere you want, on Windows (you have to install openssl) or on Linux

Seb

0 Kudos