18 Replies Latest reply on Aug 31, 2012 4:58 AM by Shaz71

    vCenter SSL certificate from CA Problems

    nicholas1982 Hot Shot

      Hi All,

       

      I hope someone may be able to help with a few issues I have with replacing the default SSL on a vCenter 5 u1 server.

       

      I had one of my colleagues generate an SSL certificate using IIS7; we then processed the CSR with Thawte, and we purchased an SSL123 cert from Thawte, which is just a domain validation SSL.

       

      We exported the SSL with the private key into a PFX format; I used OpenSSL to obtain the rui.key and rui.crt and copied them along with the rui.pfx to the necessary locations on the vCenter server. I followed all the steps documented http://pubs.vmware.com/vsphere-50/topic/com.vmware.vsphere.solutions.doc_50/GUID-37AAEDFE-EF2E-45FC-B0C6-44841E4FB302.html and other sites like WoodITwork.com

       

      After completing all the steps, I browse to the vCenter URL https://vc_url.com and I still get a certificate warning. I check the certificate from the browser and can see the SSL has been installed, but I get the error “This certificate cannot be verified up to a trusted certification authority”.

       

      I then log in to vCenter via the vSphere client and get a strange certificate warning:

      vc.voclients.local is actually the local domain FQDN of the vCenter. The error received is that it's untrusted, and it also states that the certificate received from “vc.voclients.local” was issued for “”, which, as you can see from the attachment, is blank.

       

      I used the online Thawte SSL Checker, the status stated invalid chain with the following error: “The intermediate CA certificates cannot be found for the following certificate chain.”

       

      I have another concern, and I’m not sure if this has ever been brought up before, but the documentation states to use the password “testpassword” on the PFX file; now if one were to gain unauthorised access to a vCenter server they could steal the PFX, knowing the password.

       

      Just as a side note I successfully got the SSL to work a few years ago on vCenter 2.5 using the same method, I really wish VMware provided a tool to perform such SSL tasks, it has become very complicated now with having to change 3 or 4 different places. I have attached some images of the errors which may shed some light on the issue.

       

      Any suggestions are welcomed

        • 1. Re: vCenter SSL certificate from CA Problems
          schepp Virtuoso
          vExpert, User Moderators

          Hi,

           

          I don't see how this is a vCenter problem. Everything tells you the certificate is broken. I would suggest recreating it.

           

          Regards

          • 2. Re: vCenter SSL certificate from CA Problems
            nicholas1982 Hot Shot

            Thanks for the suggestion; that did cross my mind. However, the certificate worked fine on IIS. I have now sent through a request to Thawte to revoke the certificate. I think I will now generate the CSR using OpenSSL; hopefully that helps.

             

            What I would like to know is: has someone successfully replaced the vCenter 5 SSL with a public SSL purchased from a CA? If so, do you mind sharing your success, and where and what type of SSL you purchased? As I mentioned earlier, I purchased a Thawte DV SSL certificate, which is domain validation only. I understand Thawte recently updated all their ROOT CAs; I did, by the way, update it on the server, but still no success.

            • 3. Re: vCenter SSL certificate from CA Problems
              schepp Virtuoso
              vExpert, User Moderators

              How can the certificate work fine in IIS if it fails the Thawte certificate check? Strange

               

              My vCenter 5 runs with a DV SSL certificate as well. Since I work for a university, we get our certificates signed by the German research network with the German Telekom as CA. Worked fine with the documentation you mentioned in your first post.

               

              Regards

              • 4. Re: vCenter SSL certificate from CA Problems
                nicholas1982 Hot Shot

                Hi Tim, we generated the CSR from a different Windows 2008 server; we installed the SSL and tested it on that server, and it seemed to be working fine, although I didn't check it with the SSL checker, so I'm not 100% sure. We then exported that into a PFX for the vCenter server and haven't had much success. Do you mind sharing with me how you generated the CSR for your Thawte DV SSL? Thanks for your comments.

                 

                Sent from my iPhone

                • 5. Re: vCenter SSL certificate from CA Problems
                  schepp Virtuoso
                  vExpert, User Moderators

                  Hi,

                   

                  I used openssl on a Linux server to generate them. Like "openssl req -newkey rsa:2048 -out cert.pem -keyout sec-key.pem -subj '/C=DE/O=......'"

                   

                   

                  Regards

                  • 6. Re: vCenter SSL certificate from CA Problems
                    nicholas1982 Hot Shot

                    Thanks Tim, appreciate your help.

                     

                    Sent from my iPhone

                    • 7. Re: vCenter SSL certificate from CA Problems
                      nicholas1982 Hot Shot

                      Hi Tim, sorry to bother you, but I have been unsuccessful at replacing my certificate. I have followed all the steps, and strangely enough my certificate appears just fine and fully trusted with the entire chain if I go to https://<myvcenter>:8443, which is the default Tomcat page, so I know the SSL is OK and working; just vCenter doesn't load the chain. Anyway, you say you have successfully replaced yours with a Thawte DV SSL on vCenter 5. I have an open SR with VMware; they cannot work it out either. I have seen a lot of documentation saying the openssl.cnf or .cfg file needs to be modified. I would like to know: did you need to do this to get your SSL to work?

                      • 8. Re: vCenter SSL certificate from CA Problems
                        schepp Virtuoso
                        vExpert, User Moderators

                        Hi Nicholas,

                         

                        You misunderstood me. I didn't use a Thawte certificate. My certificates are signed with the German Telekom Root CA 2. But it also just verifies the domain name only, like your cert.

                         

                        I didn't modify the openssl.cnf since I gave all needed parameters to the program on the command line. If you call openssl without those options, the openssl.cnf is used.

                         

                         

                        After my certificate request was signed I created the rui.crt, rui.key and rui.pfx out of the .pem certificate and key I got and copied it to C:\ProgramData\VMware\VMware VirtualCenter.

                        Then I went to http://localhost/mob/?moid=vpxd-securitymanager&vmodl=1 on the vCenter Server and clicked "reloadSslCertificate" and then "Invoke Method" on the popup. After restarting the VMware vCenter Management Webservices, my new certificate was shown when going to https://vcenter-FQDN

                         

                         

                        Regards,

                        Tim

                        • 9. Re: vCenter SSL certificate from CA Problems
                          nicholas1982 Hot Shot

                          Hi Tim,

                           

                          Thanks for the fast response, I ran the following to generate the CSR

                           

                          openssl req -new -newkey rsa:2048 -nodes -keyout rui.key -out rui.csr -nodes

                           

                          After receiving the signed certificate I ran the following command

                           

                          openssl pkcs12 -export -in rui.crt -inkey rui.key -certfile CACert.crt -name rui -passout pass:testpassword -out rui.pfx

                           

                          May I ask, when you created the PFX file using the command above, did you need to include the intermediate certificate using the -certfile switch in your command?

                           

                          I believe this is required if you need to update the intermediate certificate chain.

                          • 10. Re: vCenter SSL certificate from CA Problems
                            schepp Virtuoso
                            vExpert, User Moderators

                            Nicholas wrote:

                             

                            I ran the following to generate the CSR

                             

                            openssl req -new -newkey rsa:2048 -nodes -keyout rui.key -out rui.csr -nodes

                             

                            So you must have configured your req-section in the openssl.cnf, right? Otherwise the certificate wouldn't have a CommonName.

                             

                            I'm almost sure I didn't use the -certfile switch when creating the pfx. Did it months ago and my documentation sometimes sucks, so not 100% sure.

                             

                            Regards

                            • 11. Re: vCenter SSL certificate from CA Problems
                              nicholas1982 Hot Shot

                              Hi Tim,

                               

                              Still no joy for me. I actually researched this issue, and it turns out there are others out there experiencing the same issue: vCenter just does not load the entire certificate chain for commercial SSL certificates. However, the Tomcat Web UI on port 8443 does load the certificate chain correctly, therefore fully trusting the SSL, provided you inserted the intermediate CA into the PFX file. Clients would have to pre-trust the certificate to avoid the certificate error, thus defeating the purpose of replacing it with a commercially signed SSL. I also have a VMware SR open; they have replicated the issue in their lab, so now VMware support acknowledge that there is an issue with it as well.

                               

                              I know you did this a while ago, but are you certain you and/or the clients haven't pre-trusted the SSL you installed? If your vCenter is open to the public you can try an SSL checker like https://ssl-tools.verisign.com; just type in <Your VC URL> to make sure there are not any SSL chain errors.

                               

                              You see, I think the issue hasn't blown up because most people probably generate self-signed certificates and then have clients pre-trusting the SSL. If you read this you will see VMware recommend commercially signed SSLs: http://www.vmware.com/files/pdf/techpaper//vsp_41_vcserver_certificates.pdf

                               

                               

                              Page 2 - "Certificates signed by a commercial certificate authority, such as Entrust or Verisign, are pretrusted on the Windows operating system."

                               

                              Page 6 - "VMware recommends that you replace default certificates with those signed by a commercial certificate authority."

                               

                              Anyway thanks again for your time.
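Added here as a worked example (not code from the thread or from VMware): it builds a throwaway root/intermediate/leaf chain with openssl, packs the leaf into a PFX both without and with the intermediate via -certfile (the pkcs12 step from reply 9), and then checks offline which bundle lets a client that trusts only the root verify the chain, the same check the online chain checkers in reply 11 perform. The CA names, the FQDN vc.example.test and the PFX password are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway root -> intermediate -> leaf
# chain with openssl, pack the leaf into a PFX with and without -certfile (as in the
# pkcs12 command in reply 9), and check which bundle carries enough to reach the root.
set -eu
WORK=$(mktemp -d); cd "$WORK"
PW='demo-only-pfx-password'   # constructed for this demo, not the docs' "testpassword"

# Throwaway demo CA hierarchy (constructed here; no real CA involved).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > ca.ext
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Demo Root CA' \
  -keyout root.key -out root.crt 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate CA' \
  -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 1 -extfile ca.ext -out inter.crt 2>/dev/null
# Leaf for the vCenter host name (constructed FQDN), signed by the intermediate.
openssl req -newkey rsa:2048 -nodes -subj '/CN=vc.example.test' \
  -keyout rui.key -out rui.csr 2>/dev/null
openssl x509 -req -in rui.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
  -days 1 -out rui.crt 2>/dev/null

# Two PFX bundles: one built the bare way, one with the intermediate via -certfile.
openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui \
  -passout "pass:$PW" -out rui-nochain.pfx
openssl pkcs12 -export -in rui.crt -inkey rui.key -certfile inter.crt -name rui \
  -passout "pass:$PW" -out rui-chain.pfx

# Number of certificates stored in a PFX (leaf plus any -certfile extras).
pfx_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$PW" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# Succeeds only if the certificates inside the PFX let the leaf chain up to root.crt;
# a client that has only the root pre-trusted fails exactly this check when the
# intermediate is missing from what the server presents.
pfx_chain_verifies() {
  openssl pkcs12 -in "$1" -passin "pass:$PW" -nokeys 2>/dev/null \
    | awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/' > "$1.certs.pem"
  openssl verify -CAfile root.crt -untrusted "$1.certs.pem" rui.crt >/dev/null 2>&1
}

for f in rui-nochain.pfx rui-chain.pfx; do
  if pfx_chain_verifies "$f"; then status=complete; else status=BROKEN; fi
  echo "$f: $(pfx_cert_count "$f") cert(s), chain $status"
done
```

The same verify step works against a live server by feeding `openssl s_client -showcerts` output to `-untrusted` instead of the PFX contents, which is how to confirm whether vCenter itself, not just Tomcat on 8443, is sending the intermediate.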

                              • 12. Re: vCenter SSL certificate from CA Problems
                                marc10k Lurker

                                Hi Nicholas,

                                 

                                Just wanted to say that we have the same issue here. We use a wildcard certificate by AlphaSSL (GlobalSign), and the chain is complete when you open the URL to vCenter in the browser (port 443 and 8443); the chain is not complete when you open the vSphere client.

                                 

                                I tried different things (crt, intermediate crt and root crt in one file, adding the intermediate to the certificate store with mmc on the server), and the pfx was created with the intermediate crt included (I think the pfx certificate is used when you open the vSphere client?).

                                 

                                Is this a confirmed issue with VMware? I suppose you might run into problems when upgrading to View 5.1, since the documentation says you must use a trusted certificate.

                                • 13. Re: vCenter SSL certificate from CA Problems
                                  moreyroof Lurker

                                  Hi  nicholas1982,

                                   

                                  Could you share the SR# as I'm having the same trouble and it would be good if I can reference an existing SR# when I talk to VMware about my issue using a Thawte cert.

                                   

                                  Thanks

                                  • 14. Re: vCenter SSL certificate from CA Problems
                                    moreyroof Lurker

                                    If others are running into this problem and you submit a support request with VMware, you can reference the service request number I have open with them about this issue. It is 12189702006. Perhaps if they get more service requests they will work on fixing this issue more quickly.
