VMware Cloud Community
jmedd
Enthusiast

Issue with replacing vRO Client Certificate

Using vRO 5.5.2, I have replaced the default certificate with one signed by an internal Microsoft CA. If I navigate via a web browser to the URL https://vroserver.fqdn:8281 the certificate behaves correctly, I don't get prompted about the certificate before viewing the site and can view the certificate successfully in the browser.

ClientCert01.png

ClientCert02.png

So that all looks good. However, when I connect from the same client machine with the vRO client I get prompted with the below:

ClientCert03.png

ClientCert04.png

The below KB suggests (near the bottom of the article) that:

If your Orchestrator SSL certificate is issued from a CA not imported in the Orchestrator keystore, you might receive warning certificate messages when you try to connect the Orchestrator client to the Orchestrator server. To fix that, add your root CA certificate to the Orchestrator keystore on the machine on which the Orchestrator client is installed.

and then steps to register the root CA certificate with the client.

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=200703...

However, the path ‘orchestrator_installation_directory\jre\lib\security\jssecacerts.’ doesn’t seem to exist.

ClientCert05.png

Any ideas?

Blog: http://jonathanmedd.net | Twitter: @jonathanmedd
7 Replies
SpasKaloferov
VMware Employee

Hi,

Check this out:

How to change the SSL certificate of a vCO Appliance

http://kaloferov.com/blog/how-to-change-the-ssl-certificate-of-a-vco-appliance/

BR

Best Regards / Поздрави

Spas Kaloferov | Technical Solutions Architect

jmedd
Enthusiast

Thank you, but I have already been through that process (or similar) via other sources on the web. My issue is that the certificate behaves correctly through a web browser (as per the test in your blog page), but not on the vRO Client.

Blog: http://jonathanmedd.net | Twitter: @jonathanmedd
SpasKaloferov
VMware Employee

Can you post a screenshot of the [Certification path] tab of the certificate?

jmedd
Enthusiast

Here you go:

ClientCert06.png

Blog: http://jonathanmedd.net | Twitter: @jonathanmedd
SpasKaloferov
VMware Employee

You've said you've followed the article above. Did your PFX package also contain the sunnydale-DC01-CA certificate?

BR,
Spas Kaloferov

jmedd
Enthusiast

I have now been back, started from scratch using your guide rather than the others I used previously, specifically scenario 1, and get the same result. I can happily navigate with a web browser to the vCO server and the certificate looks fine, however the vCO client still prompts about the certificate.

To answer your question about pfx, I am not using a pfx since that is not mentioned in scenario 1 of your guide.

To me it still looks like the issue is with the vCO client as I mentioned earlier referencing this KB:

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=200703...

However, I am unable to carry out the solution since the path to the Orchestrator keystore on the client machine does not appear to exist.

Blog: http://jonathanmedd.net | Twitter: @jonathanmedd
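
For the keystore step quoted from the KB and the missing `jssecacerts` path raised in the posts above, here is an added example (not from this thread, the KB or VMware). It relies on standard JSSE behaviour: `jssecacerts` is optional, and when it is absent the `cacerts` file in the same directory is the default trust store. The JRE location, root CA file and alias are placeholders to supply, and the script assumes the Orchestrator client runs on that JRE with its default trust store.

```powershell
# Added example. Run from an elevated prompt if the JRE is under Program Files.
param(
    [Parameter(Mandatory)] [string] $JreHome,     # placeholder: JRE the client runs on
    [Parameter(Mandatory)] [string] $RootCaFile,  # placeholder: exported root CA (.cer/.pem)
    [string] $Alias     = 'internal-root-ca',     # arbitrary alias, chosen for this example
    [string] $StorePass = 'changeit'              # Java's default trust store password
)

$securityDir = Join-Path $JreHome 'lib\security'
$keytool     = Join-Path $JreHome 'bin\keytool.exe'
foreach ($path in $securityDir, $keytool, $RootCaFile) {
    if (-not (Test-Path $path)) { throw "Not found: $path" }
}

# JSSE default lookup order: jssecacerts if it exists, otherwise cacerts.
$jssecacerts = Join-Path $securityDir 'jssecacerts'
$cacerts     = Join-Path $securityDir 'cacerts'
if     (Test-Path $jssecacerts) { $store = $jssecacerts }
elseif (Test-Path $cacerts)     { $store = $cacerts }
else   { throw "No default trust store found under $securityDir" }
Write-Host "Trust store in effect: $store"

# Print subject, issuer and fingerprints so they can be compared with the
# values published by the CA before the certificate is trusted.
& $keytool -printcert -file $RootCaFile

# Nothing to do if the alias is already in the store.
& $keytool -list -keystore $store -storepass $StorePass -alias $Alias 2>&1 | Out-Null
if ($LASTEXITCODE -eq 0) {
    Write-Host "Alias '$Alias' is already present in $store"
    return
}

# Keep a copy of the store, then import. keytool asks for confirmation
# because -noprompt is deliberately not used.
Copy-Item $store "$store.bak" -Force
& $keytool -importcert -trustcacerts -alias $Alias -file $RootCaFile `
    -keystore $store -storepass $StorePass
if ($LASTEXITCODE -ne 0) { throw "keytool import failed; original store kept at $store.bak" }

# Confirm the entry is now listed.
& $keytool -list -keystore $store -storepass $StorePass -alias $Alias
```

Importing the root CA, rather than accepting the server certificate at the client prompt, means the client validates the whole chain and keeps trusting the server after its certificate is renewed by the same CA.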
SpasKaloferov
VMware Employee

Hi,

I actually sent you the link for the vCO Appliance. Here is the one for the Windows vCO.

How to change the SSL certificate of Windows installed vCO

http://kaloferov.com/blog/how-to-change-the-ssl-certificate-of-windows-installed-vco/

Anyway, the warning you get in the vCO Client after you change the certificate is expected. Just select to install it and ignore the message. Next time you log in you will not receive it, because the vCO Client will be trusting the certificate this time.

BR,

Spas Kaloferov.
