VMware Cloud Community
AlexM0
Contributor

vCenter 6.0 VMCA as a subordinate CA - error during certificate-manager Cert replacement (service restart)

Hello

I've been trying to set the VMCA as a subordinate CA, using certificate-manager.

The cert replacement operation works fine, but then I get an error during the service start operations.

No errors in the certificate-manager.log, but one in the service-control.log:

2015-03-19T09:36:00.523Z INFO service-control Stopped:
vpxd (VMware vCenter Server)

2015-03-19T09:39:02.559Z ERROR service-control Unable to start service VMwareComponentManager, Exception: {
    "resolution": null,
    "detail": [
        {
            "args": [
                "VMwareComponentManager"
            ],
            "id": "install.ciscommon.service.failstart",
            "localized": "An error occurred while starting service 'VMwareComponentManager'",
            "translatable": "An error occurred while starting service '%(0)s'"
        }
    ],
    "componentKey": null,
    "problemId": null
}

In the Windows Event logs, I see twice the following error:

Log Name:  Application
Source:    vmware-cis-config
Date:      3/19/2015 10:39:47 AM
Event ID:  242
Task Category: None
Level:     Error
Keywords:  Classic
User:      N/A
Computer:  wirdlab-mgt-vc

Description:

SetServiceStatus failed setting STOPPED status Error 6 - The handle is invalid.

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="vmware-cis-config" />
    <EventID Qualifiers="49152">242</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-03-19T09:39:47.000000000Z" />
    <EventRecordID>4531513</EventRecordID>
    <Channel>Application</Channel>
    <Computer>xxxxxxxxxx</Computer>
    <Security />
  </System>
  <EventData>
    <Data>6</Data>
    <Data>The handle is invalid.</Data>
  </EventData>
</Event>

Does anyone have an idea, or has anyone experienced the same?

Thanks

Alex

3 Replies
Chavelle
Contributor

Hi Alex,

I had the same error, and after some trial and error I got it working.

You need the following:

the vCenter Server certificate in base64 format as a .cer/.crt file

the .key file corresponding to the vCenter certificate file

additionally, you need the certificate file of the CA you got the signed certificate (for the vCenter) from, also as a base64 .cer/.crt file

The certificate must be in this format:

Request a certificate for each machine from your third-party or enterprise CA. The certificate must meet the following requirements:

- Key size: 2048 bits or more

- CRT format

- x509 version 3

- SubjectAltName must contain DNS Name=

- Contains the following Key Usages: Digital Signature, Non Repudiation, Key Encipherment

Something I'm not really sure about is whether the FQDN in the certificate must match the vCenter hostname... but in my earlier tests the hostname in the certificate was not the hostname of the vCenter server, and the replacements weren't working (same error as yours).

After I got a certificate with the FQDN of the vCenter hostname, I was able to replace the certificate with the new one.

For more information see:

http://pubs.vmware.com/vsphere-60/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-60-securit...

see page 62

Well, according to the security guide, the certificates can also be in .crt format instead of .cer...

but the .cer files I used worked fine for me.

AlexM0
Contributor

Hi

I do not want to issue machine certificates from my CA; I'm changing the VMCA root CA to be a sub CA in my PKI.

You point to page 62, but the correct section for my case is

Replace VMCA Root Certificate with Custom Signing Certificate and Replace All Certificates

Prerequisites

The certificate that you send to be signed must meet the following requirements:

- Key size: 2048 bits or more

- PEM format. VMware supports PKCS8 and PKCS1 (RSA keys). When keys are added to VECS, they are converted to PKCS8

- x509 version 3

- For root certificates CA extension must be set to true, and cert sign must be in the list of requirements.

- Make sure that all nodes in your environment are time synchronized.

- No explicit limit to the length of the certificate chain. VMCA uses the OpenSSL default, which is ten certificates.

- VMCA does not support using certificates with wildcards or more than one DNS name.

- You cannot create subsidiary CAs of VMCA.

VMCA validates the following certificate attributes when you replace the root certificate:

- Key size: 2048 bits or more

- PEM format. VMware supports PKCS8 and PKCS1 (RSA keys). When keys are added to VECS, they are converted to PKCS8.

- x509 version 3

- Key Usage: Certificate Sign, CRL Sign

- Basic Constraint: Subject Type CA

My generated CA certificate fulfills those requirements.

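Chavelle's list describes a per-machine server certificate, while the prerequisites Alex quotes apply to the signing certificate itself. The following pre-flight check is an added example (not code from the thread or from VMware): it parses the output of `openssl x509 -in root.crt -noout -text` and reports which of the quoted root-replacement requirements a certificate misses; the two certificate texts at the bottom are constructed samples.

```python
import re

REQUIRED_KEY_USAGE = {"Certificate Sign", "CRL Sign"}

def _extension_lines(text, header):
    """Value lines indented deeper than the `openssl -text` line starting with `header:`."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.strip().startswith(header + ":"):
            indent = len(line) - len(line.lstrip())
            values = []
            for nxt in lines[i + 1:]:
                if not nxt.strip() or len(nxt) - len(nxt.lstrip()) <= indent:
                    break
                values.append(nxt.strip())
            return values
    return []

def check_vmca_signing_cert(text):
    """Unmet VMCA root-replacement requirements found in openssl text output ([] = OK)."""
    problems = []
    m = re.search(r"Version:\s*(\d+)", text)
    if not m or m.group(1) != "3":
        problems.append("not X.509 version 3")
    m = re.search(r"Public-Key:\s*\((\d+) bit\)", text)
    if not m or int(m.group(1)) < 2048:
        problems.append("key size below 2048 bits")
    usages = {u.strip() for v in _extension_lines(text, "X509v3 Key Usage")
              for u in v.split(",") if u.strip()}
    if not REQUIRED_KEY_USAGE <= usages:
        problems.append("Key Usage missing: " + ", ".join(sorted(REQUIRED_KEY_USAGE - usages)))
    basic = _extension_lines(text, "X509v3 Basic Constraints")
    if not any(v.startswith("CA:TRUE") for v in basic):
        problems.append("Basic Constraints CA is not TRUE")
    return problems

# Constructed samples (trimmed `openssl x509 -text` output, not real certificates):
# a usable signing CA, and a per-host server cert that cannot replace the VMCA root.
SUB_CA_TEXT = """        Version: 3 (0x2)
                Public-Key: (2048 bit)
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
"""
MACHINE_CERT_TEXT = """        Version: 3 (0x2)
                Public-Key: (2048 bit)
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:vcenter.lab.example
"""
```

Run it on a real file with `openssl x509 -in root.crt -noout -text` piped into `check_vmca_signing_cert`; an empty list means the certificate has the attributes the guide says VMCA validates.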
rbolgerTrace3
Enthusiast

For what it's worth, I'm having the exact same problem.  It seems like the certificate-manager process is being too impatient with the vpxd startup time.  It eventually reaches some sort of timeout value waiting for it to start and then gives up and rolls everything back.  There don't appear to be any errors in /var/log/vmware/vpxd/vmware-vpxd.log or the latest vpxd.log.

For the time being, I've resorted to the manual steps using certool as documented here:

Replace the Root Certificate (Intermediate CA)

It's super frustrating because the whole reason to use the sub-CA in the first place is to avoid manually generating the rest of the certs.
