11 Replies Latest reply on Sep 29, 2019 6:59 AM by mc1903cae

    vCenter 6.7 / VMCA as a Subordinate CA / Incomplete certification path on ESXi 6.7 hosts; but ESXi 6.5 hosts work OK.

    mc1903cae Enthusiast

      VCSA with Embedded PSC v6.7 (Build 9451876)

      VMCA configured as Subordinate CA to a Windows 2012 R2 Enterprise Root CA. (SHA256 Hash / 2048 bit Key)

      VMCA replaces the SSL certificate on an ESXi v6.5 (Build 5969303) host and the 'certification path' is complete. All works as expected, no browser errors.

      VMCA replaces the SSL certificate on an ESXi v6.7 (Build 8169922) host and the 'certification path' is incomplete. Still get the standard browser errors. The root CA and VMCA certificates are NOT in the path, only the ESXi host certificate!

      ESXi v6.5 Host - Complete Certification Path.
      [image: Good SSL Certificate- ESXi 6.5 Host.png]

      A dump of the SSL connection using the TestSSLServer utility (GitHub - pornin/TestSSLServer ) is shown below.

      Connection: mc-esxi-v-204.momusconsulting.com:443
      SNI: mc-esxi-v-204.momusconsulting.com
        TLSv1.0:
           server selection: uses client preferences
           3-- (key:  RSA) RSA_WITH_AES_128_CBC_SHA
           3-- (key: RSA)  RSA_WITH_AES_256_CBC_SHA
           3f- (key: RSA) ECDHE_RSA_WITH_AES_128_CBC_SHA
           3f- (key: RSA) ECDHE_RSA_WITH_AES_256_CBC_SHA
        TLSv1.1: idem
        TLSv1.2:
           server selection: enforce server preferences
           3f- (key: RSA) ECDHE_RSA_WITH_AES_256_GCM_SHA384
           3f- (key: RSA) ECDHE_RSA_WITH_AES_128_GCM_SHA256
           3-- (key: RSA)  RSA_WITH_AES_256_GCM_SHA384
           3-- (key: RSA)  RSA_WITH_AES_128_GCM_SHA256
           3f- (key: RSA) ECDHE_RSA_WITH_AES_256_CBC_SHA384
           3f- (key: RSA) ECDHE_RSA_WITH_AES_256_CBC_SHA
           3f- (key: RSA) ECDHE_RSA_WITH_AES_128_CBC_SHA256
           3f- (key: RSA) ECDHE_RSA_WITH_AES_128_CBC_SHA
           3-- (key: RSA)  RSA_WITH_AES_256_CBC_SHA256
           3-- (key: RSA)  RSA_WITH_AES_256_CBC_SHA
           3-- (key: RSA)  RSA_WITH_AES_128_CBC_SHA256
           3-- (key: RSA)  RSA_WITH_AES_128_CBC_SHA
      =========================================
      +++++ SSLv3/TLS: 1 certificate chain(s)
      +++ chain: length=3
      names match:        yes
      includes root:      yes
      signature hash(es): SHA-256
      + certificate order: 0
      thumprint:  A18830247B90395EE003D706CE3AEB3CDA96BC6D
      serial:     E032A1675443F48D
      subject: EMAILADDRESS=admin@momusconsulting.com,CN=mc-esxi-v-204.momusconsulting.com,OU=Momus Labs,O=Momus Consulting,L=Basingstoke,ST=Basingstoke,C=GB
      issuer:     CN=VMCA-mc-vcsa-v-204,OU=Momus Labs,O=Momus Consulting,L=Basingstoke,ST=Hampshire,C=GB
      valid from: 2018-10-06 14:22:12 UTC
      valid to:   2020-10-05 12:06:47 UTC
      key type:   RSA
      key size:   2048
      sign hash:  SHA-256
      server names:
         mc-esxi-v-204.momusconsulting.com
      + certificate order: 1
      thumprint:  6313EF9061D1ED748298F0DB7D693F6CC2099046
      serial:     5D0000000BA3C47E6295F579B400000000000B
      subject:    CN=VMCA-mc-vcsa-v-204,OU=Momus Labs,O=Momus Consulting,L=Basingstoke,ST=Hampshire,C=GB
      issuer:     CN=Momus Root CA on mc-addc-v-101,DC=momusconsulting,DC=com
      valid from: 2018-10-06 12:06:47 UTC
      valid to:   2020-10-05 12:06:47 UTC
      key type:   RSA
      key size:   2048
      sign hash:  SHA-256
      + certificate order: 2
      thumprint:  A3BD98D6B6C712A510E11669A84D0571C2D2F0F1
      serial:     65F1DEEF09DD1A9A436075662D731F0F
      subject:    CN=Momus Root CA on mc-addc-v-101,DC=momusconsulting,DC=com
      issuer:     CN=Momus Root CA on mc-addc-v-101,DC=momusconsulting,DC=com
      valid from: 2018-10-05 15:11:29 UTC
      valid to:   2028-10-05 15:21:28 UTC
      key type:   RSA
      key size:   2048
      sign hash:  SHA-256
      (self-issued)
      =========================================
      Server compression support: no
      Server sends a random system time.
      Secure renegotiation support: yes
      Encrypt-then-MAC support (RFC 7366): no
      SSLv2 ClientHello format (for SSLv3+): yes
      Minimum EC size (no extension):   256
      Minimum EC size (with extension): 256
      ECDH parameter reuse:  no
      Supported curves (size and name) ('*' = selected by server):
        * 256 secp256r1 (P-256)
      =========================================
        WARN[CS006]: Server supports cipher suites with no forward secrecy.

      ESXi v6.7 Host - Incomplete Certification Path.
      [image: Bad SSL Certificate - ESXi 6.7 Host.png]

      Again, a dump of the SSL connection is shown below.

      Connection: mc-esxi-v-205.momusconsulting.com:443
      SNI: mc-esxi-v-205.momusconsulting.com
        TLSv1.2:
           server selection: enforce server preferences
           3f- (key: RSA) ECDHE_RSA_WITH_AES_256_GCM_SHA384
           3f- (key: RSA) ECDHE_RSA_WITH_AES_128_GCM_SHA256
           3-- (key: RSA)  RSA_WITH_AES_256_GCM_SHA384
           3-- (key: RSA)  RSA_WITH_AES_128_GCM_SHA256
           3f- (key: RSA) ECDHE_RSA_WITH_AES_256_CBC_SHA384
           3f- (key: RSA) ECDHE_RSA_WITH_AES_256_CBC_SHA
           3f- (key: RSA) ECDHE_RSA_WITH_AES_128_CBC_SHA256
           3f- (key: RSA)  ECDHE_RSA_WITH_AES_128_CBC_SHA
           3-- (key: RSA)  RSA_WITH_AES_256_CBC_SHA256
           3-- (key: RSA)  RSA_WITH_AES_256_CBC_SHA
           3-- (key: RSA)  RSA_WITH_AES_128_CBC_SHA256
           3-- (key: RSA)  RSA_WITH_AES_128_CBC_SHA
      =========================================
      +++++ SSLv3/TLS: 1 certificate chain(s)
      +++ chain: length=1
      names match:        yes
      includes root:      no
      signature hash(es): SHA-256
      + certificate order: 0
      thumprint:  9CB7BEC3BD58491A36069B182093F22BE9813042
      serial:     FD682ECC9662D00C
      subject: EMAILADDRESS=admin@momusconsulting.com,CN=mc-esxi-v-205.momusconsulting.com,OU=Momus Labs,O=Momus Consulting,L=Basingstoke,ST=Basingstoke,C=GB
      issuer:     CN=VMCA-mc-vcsa-v-204,OU=Momus Labs,O=Momus Consulting,L=Basingstoke,ST=Hampshire,C=GB
      valid from: 2018-10-06 14:44:04 UTC
      valid to:   2020-10-05 12:06:47 UTC
      key type:   RSA
      key size:   2048
      sign hash:  SHA-256
      server names:
         mc-esxi-v-205.momusconsulting.com
      =========================================
      Server compression support: no
      Server sends a random system time.
      Secure renegotiation support: yes
      Encrypt-then-MAC support (RFC 7366): no
      SSLv2 ClientHello format (for SSLv3+): yes
      Minimum EC size (no extension):   256
      Minimum EC size (with extension): 256
      ECDH parameter reuse:  no
      Supported curves (size and name) ('*' = selected by server):
        * 256 secp256r1 (P-256)
      =========================================
        WARN[CS006]: Server supports cipher suites with no forward secrecy.

      Any ideas?


      Thanks

      M
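The two dumps above differ only in the certificate section: the 6.5 host sends leaf, VMCA intermediate and root, while the 6.7 host sends the leaf alone, so a client that does not already hold the VMCA certificate cannot build a path back to the enterprise root. The check below is an added example, written for this page and not part of the original post or of the TestSSLServer tool: a small Python parser for the `+ certificate order:` sections of a TestSSLServer dump that walks the presented chain, confirms each certificate's issuer is the subject of the next one, and confirms the path ends at a self-issued root. The embedded sample dumps are constructed from the values in the post, trimmed to the lines the parser reads.

```python
"""Check whether a TLS server presented a complete certification path,
working from a TestSSLServer text dump (https://github.com/pornin/TestSSLServer).
Added example; assumes the dump layout shown in the post above."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed samples: the certificate section of the two dumps in the post
# (ESXi 6.5 host mc-esxi-v-204, ESXi 6.7 host mc-esxi-v-205), trimmed.
DUMP_ESXI65 = """\
=========================================
+++++ SSLv3/TLS: 1 certificate chain(s)
+++ chain: length=3
includes root:      yes
+ certificate order: 0
subject: EMAILADDRESS=admin@momusconsulting.com,CN=mc-esxi-v-204.momusconsulting.com,OU=Momus Labs,O=Momus Consulting,L=Basingstoke,ST=Basingstoke,C=GB
issuer:     CN=VMCA-mc-vcsa-v-204,OU=Momus Labs,O=Momus Consulting,L=Basingstoke,ST=Hampshire,C=GB
+ certificate order: 1
subject:    CN=VMCA-mc-vcsa-v-204,OU=Momus Labs,O=Momus Consulting,L=Basingstoke,ST=Hampshire,C=GB
issuer:     CN=Momus Root CA on mc-addc-v-101,DC=momusconsulting,DC=com
+ certificate order: 2
subject:    CN=Momus Root CA on mc-addc-v-101,DC=momusconsulting,DC=com
issuer:     CN=Momus Root CA on mc-addc-v-101,DC=momusconsulting,DC=com
(self-issued)
=========================================
"""

DUMP_ESXI67 = """\
=========================================
+++++ SSLv3/TLS: 1 certificate chain(s)
+++ chain: length=1
includes root:      no
+ certificate order: 0
subject: EMAILADDRESS=admin@momusconsulting.com,CN=mc-esxi-v-205.momusconsulting.com,OU=Momus Labs,O=Momus Consulting,L=Basingstoke,ST=Basingstoke,C=GB
issuer:     CN=VMCA-mc-vcsa-v-204,OU=Momus Labs,O=Momus Consulting,L=Basingstoke,ST=Hampshire,C=GB
=========================================
"""


@dataclass
class Cert:
    order: int
    subject: str = ""
    issuer: str = ""
    self_issued: bool = False


def parse_chain(dump: str) -> list[Cert]:
    """Extract the presented certificates, in the order the server sent them."""
    certs: list[Cert] = []
    cur: Cert | None = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"\+ certificate order:\s*(\d+)", line)
        if m:
            cur = Cert(order=int(m.group(1)))
            certs.append(cur)
            continue
        if cur is None:
            continue  # still in the cipher-suite part of the dump
        if line.startswith("subject:"):
            cur.subject = line[len("subject:"):].strip()
        elif line.startswith("issuer:"):
            cur.issuer = line[len("issuer:"):].strip()
        elif line == "(self-issued)":
            cur.self_issued = True
        elif line.startswith("====="):
            cur = None  # separator after the last certificate
    return sorted(certs, key=lambda c: c.order)


def check_path(certs: list[Cert]) -> tuple[bool, list[str]]:
    """Return (complete, problems). A path is complete when every issuer is the
    subject of the next certificate and the last one is self-issued.
    Note: this compares the printed DN strings exactly; a real validator
    compares normalised X.500 names."""
    problems: list[str] = []
    if not certs:
        return False, ["no certificate presented"]
    for cur, nxt in zip(certs, certs[1:]):
        if cur.issuer != nxt.subject:
            problems.append(
                f"cert {cur.order} issuer '{cur.issuer}' does not match cert {nxt.order} subject '{nxt.subject}'")
    last = certs[-1]
    if not (last.self_issued or last.subject == last.issuer):
        problems.append(
            f"path stops at '{last.subject}'; its issuer '{last.issuer}' was not sent")
    return not problems, problems


if __name__ == "__main__":
    for name, dump in (("ESXi 6.5 host", DUMP_ESXI65), ("ESXi 6.7 host", DUMP_ESXI67)):
        ok, problems = check_path(parse_chain(dump))
        print(f"{name}: {'complete' if ok else 'INCOMPLETE'}")
        for p in problems:
            print("  -", p)
```

Against a live host, save the output of `TestSSLServer host:443` to a file and pass its text to `check_path(parse_chain(text))`; for the 6.7 host above the report names the VMCA certificate as the missing issuer, which is exactly what the browser's incomplete-path error is telling you.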