VMware Cloud Community
AKEENA64
Contributor

Vcenter 6.7 - Root Vmware (CA) certificate issue

Tech info

Vcenter Appliance 6.7

PSC embedded

Esxi 6.5 U2

Hi all,

I am coming to the forum to find help with a problem I am having. I have just updated my "Vcenter" with a self-signed + root certificate. I went through the "Certificate Manager" and "ADCS" process. So far, so good. I have successfully updated the server. I checked the certificate (padlock on the web page) on the "Vcenter" and on the "Vmware Appliance Management", everything is OK!

[screenshot: vcen.png]

[screenshot: mana.png]

On the other hand, as soon as I add an ESXi to my "Vcenter", it picks up the old Root Vmware (CA) certificate...

[screenshot: ca.png]

On the ESXi:

[screenshot: ES2.png]

I nevertheless did a "renew certificate" and a "refresh certificate" at the "Vcenter" level, but nothing doing, it keeps the old certificate + root Vmware...

I ran all these commands to locate the certificate + root Vmware:

STORE="TRUSTED_ROOTS" ;  echo "[*] Store :" $STORE; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $STORE --text | grep -ie "Alias" -ie "Subject" -ie "Issuer"

STORE="MACHINE_SSL_CERT" ;  echo "[*] Store :" $STORE; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $STORE --text | grep -ie "Alias" -ie "Subject" -ie "Issuer"

STORE="TRUSTED_ROOT_CRLS" ;  echo "[*] Store :" $STORE; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $STORE --text | grep -ie "Alias" -ie "Subject" -ie "Issuer"

STORE="machine" ;  echo "[*] Store :" $STORE; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $STORE --text | grep -ie "Alias" -ie "Subject" -ie "Issuer"

STORE="vpxd" ;  echo "[*] Store :" $STORE; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $STORE --text | grep -ie "Alias" -ie "Subject" -ie "Issuer"

STORE="vpxd-extension" ;  echo "[*] Store :" $STORE; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $STORE --text | grep -ie "Alias" -ie "Subject" -ie "Issuer"

STORE="vsphere-webclient" ;  echo "[*] Store :" $STORE; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $STORE --text | grep -ie "Alias" -ie "Subject" -ie "Issuer"

STORE="APPLMGMT_PASSWORD" ;  echo "[*] Store :" $STORE; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $STORE --text | grep -ie "Alias" -ie "Subject" -ie "Issuer"

etc...

I did find the "CA Vmware" in "TRUSTED_ROOTS", which I backed up, unpublished and finally deleted with the following commands:

/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store TRUSTED_ROOTS --alias cd82e6bf7d2e01d26997e566f8a7786b979492d2 --output /tmp/certs/CA-CALIFORNY.crt

/usr/lib/vmware-vmafd/bin/dir-cli trustedcert unpublish --cert /tmp/certs/CA-CALIFORNY.crt --login administrator@... --password ...

/usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store TRUSTED_ROOT_CRLS -y --alias cd82e6bf7d2e01d26997e566f8a7786b979492d2

I restarted all the services on the "Vcenter/PSC", and even rebooted (the Vcenter, the ESXi)... But nothing helps, the "ESXI" always picks up the "CA Vmware" certificate...

What else can I do, please???

Thanks a lot for your valuable help...

Akeena64

daphnissov
Immortal

You're conflating two things here which are totally separate. The first is the machine certificate of vCenter Server. This is the certificate that vCenter presents to identify itself to clients. You have successfully replaced this with one signed by an external CA. The second is the VMware Certificate Authority (VMCA) which is an internal CA which is contained within vCenter Server which it uses to sign other certificates, namely those of ESXi hosts. This you did not replace and these are totally separate. The general recommendation is to do as you have already done and replace the machine certificate (which you've done) and leave the VMCA root certificate as-is (which is done automatically).

AKEENA64
Contributor
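As an added illustration (not code from this thread, and not a VMware tool), the following Python script parses the kind of output the poster's grep pipeline produces for several VECS stores and then answers the question the thread turns on: which entry in TRUSTED_ROOTS issued the vCenter machine certificate, which one issued the ESXi host certificate, and whether any observed certificate still chains to a given root before that root is unpublished or deleted. The store dump, aliases, host names and DNs are constructed placeholders, the exact vecs-cli text layout is approximated from memory, and matching is by issuer/subject name only rather than by signature verification.

```python
import re
from typing import Dict, List, Optional

# Constructed sample (hypothetical aliases and DNs, not taken from the thread).
# It mimics what the pipeline
#   echo "[*] Store :" $STORE; vecs-cli entry list --store $STORE --text \
#       | grep -ie "Alias" -ie "Subject" -ie "Issuer"
# prints for two stores.  Note the noise lines that a case-insensitive grep for
# "Subject" also matches (Subject Public Key Info, Subject Key Identifier,
# Subject Alternative Name); the parser below deliberately skips them.
SAMPLE_VECS_DUMP = """\
[*] Store : TRUSTED_ROOTS
Alias :\taaaa1111aaaa1111aaaa1111aaaa1111aaaa1111
        Issuer: CN=CA, DC=vsphere, DC=local, C=US, O=vcenter.example.local
        Subject: CN=CA, DC=vsphere, DC=local, C=US, O=vcenter.example.local
        Subject Public Key Info:
            X509v3 Subject Key Identifier:
Alias :\tbbbb2222bbbb2222bbbb2222bbbb2222bbbb2222
        Issuer: CN=Corp-Root-CA, DC=corp, DC=example
        Subject: CN=Corp-Root-CA, DC=corp, DC=example
        Subject Public Key Info:
[*] Store : MACHINE_SSL_CERT
Alias :\t__MACHINE_CERT
        Issuer: CN=Corp-Root-CA, DC=corp, DC=example
        Subject: CN=vcenter.example.local, OU=IT, O=Example
        Subject Public Key Info:
            X509v3 Subject Alternative Name:
"""

# Constructed: (subject, issuer) pairs as shown by the browser padlock on the
# vCenter UI and on an ESXi host UI.  The ESXi certificate lives on the host
# (it is not a VECS entry), so it is supplied separately.
OBSERVED_LEAVES = {
    "vcenter.example.local": (
        "CN=vcenter.example.local, OU=IT, O=Example",
        "CN=Corp-Root-CA, DC=corp, DC=example",
    ),
    "esxi01.example.local": (
        "CN=esxi01.example.local",
        "CN=CA, DC=vsphere, DC=local, C=US, O=vcenter.example.local",
    ),
}

STORE_RE = re.compile(r"^\[\*\] Store :\s*(\S+)")
ALIAS_RE = re.compile(r"^Alias\s*:\s*(\S+)")
# Only an exact "Subject:" or "Issuer:" label; "Subject Public Key Info:" etc. do not match.
DN_RE = re.compile(r"^\s*(Subject|Issuer):\s*(.+?)\s*$")


def parse_vecs_dump(text: str) -> Dict[str, Dict[str, Dict[str, str]]]:
    """Return {store: {alias: {"subject": DN, "issuer": DN}}} from the grep'd dump."""
    stores: Dict[str, Dict[str, Dict[str, str]]] = {}
    store: Optional[str] = None
    alias: Optional[str] = None
    for line in text.splitlines():
        m = STORE_RE.match(line)
        if m:
            store = m.group(1)
            stores.setdefault(store, {})
            alias = None
            continue
        m = ALIAS_RE.match(line)
        if m and store is not None:
            alias = m.group(1)
            stores[store][alias] = {}
            continue
        m = DN_RE.match(line)
        if m and store is not None and alias is not None:
            stores[store][alias][m.group(1).lower()] = m.group(2)
    return stores


def issuing_root(stores, issuer_dn: str) -> Optional[str]:
    """Alias of the TRUSTED_ROOTS entry whose subject equals issuer_dn (name match only)."""
    for alias, dn in stores.get("TRUSTED_ROOTS", {}).items():
        if dn.get("subject") == issuer_dn:
            return alias
    return None


def explain_trust(stores, leaves) -> Dict[str, Optional[str]]:
    """Map each observed leaf certificate to the trusted-root alias that issued it."""
    return {host: issuing_root(stores, issuer) for host, (_, issuer) in leaves.items()}


def dependents_of_root(stores, leaves, alias: str) -> List[str]:
    """Hosts whose certificate chains to this root; non-empty means do not unpublish/delete it."""
    return [host for host, root in explain_trust(stores, leaves).items() if root == alias]


if __name__ == "__main__":
    stores = parse_vecs_dump(SAMPLE_VECS_DUMP)
    for host, root in explain_trust(stores, OBSERVED_LEAVES).items():
        print(f"{host}: issued by TRUSTED_ROOTS alias {root}")
    vmca_alias = "aaaa1111aaaa1111aaaa1111aaaa1111aaaa1111"
    print("still depends on the VMCA root:", dependents_of_root(stores, OBSERVED_LEAVES, vmca_alias))
```

In the constructed data the vCenter machine certificate chains to the enterprise root while the ESXi host certificate chains to the VMCA root, which is exactly the "hybrid" picture described above; dependents_of_root reports the ESXi host against the VMCA alias, so that root is not a candidate for removal even though the machine certificate no longer uses it.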

Hi Daphnissov,

thanks a lot for your reply.

So if I understood correctly, we have 2 certificates and 2 root certificates on the PCs, right?

    Vcenter / PSC                     ESXI
          |                             |
          |                             |
          |                             |
      Computer                      Computer
  Self signed certificate           server certificate (Vmware)
  Root signed certificate           CA root (Vmware)

It's not a problem in use?

Thanks

Akeena

daphnissov
Immortal

I don't understand your diagram, so let me explain differently.

The ESXi host has its machine certificate signed by the VMCA. It has no relation to the machine certificate you have manually replaced for vCenter, which is signed by your own internal CA (NOT VMCA). This approach is called the "hybrid" certificate replacement approach and there is no problem with it whatsoever. It's actually the preferred method of handling custom certificates because the VMCA handles all the hosts; you are just responsible for handling the vCenter Server.

AKEENA64
Contributor

I understood before with your explanation, no problem with that!!!

The diagram is just when connected from a PC...

It's bizarre not to have just one entity that manages all the certificates (VMCA, Vcenter, etc...).

So now, it's not a problem. It's clear with your knowledge!!!

Thanks a lot for your information!! 😉

Akeena