Hello All,
I'm trying to replace the default SSL certificates from Virtual Center 2.01 with certificates from my own Microsoft Enterprise root CA.
I followed this howto:
http://edward.aractingi.net/blog/archives/virtualization/
In this article I'm missing how I get my rui.crt certificate?
I am only able to get the rui.pem, rui.pfx and rui.key files.
And this howto:
http://www.vmware.com/pdf/vi_vcserver_certificates.pdf
(I get the feeling that this document is not meant for a Microsoft CA, just a local root CA.)
In this article I get stuck on page 8 with the line:
openssl ca -out ruit.crt -config openssl.cnf -infiles mycsr.csr
c:\Program files\openssl\openssl ca -out Webaccess.crt -config openssl.cfg -infiles Webaccess.csr
Using configuration from openssl.cfg
Loading 'screen' into random state - done
unable to load CA certificate
3360:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:663:Expecting: CERTIFICATE
Was anybody able to replace these certificates? Who can help me out?
The certificates are on the ESX host under /etc/vmware/ssl.
I install the OpenSSL tools on the VC server and then do a request to the MS CA website.
When the certificate is in, I use a couple of openssl commands to export it to OpenSSL format, so that VC can use it.
Currently I can't access the documents; when I am home I will post them here.
Do I also have to replace the certificates from my ESX 3 host to get VC2 and Webaccess working with my Microsoft Enterprise root CA?
According to page 4 of the VMware white paper I have to replace rui.key, rui.crt and rui.pfx.
I cannot figure out how I get my new rui.crt certificate, probably with openssl, but I don't know the exact syntax, as you can see in the error message.
rui.crt, as far as I know, is just the root certificate to trust. You can check if you open the file on a Windows client: it shows the root certificate. (You can also open the PFX with "testpassword" as password; found this in the PDF above.)
Basically I have the same problem afterwards. I've tried to replace the rui files, but a restart of the Virtual Center Server leads to an unexpected termination of the service without information why. Change back to the original rui files and everything works fine.
Also tested changing the PFX password to testpassword or without password: no change.
Anybody able to change the SSL certificate of just the web access?
Do this:
Install the OpenSSL tools on the VC server.
Generate a new key:
openssl genrsa 1024 > rui.key
Create a signing request:
openssl req -new -key rui.key > rui.csr
Open the rui.csr with a text editor and select all the text.
Issue the certificate on the MS CA and download the cert file to rui.crt.
Then convert the rui.crt to rui.pfx with the following command:
openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui -passout pass:testpassword -out rui.pfx
Hello All,
I managed to replace my VirtualCenter 2.01 certificates, so I can use VirtualCenter Webaccess without getting a warning about untrusted certificates.
But what about the certificates rui.key and rui.crt which are located on the ESX Server host (/etc/vmware/ssl/)? Do I have to replace them also? Do I have to create new certificates for the ESX server host?
What is the advantage of that? Is this necessary when you have replaced the VirtualCenter host certificates?
I created a small howto for replacing the VC2 host certificates.
Thanks Rob for your hint about creating the rui.crt certificate.
*********************************************************
Howto - Create new certificates with Openssl and Microsoft Certificate Services Web Enrollment for VirtualCenter 2.01
rui.key
=======
openssl genrsa 1024 > rui.key
rui.csr
=======
openssl req -new -key rui.key > rui.csr -config openssl.cfg
When asked for the common name, fill in the hostname or the FQDN of the VirtualCenter server.
rui.crt
=======
Go to --> Microsoft Certificate Services Web Enrollment
press --> Request a certificate
then press --> Or, submit an advanced certificate request.
then press --> Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
then paste the contents of rui.csr into the field "Saved Request:"
choose "Web Server" under "Certificate Template:"
press Submit
select "Base 64 encoded"
then download the certificate and rename it to rui.crt
rui.pfx
=======
openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui -out rui.pfx
Enter Export Password:
Replacing the Certificates on VirtualCenter 2 Host
==================================================
Copy the files rui.key, rui.crt and rui.pfx to C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL\
Restart your VirtualCenter Server service. This will also restart your Webaccess service.
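The howto above, as an added example (not from the thread or from VMware): it runs the same rui.key / rui.csr / rui.crt / rui.pfx steps end to end, but signs the CSR with a throwaway local test CA so it works offline instead of going through the Microsoft CA web enrollment, and then performs the checks worth doing before copying the files into the VirtualCenter SSL directory. The CA name, the hostname vc01.lab.example and the scratch directory are assumptions; "rui" and "testpassword" are the values the thread uses.

```shell
#!/bin/sh
# Added example: reproduces the rui.* certificate workflow with a constructed
# local test CA standing in for the Microsoft Enterprise root CA. WORK is a
# scratch directory (assumption); a working openssl binary is required.
set -eu
WORK="${WORK:-$(mktemp -d)}"

make_test_ca() {
  # Constructed stand-in for the enterprise root CA (self-signed, lab only).
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.crt" -subj "/CN=Test Lab Root CA" -days 365 >/dev/null 2>&1
}

make_rui_files() {
  host="$1"   # CN must be the VirtualCenter hostname or FQDN
  # rui.key and rui.csr (the thread uses "openssl genrsa 1024 > rui.key")
  openssl genrsa -out "$WORK/rui.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/rui.key" -subj "/CN=$host" -out "$WORK/rui.csr" 2>/dev/null
  # rui.crt: the CA signs the CSR and returns a Base64 (PEM) certificate,
  # which is what the Web Server template / "Base 64 encoded" download yields
  openssl x509 -req -in "$WORK/rui.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -out "$WORK/rui.crt" 2>/dev/null
  # rui.pfx: cert + key as PKCS#12, friendly name "rui", password from the VMware PDF
  openssl pkcs12 -export -in "$WORK/rui.crt" -inkey "$WORK/rui.key" -name rui \
    -passout pass:testpassword -out "$WORK/rui.pfx"
}

# Pre-install checks: rui.crt is PEM (a DER download gives the
# "Expecting: CERTIFICATE" error seen in the thread), the private key matches
# the certificate, the cert chains to the CA, and the pfx opens with the
# expected password and carries the "rui" friendly name.
verify_rui_files() {
  head -n 1 "$WORK/rui.crt" | grep -q 'BEGIN CERTIFICATE' || return 1
  crt_mod=$(openssl x509 -noout -modulus -in "$WORK/rui.crt")
  key_mod=$(openssl rsa -noout -modulus -in "$WORK/rui.key" 2>/dev/null)
  [ "$crt_mod" = "$key_mod" ] || return 1
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/rui.crt" >/dev/null 2>&1 || return 1
  openssl pkcs12 -in "$WORK/rui.pfx" -passin pass:testpassword -noout -info \
    >/dev/null 2>&1 || return 1
  openssl pkcs12 -in "$WORK/rui.pfx" -passin pass:testpassword -nokeys -nodes \
    2>/dev/null | grep -q 'friendlyName: rui'
}

# Subject line of the issued certificate, to confirm the CN that was requested.
rui_cert_subject() { openssl x509 -noout -subject -in "$WORK/rui.crt"; }
```

Run the three functions in order; a failing check in verify_rui_files is the point at which to stop rather than copy the files to the VirtualCenter SSL directory.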
Just retested the procedure.
Make sure when you download the certificate you select Base64.
When you didn't specify a password on the request you can just issue the following command to create a .pfx:
openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui -out rui.pfx
Hey dmaster, you were a little bit faster than me.
I also replaced the certificates on the ESX hosts.
Unfortunately it doesn't like the new certs.
Can't get the servers in VC anymore.
Strange that I didn't test this sooner.
What about the ESX host certificates rui.key and rui.crt which are located in /etc/vmware/ssl/?
Do I have to replace them also? They are probably not the same as the VirtualCenter host certificates.
Do I have to create new certificates for the ESX server host in the same way I did on the VC2 host, again with a Web Server template?
What is the advantage of that?
Is this necessary when you have replaced the VirtualCenter host certificates?
If you want to connect through the web interface from a client etc.
Okay, it's clear for me now. Thanks for the help.
Problem solved, answer is posted in this topic.
Today I was rebuilding my test lab and I made a huge error in my post:
openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui -out rui.pfx
Do this:
openssl pkcs12 -export -in rui.crt -inkey rui.key -name -out rui.pfx
This also fixed a lot of other issues.
Hi Rob,
Did you also have the problem that you cannot use the customization specifications, because it's complaining about problems with decrypting the password, after you changed the SSL certificates of VC2?
Sorry, no time to test guest customization.
What is still buggy is that the vpxa daemon crashes on the ESX hosts.
So I left the ESX hosts without a certificate.
Do this:
Install the OpenSSL tools on the VC server.
Generate a new key:
openssl genrsa 1024 > rui.key
Create a signing request:
openssl req -new -key rui.key > rui.csr
Open the rui.csr with a text editor and select all the text.
Issue the certificate on the MS CA and download the cert file to rui.crt.
Then convert the rui.crt to rui.pfx with the following command:
openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui -passout pass:testpassword -out rui.pfx
My vpxd daemon on VC 2.5 keeps freaking out when replacing the certificates, with the error:
2008-01-14 18:33:04.790 'App' 3920 error crypto failure: error:0407106B:rsa routines:RSA_padding_check_PKCS1_type_2:block type is not 02
2008-01-14 18:33:04.790 'App' 3920 error Failed to decrypt password: applying key to encrypted data failed (likely the wrong key)
I'm using Win32 OpenSSL Light 0.9.8g to generate the keys.
I haven't used a password anywhere except in the conversion to the pfx file, so I suspect there is a bug in the Win32 version.
Can anyone here confirm that this is an issue?
I get the same error when generating the certificate with OpenSSL 0.9.7a from an ESX 3.0.1 b42829 console.
Try the KB article 'VirtualCenter Server Fails to Start After You Replace Default SSL Certificates with Custom SSL Certificates', ID 1003070.