58 Replies. Latest reply on Mar 5, 2009 3:05 AM by Markisha1979
      • 31. Re: Replace VMware Virtual Center SSL Certificate with Microsoft CA
        Jwoods Expert
        RobMokkink wrote:

        Today I was rebuilding my test lab and I made a huge error in my post:

        openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui -out rui.pfx

        Do this:

        openssl pkcs12 -export -in rui.crt -inkey rui.key -name <your fqdn of the virtualcenter server> -out rui.pfx

        This also fixed a lot of other issues.

        Rob/Dmaster, does the "security warning" still appear for you after replacing the SSL cert on VC? Whenever I generate a cert for either hostname or FQDN I still receive the security warning.

        Cert generated using hostname "VCSERVER1" --> The certificate received from "vcserver1.foo.foo.com" was issued for "VCSERVER1". Secure communication with "vcserver1.foo.foo.com" cannot be guaranteed.

        Cert generated using FQDN "vcserver1.foo.foo.com" --> The certificate received from "VCSERVER1" was issued for "vcserver1.foo.foo.com". Secure communication with "vcserver1.foo.foo.com" cannot be guaranteed.

        I didn't expect to receive any warning after replacing the cert. Just thought it would go straight through after login. I know I can simply check "Do not display..." or just ignore, but wanted to verify whether or not this behavior is expected.

        • 32. Re: Replace VMware Virtual Center SSL Certificate with Microsoft CA
          Dennis@wmdata Enthusiast

          If your computer doesn't trust the issuer of the certificate you have to install the root certificate of the issuer on all your computers that will be running the VC client.

          • 33. Re: Replace VMware Virtual Center SSL Certificate with Microsoft CA
            Jwoods Expert
            Dennis@wmdata wrote:

            If your computer doesn't trust the issuer of the certificate you have to install the root certificate of the issuer on all your computers that will be running the VC client.

            And that's the weird part. The cert was issued by my Enterprise CA. The VC server is in the domain and has the root cert in the cert store.

            • 34. Re: Replace VMware Virtual Center SSL Certificate with Microsoft CA
              Dennis@wmdata Enthusiast

              Have you verified that the root certificate actually is loaded on your client computer where you start the VC client application?

              • 35. Re: Replace VMware Virtual Center SSL Certificate with Microsoft CA
                Jwoods Expert
                Dennis@wmdata wrote:

                Have you verified that the root certificate actually is loaded on your client computer where you start the VC client application?

                Yep, it's there. What I'm getting from your questioning is that the additional screen that I'm seeing upon login should not exist after the cert has been replaced?

                • 36. Re: Replace VMware Virtual Center SSL Certificate with Microsoft CA
                  smpeck Lurker

                  Thanks for the information. I followed these directions and I am now able to use the VI client without cert warnings using a certificate from my local domain's CA. However, I run into problems accessing the web interface. Using IE, I get the following message box:

                  "Choose a digital certificate. The website you want to view requests identification. Please choose a certificate." There are no certificates listed in the menu. Any ideas?

                  • 37. Re: Replace VMware Virtual Center SSL Certificate with Microsoft CA
                    Jwoods Expert

                    Problem solved.  Cert had the FQDN, but it seems VIC requires FQDN to compare against cert!  I was originally using shortname.  Thanks for the help Dennis!

                    • 38. Re: Replace VMware Virtual Center SSL Certificate with Microsoft CA
                      Dennis@wmdata Enthusiast

                      Yep. That's how certificates work. If you deviate from the subject name in any way the check will fail.

                      • 39. Re: Replace VMware Virtual Center SSL Certificate with Microsoft CA
                        astrolab Enthusiast

                        I tried to put together a step-by-step process on regenerating the VirtualCenter certificate. It applies to an environment with a Microsoft CA, but it can be adapted to any root CA. Please let me know of any errors.

                        1. Install openSSL Light on the VC Server. ** Moderator note: Win32 OpenSSL Light can be downloaded from the kind folks at http://www.slproweb.com/products/win32openssl.html **

                        2. Generate an RSA private key and a certificate-signing request

                        BACK UP THE EXISTING RUI.CRT, RUI.KEY and RUI.PFX TO A SECURE LOCATION.

                        They are located in c:\docs and settings\all users\app data\vmware\VMware VirtualCenter\SSL

                        From the VC Server, navigate at the command prompt to the openSSL\bin directory

                        Issue the following commands:

                        openssl genrsa 1024 > rui.key

                        openssl req -new -key rui.key > rui.csr

                        Fill in the appropriate information. ** Moderator note: Your Name/Common Name is the FQDN of your VC Server, i.e. servername.domain.com **

                        3. Request a Certificate

                        Go to your CA webpage.

                        Click on Request a Certificate

                        Open the file that you saved above with notepad and copy all of the contents including the "-----BEGIN CERTIFICATE REQUEST-----" and "-----END CERTIFICATE REQUEST-----" lines

                        Be sure that the Certificate Template is set to Web Server. There is no need to enter anything into the Additional Attributes field.

                        Click on Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

                        Paste the notepad contents of the certificate request file from above into the Saved Request field and click on the Submit button.

                        Select Base 64 Encoded and click Download Certificate and save the certificate to C:\...\openSSL\bin ** Moderator note: Save file name as rui.crt **

                        During this process, you may receive an email with certificate information in it. You may safely delete the email.

                        4. Create a .pfx (personal individual exchange) file for rui.crt

                        At the Command Prompt on the VC server navigate to C:\...\openSSL\bin and issue:

                        openssl pkcs12 -export -in rui.crt -inkey rui.key -name VirtualCenterServerFQDN -out rui.pfx

                        5. Move rui.crt, rui.key, and rui.pfx to

                        c:\docs and settings\all users\app data\vmware\VMware VirtualCenter\SSL

                        6. Disconnect all ESX hosts managed by VirtualCenter ** Moderator note: (original step: Power off all VMs on the hosts in the VC. This needs to be done because after the VC loads the new certs it will not be possible to gracefully shut down the VMs from the VC Client, though it can still be done through RDP or Service Console.) **

                        7. ** Moderator note: Added step 7: Stop the VMware VirtualCenter Server service **

                        7.5 From CMD, navigate to the C:\Program files\VMware\Infrastructure\VirtualCenter Server\ directory and issue the following command:

                        Vpxd -p (it re-encrypts the DB password). When prompted, type the password used for the VC database.

                        8. Start the VMware VirtualCenter Server service ** Moderator note: Starting the VC Service should be sufficient. (original step: Restart the VC server.) **

                        9. ** Moderator note: This step not necessary ** (original step: Restart all ESX hosts.)

                        10. Reconnect all ESX hosts. ** Moderator note: VMs should already be powered on ** (original step: and power on the VMs.)

                        11. IMPORTANT: connect to the VC Infrastructure by using the Virtual Center FQDN.

                        Now, the question for the forum is: if I regenerate the certificate on every single ESX host, using the same Microsoft CA, the host is not happy, gets disconnected and when trying to reconnect I receive the error: bad username or password. Has anybody implemented a comprehensive certificate strategy where both VC and the single hosts use certificates issued by the same CA?

                        Message was edited by: jasonboche

                        Added/changed some steps as noted.

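The following script is an added example and not part of the thread or of VMware's documentation. It reproduces steps 2 and 4 of the procedure above with OpenSSL on a POSIX shell, and then performs the check that the later posts in this thread keep coming back to: the name typed into the VI client must be exactly the Common Name in the certificate, otherwise the "was issued for ..." warning appears. Because a Microsoft CA is not available offline, the CA signing of step 3 is stood in for by self-signing the CSR; the FQDN `vcserver1.example.com`, the PFX password `changeit` and the 2048-bit key size (the thread uses 1024) are constructed choices for the example.

```shell
#!/bin/sh
# Added example (not from the thread): key + CSR with CN = FQDN, a
# self-signed stand-in for the Microsoft CA step, pkcs12 export with
# -name = FQDN, and a CN-vs-connect-name check.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
VC_FQDN="vcserver1.example.com"   # constructed placeholder for the VC server FQDN
PFX_PASS="changeit"               # constructed; protect the real export password

# Step 2: private key and CSR. -subj sets the CN non-interactively so the
# "Your Name/Common Name" prompt cannot be answered with a short hostname.
# 2048-bit key instead of the thread's 1024 (assumption for modern use).
make_key_and_csr() {
    openssl genrsa -out "$WORKDIR/rui.key" 2048 2>/dev/null
    openssl req -new -key "$WORKDIR/rui.key" -subj "/CN=$1" \
        -out "$WORKDIR/rui.csr"
}

# Step 3 stand-in: self-sign the CSR. In the thread this is the CA web
# enrollment page with the Web Server template producing Base64 rui.crt.
issue_cert_selfsigned() {
    openssl x509 -req -in "$WORKDIR/rui.csr" -signkey "$WORKDIR/rui.key" \
        -days 365 -out "$WORKDIR/rui.crt" 2>/dev/null
}

# Step 4: pkcs12 export. -name is the friendly name stored in the PFX;
# post 31's correction is that it should be the VC FQDN, not "rui".
make_pfx() {
    openssl pkcs12 -export -in "$WORKDIR/rui.crt" -inkey "$WORKDIR/rui.key" \
        -name "$1" -out "$WORKDIR/rui.pfx" -passout "pass:$PFX_PASS"
}

# Print the CN of a PEM certificate (RFC2253 subject form).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Print the friendly name recorded in the PFX bag attributes.
pfx_friendly_name() {
    openssl pkcs12 -in "$WORKDIR/rui.pfx" -passin "pass:$PFX_PASS" -nokeys 2>/dev/null \
        | sed -n 's/^ *friendlyName: *//p' | head -n 1
}

# Step 11 check: $1 is the name you would type into the VI client,
# $2 the certificate file. Exit status 0 only on an exact match.
name_matches_cert() {
    cn=$(cert_cn "$2")
    [ "$1" = "$cn" ]
}

build_all() {
    make_key_and_csr "$VC_FQDN"
    issue_cert_selfsigned
    make_pfx "$VC_FQDN"
}

build_all
if name_matches_cert "$VC_FQDN" "$WORKDIR/rui.crt"; then
    echo "connecting as $VC_FQDN: name matches cert CN, no warning expected"
fi
if ! name_matches_cert "VCSERVER1" "$WORKDIR/rui.crt"; then
    echo "connecting as VCSERVER1: CN mismatch, the 'issued for' warning appears"
fi
```

The mismatch branch is the situation in posts 31 and 37: the certificate was fine, but the client was pointed at the short name. Running the check against the name your admins actually type is cheaper than regenerating certificates.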
                        • 40. Re: Replace VMware Virtual Center SSL Certificate with Microsoft CA
                          Dennis@wmdata Enthusiast

                          You forgot to say that you should enter the FQDN of the VC at Enter your name when generating the request.

                          • 41. Re: Replace VMware Virtual Center SSL Certificate with Microsoft CA
                            celak Enthusiast

                            Hello,

                            Is there any way to completely disable the SSL feature of VI3?

                            I don't want to use SSL and don't want to see validation error messages of SSL certs.

                            Thanx.

                            • 42. Re: Replace VMware Virtual Center SSL Certificate with Microsoft CA
                              Jwoods Expert

                              Yes this is the last BUT very important part.  If not done, you'll be spinning your wheels trying to fix what's not broken.

                              • 43. Re: Replace VMware Virtual Center SSL Certificate with Microsoft CA
                                madcult Hot Shot

                                When I try to connect to a VirtualCenter server there always appears this message that the certificate is not trusted. Every time I have to click ignore. Even if I install this certificate the information appears next time again.

                                Message:

                                >>The certificate received from "server1.domain.com" was issued for "VMware". Secure communication with "server1.domain.com" cannot be guaranteed. Ensure that the fully-qualified domain name on the certificate matches the address of the server you are trying to connect to. <<

                                I think our problem is that the certificate "was issued for 'VMware'" and not for the FQDN "server1.domain.com"! We have no root CA, or maybe I misunderstood what it is for, but atm we do not work with certificates except those usually made by any Linux machine when we connect to it per SSH. How can I solve this? We don't want our admins to see this message. It makes other admins think that something went wrong and that's what we want to avoid.

                                • 44. Re: Replace VMware Virtual Center SSL Certificate with Microsoft CA
                                  rbeu Novice

                                  Has anyone tried replacing the certs without shutting down the vm's and instead vmotion'ing them off one host at a time and then restarting that host?  I have a feeling vmotion will fail between the hosts without them being restarted first but I'm curious if anyone has tried this.