<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Week long headache with CA signed certificates on VCSA 5.5 in vCenter™ Server Discussions</title>
    <link>https://communities.vmware.com/t5/vCenter-Server-Discussions/Week-long-headache-with-CA-signed-certificates-on-VCSA-5-5/m-p/2166235#M71668</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Anyone help me out here?&lt;/P&gt;&lt;P&gt;I've worked through the KB article 8 times, and followed Derek Seaman's blog on this, but still always the same result.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Fri, 21 Feb 2014 05:50:19 GMT</pubDate>
    <dc:creator>WHISKEYTANG0F0X</dc:creator>
    <dc:date>2014-02-21T05:50:19Z</dc:date>
    <item>
      <title>Week long headache with CA signed certificates on VCSA 5.5</title>
      <link>https://communities.vmware.com/t5/vCenter-Server-Discussions/Week-long-headache-with-CA-signed-certificates-on-VCSA-5-5/m-p/2166234#M71667</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;After a week of deploying VCSA 5.5 over and over again, probably 18 times, and seeing what must be every SSL related error possible, I am asking advice here for those who may have stumbled through this before. (Or know Linux)&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;On my last attempt I've installed fresh, configured the server, generated cert reqs through OpenSSL 0.9.8y, approved them through my internal CA, and attempted VMWare KB:&lt;/P&gt;&lt;P&gt;&lt;A href="http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&amp;amp;cmd=displayKC&amp;amp;externalId=2057223" title="http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&amp;amp;cmd=displayKC&amp;amp;externalId=2057223"&gt;VMware KB: Configuring Certificate Authority (CA) signed certificates for vCenter Server Appliance 5.5 &lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;All goes well this time until step 22: &lt;SPAN&gt;Run these commands to register the vCenter Inventory Service back to vCenter Single Sign-On:&lt;BR /&gt;&lt;BR /&gt;&lt;CODE&gt;cd /etc/vmware-sso/register-hooks.d&lt;BR /&gt;&lt;BR /&gt;&lt;SPAN&gt;./02-inventoryservice --mode install --ls-server &lt;/SPAN&gt;&lt;A class="jive-link-external-small" href="https://VCSA1.domain.com:7444/lookupservice/sdk"&gt;https://VCSA1.domain.com:7444/lookupservice/sdk&lt;/A&gt;&lt;SPAN&gt; --user &lt;/SPAN&gt;&lt;SPAN style="color: #ff0000;"&gt;administrator@vsphere.local&lt;/SPAN&gt; --password &lt;EM style="color: red;"&gt;sso_administrator_password&lt;/EM&gt;&lt;/CODE&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;&lt;EM style="color: red;"&gt;&lt;BR /&gt;&lt;/EM&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN style="color: #000000;"&gt;And I am rewarded with this: &lt;/SPAN&gt;&lt;/P&gt;&lt;TABLE&gt;&lt;TBODY&gt;&lt;TR&gt;&lt;TD&gt;&lt;SPAN&gt;Getting SSL certificates for &lt;/SPAN&gt;&lt;A class="jive-link-external-small" 
href="https://VCSA1.mydomain.com:7444/lookupservice/sdk"&gt;https://VCSA1.mydomain.com:7444/lookupservice/sdk&lt;/A&gt;&lt;/TD&gt;&lt;/TR&gt;&lt;/TBODY&gt;&lt;/TABLE&gt;&lt;P&gt;com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate chain not verified&lt;/P&gt;&lt;P&gt;Return code is: SslHandshakeFailed&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN style="font-size: 12pt;"&gt;What gives?&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN style="font-size: 12pt;"&gt;&lt;BR /&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN style="font-size: 10pt;"&gt;The SSO service never gave me any errors when doing the cert install in previous steps. The FQDN is the same in the cert as it is on the VCSA on initial setup, and yes the same case.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN style="font-size: 10pt;"&gt;&lt;BR /&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN style="font-size: 10pt;"&gt;VMWare KB yields nothing relevant, as does a Google search.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN style="font-size: 10pt;"&gt;&lt;BR /&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN style="font-size: 10pt;"&gt;HELP! I'm going crazy trying to figure this out.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;&lt;EM style="color: red;"&gt;&lt;BR /&gt;&lt;/EM&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;&lt;EM style="color: red;"&gt;&lt;BR /&gt;&lt;/EM&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;&lt;EM style="color: red;"&gt;&lt;BR /&gt;&lt;/EM&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 18 Feb 2014 23:15:15 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/vCenter-Server-Discussions/Week-long-headache-with-CA-signed-certificates-on-VCSA-5-5/m-p/2166234#M71667</guid>
      <dc:creator>WHISKEYTANG0F0X</dc:creator>
      <dc:date>2014-02-18T23:15:15Z</dc:date>
    </item>
    <item>
      <title>Re: Week long headache with CA signed certificates on VCSA 5.5</title>
      <link>https://communities.vmware.com/t5/vCenter-Server-Discussions/Week-long-headache-with-CA-signed-certificates-on-VCSA-5-5/m-p/2166235#M71668</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Anyone help me out here?&lt;/P&gt;&lt;P&gt;I've worked through the KB article 8 times, and followed Derek Seaman's blog on this, but still always the same result.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 21 Feb 2014 05:50:19 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/vCenter-Server-Discussions/Week-long-headache-with-CA-signed-certificates-on-VCSA-5-5/m-p/2166235#M71668</guid>
      <dc:creator>WHISKEYTANG0F0X</dc:creator>
      <dc:date>2014-02-21T05:50:19Z</dc:date>
    </item>
    <item>
      <title>Re: Week long headache with CA signed certificates on VCSA 5.5</title>
      <link>https://communities.vmware.com/t5/vCenter-Server-Discussions/Week-long-headache-with-CA-signed-certificates-on-VCSA-5-5/m-p/2166236#M71669</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I've had the same problem, but my issue is:&lt;/P&gt;&lt;P&gt;com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate assertion not verified and thumbprint not matched&lt;/P&gt;&lt;P&gt;Return code is: SslHandshakeFailed (when trying to unregister or reregister the Inventory Service after successfully replacing the vCenterSSO certificate).&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 07 Apr 2014 16:08:36 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/vCenter-Server-Discussions/Week-long-headache-with-CA-signed-certificates-on-VCSA-5-5/m-p/2166236#M71669</guid>
      <dc:creator>bedobash</dc:creator>
      <dc:date>2014-04-07T16:08:36Z</dc:date>
    </item>
    <item>
      <title>Re: Week long headache with CA signed certificates on VCSA 5.5</title>
      <link>https://communities.vmware.com/t5/vCenter-Server-Discussions/Week-long-headache-with-CA-signed-certificates-on-VCSA-5-5/m-p/2166237#M71670</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I believe that if you follow this article you will be able to replace your bad certs:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;A href="http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&amp;amp;cmd=displayKC&amp;amp;externalId=2057223" title="http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&amp;amp;cmd=displayKC&amp;amp;externalId=2057223"&gt;http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&amp;amp;cmd=displayKC&amp;amp;externalId=2057223&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If you give it a try and it is working, please let me know. My feeling is that the SSL trust chain is broken and you will need to recreate it in a similar way.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thank you.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 21 Apr 2014 08:33:30 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/vCenter-Server-Discussions/Week-long-headache-with-CA-signed-certificates-on-VCSA-5-5/m-p/2166237#M71670</guid>
      <dc:creator>BorgOne</dc:creator>
      <dc:date>2014-04-21T08:33:30Z</dc:date>
    </item>
    <item>
      <title>Re: Week long headache with CA signed certificates on VCSA 5.5</title>
      <link>https://communities.vmware.com/t5/vCenter-Server-Discussions/Week-long-headache-with-CA-signed-certificates-on-VCSA-5-5/m-p/2166238#M71671</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Have you read Derek Seaman's blog on SSL in ESX 5.5?&amp;nbsp; You can probably start here: &lt;A href="http://www.derekseaman.com/2013/10/vsphere-5-5-install-pt-5-ssl-deep.html" title="http://www.derekseaman.com/2013/10/vsphere-5-5-install-pt-5-ssl-deep.html"&gt;http://www.derekseaman.com/2013/10/vsphere-5-5-install-pt-5-ssl-deep.html&lt;/A&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 23 Apr 2014 16:15:45 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/vCenter-Server-Discussions/Week-long-headache-with-CA-signed-certificates-on-VCSA-5-5/m-p/2166238#M71671</guid>
      <dc:creator>flynmooney</dc:creator>
      <dc:date>2014-04-23T16:15:45Z</dc:date>
    </item>
    <item>
      <title>Re: Week long headache with CA signed certificates on VCSA 5.5</title>
      <link>https://communities.vmware.com/t5/vCenter-Server-Discussions/Week-long-headache-with-CA-signed-certificates-on-VCSA-5-5/m-p/2166239#M71672</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;You can check the chain using openssl verify. In Windows the command would be:&lt;/P&gt;&lt;P&gt;&lt;SPAN style="color: #000000; font-family: Tahoma; font-size: 16px; font-style: normal; font-weight: normal; text-align: -webkit-auto; text-indent: 0px;"&gt;openssl verify -CAfile C:\pathtopem\chain.pem -verbose&amp;nbsp; c:\pathtoCerfile\filename.cer&lt;BR /&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;I don't know what the Linux equivalent is.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;When I ran into this issue, it was because the intermediate cert wasn't included in the chain. Open the cert and look at the sections and make sure your root cert is at the bottom and the vCenter cert is at the top.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 23 Apr 2014 16:54:02 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/vCenter-Server-Discussions/Week-long-headache-with-CA-signed-certificates-on-VCSA-5-5/m-p/2166239#M71672</guid>
      <dc:creator>PhillyDiane</dc:creator>
      <dc:date>2014-04-23T16:54:02Z</dc:date>
    </item>
    <item>
      <title>Re: Week long headache with CA signed certificates on VCSA 5.5</title>
      <link>https://communities.vmware.com/t5/vCenter-Server-Discussions/Week-long-headache-with-CA-signed-certificates-on-VCSA-5-5/m-p/2166240#M71673</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I am in the same boat as you are. I even posted a question to the editor of the article that after following the steps, I get the same issue. I have to be honest here that I didn't use a Microsoft CA nor a public CA, and ran all the OpenSSL commands directly on the appliance. So, I started by creating a root CA with the key, then I generated the CSRs etc. from the appliance. To ensure that the root CA that I created was valid, I copied it to /etc/ssl/certs and ran c_rehash /etc/ssl/certs, which then lists my new CA. &lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 03 Sep 2014 19:40:09 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/vCenter-Server-Discussions/Week-long-headache-with-CA-signed-certificates-on-VCSA-5-5/m-p/2166240#M71673</guid>
      <dc:creator>Andr3201110141</dc:creator>
      <dc:date>2014-09-03T19:40:09Z</dc:date>
    </item>
    <item>
      <title>Re: Week long headache with CA signed certificates on VCSA 5.5</title>
      <link>https://communities.vmware.com/t5/vCenter-Server-Discussions/Week-long-headache-with-CA-signed-certificates-on-VCSA-5-5/m-p/2166241#M71674</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;As it always goes, I made progress right after my last post.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;After getting the error, it seems that the certificate is put in place, because if you browse to &lt;/SPAN&gt;&lt;A class="jive-link-external-small" href="https://vcenter:7444/lookupservice/sdk"&gt;https://vcenter:7444/lookupservice/sdk&lt;/A&gt;&lt;SPAN&gt;, the correct certificate does appear. I then ran OpenSSL s_client to verify that the certificate is valid and this is what I got:&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;vCenter55:/ # openssl s_client -connect 192.168.33.128:7444 -status &lt;SPAN style="text-decoration: underline;"&gt;&lt;STRONG&gt;### The command I ran the first time&lt;/STRONG&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;CONNECTED(00000003)&lt;/P&gt;&lt;P&gt;OCSP response: no response sent&lt;/P&gt;&lt;P&gt;depth=1 /C=ZA/ST=Gauteng/L=Pretoria/O=company/OU=Certificate Authority/CN=company Root CA&lt;/P&gt;&lt;P&gt;verify error:num=19:self signed certificate in certificate chain &lt;STRONG style="text-decoration: underline;"&gt;### Seems the appliance doesn't like the self-signed certificate&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;verify return:0&lt;/P&gt;&lt;P&gt;---&lt;/P&gt;&lt;P&gt;Certificate chain&lt;/P&gt;&lt;P&gt;0 s:/C=ZA/ST=Gauteng/O=company/OU=VMware vCenter Service Certificate/CN=vCenter55.company.co.za&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp; i:/C=ZA/ST=Gauteng/L=Pretoria/O=company/OU=Certificate Authority/CN=company Root CA&lt;/P&gt;&lt;P&gt;1 s:/C=ZA/ST=Gauteng/L=Pretoria/O=company/OU=Certificate Authority/CN=company Root CA&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp; i:/C=ZA/ST=Gauteng/L=Pretoria/O=company/OU=Certificate Authority/CN=company Root CA&lt;/P&gt;&lt;P&gt;---&lt;/P&gt;&lt;P&gt;Server certificate&lt;/P&gt;&lt;P&gt;-----BEGIN CERTIFICATE-----&lt;/P&gt;&lt;P&gt;MIID9jCCAt6gAwIBAgICAS.......FBQAwfjELMAkGA1UEBhMCWkEx&lt;/P&gt;&lt;P&gt;-----END 
CERTIFICATE-----&lt;/P&gt;&lt;P&gt;subject=/C=ZA/ST=Gauteng/O=company/OU=VMware vCenter Service Certificate/CN=vCenter55.company.co.za&lt;/P&gt;&lt;P&gt;issuer=/C=ZA/ST=Gauteng/L=Pretoria/O=company/OU=Certificate Authority/CN=company Root CA&lt;/P&gt;&lt;P&gt;---&lt;/P&gt;&lt;P&gt;No client certificate CA names sent&lt;/P&gt;&lt;P&gt;---&lt;/P&gt;&lt;P&gt;SSL handshake has read 2309 bytes and written 441 bytes&lt;/P&gt;&lt;P&gt;---&lt;/P&gt;&lt;P&gt;New, TLSv1/SSLv3, Cipher is AES256-SHA&lt;/P&gt;&lt;P&gt;Server public key is 2048 bit&lt;/P&gt;&lt;P&gt;Secure Renegotiation IS supported&lt;/P&gt;&lt;P&gt;Compression: NONE&lt;/P&gt;&lt;P&gt;Expansion: NONE&lt;/P&gt;&lt;P&gt;SSL-Session:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; Protocol&amp;nbsp; : TLSv1&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; Cipher&amp;nbsp;&amp;nbsp;&amp;nbsp; : AES256-SHA&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; Session-ID: 540771BD58058D6BD2F7C0B673A0D5740FC964C9179DC83DDA9EDA0BCAEB06C7&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; Session-ID-ctx:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; Master-Key: 8BDD035D2FCB5645DECF21B5BB26B6C46C6A964DBD8B5E54EA4CEF1893B75E2D2C2C904E1162B808BA7BBD5CFDDEE22E&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; Key-Arg&amp;nbsp;&amp;nbsp; : None&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; Start Time: 1409774013&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; Timeout&amp;nbsp;&amp;nbsp; : 300 (sec)&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; Verify return code: 19 (self signed certificate in certificate chain) &lt;SPAN style="text-decoration: underline;"&gt;&lt;STRONG&gt;### The return code 19, as seen above, is an error&lt;/STRONG&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;---&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;vCenter55:/ # openssl s_client -connect 192.168.33.128:7444 -CApath /etc/ssl/certs &lt;SPAN style="text-decoration: underline;"&gt;&lt;STRONG&gt;### This time I ran it while specifying the folder 
where my root CA is kept&lt;/STRONG&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;CONNECTED(00000003)&lt;/P&gt;&lt;P&gt;depth=1 /C=ZA/ST=Gauteng/L=Pretoria/O=company/OU=Certificate Authority/CN=company Root CA&lt;/P&gt;&lt;P&gt;verify return:1 &lt;SPAN style="text-decoration: underline;"&gt;&lt;STRONG&gt;### No error this time.&lt;/STRONG&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;depth=0 /C=ZA/ST=Gauteng/O=company/OU=VMware vCenter Service Certificate/CN=vCenter55.company.co.za&lt;/P&gt;&lt;P&gt;verify return:1&lt;/P&gt;&lt;P&gt;---&lt;/P&gt;&lt;P&gt;Certificate chain&lt;/P&gt;&lt;P&gt;0 s:/C=ZA/ST=Gauteng/O=company/OU=VMware vCenter Service Certificate/CN=vCenter55.company.co.za&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp; i:/C=ZA/ST=Gauteng/L=Pretoria/O=company/OU=Certificate Authority/CN=company Root CA&lt;/P&gt;&lt;P&gt;1 s:/C=ZA/ST=Gauteng/L=Pretoria/O=company/OU=Certificate Authority/CN=company Root CA&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp; i:/C=ZA/ST=Gauteng/L=Pretoria/O=company/OU=Certificate Authority/CN=company Root CA&lt;/P&gt;&lt;P&gt;---&lt;/P&gt;&lt;P&gt;Server certificate&lt;/P&gt;&lt;P&gt;-----BEGIN CERTIFICATE-----&lt;/P&gt;&lt;P&gt;MIID9jCCAt6gAwIBAgI......wfjELMAkGA1UEBhMCWkEx&lt;/P&gt;&lt;P&gt;-----END CERTIFICATE-----&lt;/P&gt;&lt;P&gt;subject=/C=ZA/ST=Gauteng/O=company/OU=VMware vCenter Service Certificate/CN=vCenter55.company.co.za&lt;/P&gt;&lt;P&gt;issuer=/C=ZA/ST=Gauteng/L=Pretoria/O=company/OU=Certificate Authority/CN=company Root CA&lt;/P&gt;&lt;P&gt;---&lt;/P&gt;&lt;P&gt;No client certificate CA names sent&lt;/P&gt;&lt;P&gt;---&lt;/P&gt;&lt;P&gt;SSL handshake has read 2309 bytes and written 465 bytes&lt;/P&gt;&lt;P&gt;---&lt;/P&gt;&lt;P&gt;New, TLSv1/SSLv3, Cipher is AES256-SHA&lt;/P&gt;&lt;P&gt;Server public key is 2048 bit&lt;/P&gt;&lt;P&gt;Secure Renegotiation IS supported&lt;/P&gt;&lt;P&gt;Compression: NONE&lt;/P&gt;&lt;P&gt;Expansion: NONE&lt;/P&gt;&lt;P&gt;SSL-Session:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; Protocol&amp;nbsp; : 
TLSv1&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; Cipher&amp;nbsp;&amp;nbsp;&amp;nbsp; : AES256-SHA&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; Session-ID: 54077230E37AC53541373C907E213A8ED19EA02DF5EAFA47C28BF114DA3D68E1&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; Session-ID-ctx:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; Master-Key: F8226AA2B758500D90B0137632F14752FB617E749577C7B4826CD541B1DE6D8BA8F4C3FA24CE59F734E8D5176D1F43AB&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; Key-Arg&amp;nbsp;&amp;nbsp; : None&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; Start Time: 1409774128&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; Timeout&amp;nbsp;&amp;nbsp; : 300 (sec)&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; Verify return code: 0 (ok) &lt;SPAN style="text-decoration: underline;"&gt;&lt;STRONG&gt;### This time the cert is OK&lt;/STRONG&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Turning my attention to the &lt;SPAN style="font-size: 11.0pt; font-family: 'Calibri','sans-serif';"&gt;02-inventoryservice script...&lt;/SPAN&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 03 Sep 2014 20:08:44 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/vCenter-Server-Discussions/Week-long-headache-with-CA-signed-certificates-on-VCSA-5-5/m-p/2166241#M71674</guid>
      <dc:creator>Andr3201110141</dc:creator>
      <dc:date>2014-09-03T20:08:44Z</dc:date>
    </item>
    <item>
      <title>Re: Week long headache with CA signed certificates on VCSA 5.5</title>
      <link>https://communities.vmware.com/t5/vCenter-Server-Discussions/Week-long-headache-with-CA-signed-certificates-on-VCSA-5-5/m-p/2166242#M71675</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Just some more information about where the issue seems to be. None of the below made a difference but I add it for the record. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Going through the &lt;SPAN style="color: #666666; font-family: Calibri, sans-serif; font-size: 14px;"&gt;&lt;SPAN&gt;02-inventoryservice script, it reaches a point where it calls the vi_regtool, which is a Java application. When you get the message "Initializing registration provider" and "Getting SSL certificates for &lt;/SPAN&gt;&lt;A class="jive-link-external-small" href="https://"&gt;https://&lt;/A&gt;&lt;SPAN&gt;...", it is within this Java application. More precisely, it is when it runs the command 'exec -a vi_regtool $JAVA_BIN "$LOG4J_CONF" $JAVA_OPTS -jar "$VI_REGTOOL_JAR" "$@"'.&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Since Java has its own certificate store, I added my self-signed certificate into the Java cacerts store. I even created an intermediate CA to sign the server certs with and added this cert into the store too. On vCSA the Java JRE home is at /usr/java/jre-vmware. To add the CA to the Java store, run this command while within the JRE HOME folder: bin/keytool -import -trustcacerts -alias MyRootCA -file RootCA.crt -keystore lib/security/cacerts. This adds the cert successfully, and even after rebooting the appliance, I still cannot run &lt;SPAN style="color: #666666; font-family: Calibri, sans-serif; font-size: 14px;"&gt;02-inventoryservice to completion.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I get: server certificate assertion not verified and thumbprint not matched.&lt;/P&gt;&lt;P&gt;Return code is: SSLHandshakeFailed. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Andre&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 04 Sep 2014 08:39:10 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/vCenter-Server-Discussions/Week-long-headache-with-CA-signed-certificates-on-VCSA-5-5/m-p/2166242#M71675</guid>
      <dc:creator>Andr3201110141</dc:creator>
      <dc:date>2014-09-04T08:39:10Z</dc:date>
    </item>
    <item>
      <title>Re: Week long headache with CA signed certificates on VCSA 5.5</title>
      <link>https://communities.vmware.com/t5/vCenter-Server-Discussions/Week-long-headache-with-CA-signed-certificates-on-VCSA-5-5/m-p/2166243#M71676</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I realized that there are a number of things that I missed, so I wrote a script to automate the entire process. Testers wanted!&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;A href="http://vmwarenotes.blogspot.com/2014/10/certificator.html" title="http://vmwarenotes.blogspot.com/2014/10/certificator.html"&gt;Andre's VMware Notes: Certificator&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Andre Combrinck&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 02 Oct 2014 04:28:56 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/vCenter-Server-Discussions/Week-long-headache-with-CA-signed-certificates-on-VCSA-5-5/m-p/2166243#M71676</guid>
      <dc:creator>Andr3201110141</dc:creator>
      <dc:date>2014-10-02T04:28:56Z</dc:date>
    </item>
    <item>
      <title>Re: Week long headache with CA signed certificates on VCSA 5.5</title>
      <link>https://communities.vmware.com/t5/vCenter-Server-Discussions/Week-long-headache-with-CA-signed-certificates-on-VCSA-5-5/m-p/2166244#M71677</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hello WTF,&lt;/P&gt;&lt;P&gt;I will go for the shameless self-branding :&lt;/P&gt;&lt;P&gt;&lt;A href="http://bidabe.zapto.org/?p=316" title="http://bidabe.zapto.org/?p=316"&gt;http://bidabe.zapto.org/?p=316&lt;/A&gt;&lt;/P&gt;&lt;P&gt;I used this script on four vCSA so far =&amp;gt; no problem !&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;This script automates SSL certificates signing for vCSA 5.5 and guides you through:&lt;/P&gt;&lt;P&gt;– Generate Certificate Signing Request (CSR)&lt;/P&gt;&lt;P&gt;– Request / Download Certificate&lt;/P&gt;&lt;P&gt;– Install new certificates.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;It runs on vCenter Server Virtual Appliance 5.5 and is intended to work with Microsoft Internal CA.&lt;/P&gt;&lt;P&gt;It checks the system requirements: OpenSSL version, vCSA version, DNS Records and IP Address&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;SSH into your vCSA (puTTY) :&lt;/P&gt;&lt;P&gt;# vCSAFQDN:~ # vim /usr/bin/uptcrt&lt;/P&gt;&lt;P&gt;:set paste&lt;/P&gt;&lt;P&gt;(Paste the whole script from clipboard)&lt;/P&gt;&lt;P&gt;:wq&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;# chmod a+x /usr/bin/uptcrt&lt;/P&gt;&lt;P&gt;# uptcrt&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I would be surprised if you still experience issues but please let me know.&lt;/P&gt;&lt;P&gt;There are a few things that can break your setup (notably encoding between Windows and Linux), this script will avoid that.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;regards,&lt;/P&gt;&lt;P&gt;Florian Bidabé&lt;/P&gt;&lt;P&gt;Information Systems&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 08 Oct 2014 05:01:30 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/vCenter-Server-Discussions/Week-long-headache-with-CA-signed-certificates-on-VCSA-5-5/m-p/2166244#M71677</guid>
      <dc:creator>FlorianBidabe</dc:creator>
      <dc:date>2014-10-08T05:01:30Z</dc:date>
    </item>
  </channel>
</rss>

