VMware Cloud Community
AdminTGal81
Contributor

SSL Certificate on ESX Hosts

Hi All,

When connecting to the ESX servers using my VI Client, I get an SSL Security warning stating that there is an untrusted SSL certificate. I've pre-trusted the certificate and put it in my Trusted Root Certificate Authorities store, and the security warning still pops up every time I log in to the local ESX hosts (not Virtual Center). Does anyone know why I continue to receive this warning even though I've pre-trusted the root certificate for all my ESX hosts?

Thanks in advance!

Texiwill
Leadership

Hello,

When connecting to the ESX servers using my VI Client, I get an SSL Security warning stating that there is an untrusted SSL certificate. I've pre-trusted the certificate and put it in my Trusted Root Certificate Authorities store, and the security warning still pops up every time I log in to the local ESX hosts (not Virtual Center). Does anyone know why I continue to receive this warning even though I've pre-trusted the root certificate for all my ESX hosts?

Refer to http://www.vmware.com/pdf/vi_vcserver_certificates.pdf for some help on this. But this also depends on how you 'pre-trusted' the certificates. Also, are you pre-trusting the certificates given to you from VMware or using your own CA? The VIC does not like 'self-signed' certificates.


Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.

Blue Gears and SearchVMware Pro Blogs: http://www.astroarch.com/wiki/index.php/Blog_Roll

Top Virtualization Security Links: http://www.astroarch.com/wiki/index.php/Top_Virtualization_Security_Links

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
AdminTGal81
Contributor

I have referred to that PDF, and it told me that I could simply pre-trust the default certificates presented to me by the ESX hosts. Even after putting them in my certificate manager I still get the warning. We did replace the original certificate for Virtual Center with our own self-signed cert and that fixed that problem, but according to the PDF you've referred me to, all we have to do is pre-trust them.

Side note: after pre-trusting them, if I view the cert it says that it is OK, but the error message still appears when logging on.

Thanks!

Texiwill
Leadership

Hello,

Side note: after pre-trusting them, if I view the cert it says that it is OK, but the error message still appears when logging on.

That is very interesting. Perhaps one of the VMware Employees on this forum could comment?


Best regards,

Edward L. Haletky

AdminTGal81
Contributor

By the way, for the sake of those reading this thread, the PDF we've been talking about leaves out some steps. After recreating the SSL cert for the Virtual Center server, the service would not start. The document doesn't mention that you have to run the vpxd.exe -p command. Also, changing the ESX host server SSL certs is not as easy as the document explains. We tried replacing those certificates but could not reconnect the ESX hosts back to the Virtual Center server. We received the error "the ssl certificate of the remote host could not be validated." We followed the instructions in the PDF, and after many attempts and much research we could not get the ESX hosts to connect back to the Virtual Center. We simply deleted the self-signed certs we created and restarted the mgmt-vmware service; the hosts created their own self-signed certs, and then we were able to get them to reconnect to the Virtual Center server.

Does anybody have some advice on changing the SSL certs on the hosts?

scerazy
Enthusiast

Same here, changing ESX SSL certificates gives a hard time reconnecting this host to VC again.

Seb

admin
Immortal

As it happens, I just went through this process for my benefit yesterday and the documentation is admittedly a bit lacking. We need to get the doc updated with some missing steps.

Here is probably your issue: the file created by the Windows CA was not created in text form, and the file needs to be converted to the proper format for the VC agent (vpxa) to understand it. To do this, you need to log in to your ESX host, change to the /etc/vmware/ssl directory and issue the following commands. You will be using the included OpenSSL tools installed within the ESX service console.

openssl x509 -text -in rui.crt -out rui.text (this will put the file in the proper format)

mv rui.crt /tmp/rui.crt-old (this is to back up the original)

mv rui.text rui.crt (this is to replace the file)

Please try this and let me know if it helps.

BTW...if you find anything else missing from the doc, let me know.

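As an added example (not the poster's commands), the steps above as a script that first checks how the exported rui.crt is encoded, applies the conversion from the answer, keeps the backup and then confirms that rui.key still matches the converted certificate. It assumes the openssl binary of the ESX service console; the -inform DER fallback for binary exports is my addition and is not in the thread.

```shell
#!/bin/sh
# Added example, not the poster's commands: check how rui.crt is encoded,
# apply the conversion from the accepted answer, keep a backup and confirm
# rui.key still matches. Assumes the openssl binary of the ESX service console.
set -eu

# Report the encoding of a certificate file: "pem" (Base-64 text with a
# BEGIN CERTIFICATE header), "der" (binary, first byte is the 0x30 SEQUENCE
# tag) or "unknown".
cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        echo pem
    elif [ "$(od -An -N1 -tx1 "$1" | tr -d ' ')" = 30 ]; then
        echo der
    else
        echo unknown
    fi
}

# Windows CA exports often carry CRLF line endings; say so, because a PEM
# file with CRs can still be rejected by a strict parser.
has_crlf() {
    if grep -q "$(printf '\r')" "$1"; then echo yes; else echo no; fi
}

# Convert $1/rui.crt as the thread describes and verify the result.
convert_rui_crt() {
    dir=$1; crt=$dir/rui.crt; key=$dir/rui.key; src=$crt
    if [ "$(cert_format "$crt")" = der ]; then
        # Binary export: decode to PEM first (my addition, not in the thread).
        openssl x509 -inform DER -in "$crt" -out "$dir/rui.pem"; src=$dir/rui.pem
    fi
    if [ "$(has_crlf "$src")" = yes ]; then
        tr -d '\r' < "$src" > "$dir/rui.lf"; src=$dir/rui.lf
    fi
    # The accepted answer's step: a text dump followed by the PEM block.
    openssl x509 -text -in "$src" -out "$dir/rui.text"
    cp -p "$crt" /tmp/rui.crt-old        # backup, as in the thread
    mv "$dir/rui.text" "$crt"
    # Key and certificate must share a modulus, otherwise the host presents a
    # certificate it cannot prove it owns and the TLS handshake with VC fails.
    cmod=$(openssl x509 -noout -modulus -in "$crt")
    kmod=$(openssl rsa -noout -modulus -in "$key")
    [ "$cmod" = "$kmod" ] || { echo "rui.key does not match rui.crt" >&2; return 1; }
    # Fingerprint to compare against the one the VI Client warning shows.
    openssl x509 -noout -fingerprint -sha1 -in "$crt"
}

if [ $# -gt 0 ]; then convert_rui_crt "$1"; fi
```

Run it as `sh fix_rui_crt.sh /etc/vmware/ssl` and restart the management agents afterwards so the host re-reads the converted file.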
scerazy
Enthusiast

I already have the correct rui.key & rui.crt, as I use them on the VC server (apart from the VC problem of not correctly understanding wildcard certificates with a chain)

where they are OK

I had to give up the testing for now till I have my test ESX server back in the rack (do not feel good trying it on the live servers)

Seb

admin
Immortal

The ESX hosts need the rui.crt file to be in a different format than VC does. This is what the instructions I gave should help you do: put the rui.crt in the correct format.

scerazy
Enthusiast

OK, that DOES work correctly

The only problem is that ESX as well as VC does NOT understand proper certificate-authority-issued WILDCARD * certificates that require a chain.

And that is a pity

Seb

Texiwill
Leadership

Hello,

While I am sure Rob will bring this up internally, I strongly urge you to talk to your official VMware Sales or Support Representative and make a request for improvement to add this feature. Do not rely on just the forums for this to happen; the forums are unfortunately not always effective for getting things improved.


Best regards,

Edward L. Haletky

matzter
Contributor

Thanks for all your help.

I didn't manage to change the database name at all, the best I could do was to change the user names.

Now my DB name is RSA (why ever that is) for the SSO Service of the vSphere VirtualCenter.
