Hi All,
When connecting to the ESX servers using my VI Client, I get an SSL Security warning stating that there is an untrusted SSL certificate. I've pre-trusted the certificate and put it in my Trusted Root Certification Authorities store, and the security warning still pops up every time I log in to the local ESX hosts (not VirtualCenter). Does anyone know why I continue to receive this warning even though I've pre-trusted the root certificate for all my ESX hosts?
Thanks in advance!
As it happens, I just went through this process for my own benefit yesterday, and the documentation is admittedly a bit lacking. We need to get the doc updated with some missing steps.
Here is probably your issue: the file created by the Windows CA was not created in text form, and the file needs to be converted to the proper format for the VC agent (vpxa) to understand it. To do this, you need to log in to your ESX host, change to the /etc/vmware/ssl directory and issue the following commands. You will be using the OpenSSL tools installed within the ESX service console.
openssl x509 -text -in rui.crt -out rui.text (this will put the file in the proper format)
mv rui.crt /tmp/rui.crt-old (this is to back up the original)
mv rui.text rui.crt (this is to replace the file)
Please try this and let me know if it helps.
BTW...if you find anything else missing from the doc, let me know.
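The conversion above as an added shell example (not from this thread or from VMware): it detects whether rui.crt is binary (DER) or text (PEM), converts it to PEM, and refuses to install it unless it matches rui.key, so a bad pair is caught before the host starts presenting it. The /etc/vmware/ssl layout and the rui.crt/rui.key names are taken from the thread; SSL_DIR is an assumed override so the script can be exercised on a scratch directory.

```shell
#!/bin/sh
# Added example: normalise an ESX rui.crt to PEM and check it before
# installing it. SSL_DIR defaults to the ESX path named in the thread
# and can be overridden (e.g. to a temp directory) for a dry run.
set -eu

SSL_DIR="${SSL_DIR:-/etc/vmware/ssl}"

# Print PEM or DER depending on how the certificate file is encoded.
# A Windows CA typically exports a binary (DER) .cer; vpxa wants PEM text.
cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        echo PEM
    else
        echo DER
    fi
}

# Write a PEM copy of $1 to $2, converting from DER when needed.
# Safe to run on a file that is already PEM.
to_pem() {
    if [ "$(cert_format "$1")" = DER ]; then
        openssl x509 -inform DER -in "$1" -out "$2"
    else
        openssl x509 -in "$1" -out "$2"
    fi
}

# Succeed only if the certificate's RSA modulus equals the private key's;
# with a mismatched pair the host cannot complete a TLS handshake at all.
key_matches_cert() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1")
    key_mod=$(openssl rsa -noout -modulus -in "$2")
    [ "$cert_mod" = "$key_mod" ]
}

# Mirror the backup-then-replace steps from the thread, but only after
# the converted certificate has been checked against rui.key.
install_rui_crt() {
    tmp="$SSL_DIR/rui.crt.pem"
    to_pem "$SSL_DIR/rui.crt" "$tmp"
    if ! key_matches_cert "$tmp" "$SSL_DIR/rui.key"; then
        echo "rui.crt does not match rui.key; leaving the original in place" >&2
        rm -f "$tmp"
        return 1
    fi
    cp -p "$SSL_DIR/rui.crt" "$SSL_DIR/rui.crt-old"
    mv "$tmp" "$SSL_DIR/rui.crt"
}
```

After a successful install the management service still has to be restarted (the thread mentions mgmt-vmware) for the host to start presenting the new certificate.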
Hello,
When connecting to the ESX servers using my VI Client, I get an SSL Security warning stating that there is an untrusted SSL certificate. I've pre-trusted the certificate and put it in my Trusted Root Certification Authorities store, and the security warning still pops up every time I log in to the local ESX hosts (not VirtualCenter). Does anyone know why I continue to receive this warning even though I've pre-trusted the root certificate for all my ESX hosts?
Refer to http://www.vmware.com/pdf/vi_vcserver_certificates.pdf for some help on this. But this also depends on how you 'pre-trusted' the certificates. Also, are you pre-trusting the certificates given to you from VMware, or using your own CA? The VIC does not like 'self-signed' certificates.
Best regards,
Edward L. Haletky
VMware Communities User Moderator
====
Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.
Blue Gears and SearchVMware Pro Blogs: http://www.astroarch.com/wiki/index.php/Blog_Roll
Top Virtualization Security Links: http://www.astroarch.com/wiki/index.php/Top_Virtualization_Security_Links
I have referred to that PDF, and it told me that I could simply pre-trust the default certificates presented to me by the ESX hosts. Even after putting them in my certificate manager I still get the warning. We did replace the original certificate for VirtualCenter with our own self-signed cert and that fixed that problem, but according to the PDF you've referred me to, all we have to do is pre-trust them.
Side note: after pre-trusting them, if I view the cert it says that it is OK, but the error message still appears when logging on.
Thanks!
Hello,
Side note: after pre-trusting them, if I view the cert it says that it is OK, but the error message still appears when logging on.
That is very interesting. Perhaps one of the VMware Employees on this forum could comment?
Best regards,
Edward L. Haletky
VMware Communities User Moderator
By the way, for the sake of those reading this thread: the PDF we've been talking about leaves out some steps. After recreating the SSL cert for the VirtualCenter server, the service would not start. The document doesn't mention that you have to run the vpxd.exe -p command. Also, changing the ESX host server SSL certs is not as easy as the document explains. We tried replacing those certificates but could not reconnect the ESX hosts back to the VirtualCenter server. We received the error "the ssl certificate of the remote host could not be validated." We followed the instructions in the PDF, and after many attempts and much research we could not get the ESX hosts to connect back to VirtualCenter. We simply deleted the self-signed certs we had created and restarted the mgmt-vmware service; the hosts created their own self-signed certs, and then we were able to get them to reconnect to the VirtualCenter server.
Does anybody have some advice on changing the SSL certs on the hosts?
Same here: changing ESX SSL certificates makes it a hard time to reconnect the host to VC again.
Seb
I already have the correct rui.key & rui.crt, as I use them on the VC server (apart from the VC problem of not correctly understanding wildcard certificates with a chain), where they are OK.
I had to give up the testing for now till I have my test ESX server back in the rack (do not feel good trying it on the live servers)
Seb
The ESX hosts need the rui.crt file to be in a different format than VC does. This is what the instructions I gave should help you do: put the rui.crt in the correct format.
OK, that DOES work correctly
The only problem is that ESX, as well as VC, does NOT understand proper certificate-authority-issued WILDCARD (*) certificates that require a chain.
And that is a pity
Seb
Hello,
While I am sure Rob will bring this up internally, I strongly urge you to talk to your Official VMware Sales or Support Representative and make a request for improvement to add this feature. Do not rely on just the forums for this to happen, the forums are unfortunately not always effective for getting things improved.
Best regards,
Edward L. Haletky
VMware Communities User Moderator
Thanks for all your help.
I didn't manage to change the database name at all; the best I could do was to change the user names.
Now my DB name is RSA (for whatever reason) for the SSO service of the vSphere VirtualCenter.