VMware Cloud Community
jeffj2000
Enthusiast

InCommon SSL certs will not work with vCenter v8

We are trying to create our first custom machine_cert with vCenter v8 and we keep running into a "weak signature" error. We are using InCommon to sign the CSR that we create from vCenter. Does anyone else use InCommon? The root/intermediate chain is signed with SHA384 but is only 2048 bits. We just don't know enough about this to know what is wrong. We have created many certs for vCenter v7 using the method.

4 Replies
maksym007
Expert

How exactly and from where are you trying to generate a new Cert Request? 

From what I see, this is the first problem with certs in vSphere 8. In case you are sending the cert request to a Microsoft cert authority, check if the template is the correct one.

jeffj2000
Enthusiast

I have created the CSR using the certificate manager and also in the GUI, and then uploaded it to the InCommon registrar to sign it, as I have always done in v7. When I upload the cert and chain, either in the CLI or the GUI, I get the same error: it was signed using a weak algorithm. I just can't see that it is a weak algorithm on my side, as InCommon is a widely used registrar. Thank you.

jeffj2000
Enthusiast

We found the issue. InCommon was still cross-signing with a sha1 legacy root. We had to create a new certificate without that.

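To find which entry in a chain file carries the SHA-1 signature described in the reply above, each certificate's outer signatureAlgorithm OID can be read directly from the PEM blocks. The following is an added example, not part of the original thread or of any VMware or InCommon tooling; the function names and the sample chain are constructed for illustration, and the sample blocks mimic only a certificate's outer DER layout.

```python
import base64
import re

# Signature-algorithm OIDs built on SHA-1 (RFC 3279).
SHA1_SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsa-with-SHA1",
}
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def signature_oid(der):
    """Dotted OID of the outer Certificate.signatureAlgorithm field."""
    _, cert_start, _ = read_tlv(der, 0)        # Certificate SEQUENCE
    _, _, tbs_end = read_tlv(der, cert_start)  # skip tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)   # AlgorithmIdentifier SEQUENCE
    tag, start, end = read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected an OBJECT IDENTIFIER")
    arcs, value = [der[start] // 40, der[start] % 40], 0
    for byte in der[start + 1:end]:            # base-128 sub-identifiers
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def sha1_signed(pem_bytes):
    """Return [(position, algorithm)] for PEM blocks signed with SHA-1."""
    oids = [signature_oid(base64.b64decode(m.group(1)))
            for m in PEM_RE.finditer(pem_bytes)]
    return [(i, SHA1_SIG_OIDS[o]) for i, o in enumerate(oids) if o in SHA1_SIG_OIDS]

def constructed_block(sig_oid):
    """Constructed sample: DER with a certificate's outer layout, not a real cert."""
    seq = lambda body: b"\x30" + bytes([len(body)]) + body
    der = seq(seq(b"\x02\x01\x01") + seq(sig_oid + b"\x05\x00") + b"\x03\x02\x00\x00")
    return b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der) + b"\n-----END CERTIFICATE-----\n"

# Constructed chain: two SHA-384 blocks, then one with a SHA-1 signature OID.
CHAIN = (constructed_block(bytes.fromhex("06092a864886f70d01010c")) * 2
         + constructed_block(bytes.fromhex("06092a864886f70d010105")))
```

Passing the bytes of a real chain file to `sha1_signed` returns the zero-based position of each SHA-1-signed certificate in the file. RSASSA-PSS signatures keep their hash in the algorithm parameters and are not covered by this OID check.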
jmeg8r16
Contributor

How exactly did you regenerate without the sha1 signing cert? I have tried a few times and, so far, no success. The new cert installs fine, but it still tries to use the sha1 cert. I must be missing something in the process.
