VMware Cloud Community
hkevin
Contributor

SSL security alert when adding ESXi into vCenter after replacing with CA-signed certs on vCenter and ESXi

Good morning,

Here is my issue: after replacing the default SSL cert on both vCenter and ESXi (5.5), adding the ESXi host into vCenter pops up a security alert, 'Unable to verify the authenticity of the specified host.....', with 2 options, 'Yes' and 'No'. I just clicked 'No' and got an error: 'The SSL Certificate of the remote host could not be validated'.

Details:

I used a standalone Windows Server 2012 CA to issue the SSL certs for both vCenter and ESX.

I followed VMware KB 2057223 to implement the SSL cert on vCenter.

To implement the SSL cert on ESXi, I followed VMware KB 2015499.

From my Windows desktop box, I imported the Root CA from the CA Server 2012, and I can connect directly to vCenter or ESXi through the vSphere Client without any security alert.

So my expectation is that when adding ESXi into vCenter there should be no security alert, because both vCenter and ESXi got their SSL certs from the same Windows Server CA.

Thanks in advance for any help.

Message was edited by: hkevin I also tried to reformat the cert for vCenter to properly communicate with ESXi, and it did not resolve the issue. https://communities.vmware.com/thread/185460

2 Replies
hkevin
Contributor

My guess is that I have to import the root CA from the Windows Server 2012 CA on my vCenter Appliance. I tried copying cachain.pem into /etc/ssl/certs, then rebooted vCenter, and I still have the security alert when adding ESXi into vCenter.

hkevin
Contributor

After doing some research, I think I got my issue sorted out.

Here are my steps:

1. Log on to the CA Windows Server > Run > mmc > File > Add or Remove Snap-ins > Certificates > Add > Computer Account > Local computer > Finish.

2. Expand Certificates > Personal > Certificates > choose the certificate > All Tasks > Export > Next > Yes, export the private key > Export File Format > Next

3. Type a password and choose a location for the file.

After the above 3 steps, I have a <file.pfx> file.

4. Copy this file into the vCenter Appliance's /etc/ssl/certs (using WinSCP)

5. Run the command: openssl pkcs12 -in <file.pfx> -out <file.pem>

6. SSH into the vCenter Linux appliance and cd /etc/ssl/certs

7. Run the command: ln -s <file.pem> `openssl x509 -hash -noout -in <file.pem>`.0

However, I still do not quite understand the details of it and hope someone can explain it better.

Thanks.

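The mechanism behind steps 5 to 7 is OpenSSL's hashed trust directory: when a client verifies a chain with a CApath such as /etc/ssl/certs, it does not scan every file but opens <subject-name-hash>.0 (then .1, .2, ...), so the CA only becomes trusted once a file or link with that exact name exists. The script below, written for this thread as an added example and not taken from the poster, VMware or any KB article, rebuilds those steps in a scratch directory with a constructed lab CA standing in for the Windows Server 2012 CA and a constructed host certificate standing in for the ESXi one; every name, path and password in it is made up, and it only needs a POSIX shell and an openssl binary. It also shows the one thing worth catching in the posted step 5: a PFX exported with "yes, export the private key" and converted without -nokeys leaves the CA private key inside the .pem in a world-readable directory.

```shell
#!/bin/sh
# Added example, not the thread's or VMware's code. Recreates steps 5-7 in a
# temp dir with a constructed CA and host cert. All names/paths are made up.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
PFX_PASS='lab-export-pass'   # stands in for the password typed in step 3

# Minimal openssl config: lets -subj supply the DN and defines CA extensions.
cat >"$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Constructed stand-in for the Windows CA plus one host cert it issued
# (the role the ESXi certificate from KB 2015499 plays).
make_lab_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Lab Root CA (constructed)" -config "$WORK/openssl.cnf" \
    -extensions v3_ca -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=esxi01.lab.example" \
    -config "$WORK/openssl.cnf" -keyout "$WORK/host.key" -out "$WORK/host.csr" 2>/dev/null
  printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:esxi01.lab.example\n' >"$WORK/host.ext"
  openssl x509 -req -in "$WORK/host.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/host.ext" -out "$WORK/host.pem" 2>/dev/null
}

# Steps 1-3: an MMC export with "yes, export the private key" yields a PFX
# holding both the CA certificate and its private key.
export_pfx_like_mmc() {
  openssl pkcs12 -export -in "$WORK/ca.pem" -inkey "$WORK/ca.key" \
    -out "$WORK/ca.pfx" -passout "pass:$PFX_PASS"
}

# Step 5 as posted: without -nokeys the private key is written into the .pem.
pfx_to_pem_as_posted() {
  openssl pkcs12 -in "$WORK/ca.pfx" -out "$WORK/ca_with_key.pem" \
    -passin "pass:$PFX_PASS" -passout "pass:$PFX_PASS"
}

# Step 5 hardened: -nokeys keeps only the certificate.
pfx_to_pem_cert_only() {
  openssl pkcs12 -in "$WORK/ca.pfx" -out "$WORK/ca_cert_only.pem" -nokeys \
    -passin "pass:$PFX_PASS"
}

# Check a file destined for a world-readable trust directory for key material.
pem_has_private_key() {   # prints yes or no
  if grep -q 'PRIVATE KEY' "$1"; then echo yes; else echo no; fi
}

# Step 7: the -CApath lookup opens <subject-hash>.0, so the link name, not the
# file name, is what makes the CA discoverable. Prints the link name created.
install_trust_link() {    # $1 = store dir, $2 = CA pem
  mkdir -p "$1"
  cp "$2" "$1/ca.pem"
  hash="$(openssl x509 -hash -noout -in "$2")"
  ( cd "$1" && ln -sf ca.pem "$hash.0" )
  echo "$hash.0"
}

# Validate a host certificate against the store; prints OK or FAIL.
# (openssl verify also consults the system default store, which does not
# contain the constructed lab CA, so the result depends on $1 alone.)
verify_host() {           # $1 = store dir, $2 = host cert
  if openssl verify -CApath "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

make_lab_pki
export_pfx_like_mmc
pfx_to_pem_as_posted
pfx_to_pem_cert_only
echo "key in ca_with_key.pem:  $(pem_has_private_key "$WORK/ca_with_key.pem")"   # yes
echo "key in ca_cert_only.pem: $(pem_has_private_key "$WORK/ca_cert_only.pem")"  # no
mkdir -p "$WORK/store"
echo "before link: $(verify_host "$WORK/store" "$WORK/host.pem")"   # FAIL
echo "link: $(install_trust_link "$WORK/store" "$WORK/ca_cert_only.pem")"
echo "after link:  $(verify_host "$WORK/store" "$WORK/host.pem")"   # OK
```

The "before link" FAIL is the state the poster was in after copying cachain.pem into /etc/ssl/certs: the file was present but nothing pointed the hash lookup at it. On a real appliance, c_rehash run in the trust directory creates the same links for every certificate in it (including the older-style hash names that older OpenSSL builds look for), which is less error-prone than one ln -s per file; and the CA private key should never leave the CA at all, so export the certificate only, or at least convert with -nokeys as the hardened function does.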