Success3
Enthusiast
Enthusiast

Need help with 6.5 certificates.

Hello,

I am attempting to replace our hosts certificates. Here's what I am doing:

1) Created an openssl config file on the host and used openssl to generate a CSR

2) Had that signed by a Microsoft CA.

3) Imported the cert on my 6.5 host and it showed up fine on the host.

4) Attempted to add the host into VCSA 6.5 and received error "unable to get local issuer certificate".

I've changed the certmgmt mode for vcsa to custom as well.

Thanks in advance.

12 Replies
daphnissov
Immortal
Immortal

You're not following the right procedure in that case. Once you update the cert on the ESXi host, you have to import it into VECS on the vCSA to establish trust. Since you're not using VMCA, this is an entirely manual process. I'd recommend you read the documentation that covers certificate management of ESXi hosts.

Success3
Enthusiast
Enthusiast

Thanks. However, I've followed the steps as listed but I still receive the following error while attempting to add the host to vCenter. Also, restarted the services on the VCSA.

"Unable to get local issuer certificate"

Does it matter if the host & vCenter are not joined to the domain? Does the vCenter root cert need to be replaced with a signed one from the CA before this work?

0 Kudos
daphnissov
Immortal
Immortal

That shouldn't matter, but have you configured the vCSA to trust the root CA cert which signed the ESXi certs?

That aside, do you have a hard requirement to replace ESXi certs even though they're joined to a vCenter? I see this quite often where people think they need to replace host certs and when you get down to it, they find they don't. So what is your objective with implementing PKI? What are the true requirements?

0 Kudos
Success3
Enthusiast
Enthusiast

So that's probably my mistake. I added the esxi signed cert to the Trusted store. You're saying I need to add the actual CA root cert to the Trusted store?

Hosts must have custom CA signed certificates. From my understanding only the hosts need to have signed certs; not positive on the requirement for vCenter yet.

0 Kudos
daphnissov
Immortal
Immortal

Yes, vCenter still needs to trust who signed the certs as well. It's odd you would have a requirement to replace ESXi certs yet not vCenter (where users/applications login).

0 Kudos
Success3
Enthusiast
Enthusiast

Cool. Unfortunately ran into another issue....trying to add the cert into the Trusted Roots store gives me error 4294967295 "Can't contact LDAP server"

Seen that before?

0 Kudos
Success3
Enthusiast
Enthusiast

Bump.

I've tried adding the CA cert and the CA chain into the Trusted Roots store but keep getting "LDAP error: Can't contact LDAP server" Win Error: "Operation failed with error -l (4294967295)

Really need to get this figured out.

Thanks..

0 Kudos
daphnissov
Immortal
Immortal

No idea what that has to do with certificate installation/replacement. What LDAP server(s) do you have configured in your SSO configuration? Are any unreachable?

0 Kudos
Success3
Enthusiast
Enthusiast

Not sure either. SSO is joined to my domain no issues there. I can ping from vCenter to my DC and DC to vCenter so they are talking between each other.

Really confused on why it's even caring about LDAP. All I want to do is add a certificate into the store.

0 Kudos
fm2ahmed
Contributor
Contributor

I am getting exactly the same issue. There are some ESXi hosts that need certs signed by our Internal CA.

What do you mean when you say "vCenter still needs to trust who signed the certs as well"?? What do i do on the vCSA 6.5 to get that resolved. At the moment vCSA has got the default signed cert and we just need to change the ESXi hosts certs with custom one's.

0 Kudos
daphnissov
Immortal
Immortal

What do you mean when you say "vCenter still needs to trust who signed the certs as well"??

I mean the vCSA still has to trust who issued the certs and not just the certs themselves. This is standard practice for any PKI system, btw. You need to import the root CA certificate into the vCSA into its trusted root store. If you haven't already, read the documentation that covers this here.

0 Kudos
fm2ahmed
Contributor
Contributor

Many Thanks for clarifying that. I will get in touch with the relevant department and will update once the issue is resolved.

0 Kudos