VMware Workspace ONE Community
ekrejci
Enthusiast

Applying an SSL Certificate from a Private Certificate Authority generates an error

Hello,

I’m trying to set an SSL cert generated from our internal CA.

I went through the installation documentation at the "Applying an SSL Certificate from a Private Certificate Authority" chapter (page 72 of http://pubs.vmware.com/horizon-workspace-10/topic/com.vmware.ICbase/PDF/horizon_workspace_10_install...)

When I add the certificate in PEM format and afterwards log back in to the admin web interface, I can see that the new certificate has been applied. But when I want to log in, the following error appears:

Error

Request failed: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I must set the certificate back to the generated one to be able to make it work again.

If you have any suggestion, it is more than welcome, because this point is quite blocking for pushing the infrastructure into pre-production.

Many thanks

Eric

25 Replies
sravuri
VMware Employee

Hmm, that should do it. Can you send the logs from service-va and connector-va?

mjpagan
Enthusiast

I wonder if your certificate was built correctly. I did this yesterday and maybe I just got lucky. I used this article to help me format the certificate correctly after I had converted my .PFX to a .PEM. (I needed to open/edit the .PEM to copy and paste the sections into the fields.)

http://www.digicert.com/csr-creation-ssl-installation-zimbra.htm#install

Make sure to include the beginning and end tags on each certificate. The result should look like this:

-----BEGIN CERTIFICATE-----
(Your First Intermediate certificate: DigiCertCA.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Second Intermediate certificate (if applicable): DigiCertCA2.crt)
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
(Your Root certificate: TrustedRoot.crt)
-----END CERTIFICATE-----

I converted my PFX to a PEM at this website: https://www.sslshopper.com/ssl-converter.html

Mike Pagán MCITP:EA, MCSE, VCAP5-DCA, VCAP5-DCD,VCP 5, VCP5-DT, CCNA, A+
rsjensen
Contributor

It might be that your internal Root CA (and/or subordinate and issuing CA servers) is not trusted by the connector-va.

To solve that, import your Root CA into the trust store on the connector-va:

/usr/java/jre1.6.0_37/bin/keytool -import -trustcacerts -file /tmp/<your-root-CA>.cer -alias <your-alias> -keystore /usr/java/jre-vmware/lib/security/cacerts

The password is: changeit

When it prompts for acceptance, type yes.

Reboot the connector.

sravuri
VMware Employee

The wizardssl.hzn command is supposed to add the cert to the trusted authority list on all VAs.

jamgol
Enthusiast

I've tried the 'wizardssl.hzn' method with three different sets of certs .... same result for all.

Enough playing, I've logged an SR to get it fixed, will let you know what they come up with.

Cheers

Schoppert
VMware Employee

The documentation Eric is referring to is a bit vague. Eric, would you mind listing out the steps you followed or your shell history, just so I can see what happened?

Schoppert
VMware Employee

jamgol, if you want to send me a private message with one of the sets of certs that isn't working for you, I can try to reproduce your scenario in order to figure out what is going on.

jamgol
Enthusiast

Done,

Just got an email from support asking for log files from %program files% and to change some registry settings ..... oh dear ... this isn't going to go well.

Let me know what you can make of the cert chain, all appears to be fine to me.

Thanks

ekrejci
Enthusiast

Hi,

I've sent the logs to sravuri.

@Schoppert you are more than right when you say that the documentation is vague.

What I did was:

generated PEM files with openssl (openssl pkcs12 -in rui.pfx -out gateway.pem -nodes) from the pfx generated using VMware's documentation

in the PEM, I have the cert of the gateway, its private key and the public cert of the CA that issued the cert.

then from the gateway.pem I generated a root_ca_cert.pem with our internal CA public cert, a <hostname>_cert.pem and a <hostname>_key.pem.

and finally used the "documentation":

on the configurator, deleted *.pem from /usr/local/horizon/conf/

copied my certs to /usr/local/horizon/conf/

and ran /usr/local/horizon/lib/menu/secure/wizardssl.hzn

and finally, in the web console of the connector and configurator, added (tried to add) the cert in PEM format in the SSL part.

Eric

firestartah
Virtuoso

The VMware documents were terrible to follow, so I used Derek Seaman's blog postings here: http://derek858.blogspot.co.uk/2012/09/vmware-vcenter-51-installation-part-2.html

Much easier to follow.

If you found this or other information useful, please consider awarding points for "Correct" or "Helpful". Gregg http://thesaffageek.co.uk
Schoppert
VMware Employee

Ok, apparently the documentation led you astray. The documentation wants you to load your own root CA cert + key into that directory and have the wizard script use that cert and key to generate all the VM-specific certs.

So, you would create a new root CA + key and copy them into the directory and name the files root_ca.pem and root_ca_key.pem.

Then run the wizardssl script.

If you want to just load your SSL cert (rooted into a custom CA) into the gateway as the "customer facing cert" ... but leave all the internal vApp certs alone ... I need to find the doc for how to add the custom CA to all the machines in the vApp.

ekrejci
Enthusiast

Ok, much clearer now.

The thing is that our security team, who manage our CA, will NEVER give me the private key of our CA. That's for sure.

Now, what I want to do is exactly load our SSL cert into the gateway. So the question is:

how can an internal CA cert be added to the different keystores used by the vApp in order to have the SSL cert trusted all the way down?

If you want, I can use the suggestion of rsjensen to manually import the CA cert:

/usr/java/jre1.6.0_37/bin/keytool -import -trustcacerts -file /tmp/<your-root-CA>.cer -alias <your-alias> -keystore /usr/java/jre-vmware/lib/security/cacerts

I tried in the first place to directly include the CA cert in the configurator wizard:

-----BEGIN CERTIFICATE-----
(SSL Cert)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Root CA cert)
-----END CERTIFICATE-----

The import went fine, but I had the error when I wanted to log in to the gateway (see my first entry in the thread).

What should be my next move?

Many thanks

Eric

ekrejci
Enthusiast

I just want to add that I'm not certain you will find a lot of security admins managing an internal CA who will let their private key be used in such a platform.

I've just talked with our CISO about this usage. He was quite astonished. He told me that this could highly endanger the SSL/certificate security strategy of our company. Just like Comodo...

So maybe you should reconsider the way SSL certs from a corporate CA are used: just have a mechanism that adds the corporate CA to the different keystores present in the vApp.

Eric

Schoppert
VMware Employee

Let's do the following steps:

  1. Undo what was done by the documentation 🙂
    1. On the configurator, clear out all certs in /usr/local/horizon/conf/*.pem
    2. Run /usr/local/horizon/lib/menu/secure/wizardssl.hzn
    3. This should create a new local CA cert, and generate individual SSL certs for all machines in the vApp.
  2. Install your CA cert on all machines in the vApp. For each machine, do the following:
    1. Copy your CA cert to: /etc/ssl/certs/horizon_private_ca.pem
    2. Run c_rehash
    3. On service and connector, run /usr/java/jre1.6.0_37/bin/keytool -import -trustcacerts -file /etc/ssl/certs/horizon_private_ca.pem -alias horizon-private-ca -keystore /usr/java/jre-vmware/lib/security/cacerts
    4. On data, run /opt/zimbra/jdk1.7.0_15/jre/bin/keytool -import -trustcacerts -file /etc/ssl/certs/horizon_private_ca.pem -alias horizon-private-ca -keystore /opt/zimbra/jdk1.7.0_15/jre/lib/security/cacerts
  3. Install your SSL cert + chain using the configurator UI
    1. Paste your SSL cert into the text box, followed by the cert chain, and root CA
    2. Paste the SSL cert private key into that text box

That should be enough to get your vApp up and running using your private CA cert as the customer facing SSL cert on the gateway.

Note that when adding another VM to this vApp, you may need to re-do step 2 for that newly added machine.

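As an added example (not VMware's code or anything posted in this thread), a standard-library Python check for step 3.1 above: it parses the certificate blocks you are about to paste and reports when they are not in the order gateway cert, intermediate chain, self-signed root, or when the private key has landed in the certificate box instead of its own. The sample chain at the bottom is constructed from unsigned stand-in certificates (the hypothetical `fake_cert` helper), so only the TBS field layout is real; for an actual bundle, read your PEM file into a string and pass it to `check_bundle`.

```python
import base64, re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def _tlv(der, pos):  # decode the DER header at pos -> (tag, value_start, element_end)
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(der, pos):  # yield (tag, start, end) for each element inside the constructed TLV at pos
    _, pos, end = _tlv(der, pos)
    while pos < end:
        tag, _, elem_end = _tlv(der, pos)
        yield tag, pos, elem_end
        pos = elem_end

def issuer_subject(der):
    """Raw DER encodings of the issuer and subject Names of one X.509 certificate."""
    tbs = next(_children(der, 0))               # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, sig }
    fields = list(_children(der, tbs[1]))       # TBSCertificate fields, in order
    if fields[0][0] == 0xA0:                    # skip the optional [0] EXPLICIT version
        fields = fields[1:]
    issuer, subject = fields[2], fields[4]      # serialNumber, signature, issuer, validity, subject, ...
    return der[issuer[1]:issuer[2]], der[subject[1]:subject[2]]

def check_bundle(text):
    """Return the problems found; an empty list means the bundle runs leaf -> chain -> root."""
    blocks = [(m.group(1), base64.b64decode(m.group(2))) for m in PEM_RE.finditer(text)]
    problems = [] if all(label == "CERTIFICATE" for label, _ in blocks) else ["non-certificate block found (the private key goes in its own text box)"]
    certs = [issuer_subject(der) for label, der in blocks if label == "CERTIFICATE"]
    for i in range(len(certs) - 1):             # each cert must be issued by the one pasted after it
        if certs[i][0] != certs[i + 1][1]:
            problems.append(f"certificate {i + 1} is not issued by certificate {i + 2} (out of order or incomplete)")
    if not certs or certs[-1][0] != certs[-1][1]:
        problems.append("bundle does not end with a self-signed root CA certificate")
    return problems

def _der(tag, content):  # tiny DER encoder for the constructed samples (contents under 256 bytes)
    return bytes([tag]) + (bytes([len(content)]) if len(content) < 0x80 else bytes([0x81, len(content)])) + content

def fake_cert(subject, issuer):  # constructed, unsigned stand-in certificate; only the TBS layout matters here
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
               + _der(0x30, issuer.encode()) + _der(0x30, b"") + _der(0x30, subject.encode()) + _der(0x30, b""))
    der = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"

# Constructed sample in the order step 3.1 asks for: gateway cert, then the issuing CA, then the self-signed root.
GOOD_BUNDLE = fake_cert("gateway.example", "Issuing CA") + fake_cert("Issuing CA", "Root CA") + fake_cert("Root CA", "Root CA")
```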
jamgol
Enthusiast

Brilliant, I'll try that now and let you know how it goes.

Do you see any reason why I couldn't use a wildcard SSL cert?

mjpagan
Enthusiast

I used one and it appears to be OK. I'm still working out some oddities, but so far I do not think they're certificate related.

Mike Pagán MCITP:EA, MCSE, VCAP5-DCA, VCAP5-DCD,VCP 5, VCP5-DT, CCNA, A+
jamgol
Enthusiast

I just read this line: "Paste your SSL cert into the text box, followed by the cert chain, and root CA" and inserted our cert and root cert all in that single box.

I tried doing that without doing anything else ............... problem solved!

Success!

I suspect the work done yesterday with the private and root keys probably helped.

I'm one happy camper ......... now to sort out this load balancer!

Thanks Schoppert, I owe you a beer or 7.

Cheers

sravuri
VMware Employee

Brett, thanks!

Eric, can you please verify that virtual user functionality is also working fine for you, after following the cert steps that Brett provided? I know you had issues with that, in beta, with certs.

eric_krejci
Enthusiast

Hi,

Thank you very much, Schoppert, for your procedure, which is working fine to add SSL certs from an internal CA.

Just a small typo on point 2.4 -> on data run /opt/zimbra/jdk1.7.0_15/jre/bin/keytool -import -trustcacerts -file /etc/ssl/certs/horizon_private_ca.pem -alias horizon-private-ca -keystore /opt/zimbra/jdk1.7.0_15/jre/lib/security/cacerts

The path is in fact:

on data run /opt/zimbra/jdk1.7.0_05/jre/bin/keytool -import -trustcacerts -file /etc/ssl/certs/horizon_private_ca.pem -alias horizon-private-ca -keystore /opt/zimbra/jdk1.7.0_05/jre/lib/security/cacerts

I also had, at the end, to restart the zimbra service on the data appliance in order to apply the new cacerts.

@sravuri, the issue with the virtual users is back, like in the Beta.

Do you want the logs of the data appliance?

Sincerely

Eric
