glucot
Contributor

Certificate warning when logging in to VC server


I read another thread that discussed replacing the default certificate used by VC. I want to use the default certificate. I viewed the certificate and started the installation wizard from the view certificate dialog. This doesn't fix the problem. Does anyone have any suggestions?

0 Kudos
1 Solution

Accepted Solutions
RParker
Immortal

The certificate allows you to create a trust between your client and the VC. By default there is no secure certificate, which is why the VIC complains. If you install something like VeriSign, and then use SSL to connect to your host / VC (this is enforced on the VC settings options) you can then know you are establishing a secure connection. If you don't care, or it's not necessary to ensure secure connections (so people can't sniff your console and find out credentials) such as in a public place, you can simply click "ignore" and the check box so it won't bother you anymore.

This is part of VMware's security initiative to allow the VIC to be used by other people and so they can't "spoof" a connection from a client that isn't certified over a secure connection.


0 Kudos
7 Replies
cmanucy
Hot Shot

You should read the warning - you've probably reduced the set of warnings now, but not eliminated them (thus why you still get the message).

If you accepted the signing authority of the cert, that's one step. But if the name doesn't match, that's another problem - and you'll get that warning so long as the hostname doesn't match the certificate.



----

Carter Manucy
0 Kudos
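Added example, not part of the original thread: the two independent checks described in the reply above (issuer trust and name match), written in Python over a certificate dict shaped like the one `ssl.SSLSocket.getpeercert()` returns. The certificate contents and host names are constructed, and the matching rules are a simplified form of standard TLS hostname checking, not the VI Client's own code.

```python
import ipaddress

def cert_names(cert):
    """Return (dns_names, ip_strings) the certificate is valid for."""
    san = cert.get("subjectAltName", ())
    dns = [v.lower() for k, v in san if k == "DNS"]
    ips = [v for k, v in san if k == "IP Address"]
    if not dns and not ips:
        # Legacy fallback: no SAN at all, so use the subject commonName.
        dns = [v.lower() for rdn in cert.get("subject", ())
               for k, v in rdn if k == "commonName"]
    return dns, ips

def name_matches(pattern, host):
    """Compare label by label; '*' is honoured only as the whole left-most label."""
    p = pattern.lower().split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False          # a wildcard never spans more than one label
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h

def remaining_warnings(cert, connect_to, issuer_trusted):
    """List the warnings a client would still raise for this connection."""
    dns, ips = cert_names(cert)
    try:
        target = ipaddress.ip_address(connect_to)
        ok = any(ipaddress.ip_address(i) == target for i in ips)
    except ValueError:        # not an IP literal, so treat it as a host name
        ok = any(name_matches(d, connect_to) for d in dns)
    warnings = []
    if not issuer_trusted:
        warnings.append("untrusted issuer")
    if not ok:
        warnings.append("name mismatch")
    return warnings

# Constructed sample certificate (hypothetical names, not taken from the thread).
CERT = {"subject": ((("commonName", "vc01.corp.example"),),),
        "subjectAltName": (("DNS", "vc01.corp.example"),)}

if __name__ == "__main__":
    for host, trusted in [("localhost", False), ("localhost", True),
                          ("vc01.corp.example", True)]:
        print(host, trusted, remaining_warnings(CERT, host, trusted))
```

Trusting the issuer removes only the first warning; the second clears only when the name typed into the client is one the certificate lists.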
mike_laspina
Champion

Replacing the certificate is not trivial, so I would suggest you not go there unless there is a good security reason to do so.

The cert UI ignore is actually a reg entry flag for the host signature, and it is located in the following hive for VI25:

HKEY_CURRENT_USER\Software\VMware\Virtual Infrastructure Client\Preferences\UI\SSLIgnore

Check to see if it is there.

Maybe something is not installed correctly or there is a permissions issue?

http://blog.laspina.ca/ vExpert 2009
0 Kudos
glucot
Contributor

The name mismatch is the problem. I'm surprised the installation of VC didn't produce a cert with correct names. I know I can check the box in the UI to ignore the error; this defeats the purpose of using the cert.

0 Kudos
glucot
Contributor

If I understand you correctly, you are saying the default behavior of the VC is to expect a secure connection between the VC and the client, but installing the client doesn't generate the correct certificate for this purpose. If I'm not concerned about the error I should just ignore it. Having a network security background, this seems like odd out-of-the-box behavior. But since I am running the client on the same box as VC, I guess I'll just ignore the error.

0 Kudos
glucot
Contributor

Once I check the ignore box on the UI, the error message goes away. What I really wanted to do was fix the problem rather than ignore it. I'm going to just ignore the error right now since this isn't in production.

0 Kudos
RParker
Immortal

The only way to do this is to get a viable certificate. You would have to set up a certificate server or some other method to authenticate the certificate. If you don't need external access then you shouldn't have to worry about it. They are just issuing a certificate for security purposes, but it doesn't affect service one way or the other, so you can safely ignore it.

If you have VeriSign or something authenticate the certificate, or one issued by Kerberos on your network, you can use that. Then you have to configure the VC server to communicate or add it to the domain if it's not already. This is a lot of trouble for something that you may or may not have a need to allow people that are not part of your organization, like contractors, just so the VIC can have a valid certificate. It's for a trust. That's why you can ignore it.