dmaster
VMware Employee
VMware Employee

Replace VMware Virtual Center SSL Certificate with Microsoft CA

Hello All,

I'm trying to replace the default SSL certificates from Virtual Center 2.01 with certificates from my own Microsoft Enterprise root CA..

I followed this howto..

http://edward.aractingi.net/blog/archives/virtualization/[/b]

in this article i'am missing how i get my rui.crt[/b] certificate ?

i am only able to get the rui.pem[/b] , rui.pfx[/b] and rui.key[/b] files

And this howto..

http://www.vmware.com/pdf/vi_vcserver_certificates.pdf[/b]

(I get the feeling that this document is not meant for a Microsoft CA just a local root CA)

in this article i get stuck on page 8 with the line..

openssl ca -out ruit.crt -config openssl.cnf -infiles mycsr.csr

error message[/b]

c:\Program files\openssl\openssl ca -out Webaccess.crt -config openssl.cfg -infiles Webaccess.csr

Using configuration from openssl.cfg

Loading 'screen' into random state - done

unable to load CA certificate

3360:error:0906D06C:PEM routines:PEM_read_bio:

no start line:.\crypto\pem\pem_lib.c:663:Expecting: CERTIFICATE

Was anybody able to replace this certificates ? Who can help me out ?

0 Kudos
58 Replies
masaki
Virtuoso
Virtuoso

the certificates are on the ESX HOST under /etc/vmware/ssl

0 Kudos
RobMokkink
Expert
Expert

I install the openssl tools on the VC server and then do a request to the MS CA website.

When the certificate is in, i use a couple of openssl commands to export it to openssl format, so that VC can use it.

Currently i can't access the documents, when i am home i will post them here.

0 Kudos
dmaster
VMware Employee
VMware Employee

Do i also have to replace the certificates from my esx3 host to get VC2 and Webaccess working with my Microsoft Enterprise root CA ?

according page 4 of the VMware white paper i have to replace rui.key , rui.crt and rui.pfx

i cannot figer out how i get my new rui.crt certificate, probably with openssl but i don't know the exact syntax.. as you can see in the error message..

0 Kudos
Tr0llk1ng
Contributor
Contributor

rui.crt as far as i know is just the Root Certificate to trust. you can check if you open the file on a windows client - it shows the root certificate. (you can also open the PFX with "testpassword" as password.. found this in the pdf above..)

basically i've the same problem afterwards, i've tried to replace the rui files but restart of the Virtual Center Server leads to an unexpected terminate of the service without information why.. Change back to original RUI and everything works fine.

also tested to change PFX password to testpassword or without password, now change..

anybody able to change the ssl certificate of just the web access?

0 Kudos
RobMokkink
Expert
Expert

do this:

install openssl tools on VC server.

generate a new key:

openssl genrsa 1024 > rui.key

Create a signing request:

openssl req -new -key rui.key > rui.csr

Open the rui.csr with a text editor and select all the text.

Issue the certificate on the MS CA and download the cert file to rui.crt

Then convert the rui.crt to rui.pfx with the following command:

openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui -passout

pass:testpassword -out rui.pfx

dmaster
VMware Employee
VMware Employee

Hello All,

i managed to replace my virtualcenter 2.01 certificates, so i can use virtualcenter webaccess without getting a warning of untrusted certificates..

+++++++++++++++++

But[/b] what about the certificates : rui.key and rui.crt wich are located on the ESX Server Host (/etc/vmware/ssl/[/b] ) ? Do i have to replace them also ? Do i have to create new certificates for the ESX server host ?

What is the advantage of that ? Is this necessary when you replaced the virtualcenter host certificates ?

+++++++++++++++++

i created a small howto for replacing the VC2 host certificates..

Thanks Rob for your hint about creating the rui.crt certificate..

*********************************************************

Howto - Create new certificates with Openssl and Microsoft Certificate Services Web Enrollment for VirtualCenter 2.01

rui.key

=======

openssl genrsa 1024 > rui.key

rui.csr

=======

openssl req -new -key rui.key > rui.csr -config openssl.cfg

when asked for common name, fill in the hostname or the FQDN of the VirtualCenter server

rui.crt

=======

Goto --> Microsoft Certificate Services Web Enrollment

press --> Request a certificate

then press --> Or, submit an advanced certificate request.

then press --> Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a

base-64-encoded PKCS #7 file.

then paste the contents of rui.csr into the field "Saved Request:"

choose with "Certificate Template:" for "Web Server"

press submit

select "Base 64 encoded"

then download the certificate and rename it to rui.crt

rui.pfx

=======

openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui -out rui.pfx

Enter Export Password:

Replacing the Certificates on VirtualCenter 2 Host

==================================================

copy the files : rui.key , rui.crt and rui.pfx to C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL\

Restart your VirtualCenter server service. This will also restart your Webaccess service..

Message was edited by:

dmaster

0 Kudos
RobMokkink
Expert
Expert

just retested the procedure.

Make sure when you download the certitificate you select base64

When you didn't specified a password on the request you can just issue the following command to create a .pfx

openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui -out rui.pfx

0 Kudos
RobMokkink
Expert
Expert

hey dmaster you where a little bit faster then me Smiley Wink

0 Kudos
RobMokkink
Expert
Expert

i also replaced the certificates on the esx hosts.

Unfortunaly i doesn't like the new certs.

Can't get the servers in VC anymore.

strange that is didn't test this sooner?

0 Kudos
dmaster
VMware Employee
VMware Employee

What about the ESX Host certificates : rui.key and rui.crt wich are located /etc/vmware/ssl/ ?

Do i have to replace them also ? The are probably not the same like the VirtualCenter Host certificates.

Do i have to create new certificates for the ESX server host on the same way i did on the VC2 host, again with a webserver template ?

What is the advantage of that ?

Is this necessary when you replaced the virtualcenter host certificates ?

0 Kudos
RobMokkink
Expert
Expert

If you want to connect through the webinterface from a client etc.

0 Kudos
dmaster
VMware Employee
VMware Employee

okay.. it's clear for me now.. thanks for the help..

0 Kudos
dmaster
VMware Employee
VMware Employee

problem solved, answer is posted in this topic

0 Kudos
RobMokkink
Expert
Expert

Today iw as rebuilding my test lab and i made a huge error in my post:

openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui -out rui.pfx

Do this:

openssl pkcs12 -export -in rui.crt -inkey rui.key -name -out rui.pfx

This also fixed a lot of other issues.

0 Kudos
dmaster
VMware Employee
VMware Employee

Hi Rob,

Did you also have the problem that you canno't use the custimization specifications ? because it's complaining about problems with unecrypting the password.. after you changed the SSL certificates of VC2 ?

0 Kudos
RobMokkink
Expert
Expert

sorry no time to test guest customization.

What still is buggy is the vpxa daemon crashes on the esx hosts.

So i left the esx hosts without a certificate.

0 Kudos
Dennis2
Contributor
Contributor

do this:

install openssl tools on VC server.

generate a new key:

openssl genrsa 1024 > rui.key

Create a signing request:

openssl req -new -key rui.key > rui.csr

Open the rui.csr with a text editor and select all the text.

Issue the certificate on the MS CA and download the cert file to rui.crt

Then convert the rui.crt to rui.pfx with the following command:

openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui -passout

pass:testpassword -out rui.pfx

My vpxdeamon on VC2.5 keeps freaking out when replacing the certificates with error

2008-01-14 18:33:04.790 'App' 3920 error crypto failure: error:0407106B:rsa routines:RSA_padding_check_PKCS1_type_2:block type is not 02

2008-01-14 18:33:04.790 'App' 3920 error Failed to decrypt password: applying key to encrypted data failed (likely the wrong key)

I'm using Win32 OpenSSL Light 0.9.8g to generate the keys.

I haven´t used password anywwhere but in the conversion to pfx-file so i suspect there is a bug in the Win32-version.

Can anyone here confirm that this is an issue?

0 Kudos
Dennis2
Contributor
Contributor

I get the same error when generating the certificate with Open SSL 0.9.7a from an ESX 3.0.1 b42829 console.

0 Kudos
Ales
Contributor
Contributor

You try use KB article 'VirtualCenter Server Fails to Start After You Replace Default SSL Certificates with Custom SSL Certificates' ID 1003070

0 Kudos