Hi, I'm trying to head off issues with the temporary 2-year certs installed by VirtualCenter by replacing them with self-signed certificates with a longer expiration date. I've been through the VMware PDF and quite a few good blogs on how to do this. I've been able to generate the rui.key and rui.crt files by using
openssl.exe req -new -x509 -nodes -keyout rui.key -out rui.crt -days 3650 -config openssl0081217.cfg
However, I am unable to generate the pfx file using the following, I get a file of 0 bytes:
openssl.exe pkcs12 -export -in rui.crt -inkey rui.key -name rui -passout pass:testpassword -out rui.pfx
I've debugged this down to the following: if I do NOT use the -name rui parameter on the command, the pfx file generates without being 0 bytes; if I put -name back, it fails. I've tried several iterations: moving -name to the end of the line, putting the value in quotes (-name "rui"), and even some recommendations of using -name FQDN (which just totally messes up openssl with some internal errors).
From what I can tell, -name may be an optional parameter: -name --> "The name (or alias, or friendlyName) to associate with this certificate and private key in the PKCS#12 file." So is it really optional, or does it have to be --> -name rui like in the VMware PDF:
openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui -passout pass:testpassword -out rui.pfx
I've also checked and am using the latest OpenSSL version, 0.9.8h 28 May 08, which I think is one of the latest versions.
What am I missing or doing wrong? The VMware pdf file on the keys even shows using -name.
BTW, we tested using openssl from the ESX install and the exact same commands work fine; I think there's a bug in OpenSSL on Windows....
Thanks for any assistance as we've been hacking on this for a day now. GC Mobley
Hi skywalker,
First of all, please check your rui.crt file. Is it a DER file or a PEM file?
If it is not a PEM file, you should convert it with this command:
openssl x509 -inform der -in MYCERT.cer -out MYCERT.pem
Good luck.
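The reply above asks whether rui.crt is DER or PEM before running the pkcs12 export. The script below is an added example, not part of this thread and not VMware's or OpenSSL's code: it tells the two formats apart by their first bytes (PEM starts with a "-----BEGIN" armour line, DER with the ASN.1 SEQUENCE tag 0x30), converts DER to PEM when needed, runs the same `openssl pkcs12 -export ... -name rui` command the thread uses, and then refuses to accept a 0-byte rui.pfx, checking instead that the friendly name survived a round trip. The file names rui.key, rui.crt, rui.pfx and the name "rui" come from the thread; the function names (cert_format, ensure_pem, build_pfx) and the password passed on the command line are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes a POSIX shell with
# head, od, mktemp and the openssl CLI on PATH.

# cert_format FILE -> prints "pem", "der" or "unknown"
cert_format() {
    # PEM is text that begins with a "-----BEGIN ..." armour line.
    if head -c 10 "$1" | grep -q -- '-----BEGIN'; then
        echo pem
    # DER is binary whose first byte is 0x30, the ASN.1 SEQUENCE tag that
    # opens every X.509 Certificate structure.
    elif [ "$(head -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = "30" ]; then
        echo der
    else
        echo unknown
    fi
}

# ensure_pem IN OUT -> writes a PEM copy of IN to OUT, converting DER if needed
ensure_pem() {
    case "$(cert_format "$1")" in
        pem) cp "$1" "$2" ;;
        der) openssl x509 -inform der -in "$1" -out "$2" ;;   # the reply's command
        *)   echo "$1: not a PEM or DER certificate" >&2; return 1 ;;
    esac
}

# build_pfx KEY CERT OUT NAME PASSWORD
# Builds the PKCS#12 bundle with a friendlyName and verifies the result.
build_pfx() {
    key=$1; cert=$2; out=$3; name=$4; pass=$5
    pem=$(mktemp) || return 1
    ensure_pem "$cert" "$pem" || { rm -f "$pem"; return 1; }

    # Same export the thread runs, including -name.
    openssl pkcs12 -export -in "$pem" -inkey "$key" -name "$name" \
        -passout "pass:$pass" -out "$out" || { rm -f "$pem"; return 1; }
    rm -f "$pem"

    # A 0-byte file is a failed export, whatever the exit status said.
    [ -s "$out" ] || { echo "$out is empty: export failed" >&2; return 1; }

    # Round trip: reopen the bundle and confirm the friendlyName bag attribute
    # (this is exactly what -name sets) is present on the certificate.
    openssl pkcs12 -in "$out" -nokeys -passin "pass:$pass" 2>/dev/null \
        | grep -q "friendlyName: $name"
}

# Usage: sh build_pfx.sh rui.key rui.crt rui.pfx rui testpassword
if [ "$#" -eq 5 ]; then
    build_pfx "$@" && echo "$3: OK, friendlyName '$4' present"
fi
```

Passing the password as `pass:...` on the command line mirrors the thread but exposes it in the process list; for a real server key use `-passout file:` or `env:` instead. The format check is deliberately independent of the file extension, since .crt and .cer are used for both encodings.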
Hi, not sure about the file extension types, as I know enough about the SSL keys to be dangerous. How do I discern between them?
As an update, we attempted to run the EXACT same openssl commands with the openssl which installs with ESX, and the commands ran fine even with -name FQDN. The .pfx file was generated and was not 0 bytes, so I'm sort of concluding that there's a bug in openssl.exe (latest version) on Windows when using -name xxxxxx.
I simply moved the 3 files from the ESX box to the new VC box, installed them, configured VC, and I think it's working.
Later,
GC Mobley, IBM Tivoli