gclinch
Contributor

Virtual Center SSL Certificate

Background: I've replaced the default certificate on our Virtual Center server with one from a commercial CA following the instructions in vi_vcserver_certificates.pdf. However, our preferred certificate supplier uses an intermediate chain; the certificate I have from the CA is signed by an intermediate certificate, which is itself signed by the root. The root is trusted (the CA in this case is ipsCA). Normally you'd need to supply the intermediate certificate to the server for it to hand back along with the child cert; e.g., for Apache, as well as supplying the CertificateFile and the KeyFile, an additional directive of SSLCertificateChainFile is required.

The real question: How can I configure Virtual Center to also hand back the CA chain bundle to the client, as one does with Apache's CertificateChainFile directive? I have tried adding the intermediate certificate to the Virtual Center Server's 'Intermediate Certification Authorities' store and restarted the VC service, but it doesn't seem to have made any difference.

I'm assuming this must be something obvious that I'm missing, since I believe many CAs use this intermediate certificate structure.

Any hints?

15 Replies
whowd
Contributor

I'm trying to work through this as well. Does anyone have any ideas?

kjb007
Immortal

Did you include all of the certs in the pfx file?

If you added the intermediate root, did you install that to the service account's cert store or the machine account?

-KjB

vExpert/VCP/VCAP vmwise.com / @vmwise -KjB
whowd
Contributor

Yes, I tried adding the root and intermediate CA to the pfx file as well as just the intermediate:

C:\OpenSSL\bin>openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui -passout pass:testpassword -CAfile IPS-IPSCABUNDLE.CRT -chain -caname root -out rui.pfx

(http://certs.ipsca.com/companyIPSipsCA/IPS-IPSCABUNDLE.crt)

I have not tried adding any of the certs to the Windows certificate stores for the service account or machine account.

w

kjb007
Immortal

Ok, when you view the certificate, do you see the entire chain? If not, you can try adding the certs to the windows machine account certificate store. That way, it's registered throughout windows as well, and may make things easier.

-KjB

vExpert/VCP/VCAP vmwise.com / @vmwise -KjB
whowd
Contributor

I verified that the pfx contains the ssl cert, the intermediate ipsca cert and the root cert.

I added all three certs to the "personal" certs in the service account and local machine account and added the intermediate cert to the intermediate cert section for both the service account and the local machine account. Still no luck. You can check the cert yourself at https://copper.truman.edu

Thanks!

w

kjb007
Immortal

The intermediate certificate is not trusted by default in your clients, which is the problem. I took your .crt file that you created your pfx out of, and installed that intermediate certificate in my browser, and I get no warnings. Your chain is correct, but since I did not trust the intermediate, until I installed your cert, I received the warning, and saw no authorization chain. After the install, all looked as it should.

-KjB

vExpert/VCP/VCAP vmwise.com / @vmwise -KjB
whowd
Contributor

Correct, that will prevent the problem if you explicitly add and trust the intermediate CA. However, you should not have to add the intermediate CA to every system. Most modern webservers (IIS, Apache) support chained certificates. The client verifies the intermediate CA that the server supplies and the SSL cert is verified against the intermediate CA.

Perhaps VirtualCenter does not support chained certificates? I would be surprised, because as the original poster mentioned this is a fairly common practice.

w

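As an added example (not code from this thread or from VMware), the following Go program reproduces what the original question and the exchange above describe: a client that trusts the commercial root but not the intermediate, a server that sends only the leaf certificate, and the two ways the chain can still verify (the server appends the intermediate, as Apache's SSLCertificateChainFile does, or the intermediate is installed on every client, as kjb007 did in his browser). It issues a throwaway root, intermediate and leaf in memory (all names and lifetimes are constructed for the example) and verifies the leaf exactly the way a TLS client treats the certificates a server sends. Go's standard library is used instead of openssl so the whole thing runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issuer holds a certificate and the key that signs with it.
type issuer struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newCert issues a certificate for cn. parent == nil yields a self-signed root;
// isCA selects a CA certificate (root or intermediate) over a server leaf.
// The names and the one-day lifetime are test values constructed for this example.
func newCert(cn string, isCA bool, parent *issuer) *issuer {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn}
	}
	signerCert, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &issuer{cert: cert, key: key}
}

// verifyAsClient does what a TLS client does with the certificates a server sent:
// sent[0] is the server certificate, the rest are untrusted intermediates offered
// by the server. trustedRoot is the only trusted anchor; localIntermediates models
// certificates an admin pushed into the client's own intermediate store.
// It returns the verification error, nil when a chain to the root was found.
func verifyAsClient(trustedRoot *x509.Certificate, localIntermediates []*x509.Certificate,
	sent []*x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	intermediates := x509.NewCertPool()
	for _, c := range localIntermediates {
		intermediates.AddCert(c)
	}
	for _, c := range sent[1:] {
		intermediates.AddCert(c)
	}
	_, err := sent[0].Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: intermediates,
		DNSName:       host,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Demo builds root -> intermediate -> leaf and verifies the leaf three ways:
// the server sends the leaf alone (the VirtualCenter behaviour reported above),
// the server sends leaf plus intermediate (Apache with SSLCertificateChainFile),
// and the server sends the leaf alone but the client has the intermediate installed.
func Demo() (leafOnly, withChain, leafOnlyLocalStore error) {
	root := newCert("Example Root CA", true, nil)
	inter := newCert("Example Intermediate CA", true, root)
	leaf := newCert("vc.example.test", false, inter)
	host := "vc.example.test"
	leafOnly = verifyAsClient(root.cert, nil, []*x509.Certificate{leaf.cert}, host)
	withChain = verifyAsClient(root.cert, nil, []*x509.Certificate{leaf.cert, inter.cert}, host)
	leafOnlyLocalStore = verifyAsClient(root.cert, []*x509.Certificate{inter.cert},
		[]*x509.Certificate{leaf.cert}, host)
	return leafOnly, withChain, leafOnlyLocalStore
}

func main() {
	a, b, c := Demo()
	fmt.Println("server sends leaf only:              ", a)
	fmt.Println("server sends leaf + intermediate:    ", b)
	fmt.Println("leaf only, intermediate on client:   ", c)
}
```

The first case fails with an "unknown authority" error, the other two verify; this is the difference between a server that can be given a chain file and one that cannot. Against a live server the equivalent check is `openssl s_client -connect host:443 -showcerts`, which lists exactly the certificates the server sent: if only one appears, the intermediate is not being served, regardless of what is in the server's Windows certificate store. The offline check on the files themselves is `openssl verify -CAfile root.pem -untrusted intermediate.pem rui.crt`.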
gclinch
Contributor

Some life! - unfortunately this dropped down our list of 'pending disasters' recently, but now I've time to get back to it.

I haven't resolved it here yet - did you get anywhere, whowd? If not I'll try opening an SR - it's not a show-stopper, but it does upset the management a bit.

whowd
Contributor

No, I was never able to make it work. I would be interested to hear the results of your SR - I think the answer might be that chained certs are not currently supported.

Thanks,

w

smbober
Contributor

Has anyone gotten to the bottom of this? I am in the same situation but with VMware Server 2.0 RC1

gclinch
Contributor

I'm still working through with VMware Support - we've not got anywhere yet...

smbober
Contributor

Would you please be sure to list the fix/work-around here once you come to one?

scerazy
Enthusiast

Exactly the same here, wildcard certificate by GoDaddy

Works fine on IIS6, Apache (Windows/Linux), Novell eDirectory

but NOT on VC Tomcat (seeing via https://.. or using VI Client)

Seb

gclinch
Contributor

I've (finally!) received an answer:

It seems that the VirtualCenter product was not designed to handle intermediate certificates. We have had a couple of other cases of this from other customers and we have engaged the engineering team.

I don't have an update from them at this time, but will follow up with them next week for any information they may have.

So it looks like we may be out of luck, at least for the moment.

I'll keep this updated if I hear anything about a fix or release date.

Graham

scerazy
Enthusiast

Thanks for this, amazing that an SR needed to be opened to learn that the product does not support it

(as if it could not be in the documentation...)

Really silly IMHO, just about anything that relies on SSL can accept intermediate certificates

(this is mostly how certificates are done)

Seb
