Background: I've replaced the default certificate on our Virtual Center server with one from a commercial CA following the instructions in vi_vcserver_certificates.pdf. However, our preferred certificate supplier uses an intermediate chain; the certificate I have from the CA is signed by an intermediate certificate, which is itself signed by the root. The root is trusted (the CA in this case is ipsCA). Normally you'd need to supply the intermediate certificate to the server for it to hand back along with the child cert - e.g., for Apache, as well as supplying the CertificateFile and the KeyFile, an additional directive of SSLCertificateChainFile is required.
The real question: How can I configure Virtual Center to also hand back the CA chain bundle to the client, as one does with Apache's CertificateChainFile directive? I have tried adding the intermediate certificate to the Virtual Center Server's 'Intermediate Certification Authorities' store and restarted the VC service, but it doesn't seem to have made any difference.
I'm assuming this must be something obvious that I'm missing, since I believe many CAs use this intermediate certificate structure.
Did you include all of the certs in the pfx file?
If you added the intermediate root, did you install that to the service account's cert store or the machine account?
Yes, I tried adding the root and intermediate CA to the pfx file as well as just the intermediate:
C:\OpenSSL\bin>openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui -passout pass:testpassword -CAfile IPS-IPSCABUNDLE.CRT -chain -caname root -out rui.pfx
I have not tried adding any of the certs to the Windows certificate stores for the service account or machine account.
Ok, when you view the certificate, do you see the entire chain? If not, you can try adding the certs to the windows machine account certificate store. That way, it's registered throughout windows as well, and may make things easier.
I verified that the pfx contains the ssl cert, the intermediate ipsca cert and the root cert.
I added all three certs to the "personal" certs in the service account and local machine account and added the intermediate cert to the intermediate cert section for both the service account and the local machine account. Still no luck. You can check the cert yourself at https://copper.truman.edu
The intermediate certificate is not trusted by default in your clients, which is the problem. I took your .crt file that you created your pfx out of, and installed that intermediate certificate in my browser, and I get no warnings. Your chain is correct, but since I did not trust the intermediate, until I installed your cert, I received the warning, and saw no authorization chain. After the install, all looked as it should.
Correct, that will prevent the problem if you explicitly add and trust the intermediate CA. However, you should not have to add the intermediate CA to every system. Most modern webservers (IIS, Apache) support chained certificates. The client verifies the intermediate CA that the server supplies and the SSL cert is verified against the intermediate CA.
Perhaps VirtualCenter does not support chained certificates? I would be surprised because as the original poster mentioned this is a fairly common practice.
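The two points made in this thread, that the pfx built with "openssl pkcs12 -export ... -chain" really does carry the intermediate and root, and that a client trusting only the root rejects the leaf unless the server supplies the intermediate, can be reproduced offline. The script below is an added example, not code from the thread or from VMware: it builds a throwaway three-tier test PKI with OpenSSL (the names root/inter/rui, the bundle file name IPS-IPSCABUNDLE.CRT and the password "testpassword" are assumptions, chosen to mirror the command posted above), runs "openssl verify" with and without the intermediate, packs the leaf plus chain into a pfx exactly as the poster did and counts the certificates inside it, and finally gives a helper that counts how many certificates a live server actually sends in its handshake, which is the quickest way to tell whether a server is handing back the chain.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes the openssl CLI is on PATH.
# Builds a constructed test chain: root CA -> intermediate CA -> server cert "rui".
set -eu

WORK=$(mktemp -d)
PASS=testpassword        # placeholder password, as in the thread's pkcs12 command
cd "$WORK"

# Sign a CSR (or self-sign with -signkey) with explicit v3 extensions.
# Extensions are passed via -extfile so the result does not depend on openssl.cnf.
make_test_pki() {
    # Root CA: self-signed, CA:TRUE.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Test Root CA" \
        -keyout root.key -out root.csr 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in root.csr -signkey root.key \
        -extfile ca.ext -out root.crt 2>/dev/null
    # Intermediate CA: CSR signed by the root, CA:TRUE.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Test Intermediate CA" \
        -keyout inter.key -out inter.csr 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in inter.csr -CA root.crt -CAkey root.key \
        -CAcreateserial -extfile ca.ext -out inter.crt 2>/dev/null
    # Server certificate: CSR signed by the intermediate (hostname is made up).
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:copper.example.test\n' > rui.ext
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=copper.example.test" \
        -keyout rui.key -out rui.csr 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in rui.csr -CA inter.crt -CAkey inter.key \
        -CAcreateserial -extfile rui.ext -out rui.crt 2>/dev/null
    # CA bundle (intermediate + root), named like the one in the thread.
    cat inter.crt root.crt > IPS-IPSCABUNDLE.CRT
}

# A client that trusts only the root and is NOT given the intermediate:
# this is what a browser sees when the server sends just the leaf.
verify_with_root_only() {
    if openssl verify -CAfile root.crt rui.crt >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Same client, but the intermediate is supplied as an untrusted helper cert,
# which is what a chain-aware server (Apache with SSLCertificateChainFile) does.
verify_with_intermediate_supplied() {
    if openssl verify -CAfile root.crt -untrusted inter.crt rui.crt >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Build the pfx the way the thread does (-chain pulls inter + root from -CAfile),
# then read it back and print how many certificates it carries.
build_pfx_and_count_certs() {
    openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui -passout "pass:$PASS" \
        -CAfile IPS-IPSCABUNDLE.CRT -chain -caname root -out rui.pfx 2>/dev/null
    openssl pkcs12 -in rui.pfx -nokeys -passin "pass:$PASS" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Count the certificates a live server sends in its TLS handshake.
# Usage: count_served_certs copper.truman.edu 443   (needs network; not run here)
count_served_certs() {
    host=$1; port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

make_test_pki
echo "root only, no intermediate supplied: $(verify_with_root_only)"
echo "root plus intermediate supplied:     $(verify_with_intermediate_supplied)"
echo "certificates inside rui.pfx:         $(build_pfx_and_count_certs)"
```

If count_served_certs against the real server reports 1 while the pfx holds 3, the server is loading the key and leaf from the pfx but not presenting the chain, which is exactly the symptom described in this thread; a chain-aware server would report 2 or 3.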
Some life! - unfortunately this dropped down our list of 'pending disasters' recently, but now I've time to get back to it.
I haven't resolved it here yet - did you get anywhere, whowd? If not I'll try opening an SR - it's not a show-stopper, but it does upset the management a bit.
Would you please be sure to list the fix/work-around here once you come to
Author : gclinch
I've (finally!) received an answer:
It seems that the VirtualCenter product was not designed to handle
intermediate certificates. We have had a couple of other cases of this
from other customers and we have engaged the engineering team.
I don't have an update from them at this time, but will follow up with
them next week for any information they may have.
So it looks like we may be out of luck, at least for the moment.
I'll keep this updated if I hear anything about a fix or release date.
Thanks for this, amazing that an SR needed to be opened to learn that the product does not support it
(as if it could not be in the documentation...)
Really silly IMHO, just about anything that relies on SSL can accept intermediate certificates
(this is mostly how certificates are done)