VMware Cloud Community
nicholas1982
Hot Shot

vCenter SSL certificate from CA Problems

Hi All,

I hope someone may be able to help with a few issues I have with replacing the default SSL on a vCenter 5 u1 server.

I had one of my colleagues generate an SSL certificate using IIS7; we then processed the CSR with Thawte, and we purchased an SSL123 cert from Thawte, which is just a domain validation SSL.

We exported the SSL with the private key into a PFX format; I used OpenSSL to obtain the rui.key and rui.crt and copied them along with the rui.pfx to the necessary locations on the vCenter server. I followed all the steps documented http://pubs.vmware.com/vsphere-50/topic/com.vmware.vsphere.solutions.doc_50/GUID-37AAEDFE-EF2E-45FC-... and other sites like WoodITwork.com

After completing all the steps, I browse to the vCenter URL https://vc_url.com and I still get a certificate warning. I check the certificate from the browser and can see the SSL has been installed, but I get the error “This certificate cannot be verified up to a trusted certification authority”.

I then log in to vCenter via the vSphere client and get a certificate warning, a strange warning:

vc.voclients.local is actually the local domain FQDN of the vCenter. The error received is that it's untrusted, and it also states that the certificate received from “vc.voclients.local” was issued for “”, which as you can see from the attachment is blank.

I used the online Thawte SSL Checker, the status stated invalid chain with the following error: “The intermediate CA certificates cannot be found for the following certificate chain.”

I have another concern, and I’m not sure if this has ever been brought up before, but the documentation states to use the password “testpassword” on the PFX file. Now if one were to gain unauthorised access to a vCenter server, they could steal the PFX, knowing the password.

Just as a side note, I successfully got the SSL to work a few years ago on vCenter 2.5 using the same method. I really wish VMware provided a tool to perform such SSL tasks; it has become very complicated now, having to change 3 or 4 different places. I have attached some images of the errors which may shed some light on the issue.

Any suggestions are welcomed

Nicholas
18 Replies
schepp
Leadership

Hi,

I don't see how this is a vCenter problem. Everything tells you the certificate is broken. I would suggest recreating it.

Regards

nicholas1982
Hot Shot

Thanks for the suggestion, that did cross my mind; however, the certificate worked fine on IIS. I have now sent through a request to Thawte to revoke the certificate. I think I will now generate the CSR using OpenSSL; hopefully that helps.

What I would like to know is: has someone successfully replaced the vCenter 5 SSL with a public SSL purchased from a CA? If so, do you mind sharing your success and where and what type of SSL you purchased. As I mentioned earlier, I purchased a Thawte DV SSL certificate, which is domain validation only. I understand Thawte recently updated all their root CAs; I did, by the way, update it on the server, but still no success.

Nicholas
schepp
Leadership

How can the certificate work fine in IIS if it fails the Thawte certificate check? Strange ;-)

My vCenter 5 runs with a DV SSL certificate as well. Since I work for a university, we get our certificates signed by the German research network with the German Telekom as CA. Worked fine with the documentation you mentioned in your first post.

Regards

nicholas1982
Hot Shot

Hi Tim, we generated the CSR from a different Windows 2008 server, installed the SSL and tested it on that server, and it seemed to be working fine, although I didn't check it with the SSL checker so I'm not 100% sure. We then exported that into a PFX for the vCenter server and haven't had much success. Do you mind sharing with me how you generated the CSR for your Thawte DV SSL? Thanks for your comments.

Sent from my iPhone

Nicholas
schepp
Leadership

Hi,

I used openssl on a Linux server to generate them. Like "openssl req -newkey rsa:2048 -out cert.pem -keyout sec-key.pem -subj '/C=DE/O=......'"

Regards

nicholas1982
Hot Shot

Thanks Tim, appreciate your help.

Sent from my iPhone

Nicholas
nicholas1982
Hot Shot

Hi Tim, sorry to bother you, but I have been unsuccessful at replacing my certificate. I have followed all the steps, and strangely enough my certificate appears just fine and fully trusted with the entire chain if I go to https://<myvcenter>:8443, which is the default Tomcat page, so I know the SSL is OK and working; just vCenter doesn't load the chain. Anyway, you say you have successfully replaced yours with a Thawte DV SSL on vCenter 5. I have an open SR with VMware; they cannot work it out either. I have seen a lot of documentation saying that the openssl.cnf or .cfg file needs to be modified. I would like to know, did you need to do this to get your SSL to work?

Nicholas
schepp
Leadership

Hi Nicholas,

you misunderstood me. I didn't use a Thawte certificate. My certificates are signed with the German Telekom Root CA 2. But it also only verifies the domain name, like your cert.

I didn't modify the openssl.cnf, since I gave all the needed parameters to the program on the command line. If you call openssl without those options, the openssl.cnf is used.

After my certificate request was signed, I created rui.crt, rui.key and rui.pfx out of the .pem certificate and key I got and copied them to C:\ProgramData\VMware\VMware VirtualCenter.

Then I went to http://localhost/mob/?moid=vpxd-securitymanager&vmodl=1 on the vCenter Server and clicked "reloadSslCertificate" and then "Invoke Method" on the popup. After restarting the VMware vCenter Management Webservices, my new certificate was shown when going to https://vcenter-FQDN.

Regards,

Tim

nicholas1982
Hot Shot

Hi Tim,

Thanks for the fast response. I ran the following to generate the CSR:

openssl req -new -newkey rsa:2048 -nodes -keyout rui.key -out rui.csr

After receiving the signed certificate, I ran the following command:

openssl pkcs12 -export -in rui.crt -inkey rui.key -certfile CACert.crt -name rui -passout pass:testpassword -out rui.pfx

May I ask, when you created the PFX file using the command above, did you need to include the intermediate certificate using the -certfile switch in your command?

I believe this is required if you need to update the intermediate certificate chain.

Nicholas
schepp
Leadership

Nicholas wrote:

I ran the following to generate the CSR

openssl req -new -newkey rsa:2048 -nodes -keyout rui.key -out rui.csr

So you must have configured your req section in the openssl.cnf, right? Otherwise the certificate wouldn't have a CommonName.

I'm almost sure I didn't use the -certfile switch when creating the pfx. Did it months ago and my documentation sometimes sucks, so not 100% sure ;-)

Regards

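The two questions in the exchange above, whether the CSR carries a CommonName when the subject comes from -subj rather than the openssl.cnf req section, and whether -certfile actually puts the intermediate into rui.pfx, can be checked offline. The script below is an added example for this thread; it is not Tim's or Nicholas's command set and not VMware tooling. It builds a throwaway root, intermediate and leaf chain with the OpenSSL CLI, exports rui.pfx both with and without -certfile, and then reports what each PFX contains and what a client that trusts only the root can verify. The CA names, the hostname vc.example.invalid and the serial numbers are constructed placeholders; the only requirement is an openssl binary on PATH.

```shell
#!/bin/sh
# Added example, not from the thread or from VMware: builds a constructed
# root -> intermediate -> leaf chain, exports rui.pfx with and without the
# intermediate, and checks the difference. Names and hostname are placeholders.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS=testpassword   # the PFX password the thread discusses; constructed here

# Self-contained config so nothing depends on the system openssl.cnf. Tim's point:
# with neither a req section nor -subj, the CSR ends up without a CommonName.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:vc.example.invalid
EOF

q() { "$@" >/dev/null 2>&1; }   # silence openssl progress output

# Constructed root CA: stands in for the commercial root that clients already trust.
q openssl req -config "$WORK/openssl.cnf" -x509 -newkey rsa:2048 -nodes -days 30 \
  -subj '/CN=Constructed Root CA' -extensions ca_ext \
  -keyout "$WORK/root.key" -out "$WORK/root.crt"

# Constructed intermediate CA: the certificate the Thawte checker reported missing.
q openssl req -config "$WORK/openssl.cnf" -new -newkey rsa:2048 -nodes \
  -subj '/CN=Constructed Intermediate CA' -keyout "$WORK/int.key" -out "$WORK/int.csr"
q openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
  -set_serial 1001 -days 30 -extfile "$WORK/openssl.cnf" -extensions ca_ext -out "$WORK/int.crt"

# Leaf CSR with the subject given on the command line (-subj), as Tim did.
q openssl req -config "$WORK/openssl.cnf" -new -newkey rsa:2048 -nodes \
  -subj '/CN=vc.example.invalid' -keyout "$WORK/rui.key" -out "$WORK/rui.csr"
q openssl x509 -req -in "$WORK/rui.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
  -set_serial 2001 -days 30 -extfile "$WORK/openssl.cnf" -extensions leaf_ext -out "$WORK/rui.crt"

# rui.pfx as in Nicholas's command (intermediate bundled via -certfile) and without it.
q openssl pkcs12 -export -in "$WORK/rui.crt" -inkey "$WORK/rui.key" -name rui \
  -certfile "$WORK/int.crt" -passout "pass:$PASS" -out "$WORK/rui-with-chain.pfx"
q openssl pkcs12 -export -in "$WORK/rui.crt" -inkey "$WORK/rui.key" -name rui \
  -passout "pass:$PASS" -out "$WORK/rui-no-chain.pfx"

# Number of certificates stored in a PFX: 2 = leaf + intermediate, 1 = leaf alone.
pfx_cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$PASS" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# What a client that trusts only the root can verify: prints "ok" or "fail".
leaf_verifies_with_intermediate() {
  if openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" "$WORK/rui.crt" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}
leaf_verifies_alone() {
  if openssl verify -CAfile "$WORK/root.crt" "$WORK/rui.crt" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

echo "certs in rui-with-chain.pfx: $(pfx_cert_count "$WORK/rui-with-chain.pfx")"
echo "certs in rui-no-chain.pfx:   $(pfx_cert_count "$WORK/rui-no-chain.pfx")"
echo "leaf + intermediate -> $(leaf_verifies_with_intermediate)"
echo "leaf alone          -> $(leaf_verifies_alone)"
```

The last two lines are the whole point of the thread: the leaf only verifies when the intermediate travels with it, so whichever service fails to send the intermediate (the vpxd endpoint on 443 in the reports above) will be untrusted by any client that has not pre-trusted the leaf itself, while the PFX that includes it (Tomcat on 8443) is fine. Two points a practitioner would add to the thread's commands: the -passout pass:... form puts the PFX password into the process list and shell history, which matters when that password is a documented constant, and whoever can read rui.pfx plus that password holds the private key, so the ACL on the VirtualCenter data directory is what actually protects it.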
nicholas1982
Hot Shot

Hi Tim,

Still no joy for me. I actually researched this issue and it turns out there are others out there experiencing the same issue: vCenter just does not load the entire certificate chain for commercial SSL certificates. However, the Tomcat Web UI on port 8443 does load the certificate chain correctly, therefore fully trusting the SSL, provided you inserted the intermediate CA into the PFX file. Clients would have to pre-trust the certificate to avoid the certificate error, thus defeating the purpose of replacing it with a commercially signed SSL. I also have a VMware SR open; they have replicated the issue in their lab, so now VMware support acknowledges that there is an issue with it as well.

I know you did this a while ago, but are you certain you and/or the clients haven't pre-trusted the SSL you installed? If your vCenter is open to the public you can try an SSL checker like https://ssl-tools.verisign.com; just type in <Your VC URL> to make sure there are not any SSL chain errors.

You see, I think the issue hasn't blown out because most people probably generate self-signed certificates and then have clients pre-trusting the SSL. If you read this you will see VMware recommend commercially signed SSLs: http://www.vmware.com/files/pdf/techpaper//vsp_41_vcserver_certificates.pdf

Page 2 - "Certificates signed by a commercial certificate authority, such as Entrust or Verisign, are pretrusted on the Windows operating system."

Page 6 - "VMware recommends that you replace default certificates with those signed by a commercial certificate authority."

Anyway thanks again for your time.

Nicholas
marc10k
Contributor

Hi Nicholas,

just wanted to say that we have the same issue here. We use a wildcard certificate by AlphaSSL (GlobalSign), and the chain is complete when you open the URL to vCenter in the browser (port 443 and 8443); the chain is not complete when you open the vSphere client.

I tried different things (crt, intermediate crt and root crt in one file, adding the intermediate to the certificate store with mmc on the server), and the pfx was created with the intermediate crt included (I think the pfx certificate is used when you open the vSphere client?).

Is this a confirmed issue with VMware? I suppose you might run into problems when upgrading to View 5.1, since the documentation says you must use a trusted certificate.

moreyroof
Contributor

Hi nicholas1982,

Could you share the SR#, as I'm having the same trouble, and it would be good if I can reference an existing SR# when I talk to VMware about my issue using a Thawte cert.

Thanks

moreyroof
Contributor

If others are running into this problem and you submit a support request with VMware, you can reference the service request number I have open with them about this issue. It is 12189702006. Perhaps if they get more service requests they will work on fixing this issue more quickly.

nicholas1982
Hot Shot

OK guys, VMware have acknowledged that it is a bug in this version of vCenter; they tell me it will be fixed in the next release. Although I do agree, if they get more requests to fix this they may respond faster. Please keep us all informed, I would like to hear of the outcome.

Nicholas
moreyroof
Contributor

Hi Nicholas,

Could you please post the SR number? Right now I can't get the support people to even acknowledge there is a problem or bug in vCenter, and they keep on running me around asking questions about how the certificate was made and such, even though the screenshots showing the difference between what is presented correctly by Tomcat and what vCenter isn't doing clearly show the problem. So, if I could reference another SR that would really help.

nicholas1982
Hot Shot

Hi All,

Since VMware support struggle to communicate these serious issues amongst themselves, here is the SR.

SR #12173818605

Good luck to everyone pursuing this; it took me about 10 hours on the phone to VMware support to finally get them to acknowledge there was a bug. I do have an email from them advising their development team had the same issue and that it will be fixed in the next release.

Nicholas
Shaz71
Contributor

I am also having this issue.

Do you know if VMware have fixed this in their 5.0 U1b release?

Thanks
