HamR
Enthusiast

vShield Manager SSL certificate

Can someone please advise the correct syntax for the common name when generating a CSR?

I've tried:

  • the vShield Manager IP address (mgmt interface) - the name and IP address resolve forward and reverse in the DNS

  • the vShield Manager FQDN

  • the vShield Manager short name

  • the vShield Manager canonical name

All attempts return the error, "Please enter correct domain name as common name."

 

The Admin Guide says:

"Enter the name that matches the site name. For example, if the IP address of vShield Manager management interface is 192.168.1.10, enter 192.168.1.10."

Thanks in advance,

HamR

11 Replies
robert_eckdale
Enthusiast

Ditto.

Seems strange that others have not run into this.

wysr
Contributor

Hi all

I also ran into this issue. Fortunately I found a workaround:

--> in a browser (I took Opera) log in to vShield and open the URL:
--> right click --> source
--> Change this:
function checkDomain(nname){
    // Accepted suffixes: the common name must END with one of these strings.
    // The list is a fixed set of TLDs plus ".local". There is no entry for a
    // trailing numeric label, so an IP address such as 192.168.1.10
    // (ext = ".10") can never pass this check.
    var arr = new Array(
'.com','.net','.org','.biz','.coop','.info','.museum','.name',
'.pro','.edu','.gov','.int','.mil','.ac','.ad','.ae','.af','.ag',
'.ai','.al','.am','.an','.ao','.aq','.ar','.as','.at','.au','.aw',
'.az','.ba','.bb','.bd','.be','.bf','.bg','.bh','.bi','.bj','.bm',
'.bn','.bo','.br','.bs','.bt','.bv','.bw','.by','.bz','.ca','.cc',
'.cd','.cf','.cg','.ch','.ci','.ck','.cl','.cm','.cn','.co','.cr',
'.cu','.cv','.cx','.cy','.cz','.de','.dj','.dk','.dm','.do','.dz',
'.ec','.ee','.eg','.eh','.er','.es','.et','.fi','.fj','.fk','.fm',
'.fo','.fr','.ga','.gd','.ge','.gf','.gg','.gh','.gi','.gl','.gm',
'.gn','.gp','.gq','.gr','.gs','.gt','.gu','.gv','.gy','.hk','.hm',
'.hn','.hr','.ht','.hu','.id','.ie','.il','.im','.in','.io','.iq',
'.ir','.is','.it','.je','.jm','.jo','.jp','.ke','.kg','.kh','.ki',
'.km','.kn','.kp','.kr','.kw','.ky','.kz','.la','.lb','.lc','.li',
'.lk','.lr','.ls','.lt','.lu','.lv','.ly','.ma','.mc','.md','.mg',
'.mh','.mk','.ml','.mm','.mn','.mo','.mp','.mq','.mr','.ms','.mt',
'.mu','.mv','.mw','.mx','.my','.mz','.na','.nc','.ne','.nf','.ng',
'.ni','.nl','.no','.np','.nr','.nu','.nz','.om','.pa','.pe','.pf',
'.pg','.ph','.pk','.pl','.pm','.pn','.pr','.ps','.pt','.pw','.py',
'.qa','.re','.ro','.rw','.ru','.sa','.sb','.sc','.sd','.se','.sg',
'.sh','.si','.sj','.sk','.sl','.sm','.sn','.so','.sr','.st','.sv',
'.sy','.sz','.tc','.td','.tf','.tg','.th','.tj','.tk','.tm','.tn',
'.to','.tp','.tr','.tt','.tv','.tw','.tz','.ua','.ug','.uk','.um',
'.us','.uy','.uz','.va','.vc','.ve','.vg','.vi','.vn','.vu','.ws',
'.wf','.ye','.yt','.yu','.za','.zm','.zw', ".local");
    var mai = nname;
    var val = true;
    var dot = mai.lastIndexOf(".");            // position of the LAST dot (-1 if none)
    var dname = mai.substring(0,dot);          // everything before the last dot
    var ext = mai.substring(dot,mai.length);   // the last dot plus what follows
    //alert(ext);

    // A name without any dot (a short name) gives dot == -1 and is rejected
    // here; the part before the last dot must also be 3 to 56 characters long.
    if(dot>2 && dot<57)
    {
        // The suffix must equal one of the entries in arr exactly.
        for(var i=0; i<arr.length; i++)
        {
            if(ext == arr[i])
            {
                val = true;
                break;
            }
            else
            {
                val = false;
            }
        }
        if(val == false)
        {
            return false;
        }
        else
        {
            // The prefix may contain only digits, letters, '-' and '.'
            // (the range 47 < hh < 59 also lets ':' through) and must not
            // begin or end with '-'.
            for(var j=0; j<dname.length; j++)
            {
                var dh = dname.charAt(j);
                var hh = dh.charCodeAt(0);
                if((hh > 47 && hh<59) || (hh > 64 && hh<91) || (hh > 96 && hh<123) || hh==45 || hh==46)
                {
                    if((j==0 || j==dname.length-1) && hh == 45)
                    {
                        alert("Domain name should not begin or end with '-'");
                        return false;
                    }
                }
                else
                {
                    alert("Your domain name should not have special characters");
                    return false;
                }
            }
        }
    }
    else
    {
        return false;
    }
    return true;
}

--> to this (yes, you have to delete all these lines!):
function checkDomain(nname){
    return true;
}

--> click Apply changes in Opera
--> Submit your CSR in the other window (with IP address as CN), then download CSR
--> sign CSR
--> download certificate as DER
--> also download Root Certificate
--> in vShield Manager install Root certificate, then the DER certificate
--> reboot vShield Appliance

For me, that worked.

Hope this helps someone!

Roland

amusica
VMware Employee

I have to tell you, it was very reassuring to see I wasn't the only one with that problem. However, I approached this a little differently. I created the CSR with the FQDN and added both the shortname and IP address as Subject Alternative Names on the certificate.

SAN:dns=vshield.domain.int&dns=vshield&dns=10.0.0.10

wysr
Contributor

...ok, your solution is smoother than my hack...

thanks for posting!

dmaster
VMware Employee

Hi amusica,

Thanks to your suggestion to insert 3 SAN DNS attributes ("SAN:dns=vshield.domain.int&dns=vshield&dns=10.0.0.10"), the Windows C# client does not complain anymore that my certificate for vCNS Manager is not secure. So that's great news ;)

But now, when connecting to the vCenter 5.5 server with the Windows C# client, I receive the following message when starting vShield Manager.

[screenshot attachment: vCNScertificateissue2.jpg]

[screenshot attachment: vCNScertificateissue1.jpg]

Any suggestions on how to beat this security alert?

regards,

Dennis

amusica
VMware Employee

I have not tried on 5.5 yet, but does your CA (Certificate Authority) have an accessible CRL (Certificate Revocation List)? Are you using an internal/corporate CA or a known trusted root CA (Verisign, CyberTrust, etc.)?

dmaster
VMware Employee

Hi amusica,

I don't know if my CA has an accessible CRL. I am using an internal/corporate CA (Windows 2012 enterprise root CA).

That's probably the reason, I assume.

From this manual (http://www.vmware.com/pdf/vshield_55_api.pdf) I read something regarding the CRL, but it doesn't make sense to me:

Working with Certificate Revocation List (CRL)

Allows you to manage CRLs.

Create a CRL

Creates a CRL on the specified scope.

Example 5-69. Create CRL

Request:

POST https://<vsm-ip>/api/2.0/services/truststore/crl/<scopId>

Request Body:

<trustObject>
<pemEncoding></pemEncoding>
</trustObject>

Query CRL

Retrieves all CRL certificates for the specified certificate or scope.

Example 5-70. Query CRL

Retrieve certificate object for the specified certificate ID:

GET https://<vsm-ip>/api/2.0/services/truststore/crl/<crlId>

Retrieve all certificates for the specified scope:

GET https://<vsm-ip>/api/2.0/services/truststore/crl/scope/<scopeId>

Delete CRL

Deletes the specified CRL.

Example 5-71. Delete CRL

Request:

DELETE https://<vsm-ip>/api/2.0/services/truststore/crl/<crlId>

When accessing vShield Manager from Microsoft Internet Explorer or Google Chrome everything looks fine: a green lock.

[screenshot attachment: vCNScertificateissue3.jpg]

Regards,

Dennis

amusica
VMware Employee

Just a few things I'd be curious to know. From Chrome, does it also like (is it green) the shortname and the IP address? How does it operate with the Web Client? Lastly, assuming the first answer is yes and yes, and the second answer is that it performs the same as the C# client, have you tried unregistering and re-registering the vShield appliance after the certificate was changed?

dmaster
VMware Employee

Hi amusica,

Just to confirm the behavior of Chrome.. it also likes the shortname and the IP address. In both cases the lock is green.

In the web client I can't see anything useful for vShield Manager; the interface is also completely different, but there are no warnings or messages about a CRL.

I don't see anything like User VMs or service VMs like you see in the traditional vShield Manager, which is also very strange.

Looks like the view for the vShield Manager extension in the new vSphere Web Client is not working properly.

[screenshot attachment: vCNScertificateissue4.jpg]

[screenshot attachment: vCNScertificateissue5.jpg]

I have tried to remove the vShield Manager extension from the vCenter server web interface (/mob) and also to reboot the vCenter server. I have even tried re-entering the vCenter server information within vShield Manager. But all without success.

Regards,

Dennis

dmaster
VMware Employee

Hi amusica,

I also replaced the SSL certificate for VMware vSphere Auto Deploy. In there I get the same issue regarding a CRL warning just as I see with vshield manager.

Could it be that my Windows Root CA must be added to some Java keystore on the Virtual Center server?

Regards,

Dennis

amusica
VMware Employee

A few things. First, just as a heads up, support may be able to assist with this problem, and I cannot guarantee accuracy as I have not tried this. Now that I said that...

It would be nice if vShield had the same ability to ignore the CRL as VMware View does (http://pubs.vmware.com/view-52/topic/com.vmware.ICbase/PDF/horizon-view-52-installation.pdf), specifically "Configuring Certificate Revocation Checking on Server Certificates". While the process would have to be different, it would still be nice.

I have not had the same problem with my CAs (in the past, and the CRLs are published), so if you have someone else who works on the Certs/CA, they may be better suited to help.  I also have made numerous changes over the years, so I am not sure what would help (unfortunately).

However, according to the vShield documentation it would appear that you can upload a CRL file and not require a CDP: http://www.vmware.com/pdf/vshield_51_admin.pdf, "Add a Certificate Revocation List", page 69. The prior documentation you provided was for the API, which is not relevant for this conversation.

Additionally, MSFT has some documentation that may/may not be helpful.

http://technet.microsoft.com/en-us/library/ee649260(v=ws.10).aspx

http://blogs.technet.com/b/nexthop/archive/2012/12/17/creating-a-certificate-revocation-list-distrib...

http://technet.microsoft.com/en-us/library/cc782162(v=ws.10).aspx

I am sure there is a ton of other documentation. Please let us know if this was helpful, and if you resolve it or get stuck, as people continue to check this thread from 4/2011 (except the original poster, who should have marked the original thread answered :))
