VMware Cloud Community
JohnVUB
Contributor

certificate installation vcenter 5.5

Hello,

this is a desperate cry for help, I'm ready to hang myself (figure of speech)

After upgrading all my vSphere components to the latest 5.x version (coming from 5.0) I installed the View Connection Server and Security Server as the last components.

The View Connection Server pointed me to the fact that I have to set up certificates.

I've been following all steps, detail after detail, from this KB:

Implementing CA signed SSL certificates with vSphere 5.x (2034833)

I have set up an AD CA integrated with the AD, made the needed changes to the template for key usage, made the certs, checked the certs, followed the steps to enroll the certs in the SSO

All fine, all ok....

I'm at the point of "Replace the vCenter Server 5.x certificates":

I did what is asked and it goes wrong at the point where I'm asked to log in to the MOB. (AND I found out that I locked myself out of the vCenter)

So without reloading the sslcert in the MOB, the isregtools is not ending with code:

0

... it ends with

9

I stopped here to make sure that I do not encrypt my db with the wrong cert.

I edited the VPX-ACCES table and added local credentials, nothing works...

How do I proceed?

I have to get all up and running by Tuesday or we can't use our PC rooms on faculty 😕

Desperate regards

John


Accepted Solutions
vNEX
Expert

Hello John,

to get .pem file working with SSL Tool you have to include complete certificate chain in this container...

- Certificates in PEM container must be in x509 (BASE64) ... NOT in DER

- when you open it in a text editor they must start with: -----BEGIN CERTIFICATE----- and end with: -----END CERTIFICATE-----

- If you are using subordinate CA for issuing certificates in your domain you must include its certificate in PEM file!

- All certificates in .PEM file must be in reverse order so when you open the file first must be vCenter server certificate, second Sub CA and last Root CA


You can create PEM container with copy command and keep exact order:


copy /B <path>rui.crt + <path>SubCA64.cer + <path>RootCA.cer chain.pem

After you have the PEM file created, open it and check the certificate order: vCenter first, Sub second and Root at the bottom.

Avoid putting some extra blank lines between certificates, there should be no space before and after any certificate.

Once you have chain.pem and private key from vCenter (rui.crt) certificate you can start with SSL Tool.

P.

4 Replies
vNEX
Expert

Hi John,

replacing vCenter certificates since the 5.1 release came out has always been a little bit tricky because lots of new components are there (SSO etc.)

The whole process has many manual steps, so there is plenty of space to make a mistake.

That's why VMware came with the SSL Automation Tool, which simplifies the process in many ways.

Once you have all certificates, private keys and .pem files prepared it's really quick and straightforward to apply them.

No manual steps are needed to refresh trusts between vCenter components; everything is done by the SSL Automation Tool.

Check it here:

VMware KB: Deploying and using the SSL Certificate Automation Tool 5.5

Only one thing is missing in that KB: how to create .PEM files, although it is simple ...

If you need help with this just ask...

Regards,

Petr

JohnVUB
Contributor

Hello vNEX,

I have indeed only crt and pfx files.

I'll do a Google search to find out how to get the pem format

Thanks

J

EDIT: (for those with the same problem)

openssl x509 -in input.crt -out input.der -outform DER
openssl x509 -in input.der -inform DER -out output.pem -outform PEM

JohnVUB
Contributor

Thanks vNEX

It worked out...
