Seems strange that others have not run into this.
For me, that worked.
Hope this helps someone!
I have to tell you, it was very reassuiring to see I wasn't the only one with that problem. However, I approached this a little differently. I created the CSR with the FQDN and added both the shortname and IP address as Subject Alternative Name on the certificate.
...ok, your solution is smoother than my hack...
thanks for posting!
Thanks to your suggestion to insert 3 san dns attributes. "SAN:dns=vshield.domain.int&dns=vshield&dns=10.0.0.10" the windows c# client does not complain anymore about that my certifcate for vCNS manager is not secure. So that's great news
But now when connecting to vcenter 5.5 server with the windows c# client. I receive the following message when starting the vShield Manager.
Any suggestions on how to beat this security alert ?
I have not tried on 5.5 yet, but does your CA (Certificate Authority) have an accessible CRL (Certificate Revocation List)? Are you using an internal/corporate CA or a known Trusted Root CA (Verisign, CyberTrust, etc.)
I don't know if my CA has an accesible CRL ? I am using an internal/corporate CA (Windows 2012 enterprise root CA).
That's probably the reason I assume..
From this manual... http://www.vmware.com/pdf/vshield_55_api.pdf I read something regarding the CRL but it doesn't make sense to me ?
Working with Certificate Revocation List (CRL)
Allows you to manage CRLs.
Create a CRL
Creates a CRL on the specified scope.
Example 5-69. Create CRL
Retrieves all CRLs certificates for the specified certificate or scope.
Example 5-70. Query CRL
Retrieve certificate object for the specified certificate ID:
Retrieve all certificates for the specified scope:
Deletes the specified CRL.
Example 5-71. Delete CRL
When accessing vShield manager from Microsoft Internet Explorer or Google Chrome everything looks fine !! a green lock
Just a few things i'd be curious to know. from Chrome, does it also like (is it green) for the shortname, and IP address? How does it operate with the Web Client? Lastly assuming the first answer is yes and yes, and the second answer is it performs the same as the c# client, have you tried unregistering and reregistering the vShield appliance after the certificate was changed?
Just to confirm the behavior of Chrome.. it also likes the shortname and the IP address. In both cases the lock is green.
In the web client I can't see anything usefull for vShield Manager, also the interface is completely different, but no warnings or messages about a CRL ?
I don't see anything like User VMs or service VMs like you see in the traditional vShield manager which is also very strange ??
Looks like the view for the extention vShield Manager in the new vSphere Web client is not properly working.
I have tried to remove the vShield manager extention from the vcenter server web interface (/mob) and also to reboot the vcenter server. I have even tried to re-entering the vcenter server information within vShield Manager. But all without success.
I also replaced the SSL certificate for VMware vSphere Auto Deploy. In there I get the same issue regarding a CRL warning just as I see with vshield manager.
Could it be that my Windows Root CA must be added to some java keystore on the virtual center server ?
A few things. First just as a heads up support may be able to assist with this problem and I cannot guarantee accuracy as I have not tried this. Now that I said that....
It would be nice if vShield had the same ability to ignore the CRL as VMware View does (http://pubs.vmware.com/view-52/topic/com.vmware.ICbase/PDF/horizon-view-52-installation.pdf) Specifically, "Configuring Certificate Revocation Checking on Server Certificates", while the process would have to be different, it would still be nice.
I have not had the same problem with my CAs (in the past, and the CRLs are published), so if you have someone else who works on the Certs/CA, they may be better suited to help. I also have made numerous changes over the years, so I am not sure what would help (unfortunately).
However, according to the vShield documentation it would appear that you can a upload a CRL file and not require a CDP. http://www.vmware.com/pdf/vshield_51_admin.pdf "Add a Certificate Revocation List" page 69. The prior documentation you provided was for the API which is not relevant for this conversation.
Additionally, MSFT has some documentation that may/may not be helpful.
I am sure there is a ton of other documentation. Please let us know if this was helpful, and if you resolve/get stuck. As people continue to check this thread from 4/2011 (except the original poster who should have marked the original thread answered )