2 Replies Latest reply on Feb 26, 2020 10:54 AM by ChrisFD2

    vCenter root ca denyed by OSX Catalina with Chrome

    niculescu Lurker

      Hello,

      The Mac OSX Catalina impose new rules on the certificates and/or Google Chrome.

      When using Chrome i get a NET::ERR_CERT_REVOKED, and i can't override. If using Safari or Firefox it works.

      i've added the Root CA in the osx trusted list, but still Chrome refuse to obey. (yes, there is a hack in chrome to bypass but its not nice)

      anyhow: my actual question is, can i regenerate the root ca, with all the rules imposed by Catalina?

      looking around the vcenter i can generate the root ca on another machine, then import it in the Certificate Manager, and hopefully it will propagate and the re-issue all the esxi certs.

      it should work?

      A nicer way would be that at the next vcenter upgrade (ah i'm using 6.5 latest update in 2019) to include this process (i think)

      would an upgrade to vcenter 6.7 solve this issue?

       

      The certif rules are:

      "Apple has introduced a series of new requirements for SSL certificates to be accepted by Catalina, documented at https://support.apple.com/en-us/HT210176. To summarize here:

      • Key size must be at least 2048 bits.
      • Hash algorithm must be SHA-2 or newer.
      • DNS names must be in a SubjectAltName, not in the CN field only.


      For certificates issued after 2019-07-01:

      • The ExtendedKeyUsage extension must be present, with the id-kp-ServerAuth OID.
      • The validity period may not be longer than 825 days."

       

      Cheers and a Happy New Year!!!!

       

      Ciprian