CA-signed SSL certificates on a vCenter 5.1 installation (Server or Appliance)

I recently upgraded my ESXi hosts from 5.0 to 5.1 and they all kept the CA-signed SSL certificates I had installed previously. I did a fresh install of vCenter Server 5.1, with the same box running SSO, Inventory Service, vCenter Server and Update Manager. After installing, everything worked perfectly except that none of the vCenter services used my CA-signed SSL certificate - only the 5.1 ESXi hosts did.

So I followed the instructions in the Replacing Default vCenter 5.1 and ESXi Certificates PDF found at http://www.vmware.com/resources/techresources/10318. The document is terrible. For example, page 10 lists the locations of the three default SSL certificates on Windows 2008. None of these paths are correct. The first has a typo (an extra space between "Program" and "Data") and the other two say "Program Files" when they should say "ProgramData". This is just the beginning of the problems.

If you follow the instructions to the letter, you'll break vCenter. I got frustrated and thought I'd give the vCenter 5.1 appliance a shot. With regard to CA-signed SSL certificates, it was worse. The vCenter 5.1 appliance can't even automatically generate a new SSL certificate if you change the hostname (turn on auto-certificate generation, change the hostname and reboot). It gives error 653 during the boot process and keeps the original certificate. Don't even bother trying the steps on page 18 of the above-mentioned guide - you will get the same error 653.

It seems to me that VMware did not do any testing around CA-signed SSL certificate installation on vCenter 5.1. It's amazing to me that SSL certificate installation is so tedious for ESXi and vCenter when vShield Manager 5.1 has a very simple process that works well (and is similar to the SSL certificate installation procedure on DRACs, ASRs, various firewalls, etc.).

I did a lot of research on Google and found various articles on SSL certificate installation, but most were based on pre-5.1 GA products. If you have had any success installing CA-signed SSL certificates with vCenter Server or the appliance at 5.1 GA, let me know how you got around some of these issues. Please indicate whether your vCenter Server or appliance runs on a 5.1 GA ESXi host as well. Please do not answer about vCenter 5.0 - I had no problems with SSL certificates there (other than it being more painful than it should be).

Thanks in advance,

Nate

Finally I managed to install it by giving it 127.0.0.1 instead of the externally accessible name of the vCenter server. That works fine in my case, since the vCenter and VUM servers are on the same VM, but it's not exactly ideal for larger deployments.

Tags: VMware

Similar Questions

  • vCenter red - unable to verify CA (PSC)-signed vCenter SSL certificate (VMware)

    I am trying to deploy a new Horizon View 7 environment based on vSphere 6 U2 to replace our existing View 5.3 pod. I have a Windows vCenter Server with a separate Windows PSC. I used the PSC to sign the SSL certificate for vCenter, and downloaded and pushed the root CA certificate to the required workstations and servers via Group Policy. If I browse to vCenter from a desktop with the root CA installed, all is well on the HTTPS front. I added this vCenter Server to my View environment but it appears red on the View dashboard. I clicked on the vCenter Server and verified the certificate, but it never goes green. Both Connection Servers have the root CA installed, and if I launch a browser from the Connection Server itself and navigate to the vCenter FQDN, the certificate is trusted.

    Any ideas?

    I cannot create pools because of this, as View is not currently communicating with vCenter properly and it won't let me choose a virtual machine template.

    If you need to know more details please let me know and I'll happily supply.

    Thanks in advance.

    Having re-read the Horizon View 7 documentation to confirm I had already taken the correct steps, I decided to restart both of my new Connection Servers, and that solved the problem. My vCenter Server now shows green in the dashboard and I was able to successfully deploy desktops.

  • Self-signed SSL certificate not possible?

    Hi all

    Is it really not possible to let Flex's WebService or HTTPService connect to an HTTPS web service secured by a self-signed certificate? There is absolutely no reason for me to buy a 'real' certificate just for encryption purposes.
    I installed crossdomain.xml on the target server; the web service works fine when pasting the URL into the browser, and I have installed the certificate in IE (which I use here), so there is no error and it shows the small lock in the address bar. But Flex refuses to work, except when running the application locally (meaning by clicking "run" in Flex Builder).
    I'm using Flex 2.01, if that matters.

    So, could someone help me? Or is Flex really that ignorant of self-signed web services?

    Goodbye
    sysFor

    Hi sysfor,

    I am using self-signed SSL certificates in development & test and proper ones in production, no problems so far.
    Flex/Flash does not validate SSL certificates itself - this task is delegated to the browser.

    So I suppose you are faced with a different type of problem - your crossdomain.xml is not configured correctly.
    Have you checked the policyfiles.txt log?
    Another point: you are probably calling a direct URL (https://myhost/path). Instead, you should use a relative path. For example, if your SWF file was downloaded from the server myhost, then it should just make the calls to /path.

    See you soon,
    Dmitri.

  • Replacing the SSL certificate in vCenter Server Heartbeat with a new certificate

    I changed the SSL certificates in my vSphere vCenter Server 5.5 environment, and now I'm looking to deploy the VMware vCenter Server Heartbeat service, but I have the following doubt.

    1. Is it necessary to replace the SSL certificate currently used in my environment? (http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2013041)

    The KB article talks about changing the certificate of an already deployed vCenter Server Heartbeat... If vCSHB is not deployed yet, you don't need to worry... just go ahead with the installation and the new vCenter Server certificate will be recognized by vCSHB.

  • Thunderbird does not recognize a self-signed SSL certificate

    Dear support,

    I have a very strange problem that I don't understand.

    I run a server at an ISP offering IMAP over TLS/SSL and HTTPS. Both services use the same SSL certificate for edward.ennabe.de, issued by RapidSSL/GeoTrust.

    When I open an HTTPS connection to the server, Firefox correctly resolves the certificate chain and uses the Equifax root certification authority (which is correct).
    However, when I try to connect to a mailbox via Thunderbird, all I get in the certificate hierarchy is my server edward.ennabe.de. I don't think that's "working as intended", or is it?

    Is something wrong with my Thunderbird or my Dovecot configuration? What is really strange is that Firefox recognizes it correctly.

    Thanks in advance

    Kind regards

    ZeroEnna

    In Thunderbird, click the 'Details' tab in the certificate viewer.
    Are all the CA certificates listed in the "Certificate hierarchy" field also installed in your Thunderbird certificate store?
    When checking this, look in the 'Authorities' tab.
    If any certificates of the chain are missing from the Thunderbird certificate store (for whatever reason), you can try exporting them from Firefox and importing them into Thunderbird.

  • Does anyone know if Cisco Clean Access Server version 4.1(8) supports SHA-256 signed SSL certificates?

    Yes, I know these are very old servers and technically we should move away from CAS entirely. But unfortunately it's an environment I inherited, and I am now dealing with the issues. Because of the requirement to move away from SHA-1 signed certificates, I need to replace my existing certs with SHA-256 signed certs. But before I do that I would like to know if anyone knows whether CAS version 4.1(8) supports SHA-256 certificates? I did check the release notes, but there is no mention of the supported versions of SHA, etc. I tried TAC but no joy there either.

    Hello Rafael,

    Support for SHA-2 signed certificates was added in 4.7.2 for CAS and CAM.

    We have filed a documentation defect to have it documented in the release notes:
    CSCud99946    NAC support note should say we support SHA-2 certs

    Kind regards

    Jousset

  • HPDM: replace self-signed SSL certificates for HPDM Server and Master Repository

    I am trying to replace the automatically generated self-signed certificates (issued to DM) used by the HPDM Server and Master Repository. I'm NOT referring to FTPS, the embedded HPDM HTTPS server, or the Thin Client Agent cert.

    I already have certs from our own internal domain CA installed for FTPS in IIS and for the built-in Apache HTTPS server. These work properly and pass the repository tests for both protocols. I also issue certs to the Thin Clients from our internal CA just fine.

    I am interested in the actual HPDM Server cert and the Master Repository cert. These are generated automatically when the two services start. They use a very weak MD5 hash and a 1024-bit RSA key. I can't find any documentation around this, with the exception of troubleshooting, where you can remove these certificates, restart the services and they will be regenerated.

    Here are the cert\key paths:
    %HPDM install path%\MasterRepositoryController\Controller.crt (repository cert)
    %HPDM install path%\MasterRepositoryController\Controller.key (repository key)
    %HPDM install path%\MasterRepositoryController\Client.crt (HPDM Server cert)
    %HPDM install path%\Server\Bin\hpdmskey.keystore (both HPDM Server and repository certs and keys) (not sure what format it is in; it is not PEM or P12 as far as I can tell)

    There is also %HPDM install path%\Server\bin\hpdmcert.key. I don't know what it is. It's the HPDM Server key, but deleting it does nothing and it is never auto-regenerated in any of my tests.

    I am able to replace Controller.crt and the keys with my own internal-CA-issued files just fine. The service starts and no errors occur. However, if I replace Client.crt (HPDM Server cert) with my own, the service will start but there are SSL socket errors in the repository logs and the HPDM Server cannot connect to the Master Repository. I have no idea where the key file for the HPDM Server cert is supposed to be.

    Can anyone help with this? I can't find the configuration files the services use to generate their own certificates. If I could, I would at least try to change the config to not use MD5.

    Hello

    These certificates between HPDM Server and MRC are not designed to be customizable. Please submit a case if you have security concerns about it.

    Just for info:

    hpdmcert.key is for communication between HPDM Server and HPDM Gateway

    hpdmskey.keystore is for communication between HPDM Server and MRC

    server_keystore is for communication between HPDM Server and HPDM Console

  • SSL certificates?

    Is it mandatory to configure/install CA-signed SSL certificates when upgrading vCenter from 5.1 to 5.5?  I don't remember doing this for the 5.1 install.

    Thank you.

    Dan M.

    No, it's not mandatory... self-signed certificates are always present if you don't have CA-signed ones...

    Regards

    Girish

  • How to get SSL certificates installed on the VMware vCenter 6.0 appliance

    Hiya,

    I have been struggling to get SSL certificates installed for a few days now; it always seems to fail on the vpxd_servicecfg command.

    I followed tuts like: https://myvirtualife.net/2014/04/01/how-to-replace-default-vcsa-5-5-certificates-with-microsoft-ca-signed-certificates/

    There are more out there, but they are all similar to each other. I followed it to the letter, but all I get is:

    vCenter:/ssl/vCenterSSO # /usr/sbin/vpxd_servicecfg certificate change chain.pem rui.key

    VC_CFG_RESULT = 650

    The only thing I can imagine is that there is a difference between vCenter 5.5 and 6.0, but other than that I don't know how to solve this problem.

    Can anyone help?

    Kind regards.

    This could take a lot of your time, but I suggest you go through the related KB in detail.

    VMware KB: Replacement of default certificates with CA-signed SSL certificates in vSphere 6.0

  • VCSA 6.0: Replace external SSL certificates with CA-signed certs

    We would like to use third-party CA-signed SSL certificates for our external-facing vSphere components (e.g. vSphere Web Client, web console, ...), so that users accessing vSphere need not trust our internal CA certificates. In vSphere 5.5 there was a complicated but workable solution.

    For vSphere 6, some documentation on VMCA is available and it looks like replacing the Machine SSL certificates with custom certificates is the approach, but I'm not completely sure if it's the best/recommended one. Specifically, it seems that this approach always replaces a number of internal certificates, whereas I would prefer to replace only the external certificates.

    Does anyone have experience with this?

    Looks like the way to go is to use the Certificate Manager tool (/usr/lib/vmware-vmca/bin/certificate-manager) with option 1, Replace Machine SSL certificate with Custom Certificate.

    Unfortunately, this generates an error:

    Error when changing Machine SSL Cert, please visit /var/log/vmware/vmcad/certificate-manager.log for more information.

    And the log shows:

    2015-03-13T22:31:28.906Z INFO certificate-manager Command executed successfully
    2015-03-13T22:31:28.906Z INFO certificate-manager Certificate backup created successfully
    2015-03-13T22:31:28.907Z INFO certificate-manager Running command: ['/usr/lib/vmware-vmafd/bin/dir-cli', 'trustedcert', 'publish', '--cert', '/root/ssl/chain.crt', '--password', '*****']
    2015-03-13T22:31:28.920Z INFO certificate-manager Command output: -.
    2015-03-13T22:31:28.921Z ERROR certificate-manager
    2015-03-13T22:31:28.921Z ERROR certificate-manager Error while replacing Machine SSL Cert, please see /var/log/vmware/vmcad/certificate-manager.log for more information.
    2015-03-13T22:31:28.921Z ERROR certificate-manager {
        "resolution": null,
        "detail": [
            {
                "args": [
                    ""
                ],
                "id": "install.ciscommon.command.errinvoke",
                "localized": "An error has occurred during the call to the external command: ''",
                "translatable": "An error has occurred during the call to the external command: '%s'"
            },
            "Error while publishing cert using dir-cli."
        ],
        "componentKey": null,
        "problemId": null
    }

    Not very useful, but running this command ourselves clarifies it:

    vc:~ # /usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert /root/ssl/chain.crt
    Enter password for [email protected]:
    The file [/root/ssl/chain.crt] contains more than 1 certificate
    If you want to publish a certificate chain, use the "trustedcert publish" command with the --chain option.
    dir-cli failed. Error 13: Possible errors:
        LDAP error: Confidentiality required
        Win Error: Operation failed with error ERROR_INVALID_DATA (13)

    Ah! We need the --chain flag because we use a chain of CA certificates instead of a single root certificate. Fix the Certificate Manager library to include this option:

    "" vc: ~ # sed-i's /trustedcert/ / $/ \'--chain\', / ' /usr/lib/vmware/site-packages/cis/certificateManagerOps.py

    And optionally check that line 434 was edited to add this flag:

    vc:~ # vim +434 /usr/lib/vmware/site-packages/cis/certificateManagerOps.py

    Now all that's left is to run Certificate Manager again to get our CA-signed cert in place!

  • vCenter 5.5 Virtual Appliance and SSL certificates

    I currently have vCenter 5.5 on Windows 2008 R2.  I've been thinking of replacing my Windows vCenter with the vCenter Virtual Appliance.

    I have read the documentation on SSL certificates for vCenter.  I bought a RapidSSL SSL certificate for my current vCenter server.  Everything seems to be working correctly, but the documentation I read says I need a different cert for the various services such as Inventory Service, Log Browser and Auto Deploy.

    Does vCenter really require that many different certificates?

    Yes, each vCenter Server component requires a unique SSL certificate:

    Reference: http://www.vmware.com/files/pdf/techpaper/vsp_51_vcserver_esxi_certificates.pdf

    See also: http://pubs.vmware.com/vsphere-55/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-55-security-guide.pdf

  • SSL certificate for the external-facing Security Server

    Dear all,

    Today I bought an external SSL certificate from DigiCert for our Security Server. I imported the certificates into the Personal certificate store (computer account) on the Security Server. DigiCert provided three certificates: the root CA, the server CA and the one with our domain name. I renamed the friendly name of the existing self-signed certificate away from vdm and gave the certificate with our domain name the friendly name vdm. Then I rebooted the Security Server. All the services came up except the "View Blast Secure Gateway" service, which went into the paused state.

    In our setup we have one Connection Server and one Security Server. For the Security Server we use a different domain name than for the Connection Server. We have an internal PKI and the Connection Server uses an SSL certificate.

    Connection Server = server01.internaldomain.com

    Security Server = server02.externaldomain.com

    Why can't the certificate be loaded by the View Blast Secure Gateway? Did I miss something?

    Thank you

    Edy

    I solved it. It was a problem with the private key of the certificate. That was the reason the Blast Secure Gateway could not load it.

  • View 4.5 Security Server problems since installing SSL certificate

    I'm having some very strange problems with my View 4.5 Connection Server / Security Server setup (front and back end). I hope someone could shed some light on the problem, because I have tried everything I know to get this working properly.

    Before installing a new self-signed certificate on the external Connection Server, I was running the default VMware certificate. Everything worked very well in that configuration. I installed a new self-signed certificate and now I'm having intermittent problems connecting to the server:

    1. Connecting from a Windows machine, I CAN reach the HTTP site URL to download the View Client. Once I run the View Client I get the following error: The View Connection Server connection failed. Network error.

    2. I tried connecting via the server's IP address, and made sure the external URL is correct (everything worked fine before installing the SSL certificate).

    3. I completely removed the Security Server and reinstalled it, restarted the services, etc. Still no connection from some machines. Connecting from a Wyse device or an iPad still works, never a problem.

    4. If I connect to the company VPN on the machine that does not work, then launch the View Client and connect, everything works as it should. When I disconnect the VPN and try to connect again, I can connect just fine! So I need to connect to the VPN before I can connect to View... it's really weird. I checked DNS etc. and everything is identical to the setup with the default certificate. I made sure the machines that have problems trust the certificate, and I also followed the Cisco ASA firewall logs; I do not see anything different happening between the periods when it works and when it doesn't.

    Has anyone ever experienced something along these lines, or can think of anything I can try?

    Thank you!

    I came across this same thing.  The conflict is between the View Client and your new self-signed SSL certificate.  More precisely, the thing causing the problem is the version of wininet.dll shipped with IE8.  The wininet.dll shipped with IE8 causes some kind of conflict with the View Client 4.5 (if using an SSL certificate other than the server-generated one) and will not allow the View Client 4.5 software to connect to your Security Server.  I reported this to VMware (2 weeks ago), so they should be aware of the problem.

    If you remove your new SSL certificate and go back to the one created by the View server, everything works perfectly again.  If you are using an XP machine with IE6 or IE7, or remove IE8, it also works fine.  I tried taking the wininet.dll file from an XP SP3 IE6 machine and restoring it after installing IE8, and everything seemed to work OK, but that's probably not the best solution.

    Bottom line is, until VMware resolves the conflict with their View Client, you cannot use any SSL certificate (other than the server's own) if you are going to connect from Windows machines running IE8 or newer.

  • Installing SSL certificates on IOS

    Having a problem with an SSL certificate (DigiCert) on a Cisco 2811 running IOS 12.4(24)T4.

    I can get the intermediate and server certificates installed fine using a trustpoint I created. The SSL web site works fine for IE browsers, but other browser types get errors. When I run an SSL certificate check, it shows that "the server does not send the required intermediate certificate" (see attachment). I feel that I have followed what is available as well. Any suggestions are appreciated.

    This is the best information I could find to follow. It is specifically for GoDaddy certs, but I think it would be the same process for all.

    http://bytesolutions.com/support/knowledgebase/KB_Viewer/Smid/622/articleid/21/reftab/195/t/installing-GoDaddy-SSL-certificates-on-a-Cisco-IOS-router-using-CLI.aspx

    Thank you

    BR

    Hello

    If you have several CA certificates, you must authenticate the trustpoint holding the identity cert using the immediate intermediate cert, and then use other trustpoints to import the other CA certs one by one.

    So basically we need to follow the configuration below to import the 3 CA certificates and the identity certificate on the router:


    1.  Create the root trustpoint

          crypto ca trustpoint root
           enrollment terminal
           chain-validation stop
           revocation-check none
          crypto ca authenticate root

        (this will prompt you to paste in the PEM/base64 of the Root CA certificate; enter quit after you paste it)

    2.  Create the intermediate trustpoint for the primary intermediate certificate

          crypto ca trustpoint intermediate-primary
           enrollment terminal
           chain-validation continue root
           revocation-check none
          crypto ca authenticate intermediate-primary

        (this will prompt you to paste in the PEM/base64 of the primary intermediate CA certificate; enter quit after you paste it)

    3.  Create the intermediate trustpoint for the secondary intermediate certificate

          crypto ca trustpoint intermediate-secondary
           enrollment terminal
           keypair
           chain-validation continue intermediate-primary
          crypto ca authenticate intermediate-secondary

        (this will prompt you to paste in the PEM/base64 of the secondary intermediate CA certificate; enter quit after you paste it)

    4.  Import the identity certificate

          crypto ca import intermediate-secondary certificate

        (paste the identity certificate PEM/base64 here)
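    Both the Thunderbird post above (Dovecot presenting only the server certificate) and this IOS thread (the checker reporting that the server does not send the required intermediate) come down to a server that presents only its leaf. The Go program below is an added illustration, not code from either thread: it builds a constructed root / issuing CA / server hierarchy in memory (the hostname mail.example.test and the CA names are made up), performs a TLS handshake over an in-memory pipe with each server configuration, and validates the way a client trusting only the root does.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

const host = "mail.example.test" // constructed hostname for the demo server, not a real host
// mkCert issues a certificate signed by parent (self-signed when parent is nil); dns are the SAN entries.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey, dns ...string) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              dns,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key // the root signs itself
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// ChainReport: what the server presented, and whether a root-only client can validate it.
type ChainReport struct {
	Presented        int   // certificates in the server's Certificate message
	IntermediateSent bool  // the issuing CA was among them
	VerifyErr        error // nil when a client trusting only the root can build a path to the leaf
}

// probe runs one handshake over an in-memory pipe (no network) against a server configured with
// chain, then validates as a browser or mail client would: trusting only root plus what the server sent.
func probe(chain [][]byte, leafKey ed25519.PrivateKey, root, inter *x509.Certificate) ChainReport {
	srvSide, cliSide := net.Pipe()
	go tls.Server(srvSide, &tls.Config{Certificates: []tls.Certificate{{Certificate: chain, PrivateKey: leafKey}}}).Handshake()
	c := tls.Client(cliSide, &tls.Config{ServerName: host, InsecureSkipVerify: true}) // skipped only to inspect the chain; verified explicitly below
	defer c.Close()
	if err := c.Handshake(); err != nil {
		panic(err)
	}
	peers := c.ConnectionState().PeerCertificates
	rep := ChainReport{Presented: len(peers)}
	sent := x509.NewCertPool() // intermediates the server supplied, if any
	for _, cert := range peers[1:] {
		sent.AddCert(cert)
		rep.IntermediateSent = rep.IntermediateSent || cert.Equal(inter)
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, rep.VerifyErr = peers[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: sent, DNSName: host})
	return rep
}

// Demo contrasts a server sending only its leaf (the "missing intermediate" misconfiguration) with one sending the chain.
func Demo() (leafOnly, withChain ChainReport) {
	root, rootKey := mkCert("Example Root CA", true, nil, nil)
	inter, interKey := mkCert("Example Issuing CA", true, root, rootKey)
	leaf, leafKey := mkCert(host, false, inter, interKey, host)
	return probe([][]byte{leaf.Raw}, leafKey, root, inter), probe([][]byte{leaf.Raw, inter.Raw}, leafKey, root, inter)
}

func main() {
	fmt.Println(Demo()) // leaf-only: {1 false <unknown authority error>}; with chain: {2 true <nil>}
}
```

    The leaf-only case is exactly what a browser or Thunderbird sees when the server omits the intermediate: the handshake itself succeeds, but path building to a trusted root fails unless that intermediate happens to be cached locally.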

  • Replacing the SSL certificate on the VMware vCenter Support Assistant appliance

    Hello

    I need to replace the certificate on the VMware vCenter Support Assistant appliance but get the error below.


    Key file is empty, does not contain a private key or contains an unsupported key type. Supported key types are PKCS #1 and PKCS #8.


    However, the official product documentation on pages 19 and 20 gives the procedure below.



    Replace Your vCenter Support Assistant SSL Certificate

    vCenter Support Assistant uses a self-signed certificate. You can change your SSL certificate in accordance with your company's policy for SSL certificates.

    Procedure

    1. In a Web browser, go to the IP address of the appliance.

    2. Log in to the vCenter Support Assistant appliance.

    3. Click the VA Settings tab.

    4. Under SSL Configuration, in the Private key (.pem) text box, click Choose File.

    5. In the file browser window, navigate to the directory that contains your certificate, select the private key (*.pem) that corresponds to the certificate chain, and click Open.

    6. If your private key is protected by a password, in the Key password text box, type the password.

    7. In the Certificate chain (.pem, .p7b) text box, click Choose File to select your certificate chain file.

    8. In the file browser window, navigate to the directory that contains your certificate chain, select your SSL certificate chain (*.pem, *.p7b), and click Open. NOTE: If you try to add an expired certificate, a warning message indicates that you are not allowed to add the certificate.

    9. Click Apply to apply the changes.

    Could someone help me?


    Hi, people.

    After several tries, I succeeded in replacing the VSA certificate.

    1 - the DNS configuration was wrong.

    2 - The key should be exported in RSA private key format, and the .pem certificate file must be built from the service certificate plus the certification authority certificates.
