Expired STS signing Cert in vCenter 5.5

We have a vCenter 5.5 deployment that worked with certificates generated by an internal Microsoft CA. The cert was about to expire, so we created a new chain and then generated all new certificates for all services. However, the vCenter 5.5 items in the KB do not mention (or I completely missed the section) updating the STS signing certificate chain. So now, here we are, one day after the certificate expired, and we cannot access vSphere.

Any ideas on how to 'manually' update the signing cert? (I.e. use the CLI to update a key file, or something.) All references I can find just point to updating it via the Web Client, but I can't access the Web Client because the logon fails because the signing certificate has expired! Catch-22.

I found a way around the expiration date: time travel. I set the system date to a time before the cert expired and quickly logged in to the Web Client before the system could be updated to the correct date. I downloaded the new JKS cert chain and am now restarting the server (after making sure it has traveled back to the present day).

Tags: VMware
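A check that would flag a signing certificate like this one before logons start failing, as an added example that is not part of the original thread: it walks every certificate in a PEM bundle and lists those that are expired or expire within a given number of days. It assumes the chain has been exported from the keystore to PEM and that the openssl CLI is installed; the function names and the 30-day default are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): list certificates in a PEM bundle
# that are already expired or will expire within N days.
# Assumptions: the bundle is PEM, openssl is on PATH, names are illustrative.

# split_bundle FILE DIR
# Write each certificate found in FILE to DIR/cert-<nn>.pem and print the count.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n); writing = 1 }
        writing { print > out }
        /-----END CERTIFICATE-----/ { writing = 0; close(out) }
        END { print n + 0 }
    ' "$1"
}

# expiring_certs FILE DAYS
# Print "<subject> | <notAfter>" for every certificate in FILE that expires
# within DAYS days. Returns 0 if none do, 1 if any do, 2 if FILE holds no
# readable certificate.
expiring_certs() {
    ec_bundle=$1
    ec_days=$2
    ec_tmp=$(mktemp -d) || return 2
    ec_count=$(split_bundle "$ec_bundle" "$ec_tmp" 2>/dev/null) || ec_count=0
    if [ "${ec_count:-0}" -eq 0 ]; then
        rm -rf "$ec_tmp"
        return 2
    fi
    ec_status=0
    for ec_cert in "$ec_tmp"/cert-*.pem; do
        # -checkend exits non-zero when the certificate is expired or will
        # expire within the given number of seconds.
        if ! openssl x509 -in "$ec_cert" -noout -checkend $((ec_days * 86400)) >/dev/null 2>&1; then
            ec_subject=$(openssl x509 -in "$ec_cert" -noout -subject 2>/dev/null)
            ec_end=$(openssl x509 -in "$ec_cert" -noout -enddate 2>/dev/null)
            echo "$ec_subject | $ec_end"
            ec_status=1
        fi
    done
    rm -rf "$ec_tmp"
    return $ec_status
}

# Stand-alone use: sh check-expiry.sh chain.pem [days]
if [ "$#" -ge 1 ]; then
    expiring_certs "$1" "${2:-30}"
fi
```

Run from a scheduled job, a non-zero exit status is the signal to rotate the chain while the management interface is still reachable.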

Similar Questions

  • Using CA signed CERT on 5.5U2 device and SRM 5.8 vCenter (vPostgres)

    Updated all our vCenters to 5.5U2.  Also upgraded to the latest vSphere Replication as well. No problems.  Everything works fine.

    Tried to (re)install the SRM 5.8 components.

    One site uses Windows vCenter, and the upgrade went well, using a CA-signed P12 cert during installation.

    The other site uses the vCenter appliance.  When installing SRM 5.8 with the P12 cert, we receive the following:

    ---

    Could not validate the certificate:

    Details:

    VMware vCenter Site Recovery Manager of the customer are not approved by vCenter Server.

    ---

    and unable to continue

    Tried to install the intermediate certificate on the Windows SRM host.  Also tried to add the intermediate certificate to the P12 cert but the message on the cert is not wrong.

    I think it has something to do with the intermediate cert not being present on the vCenter server, so it is unable to completely validate the cert chain.  I do not know if it can be installed on the vCenter appliance so that it is able to validate the chain this way.

    Logged a call about that, but I was wondering if anyone has encountered this and might have a workaround.

    Hi Joel,

    To make vCenter Server trust the SRM certificates, you must do the following:

    1. Copy the CA cert file (not sure if only the intermediate would be enough or the entire chain) into /etc/ssl/certs on the vCenter appliance

    2. Run c_rehash in the vCenter appliance console

    Kind regards

    Asen

  • Setting up Certification Authority (CA) signed certificates for vCenter Server Appliance 6

    Hi all

    Recently, I managed to migrate to vCenter Server Appliance 6. For 5.5, there was a great KB (2057223) on configuring Certificate Authority (CA) signed certificates for vCenter Server Appliance. I tried to follow it to configure the certificate for v6.

    Unfortunately, I understand that some services such as lighttpd have changed in this version.

    Can anyone provide a new instruction for the v6?

    Thank you

    Thank you. That helped me to get the idea. However, the explanation on those pages was not complete. I had to search for more.

    This blog helped me solve my problem with the generated certificate:

    http://longwhiteclouds.com/2015/03/22/vSphere-6-using-Vmca-as-a-subordinate-CA/

  • Replace self-signed CERT with CA Cert signed

    I have a vCAC 6.1 environment.  I am using the vCAC documentation to replace the self-signed cert.  When I get to this step in the documentation it fails - vCloud Automation Center Library

    Is the below error telling me there is a problem with the wstvcacapp01 cert?  Problem RemoteCertificateNameMismatch?

    C:\Program Files (x86)\VMware\vCAC\Web API\ConfigTool> Vcac-Config.exe DownloadRootCertificates -Pkcs7CertPath "C:\Program Files (x86)\VMware\vCAC\Web API\SSO.p7b" -v

    System.Data.Services.Client.DataServiceQueryException: An error occurred during the processing of this request. ---> System.Data.Services.Client.DataServiceClientException: <!DOCTYPE html>


    Warning: Non-zero return code. Command failed.

    I could be totally off, but first thing: the vCAC appliance and identity server certs must be in PEM format.

    Sounds like the root chain that you are importing.

    I say the following:

    http://www.virtualizationteam.com/cloud/generating-certificates-for-the-identity-appliancevcac-appliance.html

    This will tell you how to create certificates and import them.

  • VCSA 6.0: Replace external SSL by CA signed CERT certificates

    We would like to use third-party CA-signed SSL certificates for our external vSphere components (e.g. vSphere Web Client, web console, ...), so that users accessing vSphere need not trust internal CA certificates. For vSphere 5.5, there was a complicated but workable solution.

    For vSphere 6, some documentation on VMCA is available and it looks possible to replace the Machine SSL certificates with custom certificates, but I'm not completely sure if it's the best/recommended approach. Specifically, it seems that this approach always replaces a number of internal certificates as well, although I would prefer to replace only the external certificates.

    Does anyone have experience with this?

    Looks like the way to go is by using the Certificate Manager tool (/usr/lib/vmware-vmca/bin/certificate-manager) with option 1, replace the Machine SSL certificate with a custom certificate.

    Unfortunately, this generates an error:

    Error while replacing Machine SSL Cert, please see /var/log/vmware/vmcad/certificate-manager.log for more information.

    And the log shows:

    2015-03-13T22:31:28.906Z INFO certificate-manager Command executed successfully
    2015-03-13T22:31:28.906Z INFO certificate-manager Certificate backup created successfully
    2015-03-13T22:31:28.907Z INFO certificate-manager Running command: ['/usr/lib/vmware-vmafd/bin/dir-cli', 'trustedcert', 'publish', '--cert', '/root/ssl/chain.crt', '--password', '*']
    2015-03-13T22:31:28.920Z INFO certificate-manager Command output: -
    2015-03-13T22:31:28.921Z ERROR certificate-manager
    2015-03-13T22:31:28.921Z ERROR certificate-manager Error while replacing Machine SSL Cert, please see /var/log/vmware/vmcad/certificate-manager.log for more information.
    2015-03-13T22:31:28.921Z ERROR certificate-manager {
        "resolution": null,
        "detail": [
            {
                "args": [
                    ""
                ],
                "id": "install.ciscommon.command.errinvoke",
                "localized": "An error has occurred during the call to the external command: ''",
                "translatable": "An error has occurred during the call to the external command: '%(0)s'"
            },
            "Error while publishing cert using dir-cli."
        ],
        "componentKey": null,
        "problemId": null
    }

    Not very useful, but running this command ourselves clarifies things:

    vc:~ # /usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert /root/ssl/chain.crt

    Enter the password for [email protected]:

    The file [/root/ssl/chain.crt] contains more than 1 certificate

    If you want to publish a certificate chain, use the command "trustedcert publish" with the --chain flag.

    dir-cli failed. Error 13: Possible errors:

    LDAP error: Confidentiality required

    Win Error: Operation failed with error ERROR_INVALID_DATA (13)

    Ah! We need the --chain flag because we use a chain of CA certificates instead of a single root certificate. Patch the certificate-manager library to include this option:

    vc:~ # sed -i "/trustedcert/ s/\$/ '--chain',/" /usr/lib/vmware/site-packages/cis/certificateManagerOps.py

    And optionally check that line 434 was edited to add this flag:

    vc:~ # vim +434 /usr/lib/vmware/site-packages/cis/certificateManagerOps.py

    Now, all that's left is running Certificate Manager again to take advantage of our CA-signed cert!

  • installation of licenses for unit 3 expiration vSphere ESX 4 & 1 vCenter server

    Hello

    I have a problem installing vSphere licenses for 3 expired ESX 4 units and 1 vCenter Server.

    I have 3 ESX 4 servers and 1 vCenter Server installed on the evaluation version; all were connected and working well.

    Today I saw the evaluation had expired, and I installed a purchased license for vCenter, which now works well. 1 of the 3 ESX servers connected automatically, and I entered the license key for that ESX box, but I was not able to enter a license key for the other 2 ESX 4 boxes.

    So what I did was connect to ESX 4 directly from the vSphere Client and enter a license key. It activated, but when I disconnected and tried to connect once again to vCenter, it does not say "your ESX Server license has expired".

    So my question is: why can't I bring the ESX 4 boxes back into vCenter? What could be the possible solution?

    Help, please.

    Thank you

    Rashid

    You can enter all licenses (all serial numbers) in vCenter and then just assign a particular serial number (license) via vCenter.

    ---

    MCSA, MCTS, VCP, VMware vExpert 2009

    http://blog.vadmin.ru

  • Replacement of the SSL Cert - 5/vCenter vCenter Inventory Service

    Running into this issue while rolling out our next-generation vCenter 5 infrastructure.  I was wondering if someone else has run into this before.

    We create internally signed certificates and use these certificates for the vCenter service and the Inventory Service.  I stop the vCenter service, replace the vCenter cert, reset the DB password and then start the vCenter service.  That works very well and I am able to connect to vCenter, but when I go to start the Inventory Service (cert for the Inventory Service untouched) the service fails.  I worked with this in our lab, and there the certs could be replaced separately from one another.  All ideas are welcome.

    Thank you

    When you generated your own pfx, what was the password?

    It must be "testpassword".

      openssl pkcs12 -export -in ./certs/rui.crt -inkey ./private/rui.key -name rui -passout pass:testpassword -out ./certs/rui.pfx
    

    If this is not the case, the inventory service does not start.

  • SHA - 256 signed Cert for SSL VPN

    I get an error when trying to install an identity certificate that is signed with SHA256 on an ASA 5520 running 8.3(2).  I get "ERROR: cannot analyse or check the imported certificate."  The correct chain of authority is in place, and if I install a SHA1-signed cert from the same company with the same chain, it works fine.  Are the ASAs able to import SHA256-signed certs?  Must the CSR be generated differently if you want to import a SHA256-signed certificate?

    Hello

    The ASAs are not currently able to import SHA256-signed certificates in the 8.3 code.  It should be available some time soon - talk to your account team for more details.

    -Jason

  • Red vCenter - unable to check CA (PSC) signed SSL certificate vCenter VMware

    I am trying to deploy a new Horizon View 7 environment based on vSphere 6 U2 to replace our existing View 5.3 pod. I have a Windows vCenter Server with a separate Windows PSC. I used the PSC to sign the SSL certificate for vCenter, and downloaded and added the root CA certificate to the required workstations and servers via Group Policy. If I navigate to vCenter from a desktop with the root CA installed, all is well on the HTTPS front. I added this vCenter Server to my View environment but it appears in red on the View dashboard. I clicked on the vCenter Server and verified the certificate, but it never goes green. Both connection servers have the root CA installed, and if I launch a browser from the connection server itself and navigate to the vCenter FQDN, the certificate is trusted.

    Any ideas?

    I cannot create pools because View is not currently communicating with vCenter properly, and it won't let me choose a virtual machine template.

    If you need to know more details please let me know and I'll happily supply them.

    Thanks in advance.

    Having re-read the Horizon View 7 documentation to confirm that I had taken the correct steps already, I decided to restart both of my new connection servers, which solved the problem. My vCenter Server now shows in green in the dashboard and I was able to successfully deploy desktops.

  • Replace the SSL certificate of Log Insight with a CA-signed cert

    I'm trying to generate a cert for Log Insight using the method described in this blog post (below) using an automated batch file

    http://www.derekseaman.com/2012/09/VMware-vCenter-51-installation-part-2.html

    The resulting chain.pem file includes my cert and the CA cert chain.  When I try to add it to Log Insight, it says that the cert is invalid.  Can you guys provide suggestions on how to change this piece of batch code to work with Log Insight?  The meat of the batch file is listed below (I just left out all the variables that are defined in advance)

      cd /d %Cert_Path%\loginsight
      %OpenSSL_BIN% genrsa 2048 > rui.key
      %OpenSSL_BIN% req -out rui.csr -key rui.key -new -config loginsight.cfg
      certreq -submit -q -f -config "%nom_autorite_de_certification%" -attrib "CertificateTemplate:%Cert_Template%" rui.csr rui.crt
      %OpenSSL_BIN% pkcs12 -export -in rui.crt -inkey rui.key -certfile %CA_Cert_Chain% -name rui -out rui.pem
      copy /b rui.crt + %CA_Cert_Chain% chain.pem

    You must have a file that contains the key and the chain, otherwise you will get an error. This command:

      %OpenSSL_BIN% pkcs12 -export -in rui.crt -inkey rui.key -certfile %CA_Cert_Chain% -name rui -out rui.pem

    creates a file, but rui.pem is incorrect. It is actually creating a rui.pfx (see the bottom of this link: The Most Common OpenSSL Commands). I think the problem is that you have the -nodes flag at the end of the command (see What is the purpose of the -nodes argument in openssl? - Stack Overflow). A visual way to check is to open the .pem and ensure it contains a -----BEGIN RSA PRIVATE KEY----- section. The chain.pem does not work and the rui.pem is binary, so both of these will fail. I hope this helps!
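What the dir-cli thread (a file with more than one certificate needs the --chain flag) and the Log Insight thread (rui.pem is binary, chain.pem has no key) both turn on can be checked before anything is uploaded. This added example, not code from either poster, reports whether a file is PEM at all, how many certificates it holds, and whether it carries a private key that matches the first certificate; it assumes the openssl CLI is installed, and the function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the threads above): report what a ".pem" file
# really contains before handing it to an appliance.
# Assumptions: openssl is on PATH; function and file names are illustrative.

# extract_block FILE REGEX N
# Print the Nth PEM block in FILE whose BEGIN line matches REGEX.
extract_block() {
    awk -v re="$2" -v want="$3" '
        /^-----BEGIN / && $0 ~ re { n++; if (n == want) on = 1 }
        on { print }
        /^-----END / { on = 0 }
    ' "$1"
}

# inspect_bundle FILE
# Print one line: format=<pem|not-pem> certs=<n> key=<yes|no> keymatch=<yes|no|n/a>
# Returns 1 when FILE has no PEM armour, 2 on a temp-dir failure, else 0.
inspect_bundle() {
    ib_file=$1
    if ! LC_ALL=C grep -q -e '^-----BEGIN ' "$ib_file" 2>/dev/null; then
        # No PEM armour: DER or PKCS#12 (which is what "pkcs12 -export"
        # writes), whatever extension the file was given.
        echo "format=not-pem certs=0 key=no keymatch=n/a"
        return 1
    fi
    # grep -c prints 0 and exits non-zero when nothing matches.
    ib_certs=$(LC_ALL=C grep -c -e '^-----BEGIN CERTIFICATE-----' "$ib_file") || ib_certs=0
    ib_key=no
    ib_match=n/a
    # Matches traditional (RSA/EC) and PKCS#8 private key labels alike.
    if LC_ALL=C grep -q -e '^-----BEGIN .*PRIVATE KEY-----' "$ib_file"; then
        ib_key=yes
        if [ "$ib_certs" -gt 0 ]; then
            ib_tmp=$(mktemp -d) || return 2
            extract_block "$ib_file" 'PRIVATE KEY' 1 > "$ib_tmp/key.pem"
            extract_block "$ib_file" 'BEGIN CERTIFICATE' 1 > "$ib_tmp/leaf.pem"
            # Compare the public key derived from the private key with the one
            # embedded in the first certificate. The empty -passin keeps an
            # encrypted key from prompting; it is then reported as a mismatch.
            ib_kpub=$(openssl pkey -in "$ib_tmp/key.pem" -passin pass: -pubout 2>/dev/null) || ib_kpub=
            ib_cpub=$(openssl x509 -in "$ib_tmp/leaf.pem" -noout -pubkey 2>/dev/null) || ib_cpub=
            if [ -n "$ib_kpub" ] && [ "$ib_kpub" = "$ib_cpub" ]; then
                ib_match=yes
            else
                ib_match=no
            fi
            rm -rf "$ib_tmp"
        fi
    fi
    echo "format=pem certs=$ib_certs key=$ib_key keymatch=$ib_match"
}

# Stand-alone use: sh inspect-bundle.sh rui.pem
if [ "$#" -ge 1 ]; then
    inspect_bundle "$1"
fi
```

A PKCS#12 file saved under the name rui.pem reports format=not-pem, and a certificate-only chain.pem reports key=no with certs greater than 1. Current OpenSSL releases label unencrypted keys BEGIN PRIVATE KEY (PKCS#8) rather than BEGIN RSA PRIVATE KEY, so the check matches both labels.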

  • WaveMaker 6.5 and vCO 5.1 - default self signed CERT

    This is a little off topic, but I'm curious to know if anyone out there connected WaveMaker 6.5.x (web service) to vCO 5.1 (SOAP or REST) when the vCO is configured using the default self-signed certificates SSL (vanilla vCO 5.1 device).

    I get the following error even after importing the vCO "localhost.localdom" cert into my Java keystore and restarting WaveMaker:

    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

    Looks like real certs should work, or ones you have signed by your own CA, but this isn't the case with the out-of-the-box vCO appliance.

    Related links:

    http://mighty-virtualization.blogspot.com/2012/09/WaveMaker-handling-SSL-certificates.html?showComment=1351627607456#c2610948026372492253

    http://dev.WaveMaker.com/forums/?q=node/8424

    Hello!

    I think that the host name of the certificate must match the host name you are trying to reach.

    So the default localhost.localdom certificate works only if you try to connect to vCO as localhost.localdom (it might be worth a quick shot: edit the hosts file on your WaveMaker system :-))

    To change the certificate on vCO to match the real hostname of the vCO box, see here:

    http://www.vcoteam.info/learn-VCO/work-with-VCO-over-SSL.html

    http://EnterpriseAdmins.org/blog/virtualization/VCO-appliance-and-SSL-certificates/

    After changing it, removing the old one and importing the new one into the WaveMaker keystore, it should work... Let us know! :-)

    As a heavyweight workaround: you can skip using the WaveMaker web service tool and create your own JavaService. See an example here: http://blog.mightycare.de/en/2012/06/wavemaker-spring-and-vmware-infrastructure/

    PS: The example uses the old SOAP API of vCO, but you get the idea (and links to Java for the new REST API: https://yourvcoserver:8281/api/docs/downloads.html)

    PPS: It's in German, but you can download the sample project at the end of the article. If you need a translation or more discussion about this, let me know...

    See you soon,

    Joerg

  • How to sign out in vCenter server without prompting the user to confirm?

    Hi all

    I'm new to VMware Tools/products.

    I use the following command to disconnect from the vCenter server,

    Disconnect-VIServer -Server * -Force

    The above command prompts me to confirm the disconnection, but I don't want to be prompted to confirm.

    Is it possible to log out without confirmation?

    Try Disconnect-VIServer -Confirm:$false...

    / Rubeck

  • ACS SE and Self sign Cert

    How can I get the automatically generated certificate off the ACS SE? Is FTP the only option? I already have the TEC installed on the ACS but I need to get a copy of it.

    You need FTP. To get it, there is no other choice.

    Kind regards

    ~ JG

    Note the useful messages

  • With the help of a cert publicly signed on ASA 5505

    I want to use a certificate signed by DigiCert or VeriSign on my ASA so that AnyConnect does not freak out about an untrusted cert.

    I created the CSR and I downloaded the certificate, but it still shows the old untrusted self-signed cert.  Where am I going wrong?

    You must apply the certificate on the outside interface where you have enabled WebVPN.

    Here's what you need to do

    ASDM

    Step 5. Configure WebVPN to use the newly installed certificate

    ASDM Procedure

    1. Click Configuration, and then click Device Management.

    2. Expand Advanced, and then expand SSL Settings.

    3. Under Certificates, select the interface that is used to terminate WebVPN sessions.

      In this example, the outside interface is used.

    4. Click Edit.

    5. In the Certificate drop-down list, select the certificate installed in step 4.

    6. Click OK.

    7. Click Apply.

      Your new certificate should now be used for all WebVPN sessions ending on the specified interface.

    Otherwise, you can do it from the command line:

    ssl trust-point my.trustpoint outside

    where

    my.trustpoint is the trustpoint name that you have defined for your certificate.

    You also need to make sure that you complete the certificate chain on the ASA as well.

    Kindly let me know if that helps.

    Kind regards

    Bad Boy

    P.S. Please mark this message as 'Responded' If you find this information useful so that it brings goodness to other users of the community

  • VCenter 5.5 install question for vCenter single sign on Information

    During the new installation of Vcenter Server on Windows 2008 R2 SP1, I get "Error 29102"

    My DNS and reverse DNS work. It is a new, first vCenter Server, and the log file it refers to, vm_ssoreg.log, does not exist anywhere. I don't know why it attempts to find a Lookup Service which does not yet exist on the system.

    Using the fully qualified name or the IP gives the same message, and I was careful not to use ' or " characters; I tried different passwords to be sure.

    Not sure I like this new feature

    Had to just go back and do a custom install in the proper order:

    vCenter Single Sign-On

    vCenter Inventory Service

    vCenter Server

    Using the Simple Install was the origin of the issues, so I uninstalled and did not use it; things now work.

    Mike
