Red vCenter - unable to check CA (PSC) signed SSL certificate vCenter VMware

I am trying to deploy a new Horizon View 7 environment based on vSphere 6 U2 to replace our existing View 5.3 pod. I have a Windows vCenter Server with a separate Windows PSC. I used a PSC-signed SSL certificate for vCenter, then downloaded the root certificate authority certificate and added it to the required workstations and servers via Group Policy. If I navigate to vCenter from a desktop with the CA root installed, all is well on the HTTPS front. I added this vCenter Server to my View environment, but it appears in red on the View dashboard. I clicked on the vCenter Server and verified the certificate, but it never goes green. The two connection servers have the CA root installed, and if I launch a browser on a connection server itself and navigate to the vCenter FQDN, the certificate is accepted.

Any ideas?

I cannot create pools because View is not currently communicating with vCenter properly, and it won't let me choose a virtual machine model.

If you need to know more details please let me know and I'll happily supply.

Thanks in advance.

Having re-read the Horizon View 7 documentation to confirm that I had already taken the correct steps, I decided to restart both of my new connection servers, and that solved the problem. My vCenter Server now shows green in the dashboard and I was able to deploy desktops successfully.


Similar Questions

  • CA-signed SSL certificates on vCenter 5.1 installation (server or device)

    I recently upgraded my ESXi hosts from 5.0 to 5.1 and they all kept the CA-signed SSL certificates that I had installed previously. I did a new install of vCenter 5.1 Server where the same box ran the SSO, Inventory, vCenter Server and Update Manager services. After installing, everything worked perfectly except that none of the vCenter services used my CA-signed SSL certificate - only the ESXi 5.1 hosts had these.

    So, I followed the instructions in the "Replacing Default vCenter 5.1 and ESXi Certificates" PDF found at http://www.vmware.com/resources/techresources/10318. The document is terrible. For example, page 10 lists the locations of three default SSL certificates on Windows 2008. None of these paths are correct. The first has a typo, an extra space between "Program" and "Data", and the other two say "Program Files" when they should have been "ProgramData". This is just the beginning of the problems.

    If you follow the instructions to the letter, you'll break vCenter. I got frustrated and thought I'd give the vCenter 5.1 device a shot. With regard to CA-signed SSL certificates, it was worse. The vCenter 5.1 device can even automatically generate a new SSL certificate if you change the host name (turn on auto-certificate generation, change the hostname and restart). It gives an error 653 during the boot process and keeps the original certificate. Even bother trying the steps on page 18 of the above-mentioned guide - you will get just the same error 653.

    It seems to me that VMware did not all tests around the CA-signed SSL certificate on vCenter 5.1 installation. It's amazing to me that the installation of the SSL certificate is so tedious for ESXi and vCenter when vShield Manager 5.1 has a very simple process that works well (and is similar to the installation procedure for Certificate SSL on the DRAC, ASR, breeding various firewalls, etc.).

    I did a lot of research on Google and found various articles on the installation of the SSL certificate, but most were based on GA pre - 5.1 products. If you have any installation of certificates SSL CA-signed success with vCenter Server or device 5.1 GA, let me know how you got around some of these issues. Please indicate if your vCenter Server or device will run on a 5.1 GA ESXi host as well. Please do not answer about vCenter 5.0 - I had no problem with SSL certificates (other than it was more painful to be).

    Thanks in advance,

    Nate

    Finally I managed to install giving him to 127.0.0.1 instead of the period of INVESTIGATION, accessible from the outside of the vCenter server, it's very well in my case the vCenter and VUM server are on the same VM but its not exactly ideal for deployments of more large.

  • Self-signed SSL certificate is not possible?

    Hi all

    the ILO is not yet possible to let flex' webservice or httpservice to connect to a
    WebService https secured by a self-signed certificate? There is absolutely no reason
    for me to buy a 'real' certificate just for encryption purposes.
    I installed crossdomain.xml on the target server, the Web service works well when pasting
    the URL in the browser and I have installed the certificate in IE (which I use here), then
    is no error and shows the OWL small lock in the address bar. But Flex refuses to work,
    except for run the application locally (means by clicking on "run" in flex builder).
    I'm using Flex 2.01 so important.

    So, could someone help me? Or Flex so ignorant for self-signed webservices?

    Good bye
    sysFor

    Hi sysfor,

    I am using the appropriate production and development self-signed SSL certificates in & don't test, no problems so far.
    Flex/Flash is not the authentication of SSL certificates - this task is delegated to the browser.

    So I suppose you are faced with a different type of problem - your crossdomain.xml is not configured correctly.
    Have you checked the log of policyfiles.txt?
    Another point, you're probably doing is called direct URL (https://myhost/path). Instead, you must use a relative path. For example if your swf file has been downloaded from the server myhost, then he should just make the calls in / path.

    See you soon,.
    Dmitri.

  • Does anyone know if the version of Cisco Clean Access Server supports the 4.1 (8) SHA - 256 signed SSL certificates?

    Yes, I know they are very old servers and technically, we should move away from CASES in total. But unfortunately, it's an environment I inherited, and I am now dealing with issues.  Because of the requirement to move away from sha - 1 signed certificates that I need to replace my existing certs, certs signature sha-256.  But before I do that I would like to know if anyone knows if CASE version 4.1 (8) supports SHA - 256 certificates?  I did check the release notes, but there is no mention of the supported versions of SHA, etc..  I tried TACS but no joy there either, etc..

    Hello Rafael,.

    Support for SHA-2 signed certificates was added in 4.7.2 for SCS and CAM.

    We have filed a default document to have it documented in the release notes.
    CSCud99946    Note of support for the NAC should say we support certs of SHA - 2

    Kind regards

    Jousset

  • Thunderbird does not recognize a self-signed SSL certificate

    Dear support,

    I have a very strange problem that I don't understand.

    I run a server ISP offering IMAP and TLS/SSL HTTPS encryption. Both services use the same SSL certificate issued by RapidSSL/GeoTrust Server edward.ennabe.de

    When I open an https connection to the server, Firefox correctly solves the certificate chain and use the certification authority root Equifax (which is correct).
    However, when I try to connect to a mailbox via Thunderbird, all I get in the hierarchy of certificates is my server edward.ennabe.de. I don't think that it's "working as intended", or is it?

    Is something wrong with my Thunderbird or My Dovecot configuration? What is really strange that firefox recognizes it correctly.

    Thanks in advance

    Kind regards

    ZeroEnna

    In Thunderbird, click the 'Details' tab in the certificate display.
    Are all the CA certificates listed in the "Certificate hierarchy" field also installed in your Thunderbird certificate store?
    When checking this, look at the 'Authorities' tab.
    If certificates in the chain are missing from the Thunderbird certificate store (for whatever reason), you can try to export them from Firefox and import them into Thunderbird.

  • HPDM: HPDM replace self signed SSL certificates for server HDPM and master repository

    I am trying to replace the automatically generated self-signed certificates (issued to DM) issued by DM server HDPM and master repository.  I'm NOT arbitration FTPS, HTTPS embedded HPDM or CERT Thin Client Agent server.

    I already have CERT for the installation of our own internal domain CA for FTPS in IIS and the built-in Apache HTTPS server.  These work properly and pass tests of repository for both protocols.  I also have questions for Thin Clients of our internal CA very well.

    I am interested in the HPDM real server cert and cert master repository. These are generated automatically when the two services start.  They use a very weak MD5 hash and key RSA 1024.  I can't find any documentation around that, with the exception of troubleshooting, in which you can remove these certificates restart services and they will be regenerated.

    Here are the paths certs\key
    HPDM % install Path%\MasterRepositoryController\Controller.crt (Cert repository)

    HPDM % install Path%\MasterRepositoryController\Controller.key (repository key)

    HPDM % install Path%\MasterRepositoryController\Client.crt (HPDM Server Cert)

    HPDM % install Path%\Server\Bin\hpdmskey.keystore (Both HPDM server and repository Certs and keys) (not sure what format it is in.  It is not PEM and P12 ok I can say)

    There are also some HPDM % install Path%\Server\bin\hpdmcert.key.  Don't know what it is.  It's the key to the server HPDM but deleting it does nothing and it is never re auto generated in one of my tests.

    I am able to replace the Controller.crt and keys with my own files CA internal those emitted very well.  The service started and no errors occur.  However if I replace the Client.cert (HPDM Server Cert) with my own service will start but there are Socket SSL errors in repository logs and the HPDM server could not connect to the master repository. I have no idea where the key file is supposed to be for HPDM Server Cert.

    Can anyone help with this?  I can't find the configuration files for the service to generate their own certificates.  If I did I would try at least to change the config to do not use MD5.

    Hello

    These certificates between the HPDM server and MRC are not designed to be customizable. Please submit a scenario if you have security concerns about it.

    Just for info:

    hpdmcert.key is for communication between the HPDM server and the HPDM gateway

    hpdmskey.keystore is for communication between the HPDM server and MRC

    server_keystore is for the communication between the HPDM server and the HPDM Console

  • How to get SSL certificates installed on VMware vCenter 6.0 device

    Hiya,

    I have been struggling to get SSL certificates installed for a few days now; it always seems to fail on the vpxd_servicecfg command.

    I followed tutorials like: https://myvirtualife.net/2014/04/01/how-to-replace-default-vcsa-5-5-certificates-with-microsoft-ca-signed-certificates/

    There are more out there, but they are all similar to each other. I followed it to the letter, but all I get is:

    vCenter:/ssl/vCenterSSO # /usr/sbin/vpxd_servicecfg certificate change chain.pem rui.key

    VC_CFG_RESULT=650

    The only thing I can imagine is that there is a difference between vCenter 5.5 and 6.0, but other than that I don't know how to solve this problem.

    Can anyone help?

    Kind regards.

    This could take up a lot of your time, but I suggest you go through the related KB in detail.

    VMware KB: Replacement of default certificates with CA-signed SSL certificates in vSphere 6.0

  • VCSA 6.0: Replace external SSL by CA signed CERT certificates

    We would like to use third-party CA-signed SSL certificates for our external vSphere components (e.g. vSphere Web Client, web console, ...), so that users who access vSphere do not need to trust internal CA certificates. In vSphere 5.5, there was a complicated but workable solution.

    For vSphere 6, some documentation on VMCA is available and it looks to replace Certificates SSL of Machine with personalized certificates, but I'm not completely sure if it's the best/recommended approach. Specifically, it seems that this approach always replaces a number of internal certificates, although I prefer to replace only the external certificates.

    Does anyone have experience with this?

    It looks like the way to go is the Certificate Manager tool (/usr/lib/vmware-vmca/bin/certificate-manager) with option 1, replace the Machine SSL certificate with a custom certificate.

    Unfortunately, this generates an error:

    Error when changing Machine SSL Cert, please visit /var/log/vmware/vmcad/certificate-manager.log for more information.

    And the log shows:

    2015-03-13T22:31:28.906Z INFO certificate-manager command executed successfully
    2015-03-13T22:31:28.906Z INFO certificate-manager certificate backup created successfully
    2015-03-13T22:31:28.907Z INFO certificate-manager command duration: ['/usr/lib/vmware-vmafd/bin/dir-cli', 'trustedcert', 'publish', '--cert', '/root/ssl/chain.crt', '--password', '*']
    2015-03-13T22:31:28.920Z INFO certificate-manager output of the command: -.
    2015-03-13T22:31:28.921Z ERROR certificate-manager
    2015-03-13T22:31:28.921Z ERROR certificate-manager error when replacing machine SSL Cert, please visit /var/log/vmware/vmcad/certificate-manager.log for more information.
    2015-03-13T22:31:28.921Z ERROR certificate-manager {
        "resolution": null,
        "detail": [
            {
                "args": [
                    ""
                ],
                "id": "install.ciscommon.command.errinvoke",
                "localized": "an error has occurred during the call to the external command:",
                "translatable": "an error has occurred during the call to the external command: '%(0)s'"
            },
            "Error while publishing cert using dir-cli."
        ],
        "componentKey": null,
        "problemId": null
    }

    Not very useful, but running this command ourselves clarifies things:

    vc:~ # /usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert /root/ssl/chain.crt
    Enter the password for [email protected]:
    The file [/root/ssl/chain.crt] contains more than 1 certificate
    If you want to publish a certificate chain, use the command "trustedcert publish" with the --chain flag.
    dir-cli failed. Possible error 13: Errors:
    LDAP error: confidentiality required
    Win Error: Operation failed with error ERROR_INVALID_DATA (13)

    Ah! We need the --chain flag because we use a chain of CA certificates instead of a single root certificate. Patch the Certificate Manager library to include this option:

    vc:~ # sed -i "/trustedcert/ s/\$/ '--chain',/" /usr/lib/vmware/site-packages/cis/certificateManagerOps.py

    And optionally check that line 434 was edited to add this flag:

    vc:~ # vim +434 /usr/lib/vmware/site-packages/cis/certificateManagerOps.py

    Now all that's left is to run Certificate Manager again to take advantage of our CA-signed cert!
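
The failure in the post above comes from handing a multi-certificate PEM bundle to a step that expects a single certificate. The following script is an added example, not part of the original post or of VMware's tooling: it counts the certificates in a bundle and checks that they run leaf first, root last. The file names and the three-tier CA are constructed for the demonstration, and `openssl` is assumed to be installed.

```shell
#!/bin/sh
# Added example: inspect a PEM bundle before publishing it as a trusted chain.
# Every key, name and certificate below is constructed test data.

# Print the number of certificates in PEM file $1 (0 if there are none).
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Split bundle $1 into $2/cert-01.pem, $2/cert-02.pem, ... in file order.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$1"
}

# Return 0 if bundle $1 is ordered leaf first, root last: every certificate
# is signed by the one after it and the last one is self-signed.
chain_order_ok() {
    parts=$(mktemp -d) || return 2
    split_bundle "$1" "$parts"
    total=$(count_certs "$1")
    status=0
    i=1
    while [ "$i" -lt "$total" ]; do
        cur=$(printf '%s/cert-%02d.pem' "$parts" "$i")
        nxt=$(printf '%s/cert-%02d.pem' "$parts" "$((i + 1))")
        # -partial_chain lets the next certificate act as the trust anchor.
        openssl verify -partial_chain -CAfile "$nxt" "$cur" 2>/dev/null |
            grep -q ': OK' || status=1
        i=$((i + 1))
    done
    # Without -partial_chain only a self-signed certificate verifies here.
    last=$(printf '%s/cert-%02d.pem' "$parts" "$total")
    openssl verify -CAfile "$last" "$last" 2>/dev/null | grep -q ': OK' || status=1
    rm -rf "$parts"
    return "$status"
}

# Classify bundle $1: "single", "chain" (needs the chain option the post
# describes) or "chain-misordered".
describe_bundle() {
    if [ "$(count_certs "$1")" -le 1 ]; then
        echo single
    elif chain_order_ok "$1"; then
        echo chain
    else
        echo chain-misordered
    fi
}

# Build a constructed root -> intermediate -> leaf PKI in directory $1.
make_demo_pki() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    for n in root inter leaf; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$n.key" \
            -out "$d/$n.csr" -subj "/CN=Example $n (constructed)" 2>/dev/null
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -sha256 \
        -days 2 -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 2 -sha256 -days 2 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -set_serial 3 -sha256 -days 2 -out "$d/leaf.pem" 2>/dev/null
    cat "$d/leaf.pem" "$d/inter.pem" "$d/root.pem" > "$d/chain.crt"
    cat "$d/leaf.pem" "$d/root.pem" "$d/inter.pem" > "$d/shuffled.crt"
}

DEMO=$(mktemp -d)   # remove this directory when finished
make_demo_pki "$DEMO"
for f in leaf.pem chain.crt shuffled.crt; do
    printf '%-13s certs=%s kind=%s\n' "$f" \
        "$(count_certs "$DEMO/$f")" "$(describe_bundle "$DEMO/$f")"
done
```
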

  • My 5s iphone suddenly showed no service, then I made an attempt to update to ios and itunes connected, now iphone is not enable and display cannot connect to the server and in itunes it shows unable to check your device.please help me

    My 5s iphone suddenly showed no service, then I made an attempt to update to ios and itunes connected, now iphone is not enable and display cannot connect to the server and in itunes it shows unable to check your device.please help me

    Assuming that you have a valid SIM card in the phone, it is more often symptomatic of a phone that has been hacked or jailbroken to unlock.

    Where do you have the phone first?

  • Error code: 80070490 (Windows is unable to check the updates)

    I get the error code 80070490 (windows is unable to check the updates) I did a system restore, full scan, virus, malware, rootkit, adware and spy ware.  Downloaded and installed the suggested fix for this issue on the microsoft site.  Nothing seems to help.  Any suggestions?

    Hello Pstrjohn,

    Thank you for your message.  You can also click HERE for more information about the Windows Update error Code: 80070490.

    See you soon

    Jason H. Engineer Support of Microsoft answers visit our Microsoft answers feedback Forum and let us know what you think.

  • Volume on the taskbar was hidden without changing the setting.__Try to reset the taskbar of the notification area, but the volume box is gray and unable to check the brandname.

    Volume on the taskbar was hidden without changed the setting.
    Try to reset the taskbar of the notification area, but the volume box is gray and unable to check the brandname.

    Missing notification icons:
    3 ways to recover...
    (1.) the easy way, if you're lucky:
    Right click on the task bar > click Properties > at the top, click on Notification area > can you put a check mark on the network? If so, you're done.

    If it is unclickable.
    2.) use this tutorial:
    http://www.Vistax64.com/tutorials/106787-notification-area-system-icons.html
    Depending on the version of Vista, you have, use the method two or three.
    One when you're done, return to #1 above and click on the box.

    3.) do a system restore. Choose the date at which the icon was present under your restore point.
    Here is the tutorial:
    http://www.Vistax64.com/tutorials/76905-System-Restore-how.html

  • Example: HP Officejet 6310: unable to check ink level hp officejet 6310 windows 8.1

    I'm unable to check the ink level on hp officejet 6310 8.1 Windows - HP Solution Center is not available on this PC.

    Hello

    Download and run the HP printer install wizard below; it will get and install the full-feature software. This includes the HP Solution Center software:

    http://ftp.HP.com/pub/softlib/software12/COL50403/MP-122330-1/hppiw.exe

    Please let me know of any changes,

    Shlomi

  • SG300-28 import self-signed SHA2 certificate to the SSL Protocol (including the format? How do I?)

    1. What is the format a certificate and private key combination should play during import to use SSL?

    2. how actually import you - via CLI or web interface.

    I'm trying to import an SSL certificate that is self-signed in the SG300-28 to secure the connection to the web interface of the switch. The certificate is signed by my own 'certification authority' / custom root certificate.

    I tried to do it via the graphical interface of web management (security > SSL server > server SSL authentication) and the command-line via SSH. I will detail my exact process below. I had no problem importing a certificate created in the same way to the Cisco RV320 router, although the web interface is different.

    How to create a certificate that is accepted by the switch?

    (Image Active) firmware version: 1.4.0.88

    My approach:

    1. OpenSSL 1.0.1f January 6, 2014; on an ubuntu 14.04 machine
    2. Create my own, certificate of self-signed root:

     openssl genrsa -out rootCA.key 2048
     openssl req -x509 -new -nodes -key rootCA.key -days 3650 -out rootCA.pem

    3. create a private key and the real certificate and sign them using the rootCA.pem:

     openssl genrsa -out switch.key 2048
     openssl req -new -key switch.key -out switch.csr
     openssl x509 -req -in switch.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out switch.crt -days 3500

    For later use, export the public key from the switch.key file using

     openssl rsa -in switch.key -pubout > switch.pubkey

    4. open the web interface of the switch and check for the SSL settings (Security > SSL server > server SSL authentication).

    4.1 click "import certificate".

    4.2 paste the contents of the switch.crt file in the ' certificate:'-textbox

    4.3 to import pair of RSA keys

    4.4. Paste the contents of the switch.pubkey file in the public key field

    4.5 by selecting the 'Clear text' radiobutton control and paste the contents of the inside switch.pubkey

    4.6 click 'apply '.

    4.7 receive an error message 'invalid key head '.

    The private key looks like this (obviously, I created a new one for this example):

     -----BEGIN RSA PRIVATE KEY----- MIIEpAIBAAKCAQEA3gOvNzKqULXnT7zL9fl4KJAZMo5eYHfwPSN0wl385na37oHz [23 more lines truncated] aB7Pooa60anjIVJmlSIp4WJ8U+52BMKJZ5rqHnJ1sBBo1zpAtcdspg== -----END RSA PRIVATE KEY-----

    I also receive a header invalid key error when you try to import the private via CLI SSH key using:

     switch(config)#crypto key import rsa

    I also converted the certificate and the private in PKCS12 and then back to the PEM key that gives me the following private key "head" which is not always accepted when pasting in the CLI:

     Bag Attributes localKeyID: FE 24 88 34 66 BE E9 DB CE 4E 91 23 2C 0E 03 B1 A7 58 32 24 Key Attributes:  -----BEGIN PRIVATE KEY----- MIIEvgIBA[...] -----END PRIVATE KEY-----

    What key header is missing / what am I doing wrong in general?

    It seems that the "crypto key import rsa" command is not suitable for importing an SSL-related private key, but rather for importing SSH keys. The "key header is missing" error means that the switch expects something other than "-----BEGIN RSA PRIVATE KEY-----", for example the headers that you can see after running "view keys cryptographic rsa" (---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----).

    To get your SSL certificate installed, you have two options:

    The CLI option:

    • create a RSA private key with command

     switch(config)#crypto certificate 2 generate key-generate 1024

    • create the certificate request with

     switch#crypto certificate 2 request

    (don't forget to provide all the information for this command, including "cn" and so on). Note that this command must be executed in privileged mode and not in configuration mode like the previous command.

    • After you run this command, you will get a certificate signing request (CSR). Copy and paste it into a new file on the server that hosts your certification authority.
    • Now sign this CSR file with the command that you have already used:

     openssl x509 -req -in switch.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out switch.crt -days 3500

    • After signing, just open the file "switch.crt" and copy all the content between the BEGIN and END lines, including those lines.
    • Then import this certificate with the command

     switch(config)#crypto certificate 2 import

    • Finally, to make your certificate active, use the following command:

     switch(config)#ip https certificate 2

    WebGUI option:

    Here, the procedure is similar to the CLI:

    • Click "Generate certificate request" in the "Security -> SSL server -> server SSL authentication" section, fill in all the necessary data and click "Generate certificate request."
    • You will get CSR data that you need to paste onto the server that holds the CA certificate.
    • Sign the certificate with an openssl command similar to the one mentioned previously.
    • Import the certificate, keeping "import RSA Key-Pair" unchecked.

    Personally, I've never managed to import both key and certificate from the outside.
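
With the CSR route described in the answer above, the private key never leaves the switch, so the checks happen on the CA side before the certificate is imported. This added example (not from the original thread; the `device*.key` files, the subject names and the 2048-bit policy minimum are assumptions) confirms that an issued certificate carries the CSR's public key, chains to the root, and reports its key size and signature digest:

```shell
#!/bin/sh
# Added example: checks on a certificate issued from a device-generated CSR.
# All keys, names and certificates are constructed at run time; the local
# "device" keys stand in for the key pair the switch keeps to itself.

# Return 0 if certificate $1 carries the same public key as CSR $2.
cert_matches_csr() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    csr_pub=$(openssl req -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$csr_pub" ]
}

# Return 0 if certificate $1 verifies against root CA certificate $2.
cert_chains_to() {
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK'
}

# Print "<key bits> <signature algorithm>" for certificate $1.
cert_strength() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | awk '
        /Signature Algorithm:/ && alg == "" { alg = $NF }
        /Public-Key: \(/                    { gsub(/[^0-9]/, ""); bits = $0 }
        END                                 { print bits, alg }'
}

# Return 0 if certificate $1 has at least $2 key bits and its signature
# does not use MD5 or SHA-1.
meets_policy() {
    strength=$(cert_strength "$1")
    bits=${strength%% *}
    alg=${strength#* }
    [ "${bits:-0}" -ge "$2" ] || return 1
    case "$alg" in
        ""|*[Mm][Dd]5*|*[Ss][Hh][Aa]1*) return 1 ;;
    esac
    return 0
}

# Build a constructed root CA plus two device CSRs and issued certificates.
make_demo() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/rootCA.key" \
        -out "$d/rootCA.csr" -subj "/CN=Example Root CA (constructed)" 2>/dev/null
    openssl x509 -req -in "$d/rootCA.csr" -signkey "$d/rootCA.key" -sha256 \
        -days 2 -extfile "$d/ca.ext" -out "$d/rootCA.pem" 2>/dev/null
    # One CSR from a 2048-bit key and one from a 1024-bit key.
    for size in 2048 1024; do
        openssl req -new -newkey "rsa:$size" -nodes -keyout "$d/device$size.key" \
            -out "$d/switch$size.csr" -subj "/CN=switch.example.test" 2>/dev/null
        openssl x509 -req -in "$d/switch$size.csr" -CA "$d/rootCA.pem" \
            -CAkey "$d/rootCA.key" -set_serial "$size" -sha256 -days 2 \
            -out "$d/switch$size.crt" 2>/dev/null
    done
}

DEMO=$(mktemp -d)   # remove this directory when finished
make_demo "$DEMO"
for size in 2048 1024; do
    crt="$DEMO/switch$size.crt"
    cert_matches_csr "$crt" "$DEMO/switch$size.csr" && m=yes || m=no
    cert_chains_to "$crt" "$DEMO/rootCA.pem" && c=yes || c=no
    meets_policy "$crt" 2048 && p=pass || p=fail
    echo "switch$size.crt: $(cert_strength "$crt") matches-csr=$m chains-to-root=$c policy=$p"
done
```
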

  • Error update vcenter SSL certificate?

    Hello people,

    I've recently upgraded to vcenter 5.1 U1a successfully.

    I'm following VMware articles and a popular blog to prepare and run the certificate VMware 1.0 automation tool.

    http://www.derekseaman.com/2012/09/VMware-vCenter-51-installation-part-2.html

    http://www.derekseaman.com/2013/04/using-VMware-vCenter-certificate.html

    Everything was pretty smooth up until I have to replace the the vcenter Server SSL certificate.  Option 2 vcenter update ssl.  See the attached photo.

    After the error, my vcenter service will not start.

    I tried to reset the password of database using vpxd.exe - p, but vcenter still does not start.

    I also checked that the correct service ID is matched between vpxd.cfg and LS_ServiceID.prop.

    Stuck at this point.  I have since went instant return, but try to see if anyone has any suggestions?

    Could this be type a bad password?

    Thank you!


    You mentioned the KB as well?

    http://KB.VMware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalID=2048202

    Concerning

    Girish

  • Unable to connect to the MKS: the certificate of the remote host has these problems:

    Hello

    We have a host of ESXi 4 cluster running any vSphere 4.1.  Recently, I started to upgrade to Update 2 and all the additional fixes.  After the upgrade of the vCentre server to the latest version (or maybe before, and I hadn't noticed), one of our hosts began to show the following error whenever I tried to connect to the console of any guest on this host.

    Unable to connect to the MKS: the certificate of the remote host has these problems:

    It lists any problems at all and no error display in the event log that it simply does not work.  I had a prod around the internet and found nothing.  I then rebuilt the host to exclude and the problem remains.

    Any help would be much appreciated.

    Thanks in advance

    David

    If you can connect to the Console remotely using VMware Infrastructure (VI) Client connected directly to the host, take a look at vmware KB to connect to a remote virtual machine fails with the error: the certificate of the remote host has these problems

    but more generally - remove host to vCenter inventory and then add the host to the back, take a look at opening in the console of the virtual machine after a new installation of ESXi or ESX fails with the error: the host certificate chain is not complete and could not connect to the MKS: the certificate of the remote host has these problems
