vSphere 5.1.0b certificates

I have built a vCenter 5.1.0a server and I need to apply certificates to it.  My research led me to the blog of Derek Seaman and its not for the installation of certificates.  I plan on rebuilding my Server 5.1.0a vCenter using vCenter 5.1.0b to take advantage of a key store.  My question is in the certificate template.  The site says "vSphere 5.0 and earlier versions had a requirement for additional certificate (non-repudiation) which is not necessary in vSphere 5.1."  This is not in 5.1 but I want to set some 4.1U2 to the vCenter hosts so I can pass them to ESXi 5.1.  Anyone know if this will be a problem if I don't check the repudiation on my model of Web server?

Thanks for the knowledge.

I forgot to thank Derek for this excellent blog and enforcement of certificates to vSphere 5.1.

http://derek858.blogspot.com/2012/09/VMware-vCenter-51-installation-part-1.html

THANKS DEREK!

Tags: VMware

Similar Questions

  • NSX 6.1.2 and vCenter product 6.0

    Has anyone managed to configure NSX 6.1.2 to work with vCenter device 6.0?

    I can configure the recording vCenter in the NSX Manager Interface with no questions. But the Web Client vCenter fails to display the section of the NSX. I'm not sure that the plug-in is working properly.

    Will not work and not supported.

    See thread: vSphere 6 - SSL certificate service STS cannot be verified

    Kind regards

    Roland

  • Help with weird Vcenter SSL cert issues?

    Hi all

    We just set up a new vCenter server with 2 ESX4 hosts.  Everything works fine, but when we log in to the DNS name of the server (virtual server) it prompts for the SSL cert twice.  Once for the DNS name of the virtual server and once for the IP address.  If we connect via the IP instead of the DNS name it only prompts us once.  We do not currently use an SSL certificate, so we just click on ignore twice, but it's a strange slow that I have not seen before and I could use some direction.

    Is this a DNS problem, or a problem / setting in vCenter?  Any help would be greatly appreciated.

    Thanks again,

    The double prompt is normal when VUM is enabled.

    In our environment, we installed the SSL certificates for main vCenter (without prompts for main VC) and then just installed/ignored these messages for VUM plugin.  The reasoning is that only a few admins will activate the Crossover plugin.  Most users have no need for this.

    If you do not enable SSL at all you can try this to switch them off at the vSphere client.

    You can right-click on your viclient --> properties --> find the target: on my system it is "C:\Program Files\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe".

    Adding a switch '-j' heard ' in the end do like:

    'C:\Program Files\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe'-i Yes

    I understand there is no way to disable the vCenter level alerts.  This must be done at the level of the vSphere client or SSL certificates must be configured.  It is of course your call concerning the safety of your CA.

  • vSphere 6 - SSL certificate service STS cannot be verified

    Hello

    Does anyone have NSX working with vSphere 6?

    When I try to connect NSX Manager for the search of vCenter service I get the following error.

    "The NSX Management Serviceoperation failed. (Failed to initialize of the Clients of STS. (Cause première: Certificat SSL le service STS ne peut être vérifiée) '

    Any idea on why this is happening?

    The NSX Version: 6.1.2 Build 23182

    vCenter Version: 6.0 Build 2155940

    Thank you

    David

    There is no supported version of the NSX out right now. 6.1.2 will not work.

    See it please:

    KB 2110293

    "....

    Compatibility considerations

    vSphere 6.0:

    Compatible versions of vCloud Director (vCD) and NSX for vSphere (NSX - v) will be available soon. If your environment has NSX - v or vCD, VMware recommends pending the availability of these compatible versions before you begin your upgrade to vSphere.

    ..."

    6.1.3 should be out soon... (I can't give you day unfortunately)

    Kind regards

    Roland

  • vSphere SSL for the Web Client (device vCenter) certificate error

    Hello

    I installed ESXi 5.5 and right after that I deployed the vCenter device. After the configuration and a few reboots, I navigated to the web client, and I get this error when I try to log on:

    "Based on the current configuration, the authentication server's SSL certificate was not reliable."

    I have until this google everything on the subject and outside tutorials on how to change certificates in the Windows version of vCenter, nothing on the device of vCenter. I was happy when I found the 'Certificate regeneration enabled' checkbox, but that did not help either. I can test successfully SSO settings in the control panel of vCenter.

    Anyone, please?


    Edit: I should also mention that I am not able to connect to vCenter with the vSphere client. I get the "Cannot complete the connection by incorrect username or password". I use [email protected] as user name.

    Have you tried that? VMware KB: Troubleshooting the vCenter Server Appliance with Single Sign-On login

  • Cannot save vSphere Web Client after the replacement of the SSL certificate

    Hi all

    I have followed the articles of Derek Seaman on the replacement of all the certificates in vSphere 5.1 and have since turned to the VMware KB articles. I replaced the certificates for the SSO, the Inventory Service and vCenter Server with no problems (other than having to use OpenSSL-Win64 for the vCenter certificate, as I could not get the x86 version certificate to work; makes no sense, but I'll take the small victory).

    If you follow the VMware guide to replace the web service certificate, http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=2035010, I get to step 12, enter the VMware vSphere Client Web back to vCenter Single Sign On and the following error:

    ##########################

    D:\Program Files\VMware\Infrastructure\vSphereWebClient\SsoRegTool>regTool.cmd registerService -cert "C:\ProgramData\VMware\vSphere Web Client\ssl" -ls-url https://(Server URL):7444/lookupservice/sdk -username admin@system-domain -password (password) -dir "D:\Program Files\VMware\Infrastructure\vSphereWebClient\SsoRegTool\sso_conf" -ip "*.*" -serviceId-file "D:\Program Files\VMware\Infrastructure\vSphereWebClient\serviceId"

    No file properties not found
    Initialization of provider of record...
    SSL certificates for https://vsphere.au.ray.com:7444/lookupservice/sdk
    SSL certificates for https://vsphere.au.ray.com:7444/sso-adminserver/sdk
    Unhandled exception trying to escape: null
    Return code is: OperationFailed
    100

    ##########################

    VMware technical support suggested I uninstall all components, delete all databases and try again. I have done this and have exactly the same result.

    Has anyone seen elsewhere or managed to solve?

    Chris

    So, I managed to solve this problem. Not sure that this applies to everyone, but my problem was caused by registering using one of the subject alternative names in the SSL certificate for the SSO rather than the common name of the certificate.

    For example, the server name is server1.company.com. It is the common name of the certificate. But one of the SANs of the certificate was "vSphere.company.com".  If I used this other name in any of the component registrations, they would fail. I found that I have to use the common name. Even though the alternative names work for access via your web browser, with no certificate warning, registration of components using these names would fail.

    It seems crazy that you can use any of the San... then why allow us to make?

    Initially, I tried to replace the authentication certificate ONLY when the town was called vsphere.company.com, rather than the hostname of the server, and which is installed. However, try to install the Web Client would fail. When you come to the step where you have to accept the certificate of SSO, the installation fails because the common name of the certificate does not have the host name of the SSO server. It seems insane to me... why the host name of the server running the SSO should still come in when all calls are over HTTPS is simply absurd!

    I confirmed this with VMware Technical Support and they checked my conclusions.
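An added example (not from the thread or from VMware) of the check the answer above implies: before registering a component, test whether the name you plan to use is the certificate's common name or only one of its SAN entries. The certificate is constructed with the host names from the post, and all function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify a host name against a certificate's CN and SANs.
# Requires the openssl command-line tool; the sample certificate is constructed.

lower() { tr '[:upper:]' '[:lower:]'; }

# Print the subject common name. RFC2253 formatting yields
# "subject=CN=name,O=..." (older OpenSSL adds a space after "subject=").
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p' |
        head -n 1 | lower
}

# Print every DNS subject alternative name, one per line.
cert_san_dns() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed -n 's/^ *DNS://p' | lower
}

# Result: "cn" (matches the common name), "san-only" (present only as a
# SAN, the case the answer reports as failing registration) or "absent".
classify_name() {
    want=$(printf '%s' "$2" | lower)
    if [ "$(cert_cn "$1")" = "$want" ]; then
        echo cn
    elif cert_san_dns "$1" | grep -qxF "$want"; then
        echo san-only
    else
        echo absent
    fi
}

# Build a throwaway self-signed certificate shaped like the one in the post:
# CN server1.company.com, with vsphere.company.com as an extra SAN.
make_sample_cert() {
    printf '%s\n' \
        '[req]' 'distinguished_name = dn' 'x509_extensions = ext' \
        'prompt = no' \
        '[dn]' 'CN = server1.company.com' \
        '[ext]' \
        'subjectAltName = DNS:server1.company.com, DNS:vsphere.company.com' \
        > "$1/req.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/req.cnf" \
        -keyout "$1/sample.key" -out "$1/sample.crt" 2>/dev/null
}

demo() {
    dir=$(mktemp -d) || return 1
    make_sample_cert "$dir" || return 1
    for name in server1.company.com vSphere.company.com; do
        printf '%-22s %s\n' "$name" "$(classify_name "$dir/sample.crt" "$name")"
    done
    rm -rf "$dir"
}
demo
```

To check a real deployment, pass the PEM-encoded SSO certificate and the intended registration name to `classify_name`.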

  • vSphere 4.0U2 to 4.1U1 with the SSL certificate has expired?

    I want to upgrade our vSphere vCenter server and ESXi hosts from 4.0 U2 to 4.1 U1, but my vCenter SSL cert has expired.  Will the expired cert have a negative impact on the upgrade?  Will the upgrade mint a new cert for me?

    If the expired cert will not harm the upgrade, in order to get a new certificate in place, would it be better to do it now or wait until I'm on 4.1 U1?  I expect to use free signed certificates.  Thank you.

    The expired cert will not affect the upgrade. It is advisable to update/change the certs after you are on 4.1U1.

  • In vsphere 6.0 MEM Setup error

    Hi, I keep getting the following error message when you try to install 1.3 MEM in vsphere 6.0:

    Could not bind vmk1 one iSCSI adapters.

    It has always worked with vSphere 5.5. This problem occurred with all my nodes, including fresh installs; if I try to manually bind the ports it works.

    Hello

    VMware has made some changes in ESXi v6.0 for SSL certificates.   The release MEM notes mentions this problem and other problems known.

    Here's an excerpt from the release notes.

    Configuration of SSL certificates

    If the SSL certificate for each host is added with the controls specified by VMware, some commands may not work correctly when running the command setup.pl script. Refer to the VMware documentation for more information about adding certificates.

    See also the following VMware article: kb.vmware.com/.../2108416

    Kind regards

    Don

  • Manager certificates 're-record of lstool' failed: 1 / VCSA Certificate Manager Option 1: certificate to replace Machine SSL with certificate custom

    As a result of this post...

    Configuration of VMware vSphere 6.0 CA VMware as a subordinate certification authority

    .. .we have now installed a brand-new VCSA. This is a clean install.

    In accordance with the recommendation of support, I am now trying to do "Option 1: certificate to replace Machine SSL with certificate custom" using a Microsoft CA

    This is the error message:

    2016-07-13T15:24:25.268Z of INFORMATION serial number of the certificate manager before replacement: <redacted>
    2016-07-13T15:24:25.268Z of INFORMATION: <redacted Certificate Manager after replacement serial number>
    2016-07-13T15:24:25.268Z INFO-Certificate Manager footprint before replacement: <redacted>
    2016-07-13T15:24:25.268Z INFO-Certificate Manager footprint after replacement: <redacted>
    2016-07-13T15:24:25.268Z certificate MACHINE_SSL_CERT certificate INFORMATION-Manager replaced successfully. Serial number and the fingerprint has changed.
    2016-07-13T15:24:44.90Z ERROR-certificate error when replacing Manager machine SSL Cert, please visit /var/log/vmware/vmcad/certificate-manager.log for more information.
    2016-07-13T15:24:44.91Z "lstool record" has no certificate ERROR Manager: 1

    A support case is ongoing. But does anyone have any ideas?

    <rant>

    It is incredibly frustrating that something (replacement of a SSL certificate) that should be so simple is so hard.

    It's extremely annoying to know that the Certificate Manager is able to completely screw up a VCSA.

    How VMware is justified in the marketing of this new approach ver.6 as a 'simplification' of the management of SSL certificates?

    </end of rant>

    Thank you

    Robert

    This has been fixed by an Incident of Support VMware

    I don't know how to fix them, but it took over 2 days (except "waiting for a response" time)

  • Configuration of VMware vSphere 6.0 CA VMware as a subordinate certification authority

    I'm trying to do it according to the kb

    2112016

    It still fails. I get the error message looks like this in the logs:

    2016-07-12T17:52:24.720Z ERROR Certificate Manager 2016-07-12T17:52:20.636Z certificate of update for the extension "com.vmware.vim.eam".
    2016-07-12T17:52:24.720Z ERROR-certificate error during replace operation Manager of Cert, please visit /var/log/vmware/vmcad/certificate-manager.log for more information.
    2016-07-12T17:52:24.720Z ERROR Certificate Manager {
        "resolution": null,
        "detail": [
            {
                "args": [
                    "2016-07-12T17:52:20.636Z certificate update to \"com.vmware.vim.eam\" extension\n"
                ],
                "id": "install.ciscommon.command.errinvoke",
                "localized": "an error has occurred during the call to the external command: '2016-07-12T17:52:20.636Z certificate update for \"com.vmware.vim.eam\" extension\n'",
                "translatable": "an error has occurred during the call to the external command: '%s' (0)"
            },
            "Error of update of certificate for the solution: com.vmware.vim.eam."
        ],
        "componentKey": null,
        "problemId": null
    }
    2016-07-12T17:52:24.721Z INFO-Certificate Manager Performing root Cert price reduction...

    It's on vSphere with the VCSA (not Windows vCenter) correspondent 6.0U2

    Among the things I've tried:

    • Using a unique name for each .cfg creating CSR
    • Change the eam .properties file to remove the entry "localhost" and substituting a FULL domain name

    All that can be said, it does not work the way they should be in the KB. I was treated and this is a brand new facility.

    I use option (2) - i.e. the possibility to replace the certificate root with a custom cert signed by Microsoft and then the VCSA generates all remaining certificates.

    I have a case of VMWare support in the meantime. Just wondering if anyone has any ideas.

    Oh - I also tried the naming conventions names mentioned here, that made no difference either:

    Initial setup of the VCSA...  Integration of the AD...  Had to replace certs.  Now unavailable from the web or client VCSA

    At a loss.

    Thank you

    After a support case, the answer is: throw away your VCSA and create a new one.

    It seems that if you use option 2 on a new installation, you can corrupt your SSL certificates and kiss goodbye to your VCSA (unless you have some snapshots of it).

    The recommendation I now have is to use option 1 instead.

  • Unable to connect target - vSphere replication Sites

    I hope someone here can help me understand a problem connecting between my two servers of VRM.

    Background:

    After passage of 6.0U2 5.5, I had problems with re-login Site Recovery Manager. Because SRM was not really in use yet (testing), I decided to redeploy fresh from the base, including replication of vSphere components.

    After removing all the rehearsals and not record old vSphere replication devices, I transferred the latest packages of EGGS to the VRM.  Everything was fine.  I have updated certificates for certificates customized our company certification and placed the root certificate in the file /opt/vmware/hms/security/hms-truststore.jks .  Then, I recorded each VRM with their respective vCenters and had no problems.

    1.png

    Both VRM active lounge and OK in vSphere replication of the Web Client:

    2.png

    When you attempt to connect to the target Site, the following error is received:

    3.png

    But then in the list of tasks, it ends with success and shows the connection, but with a connection problem error:

    4.png

    This is the architecture of our PSC and vCenters and each VRM.  All use of our certification of Enterprise SSL certificates:

    5.png

    There is no firewall between one of these servers.

    HMS logs are attached here as well.

    Any help would be appreciated.

    Thank you

    After that I originally posted this, a new version of vSphere replication was released.  After the upgrade to the latest version, my problem magically disappeared.

  • computer vCenter 6.0u2 - Certificate Tool - CSR certificate

    Hello

    Following the instructions here: https://kb.vmware.com/selfservice/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=2112277

    I want to generate machine CSR of the PSC.


    So, option 1 to replace the Machine SSL, continue through. However, instead of the expected 'machine_ssl.csr' and 'machine_ssl.key', I find myself with 'vmca_issued_csr.csr' and 'vmca_issued_key.key'.

    This seems odd, because it is what I expected for option 2, not option 1.

    Option 5 (replace solution user certs) generates:

    • 'machine.csr'
    • 'vsphere-webclient.csr' on the PSC

    and

    • 'machine.csr'
    • 'vsphere-webclient.csr'
    • 'vpxd.csr' and
    • 'vpxd-extensions.csr' on the vCenter node, correctly...

    But I expect to see machine-ssl.csr somewhere.

    No example of the PSC:

    <host name>:/usr/lib/vmware-vmca/bin # ./certificate-manager

    _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

    |                                                                    |

    |      Welcome to vSphere Certificate Manager 6.0 * |

    |                                                                    |

    |                  -Choose the operating mode |

    |                                                                    |

    |      1. Replace the SSL of Machine certificate with certificate of custom |

    |                                                                    |

    |      2. replace VMCA root certificate with Custom signature |

    |        Certificate and replace all certificates |

    |                                                                    |

    |      3. replace the SSL certificate with certificate VMCA Machine |

    |                                                                    |

    |      4 regenerate a new certificate root VMCA and |

    |        replace all certificates |

    |                                                                    |

    |      5. Replace Solution user certificates with |

    |        Custom certificate |

    |                                                                    |

    |      6. Replace Solution user with certificates VMCA certificates |

    |                                                                    |

    |      7 redo the last operation performed by the old re-publication |

    |        certificates                                                |

    |                                                                    |

    |      8 reset all certificates |

    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|

    Note: Use Ctrl-D to complete.

    Option [1-8]: 1

    Please provide valid SSO and VC privileged user credentials to perform certificate operations.

    Enter the username [[email protected]]:[email protected]

    Enter the password:

    1. generate the certificate signing forced and new keys for the certificate SSL of Machine

    2. the import or the personalized certificates and new key to replace the certificate SSL of Machine existing

    The option [1 or 2]: 1

    Please provide a directory location to write the CSR (s) and the PrivateKey (s) to:

    Path to the output directory: /tmp/ssl/2

    file certool.cfg exist, you want to reconfigure: Option [Y/N]? : N

    2016-07-05T03:19:38.388Z order: ['/usr/lib/vmware-vmca/bin/certool', '-genkey', '-privkey', '/vmca_issued_key.key', '-pubkey', '/tmp/pubkey.pub']

    2016-07-05T03:19:38.604Z done by running the command

    2016-07-05T03:19:38.604Z order: ['/usr/lib/vmware-vmca/bin/certool', '-gencsr', '-privkey', '/vmca_issued_key.key', '-pubkey', '/tmp/pubkey.pub', '-config', '/var/tmp/vmware/certool.cfg', '-csrfile', '/tmp/ssl/2/vmca_issued_csr.csr']

    2016-07-05T03:19:38.717Z done by running the command

    CSR generated: /tmp/ssl/2/vmca_issued_csr.csr

    1. continue to import custom certificates and new keys for the certificate SSL of Machine

    2 output-Certificate Manager

    The option [1 or 2]: 2

    usatca4273:/usr/lib/vmware-vmca/bin # cd /tmp/ssl/2

    usatca4273:/tmp/ssl/2 # ls

    vmca_issued_csr.csr  vmca_issued_key.key

    <host name>:/tmp/ssl/2 #

    Certool.cfg the contents hidden as for a customer.

    Is the .csr returned for the machine request (vmca_issued_csr.csr) now the new name for machine-ssl.csr, or is something strange going on with Update 2?

    So it turns out that "vmware_issued_csr.csr" is the new "machine-ssl.csr". Curiously named, so I asked for the KB to be updated to reflect this change.

  • Just improved 5.0 to 6.0u2 vcenter.  How do eliminate you the web client certificate error?

    We were a vSphere 5.0 shop for many years and enjoyed the C# client in the 4.0, 4.1 and then 5.0 days.  We just upgraded to 6.0 Update 2 this week and, although we are primarily used to the C# client and will use it for a while to come, I am getting used to the web client for the new features that are available only in it, such as SRM and VR.

    I was able to click through the numerous reminder screens to get in via Firefox past all these certificate warnings, and it is even easier to just click the one or two things in Chrome or IE to get in.  But how could I eliminate the certificate errors entirely?  For example, I'm in with Chrome now, but the https:// in the address bar is red with a slash through it.

    In most all other device based on web or connection we have, as HP iLO, Dell iDrac etc... usually, we create a CSR on this device and it present our internal Windows certificate authority and recover a file to go back to the device.  Is it possible to do this with the web client?  We have a certificate of 'Server Web 2' model that generates the sha256 return certificate and inherently all field devices to trust him because the area is important our root certificate authority.

    Also, we are running services such as replication vSphere and SRM, I would not change certificate affects only or same vSphere Update Manager.  We have two sites HQ and DR.

    I ended up getting rid of the cert errors by following this page: 6 replacement vSphere SSL certificate / implementation by using the Certificate Manager-automation tool

    I followed the procedures for "Certificate of Machine (Reverse HTTP Proxy) replace with certificate custom" and just that.  I didn't mess with replacing the VMCA root certificate with a custom signing certificate because it seems to me like it wanted an endless number of certificate signing requests and keys.  But the first option, using our internal Windows CA, took care of it.

    For replication of vSphere 6.1.1 that I had to turn off the virtual devices from replication via customer web vSphere vSphere and then put them back on.  Then connect to their URL of web management (port 5490) and make the reconnection to the vsphere on the connection tab, where he was invited to accept the new certificate.

    For AUVS I had to run the VMwareUpdateManagerUtility.exe under C:\Program Files (x86)\VMware\Infrastructure\Update Manager and use the third option to re-register to vCenter, and then restart the service.

    Surprisingly, SRM sites remained paired although I've read that some people have trouble with it.  I'm on 6.0 update 2 and I think one of the questions was fixed in 6.0 Update 1 b.

  • Red vCenter - unable to check CA (PSC) signed SSL certificate vCenter VMware

    I am trying to deploy a new Horizon view 7 based on vSphere environment 6 U2 to replace our pod 5.3 view existing. I have a Windows Server vCenter Server with separate PSC of Windows. I used the PSC signed the SSL certificate for vCenter and downloaded and added the certificate authority root for the required workstations and servers via Group Policy. If I navigate to vCenter from your desktop with CA root installed all is well on the HTTPS front. I added this vCenter Server in my environment view but it appears in red on the dashboard view. I clicked on the vcenter Server and checked the certificate, but at no time should you go green. The two connection servers have the CA root installed and if I launch a browser from the connection to the server itself, then navigate to the vCenter FQDN certificate is approved.

    Any ideas?

    I cannot create pools for this reason that the view is not currently communicate with vCenter as well and it won't let me choose a virtual machine model.

    If you need to know more details please let me know and I'll happily supply.

    Thanks in advance.

    Having re-read the Horizon View 7 documentation to confirm that I had already taken the correct steps, I decided to restart both of my new connection servers, and that solved the problem. My vCenter server now shows in green in the dashboard and I was able to successfully deploy desktops.

  • How to get SSL certificates installed on VMware vCenter 6.0 device

    Hiya,

    I have been struggling to get SSL certificates installed for a few days now; it always seems to fail on the vpxd_servicecfg command.

    I followed tutorials like: https://myvirtualife.net/2014/04/01/how-to-replace-default-vcsa-5-5-certificates-with-microsoft-ca-signed-certificates/

    There are more out there, but they are all similar to each other. I followed it to the letter, but all I get is:

    vCenter:/ssl/vCenterSSO # /usr/sbin/vpxd_servicecfg certificate change chain.pem rui.key

    VC_CFG_RESULT = 650

    The only thing I can imagine is that there is a difference between vCenter 5.5 and 6.0, but other than that I don't know how to solve this problem.

    Can anyone help?

    Kind regards.

    This could take a lot of your time, but I suggest you go through the related KB in detail.

    VMware KB: Replacement of default certificates with CA-signed SSL certificates in vSphere 6.0
