VUM 6.0, replacement of SSL certificates

Similar Questions

• replace the SSL certificate in Dell OMSA 7.2

  My University is compels me to replace the Dell's SSL certificate in OMSA with a certificate from a certification authority.  We use InCommon.

  I generated a certificate using Microsoft IIS request.  InCommon generated the certificate and got sent back links to a variety of formats.

   as PKCS#7 Base64 encoded:
      Other available formats:
         as PKCS#7 Bin encoded:
         as X509, Base64 encoded:
         as X509 Certificate only, Base64 encoded:
         as X509 Intermediates/root only, Base64 encoded:
         as X509 Intermediates/root only Reverse, Base64 encoded
  
  Does anyone know what kind of certificate I need, and exactly how to install it in the apache server that runs Dell OMSA.
  

  Ok.  I have an answer.

  As far as I know, the interface Dell OMSA itself does not have to import the intermediate certificates (returns an error) and cannot be used to create a useful CSR (signature request) because you can't specify your own institutional settings. Our CA would not authenticate the CSR request generated by the Dell OMSA interface, even if it would incorporate new certificates (which she seems to fail at the).

  The simplest approach is to generate a CSR in Windows IIS, the authenticated certificate back from your CA, and then to export to a .pfx file (private, final, intermediate entity certificate and certificates root key, extended attributes).

  Use IBM tool called keyman (download www.ibm.com/developerworks).  Use the version of Windows.

  It can convert a .pfx file in a keystore apache in 3 easy steps.  1. create a new key file

  2 import the .pfx file 3. Save the key file.

  Tips on the internet suggest keeping all the passwords the same - pfx export, keystore, key, etc.

  Edit the server.xml file in the apache server to use your new password.

  Only downside is that your password will be readable text in the server.xml file.  In the original file server.xml file Dell used system tools or java to hide passwords.

• Replace the SSL certificate in VMware appliance identity

  Hello

  I followed the steps to replace the device of identity, a certificate signed by a CA (latest version 2.2.1.0)

  Everything went well and I have included the private key and the certificate chain complete with the device of the expected identity.

  However when I close all browsers and access the identity unit his shows always the default signed certificate (despite the tab SSL showing otherwise!)

  I rebooted the device and replaced with a new certificate, but this made no difference. Am I missing something?

  See here the response of GrantOrchardVMware vRA: certificate does not appear to extend to the port 5480.

  Essentially of 5480 runs using a different web server certificate is not installed in when you update it. There is a way to update the certificate for the site of 5480 which can be found here vCloud Automation Center Documentation Center

• Can't connect to SSL certificate re VMware Update Manager - utility

  In the context of http://KB.VMware.com/selfservice/microsites/search.do?cmd=displayKC & docType = kc & docTypeID = DT_KB_1_1 & externalId = 2037581 , I'm at step 7 where I enter the credentials for the VMwareUpdateManagerUtility.exe. It just hangs and ends by mistake.  I copied the new certificate SSL files above.  I have 2 errors different no matter what I try.

  Error 1: "cannot run vciInstallUtility."
  Error 2: "error: unknown vCenter Server error."
  For "vCenter Server IP address or name", I tried < FQDN vcenter >: 80, < vCenter IP >: 80, < vCenter fake DNS in the hosts file >: 80 and they all hang on for a few minutes and then give one of the errors.  VUM is installed on a separate computer vCenter virtual.  I did a complete reinstall of VUM.  I use vCenter and VUM 5.1.0 installation media - rates from 880471 since that's our motto.  I checked that port 80 is correct using this query on VCDB, SELECT VALUE FROM VPX_PARAMETER WHERE NAME = "WebService.Ports.http";.  Any suggestions?

  I gave up, uninstalled VUM server, re-installed on the vCenter server administrator, used 127.0.0.1 and VUM finally got with valid SSL certificates.  As part our design, we didn't have the same server as vCenter VUM but I found myself with no other choice.

• Manager certificates 're-record of lstool' failed: 1 / VCSA Certificate Manager Option 1: certificate to replace Machine SSL with certificate custom

  As a result of this post...

  Configuration of VMware vSphere 6.0 CA VMware as a subordinate certification authority

  .. .we have now installed a brand-new VCSA. This is a clean install.

  "In accordance with the recommendation of support, I am now trying to do ' Option 1: certificate to replace Machine SSL with certificate custom" using a Microsoft CA

  This is the error message:

  2016 07-13 T 15: 24:25.268Z of INFORMATION serial number of the certificate manager before replacement: < redacted >

  2016 07-13 T 15: 24:25.268Z of INFORMATION: < redacted Certificate Manager after replacement serial number >

  2016 07-13 T 15: 24:25.268Z INFO-Certificate Manager footprint before replacement:< redacted >

  2016 07-13 T 15: 24:25.268Z INFO-Certificate Manager footprint after replacement:< redacted >

  2016 07-13 T 15: 24:25.268Z certificate MACHINE_SSL_CERT certificate INFORMATION-Manager replaced successfully. Serial number and the fingerprint has changed.

  2016 07-13 T 15: 24:44.90Z ERROR-certificate error when replacing Manager machine SSL Cert, please visit /var/log/vmware/vmcad/certificate-manager.log for more information.

  2016 07-13 T 15: 24:44.91Z "lstool record" has no certificate ERROR Manager: 1

  A pension case is ongoing. But if someone has any ideas?

  <>rant

  It is incredibly frustrating that something (replacement of a SSL certificate) that should be so simple is so hard.

  It's extremely annoying to know that the Certificate Manager is able to completely screw up a VCSA.

  How VMware is justified in the marketing of this new approach ver.6 as a 'simplification' of the management of SSL certificates?

  < / end of rant >

  Thank you

  Robert

  This has been fixed by an Incident of Support VMware

  I don't know how to fix them, but it took over 2 days (except "waiting for a response" time)

• Replaced the SSL appliance - VMware vCenter Support Assistant device certificate

  Hello

  I need replace the certificate in the device wizard helps VMware vCenter but get the error below aa.

  
  

  Key file is empty, it does contain a private key or contained an unsupported key type. Supported key types are PCKS #1 and PKCS #8.

  
  

  However, the official documentation of the product on page 19 is 20 below the procedure.

  
  

  
  

  Replace your vCenter Support Assistant SSL certificate uses a self-signed certificate. You can change your SSL certificate in accordance with the policy of your company for SSL certificates. Procedure

  1 in a Web browser, go to the IP address of the device.

  2. connect the unit to Support Assistant vCenter.

  3 click the tab settings of VA.

  4 under the SSL Configuration, in the private key (.pem) text box, click on choose a file.

  5 in the file browser window, navigate to the directory that contains your certificate, select the private key (*.pem) that corresponds to the certificate chain and click Open.

  VMware, Inc. 19 if your private key is protected by a password in the password key text box, type the password.

  7 in the certificate (.pem, .p7b) string text box, click on choose a file to select your certificate chain file.

  8 in the file browser window, navigate to the directory that contains your certificate chain, select your Certificate SSL (*.pem, *.p7b) chain and click Open. NOTE If you try to add an expired certificate, a warning message indicates that you are not allowed to add the certificate.

  9. click on apply to apply the changes.

  Could someone help me.

  
  

  Hi, peaple.

  After several tries, I had success in the process of exchange of certificate VSA.

  1 - the DNS configuration was wrong.

  2 - certified should be the key (RSA private key format) published the .pem file must be trained using the service certificate + certificate of certification authorities.

• VCSA 6.0: Replace external SSL by CA signed CERT certificates

  We would like to use third CA signed SSL certificates for our components of vSphere external (e.g. vSphere Web Client, web console,...), so that users with access vSphere need not trust to internal CA certificates. VSphere 5.5, there was a complicated but workable solution .

  For vSphere 6, some documentation on VMCA is available and it looks to replace Certificates SSL of Machine with personalized certificates, but I'm not completely sure if it's the best/recommended approach. Specifically, it seems that this approach always replaces a number of internal certificates, although I prefer to replace only the external certificates.

  Does anyone have experience with this?

  Looks like the way to go is by using the Certificate Manager tool (/ usr/lib/vmware-vmca/bin /-Certificate Manager) with option 1, replace the certificate of Machine SSL with certificate custom.

  Unfortunately, this generates an error:

  Error when changing Machine SSL Cert, please visit /var/log/vmware/vmcad/certificate-manager.log for more information.

  And the log shows:

  2015 03-13 T 22: 31:28.906Z INFO-Manager certificates command executed successfully

  2015 03-13 T 22: 31:28.906Z INFO-Manager certificates certificate backup created successfully

  2015 03-13 T 22: 31:28.907Z INFO-Manager certificates command duration: [' / usr/lib/vmware-vmafd/bin/dir-cli ', 'trustedcert', 'release', '-cert ',' / root/ssl/chain.crt', '-password ',' *']

  2015 03-13 T 22: 31:28.920Z INFO-Certificate Manager output of the command: -.

  2015 03-13 T 22: 31:28.921Z - Manager of certificates of ERROR

  2015 03-13 T 22: 31:28.921Z ERROR-certificate error when replacing Manager machine SSL Cert, please visit /var/log/vmware/vmcad/certificate-manager.log for more information.

  2015 03-13 T 22: 31:28.921Z certificate {} ERROR-Manager

  'resolution': null,

  'detail':]

  {

  'args':]

  ""

  ],

  "id": "install.ciscommon.command.errinvoke",

  "localized": "an error has occurred during the call to the external command:", "

  "translatable": "an error has occurred during the call to the external command: '%s' (0)»

  },

  "Error while publishing cert using dir - cli."

  ],

  'componentKey': null,

  'problemId': null

  }

  Not very useful, but the execution of this command for us to clarify:

  vc: ~ # /usr/lib/vmware-vmafd/bin/dir-cli trustedcert release - cert /root/ssl/chain.crt

  Enter the password for [email protected]:

  The file [/ root/ssl/chain.crt] contains more than 1 certificate

  If you want to publish a certificate chain, use the command "trustedcert post" with the option - string indicator.

  dir - cli failed. Possible error 13: Errors:

  LDAP error: confidentiality required

  Win Error: Operation failed with error ERROR_INVALID_DATA (13)

  Ah! We need - channel flag because we use a chain of CA certificates instead of a single root certificate. Set him certificate - Library Manager to include this option:

  "" vc: ~ # sed-i's /trustedcert/ / $/ \'--chain\', / ' /usr/lib/vmware/site-packages/cis/certificateManagerOps.py

  And possibly check this line 434 was edited to add this indicator:

  vc: ~ # vim + 434 /usr/lib/vmware/site-packages/cis/certificateManagerOps.py

  Now, all that's left is Manager certificates running again to take advantage of our CA-signed Cert!

• Cannot save vSphere Web Client after the replacement of the SSL certificate

  Hi all

  I have followed the Articles of Derek Seaman on the replacement of all the certificates in vSphere 5.1 and have since turned to the VMware KB Articles. I replaced the certificates for the SSO, the inventory Service and vCenter Server with no problems (other than having to use OpenSSL-Win64 for vCenter certificate that I could not get the x 86 version certificate of work, makes no sense, but I'll take the small victory).

  If you follow the guide of vmware to replace the web service certificate, http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC & docType = kc & docTypeID = DT_KB_1_1 & externalId = 2035010, I get to step 12, enter the VMware vSphere Client Web back to vCenter Single Sign On and the following error:

  ##########################

  D:\Program Files\VMware\Infrastructure\vSphereWebClient\SsoRegTool > regTool.cmd registerService - cert "C:\ProgramData\VMware\vSphere Web Client\ssl" - ls - url ( https://(Server URL): 7444/lookupservice/sdk - username admin@system-domain - password (password) - dir 'D:\Program Files\VMware\Infrastructure\vSphereWebClient\SsoRegTool\sso_conf' - ip "*." ' * ' - serviceId-file 'D:\Program Files\VMware\Infrastructure\vSphereWebClient\serviceId'

  No file properties not found
  Initialization of provider of record...
  SSL certificates for https://vsphere.au.ray.com:7444/lookupservice/sdk
  SSL certificates for https://vsphere.au.ray.com:7444 / sso-adminserver/sdk
  Unhandled exception trying to escape: null
  Return code is: OperationFailed
  100

  ##########################

  VMware technical support suggested I uninstall all components, delete all databases and try again. I have done this and have exactly the same result.

  Has anyone seen elsewhere or managed to solve?

  Chris

  So, I managed to solve this problem. Not sure that this applies to everyone, but my problem was caused by registering using among other names of the subject in the SSL certificate for the SSO rather than the common name of the certificate.

  For example, the server name is server1.company.com. It is the common name of the certificate. But one of SAN of the certificate has been "vSphere.company.com".  If I used this other name in one of the component records that they would fail. I found that I have to use the common name. Even if the alternative names of job access to via your browser web, there is no certificate warning, if the registration of components using these names, it would fail.

  It seems crazy that you can use any of the San... then why allow us to make?

  Initially, I tried to replace the authentication certificate ONLY when the town was called vsphere.company.com, rather than the hostname of the server, and which is installed. However, try to install the Web Client would fail. When you come to the step where you have to accept the certificate of SSO, the installation fails because the common name of the certificate does not have the host name of the SSO server. It seems insane to me... why the host name of the server running the SSO should still come in when all calls are over HTTPS is simply absurd!

  I confirmed this with VMware Technical Support and they checked my conclusions.

• Replacement of the SSL certificate in vCenter Server Heartbeat with a new certificate

  Realized the SSL certificates on my vsphere vCenter Server 5.5 environment change, but now I'm looking to deploy vmware vCenter Server HeartBeat service, but I have the following doubts.

  1. it is necessary to perform the exchange of currently used SSL certificate in my environment. ()http://kb.vmware.com/selfservice/microsites/search.do?language=en_US & cmd = displayKC & externalId = 2013041( )

  KB article talking about amendment of the certificate of a vCenter Server Heartbeat deployed... If the vCSHB are not deployed and yet, you don't need to worry... just go ahead with the installation and the new vCenter server certificate will be recognized by vCSHB.

• CA-signed SSL certificates on vCenter 5.1 installation (server or device)

  I recently updated my 5.0 to 5.1 ESXi ESXi hosts and they all kept CA-signed SSL certificates that I installed previously. I did a new install of vCenter 5.1 server where the box even ran SSO, inventory, vCenter Server and Manager Update Services. After installing, everything worked perfectly except that none of the vCenter services used my CA-signed SSL certificate - only 5.1 ESXi hosts had these.

  So, I followed the instructions in replacing default vCenter 5.1 and ESXi certificates PDF found at http://www.vmware.com/resources/techresources/10318. The document is terrible. For example, page 10 lists the locations by three default certificates SSL on Windows 2008. None of these paths are correct. The first a typo of extra space between "Program" and "Data" and the other two say "Program Files" when they should have been "ProgramData". This is just the beginning of the problems.

  If you follow the instructions to the letter, you'll break vCenter. I got frustrated and thought I'd give the vCenter 5.1 device a shot. With regard to the Certificates SSL signed by CA, it was worse. The vCenter 5.1 device can even automatically generate a new SSL certificate if you change the host name (turn on generation auto-certificat, change of hostname and restart). It gives an error 653 during the boot process and keeps the original of the certificate. Even bother trying the steps on page 18 of the above-mentioned guide - you will get just the same mistake 653.

  It seems to me that VMware did not all tests around the CA-signed SSL certificate on vCenter 5.1 installation. It's amazing to me that the installation of the SSL certificate is so tedious for ESXi and vCenter when vShield Manager 5.1 has a very simple process that works well (and is similar to the installation procedure for Certificate SSL on the DRAC, ASR, breeding various firewalls, etc.).

  I did a lot of research on Google and found various articles on the installation of the SSL certificate, but most were based on GA pre - 5.1 products. If you have any installation of certificates SSL CA-signed success with vCenter Server or device 5.1 GA, let me know how you got around some of these issues. Please indicate if your vCenter Server or device will run on a 5.1 GA ESXi host as well. Please do not answer about vCenter 5.0 - I had no problem with SSL certificates (other than it was more painful to be).

  Thanks in advance,

  Nate

  Finally I managed to install giving him to 127.0.0.1 instead of the period of INVESTIGATION, accessible from the outside of the vCenter server, it's very well in my case the vCenter and VUM server are on the same VM but its not exactly ideal for deployments of more large.

• Invalid SSL certificate

  My company uses Citrix Receiver to allow us to connect to the House to work.

  I installed the latest version of the plug of the receiver in and all have El Capitan, I don't go through safari but rather connect by Miss this step and launch citrix directly, pop in my user name, password and rsa token details.

  At this point, I see a message invalid SSL certificate.

  Any ideas how I can check whats wrong, are the certificates stored in the keychain?

  Howdy John!

  Looks like you have a SSL certificate, which plays well with El Capitan. I would use the troubleshooting for this in the following article to help you here:

  OS X El Capitan: If your certificate isn't being accepted

  If a certificate is not accepted, it may have expired or it may be invalid for the way in which it is used. For example, some certificates may be used to establish a secure connection to a server, but not for the signing of a document.

  The most common reason that a certificate is not accepted, is that the root CA certificate is not approved by your computer. To have your computer trust a certification authority, you must add the certificate authority to a keychain and set the certificate of trust setting.

  1. If an application (e.g. Safari) displays the root certificate of the CA as part of the CA message, drag the icon of the certificate root on the desktop.

  2. Drag the certificate on the Keychain Access file, or double-click the certificate file.

  3. Click menu Keychain, choose a set of keys, and then click OK.

     If you are prompted, enter the name and password for an administrator on this computer user.

  4. Select the certificate, and then choose file > read the information.

  5. Click the trust triangle to display the certificate trust policies .

  6. To override the trust policies, choose trust settings that you want to replace in the pop-up menus.

     For more information, see certificate trust policies.

  CLOS

• LabVIEW and SSL certificate

  So I come back on an interesting question that can cause significant problems, unless I can find a reasonable solution.

  Until yesterday a number of software programs that run in a number of remote sites were running all fortunately accessing a database.  This database is accessible via the HTTPS POST and screw HTTPCLIENT, and for the past two years, everything worked fine while having the true flag to check server, the database is part of a site that is all signed and certified.

  However, as of yesterday, they all decide to stop, investigate the server itself it seems that the SSL certificate has switched from the previous period. While browsing the forums of LAVA, I managed to find the reference to the problem with which a LabVIEW ca - bundle.crt file making the obsolete object so not check the validity of the new certificate.

  Now, while there is here a workaround which the server verify the Pavilion from true to FALSE switching, I can do all programs work again, there's the issue of having to update and rebuild several years worth of programs. So I was expecting something that I could do outside of LabVIEW to try to solve the problem, I had considered to replace ca - bundle.crt, but I'm not sure of the validity of this idea.

  So, any ideas are likely to be accepted if they mean that I don't have to go to several versions of LabVIEW.

  TLDR:

  

  I can do something with it to solve the problem?

  

  Welll the good news is that I found a solution. The problem is that I don't know to what extent this solution will get me, it should mean at least I can reach the single database I'm targeting.

  Subsequently to the rear since the database certificate (COMODO) provider I found they provide CA bundle which when used to replace the LabVIEW supplied ca - bundle.crt allows the system HTTP access the database without problem.

  For remote computers, it's probably fine as it is guaranteed to have the only secure site SSL they will try to access the database that I know the data are compatible with. For my development system however it may still remain a problem that I don't know when I'll have to try to access another site certified and whether or not the new authority will work. Although in all fairness for the moment I don't know if the LabVIEW provided one or the other will work.

  I might have to come back to this thread at a later date and to make the point about how everything worked.

• How to install the ssl certificate in windows server 2008?

  Hello

  Can someone give me the steps to install the SSL certificate on my application hosted on windows server 2008 R2?

  Hello

  Although technet.microsoft.com should be the best forum for the problems of server below is a guide on how to install an SSL certificate.

  It will be useful.

  To install your newly acquired in IIS 7 SSL certificate, first copy the file somewhere on the server and then follow these instructions:

  1. Click on the start menu, go to administrativetools and click on Manager of Services Internet (IIS).
  2. Click the server name in the links on the left column. Double-click server certificates.

     

  3. In the Actions column to the right, click Complète Certificate Request...

     

  4. Click on the button with the three points, and then select the server certificate that you received from the certificate authority. If the certificate does not have a .cer file extension, select this option to display all types. Enter a friendly name that you can keep track of certificate on this server. Click OK.

     

  5. If successful, you will see your newly installed in the list certificate. If you receive an error indicating that the request or the private key is not found, make sure that you use the correct certificate and you install it on the same server that you generated the CSR on. If you are sure these two things, you just create a new certificate and reissue or replace the certificate. If you have problems with this, contact your certification authority.

     

  Bind the certificate to a Web site

  1. In the column of links on the left, expand the sites folder, and click the Web site that you want to bind the certificate to click links... in the right column.

     

  2. Click the Add... button.

     

  3. Change the Type to https , and then select the SSL certificate that you just installed. Click OK.

     

  4. You will now see the listed link for port 443. Click close.

     

  Install all the intermediate certificates

  Most of the SSL providers issue certificates of server out of an intermediate certificate so you will need to install the intermediate certificate on the server as well or your visitors will receive a certificate error not approved. You can install each intermediate certificate (sometimes there are more than one) by following these instructions:

  1. Download the intermediate certificate in a folder on the server.
  2. Double-click the certificate to open the certificate information.
  3. At the bottom of the general tab, click the install Certificate button to start the Certificate Import Wizard. Click Next.

     

  4. Select place all certificates in the following store , and then click Browse.

     

  5. Select the Show physical stores checkbox, then expand the Intermediate certificate authorities folder, select the below folder on the Local computer . Click OK. Click Next, and then click Finish to complete the installation of the intermediate certificate.

     

  You may need to restart IIS so that it starts the new certificate to give. You can verify that the certificate is installed correctly by visiting the site in your web browser using https rather than http.

  Links

  • Move or copy an SSL certificate on a Windows Server to another Windows Server
  • How to disable SSL 2.0 in IIS 7
  • How to configure the SSL in IIS 7.0
  • Video tutorials to install an SSL certificate in IIS 7 to NetoMeter

  Kind regards

  Joel

• ACS 3.3 invalid or corrupted SSL certificate installed

  Hello

  I installed a new SSL certificate to replace the old one which was about to expire. After this update of cert, I can access is no longer the ACS server for admin purposes. I get the error "cannot establish connection cifered because the certificate presented by is invalid or damaged. Error code:-8101 "or something similar that the message is in Spanish.

  I tried to restart the CSAdmin service without success. I also watched ath the different CS tools but none of them does this nor is the Guide to GBA.

  Is there a way to remove the certificate from the command line or other?

  AY help would be appreciated because I don't want to reinstall/rebuild the server.

  Thank you

  Niels

  If the EC is 3.3.4 or below then it can be disabled through the registry. 4.x do not have registry settings to tweak.

  For 4.x

  A possible workaround we have is that if a GBA backup taken prior to activation of the HTTPS is there, we can restore the same and work around the problem.

  For 3.3.x

  To restore access using http on your server, you must change the registry setting

  to disable the https. Here's the location of the key "reg":

  HKEY_LOCAL_MACHINE \SOFTWARE \Cisco \CiscoAAAv3.2 \CSAdmin \Config \HTTPSSupport

  Change this value from 2 to 1.

  Kind regards

  ~ JG

  Note the useful messages

• Red vCenter - unable to check CA (PSC) signed SSL certificate vCenter VMware

  I am trying to deploy a new Horizon view 7 based on vSphere environment 6 U2 to replace our pod 5.3 view existing. I have a Windows Server vCenter Server with separate PSC of Windows. I used the PSC signed the SSL certificate for vCenter and downloaded and added the certificate authority root for the required workstations and servers via Group Policy. If I navigate to vCenter from your desktop with CA root installed all is well on the HTTPS front. I added this vCenter Server in my environment view but it appears in red on the dashboard view. I clicked on the vcenter Server and checked the certificate, but at no time should you go green. The two connection servers have the CA root installed and if I launch a browser from the connection to the server itself, then navigate to the vCenter FQDN certificate is approved.

  Any ideas?

  I cannot create pools for this reason that the view is not currently communicate with vCenter as well and it won't let me choose a virtual machine model.

  If you need to know more details please let me know and I'll happily supply.

  Thanks in advance.

  Having re-read the Horizon view documentation 7 to confirm that I had taken the correct steps already, I decided to restart both of my new server connection, that solved the problem. My vCenter server now shows in green in the dashboard and I was able to successful deployment of desktop computers.