VMware Cloud Community
mdh-peraton
Contributor

import certificate failed. What am I missing? 7.0 Update 3.

I am using XCA to build the PKI for a development lab. I created a self-signed root-ca certificate, then created an issuing-ca certificate signed with the root-ca certificate. I have performed the following steps:

Please let me know what I have failed to do correctly. I really want to get everything properly protected.

  1. I put my ESXi box into maintenance mode.
  2. Went to Security & Users -> Certificate.
  3. Selected "Import new Certificate".
  4. Pressed Generate FQDN signing request.
  5. Copied text to clipboard and wrote it into a file esxi01.csr.
  6. Imported the CSR into XCA, which was successful.
  7. Created a new certificate from that CSR, signed by the issuing-ca.
  8. Exported the root-ca, issuing-ca and fqdn certificates in PEM format.
  9. Concatenated them in site, issuing, root order.
  10. Pasted the concatenated file. This resulted in: The generated private key does not match with the public key from the incoming certificate.
  11. Concatenated them in root, issuing, site order.
  12. Pasted the new concatenation, with the same error resulting.
3 Replies
mdh-peraton
Contributor

I believe I followed the instructions on this page to the letter.

I have double-checked all the certificates (self-signed root CA, intermediate CA signed by root, CSR created with the FQDN option in the vSphere client per the document, signed by the intermediate CA). All look valid to openssl, as well as to my Windows endpoint (I have imported root and intermediate as trusted, since my lab certificates should all be trusted by people in my team).

I've stacked the 3 certs (PEM form) in root, intermediate, site and site, intermediate, root order and neither package is accepted. It complains about private keys. (Please see attachment.)

I don't understand where the problem lies.

mhb4ever
Enthusiast

Please check
https://communities.vmware.com/t5/ESXi-Discussions/Failed-Cannot-change-the-host-configuration/td-p/...

jasondrake1978

1. Have your sysadmin generate .pfx and .cer files for the machine you need to update.

2. Download openssl win 64-bit https://www.cloudinsidr.com/content/how-to-install-the-most-recent-version-of-openssl-on-windows-10-...

3. Right click and run openssl as admin in C:\Program Files\OpenSSL-Win64\bin

4. Get the key file by running the command: pkcs12 -in [yourfile.pfx] -nocerts -out [keyfile-encrypted.key]

5. Convert the key file to pem format by running the command: rsa -in [keyfile-encrypted.key] -outform PEM -out [keyfile-encrypted-pem.key]

6. Get the certificate out of the pfx by running the command: pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out [certificate.crt]

7. Add the newly created pem.key and .crt file in C:\Program Files\OpenSSL-Win64\bin, to the server you need to update via gui or winscp.

8. Go to the CMS SERVER

9. Put it into maintenance mode in the host area under actions

10. Power off all VMs

11. Enable SSL in the services tab

12. Exit lockdown mode in services

13. Use winscp and copy the pfx and crt files to the /etc/vmware/ssl directory

14. rename the old rui.crt and rui.key files so you have a copy

15. rename the crt and pfx files you uploaded to rui.crt and rui.key

16. reboot
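The check I would run before pasting a bundle or overwriting rui.crt/rui.key, as an added example that is not from this thread, from VMware or from XCA: it builds its own throwaway lab PKI with openssl (the CA names, the host name esxi01.lab.example and all file names are assumptions), then confirms that the first certificate in the PEM you hand over carries the public key of the host's private key and that the host cert chains to the root through the issuing CA. The mismatch message in the original post is exactly what the first check reports when the wrong key, or the wrong certificate at the top of the bundle, is compared.

```shell
#!/bin/sh
# Added example, not code from the thread. Constructed lab PKI:
# root CA -> issuing CA -> host cert, plus a second key that was NOT behind the CSR.
set -e
WORK=$(mktemp -d); cd "$WORK"
Q="-nodes -newkey rsa:2048 -subj"

# Root CA (self-signed) and issuing CA (signed by root)
openssl req -x509 -days 30 $Q "/CN=lab-root-ca" -keyout root.key -out root.crt 2>/dev/null
openssl req $Q "/CN=lab-issuing-ca" -keyout issuing.key -out issuing.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
openssl x509 -req -in issuing.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 30 -extfile ca.ext -out issuing.crt 2>/dev/null

# Host key + CSR (stands in for the CSR ESXi generates), signed by the issuing CA.
openssl req $Q "/CN=esxi01.lab.example" -keyout host.key -out host.csr 2>/dev/null
openssl x509 -req -in host.csr -CA issuing.crt -CAkey issuing.key -CAcreateserial \
  -days 30 -out host.crt 2>/dev/null
# other.key: a private key that has nothing to do with the CSR (the mismatch case).
openssl genpkey -algorithm RSA -out other.key 2>/dev/null

# The two bundle orders tried in the thread.
cat host.crt issuing.crt root.crt > site-first.pem
cat root.crt issuing.crt host.crt > root-first.pem

# Returns 0 when the public key in the FIRST certificate of $1 equals the public
# key derived from private key $2. 'openssl x509' parses only the first PEM block,
# which is why the order of a concatenated bundle matters to tools that read it.
key_matches_cert() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Returns 0 when host cert $3 chains to root $1 via issuing CA $2.
chain_is_valid() { openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; }

key_matches_cert site-first.pem host.key && echo "site-first bundle: key matches"
key_matches_cert root-first.pem host.key || echo "root-first bundle: MISMATCH (root cert is read first)"
key_matches_cert host.crt other.key      || echo "other.key: MISMATCH (not the key behind the CSR)"
chain_is_valid root.crt issuing.crt host.crt && echo "chain: host -> issuing -> root is valid"
```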
