I am using XCA to build the PKI for a development lab. I created a self-signed root-ca certificate, then created an issuing-ca certificate signed with the root-ca certificate. I have performed the following steps:
Please let me know what I have failed to do correctly. I really want to get everything properly protected.
I believe I followed the instructions on this page to the letter.
I have double-checked all the certificates (self-signed root CA, intermediate CA signed by root, CSR created with FQDN option on vsphere client per document; signed by intermediate CA) All look valid to openssl, as well as my Windows endpoint (I have imported root and intermediate as trusted, since my lab certificates should all be trusted by people in my team)
I've stacked the 3 certs (PEM form) in root, intermediate, site and site, intermediate, root order and neither package is accepted. It complains about private keys. (Please see attachment).
I don't understand where the problem lies.
please check
https://communities.vmware.com/t5/ESXi-Discussions/Failed-Cannot-change-the-host-configuration/td-p/...
jasondrake1978
1. Have your sysadmin generate .pfx and .cer files for the machine you need to update.
2. Download openssl win 64-bit https://www.cloudinsidr.com/content/how-to-install-the-most-recent-version-of-openssl-on-windows-10-...
3. Right click and run openssl as admin in C:\Program Files\OpenSSL-Win64\bin
4. Get the key file by running the command: pkcs12 -in [yourfile.pfx] -nocerts -out [keyfile-encrypted.key]
5. Convert the key file to pem format by running the command: rsa -in [keyfile-encrypted.key] -outform PEM -out [keyfile-encrypted-pem.key]
6. Get the certificate out of the pfx by running the command: pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out [certificate.crt]"
7. Add the newly created pem.key and .crt file in C:\Program Files\OpenSSL-Win64\bin, to the server you need to update via gui or winscp.
8. Go to the CMS SERVER
9. Put it into maintenance mode in the host area under actions
10. power off off all VM's
11. Enable SSL in the services tab
12. Exit lockdown mode in services
13. Use winscp and copy the pfx and crt files to the cd /etc/vmware/ssl directory
14. rename the old rui.crt and rui.key files so you have a copy
15. rename the crt and pfx files you uploaded to rui.crt and rui.key
16. reboot