VMware Cloud Community
moscheka
Contributor

SSL Certificate cannot be trusted on vcenter 7.0.3 on port 636

Hello, our internal vulnerability scanner complained about 8 untrusted certificates. So I created a CSR via the vSphere client and had a signed certificate created by our CA, downloaded the .prt file, and converted it to PEM. Afterwards I installed the PEM file, as well as the root certificate (including intermediate and root). All ports are fine, except port 636. There I still get "SSL Certificate cannot be trusted" and get "Verify return code: 21 (unable to verify the first certificate)" via openssl.

  • Is there a way to fix the certificate for port 636?
  • Is it possible to disable port 636 inside of vSphere 7 (not using Active Directory or Enhanced Linked Mode)?
3 Replies
NateNateNAte
Hot Shot

While you may not be using AD, 636 is still an important port for the functionality of vSphere (vCS) to other products (internal vSphere SSO authentication) likely in the stack. So it's not one you want to block.

On the certificate side, you have options. The 'fastest' is to accept the risk, but it depends on where your VM stack operates, so that may not be a choice.

This is a good KB for regenerating certificates for VCSA (assuming you're running that in v7):

https://kb.vmware.com/s/article/2112283

Hopefully that helps!

moscheka
Contributor

Self-signed VMCA certificates are not an option; they are also not secure enough and will create vulnerabilities, which our scanner won't accept. I have installed a signed certificate as the machine SSL certificate, which is working fine for all ports, except 636!

moscheka
Contributor

On port 636 it cannot handle certificate chains, from my point of view.
