Hello,
this is a desperate cry for help, I'm ready to hang myself (figure of speech)
After upgrading all my vSphere components to the latest 5.x version (coming from 5.0) I installed the View connection server and security server as last components.
The View connection server pointed me to the fact I have to set up certificates.
I've been following all steps, detail after detail, from this KB:
I have set up an AD CA integrated with the AD, made the needed changes to the template for key usage, made the certs, checked the certs, followed the steps to enroll the certs in the SSO
All fine, all OK....
I'm at the point of Replace the vCenter Server 5.x certificates:
I did what is asked and it goes wrong at the point where I'm asked to log in to the MOB. (AND I found out that I locked myself out of the vCenter)
So without reloading the sslcert in the MOB, the isregtools is not ending with code:
0
... it ends with
9
I stopped here to make sure that I do not encrypt my db with the wrong cert.
I edited the VPX-ACCES table and added local credentials, nothing works...
How do I proceed?
I have to get all up and running by Tuesday or we can't use our PC rooms on faculty 😕
Desperate regards
John
Hello John,
to get a .pem file working with the SSL Tool you have to include the complete certificate chain in this container...
- Certificates in PEM container must be in x509 (BASE64) ... NOT in DER
- when you open it in text editor they must start with: -----BEGIN CERTIFICATE----- ends with: -----END CERTIFICATE-----
- If you are using subordinate CA for issuing certificates in your domain you must include its certificate in PEM file!
- All certificates in .PEM file must be in reverse order so when you open the file first must be vCenter server certificate, second Sub CA and last Root CA
You can create the PEM container with the copy command and keep the exact order:
copy /B <path>rui.crt + <path>SubCA64.cer + <path>RootCA.cer chain.pem
After you have created the PEM file, open it and check the certificate order: vCenter first, Sub second and Root at the bottom.
Avoid putting extra blank lines between certificates; there should be no space before and after any certificate.
Once you have chain.pem and the private key from the vCenter (rui.crt) certificate you can start with the SSL Tool.
P.
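A checker for the chain.pem rules listed in the post above, as an added example that is not part of the original thread or of VMware's tooling: it flags DER input, blank lines or stray text, and a wrong certificate order by comparing issuer and subject names. The function names are assumptions of this example, and signatures are not verified.

```python
import base64, re, sys

BLOCK = r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----"

def read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, pos, pos + length

def issuer_subject(der):
    """Return the raw issuer and subject Name bytes of one certificate."""
    _, pos, _ = read_tlv(der, 0)        # Certificate
    _, pos, end = read_tlv(der, pos)    # tbsCertificate
    fields = []
    while pos < end and len(fields) < 6:
        tag, start, pos = read_tlv(der, pos)
        fields.append((tag, der[start:pos]))
    if fields[0][0] == 0xA0:            # drop the optional [0] version
        fields.pop(0)
    # remaining order: serialNumber, signature, issuer, validity, subject
    return fields[2][1], fields[4][1]

def check_chain(data):
    """Return the problems found in the bytes of a chain.pem ([] = none)."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return ["binary (DER) content: export the certificates as Base64"]
    blocks = re.findall(BLOCK, text, re.S)
    if not blocks:
        return ["no BEGIN/END CERTIFICATE block found"]
    problems = []
    if re.sub(BLOCK + r"\r?\n?", "", text, flags=re.S):
        problems.append("blank lines or extra text around the certificates")
    try:
        names = [issuer_subject(base64.b64decode(b)) for b in blocks]
    except (ValueError, IndexError):
        return problems + ["a block does not decode to a certificate"]
    for i in range(len(names) - 1):  # each issuer must be the next subject
        if names[i][0] != names[i + 1][1]:
            problems.append(f"certificate {i + 1} is not issued by certificate {i + 2}")
    if names[-1][0] != names[-1][1]:  # names only; signatures are not verified
        problems.append("last certificate is not a self-issued root CA")
    return problems

if __name__ == "__main__":  # usage: python check_chain.py chain.pem
    found = check_chain(open(sys.argv[1], "rb").read())
    sys.exit("\n".join(found) or 0)  # prints the problems and exits 1, else exits 0
```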
Hi John,
replacing vCenter certificates since the 5.1 release came out has always been a little bit tricky because lots of new components are there (SSO etc.)
The whole process has many manual steps, so there is plenty of room to make a mistake.
That's why VMware came up with the SSL Automation Tool, which simplifies the process in many ways.
Once you have all certificates, private keys and .pem files prepared it's really quick and straightforward to apply them.
No manual steps are needed to refresh trusts between vCenter components; everything is done by the SSL Automation Tool.
Check it here:
VMware KB: Deploying and using the SSL Certificate Automation Tool 5.5
Only one thing is missing in that KB: how to create .PEM files, although it is simple ...
If you need help with this just ask...
Regards,
Petr
Hello vNEX,
I have indeed only crt and pfx files.
I'll do a Google search to find out how to get the pem format
Thanks
J
EDIT: (for those with the same problem)
openssl x509 -in input.crt -out input.der -outform DER
openssl x509 -in input.der -inform DER -out output.pem -outform PEM
Thanks vNEX
It worked out...