vCenter

  • 1.  Installation of custom machine SSL cert for VCSA

    Posted Apr 19, 2024 10:06 AM

    VCSA v7.0.3


    Installation of custom machine SSL cert for VCSA using the /usr/lib/vmware-vmca/bin/certificate-manager.

    Installation of the CA issued cert fails with ‘unable to validate the chain of trust for the provided SSL certificate and Root’.

    The installation process we use is successful in another environment, so we are confident that the chain of trust is correct, but we have noted there is a difference here with the CRL Distribution Point field in the certificate. The PKI system used here has been re-keyed, which results in brackets () being used in the field, e.g. URL=http://pki.example.uk/pki/CA1(2).crl

    When I try to manually retrieve this file from the VCSA command line using wget http://pki.example.uk/pki/CA1(2).crl, resolution fails.
    It seems that the use of brackets causes a problem with the CRL location check on installation of a new cert.

    I believe that a re-keyed PKI and the use of brackets in the URL are commonplace and not unusual.

    Has anyone else experienced this issue, or is anyone able to advise whether this is a specific issue with the resolution of a CRL Distribution Point URL containing brackets for vCenter, and whether there is a workaround?

    Thank you.
    Jason



  • 2.  RE: Installation of custom machine SSL cert for VCSA

    Posted 12 days ago

    Are you able to successfully resolve pki.example.uk from the VCSA? Is any firewall port blocking the traffic to the destination server?




  • 3.  RE: Installation of custom machine SSL cert for VCSA

    Posted 11 days ago

    Thanks for the reply. Yes, I'm able to resolve/get another file (without brackets in the URL), e.g. http://pki.example.uk/pki/CA1.crl, so I know it's not a firewall or port-blocking issue.
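    One thing worth ruling out before concluding that certificate-manager cannot handle the bracketed CDP: in the VCSA shell (bash/sh), an unquoted "(" or ")" is shell syntax, so a command typed as wget http://pki.example.uk/pki/CA1(2).crl is rejected by the shell before any DNS lookup or HTTP request happens, which is consistent with posts 1 and 3 (the bracket-free URL works, the bracketed one "fails"). The script below is an added example, not code from the thread or from VMware; it quotes (or percent-encodes) the URL so wget actually sees it, lists the CRL Distribution Point URIs embedded in the certificate with openssl, and verifies the leaf against the chain file the same way the "chain of trust" check does. The file paths /tmp/machine.cer and /tmp/chain.cer are assumptions; set CERT and CHAIN to your own files.

```shell
#!/bin/sh
# Added example (not from the thread): pre-checks to run on the VCSA shell
# before re-running certificate-manager. The paths below are hypothetical.

CERT="${CERT:-/tmp/machine.cer}"   # CA-issued machine SSL cert, PEM (assumed path)
CHAIN="${CHAIN:-/tmp/chain.cer}"   # root + intermediate(s), PEM (assumed path)

# Percent-encode "(" and ")" so the URL is safe in any shell or tool that
# treats them specially. Simply quoting the URL is also enough for wget.
encode_parens() {
  printf '%s' "$1" | sed 's/(/%28/g; s/)/%29/g'
}

# Print the CRL Distribution Point URIs embedded in a PEM certificate.
# Parses "openssl x509 -text" output so it works on older OpenSSL builds;
# the awk range stops at the next extension so AIA/OCSP URIs are not included.
cdp_urls() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | awk '
    /X509v3 CRL Distribution Points/ { on = 1; next }
    on && /^ *(X509v3|Signature Algorithm)/ { on = 0 }
    on && match($0, /URI:[^ ]+/) { print substr($0, RSTART + 4, RLENGTH - 4) }'
}

# Fetch a CRL. The URL is quoted, so "(" and ")" reach wget, not the shell.
fetch_crl() {
  wget -q -O "$2" -- "$1"
}

# Verify the leaf against the supplied chain file, which is the check that
# certificate-manager reports as "chain of trust". Pass a CRL as the third
# argument to also exercise revocation checking against it.
verify_chain() {
  if [ -n "$3" ]; then
    openssl verify -crl_check -CAfile "$2" -CRLfile "$3" "$1"
  else
    openssl verify -CAfile "$2" "$1"
  fi
}

# Constructed URL from the thread; shows both safe forms without any network.
URL='http://pki.example.uk/pki/CA1(2).crl'
echo "quoted:  $URL"
echo "encoded: $(encode_parens "$URL")"

# Only touch real files and the network when the assumed inputs exist.
if [ -f "$CERT" ] && [ -f "$CHAIN" ] && command -v openssl >/dev/null 2>&1; then
  verify_chain "$CERT" "$CHAIN" \
    || echo "chain verification failed: fix the chain file before suspecting the CDP"
  for u in $(cdp_urls "$CERT"); do
    crl="/tmp/$(basename "$u" | sed 's/[()]/_/g')"
    if fetch_crl "$u" "$crl"; then
      # Microsoft-style PKIs usually publish DER CRLs; fall back to PEM.
      openssl crl -inform DER -in "$crl" -noout -lastupdate -nextupdate 2>/dev/null \
        || openssl crl -in "$crl" -noout -lastupdate -nextupdate
      verify_chain "$CERT" "$CHAIN" "$crl"
    else
      echo "could not fetch $u (check DNS, proxy and quoting)"
    fi
  done
fi
```

    If verify_chain succeeds without a CRL but fails once the fetched CRL is supplied, the problem is the CRL itself (expired nextUpdate, wrong issuer after the re-key) rather than the brackets in the URL; if the plain verify already fails, the chain file, not the CDP, is what certificate-manager is objecting to.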