vCenter

  • 1.  error replacing Machine SSL Certificate

    Posted Oct 04, 2021 05:43 PM


    1. I log into freshly deployed vSphere Client 7.0 Web GUI: https://myvsphereclient.mydomain.co.uk/ui/
    2. Go to Administration -> Certificates -> Certificate Management -> Machine SSL Certificate -> Actions -> Import and Replace Certificate
    3. Choose "Replace with external CA certificate (requires private key)" -> NEXT
    4. Browse to and upload our wildcard multidomain SAN certificate files issued by Sectigo. We happily use the same certificate for dozens of subdomains in dozens of different places including https://www.matrixscience.com
    5. Machine SSL Certificate -> cert.crt
    6. Chain of trusted root certificates -> ssl-bundle.crt
    7. Private Key -> keyfile.key
    8. Click REPLACE

    "Error occurred while fetching tls: Invalid input certificate : The Subject of the provided certificate does not contain the correct CN value"

    Same error when uploading files in .pem format.

    What is it complaining about?

    How to fix it, i.e. replace the self-signed default SSL certificate with our own (without issuing a brand new certificate)?



  • 2.  RE: error replacing Machine SSL Certificate

    Posted Oct 04, 2021 05:55 PM

    https://kb.vmware.com/s/article/2112277

    VMware does not support wildcards. What I did is just use our internal CA to create my certificate.

    --Alan


  • 3.  RE: error replacing Machine SSL Certificate

    Posted Feb 07, 2023 08:06 PM

    Slight edit: from the KB article: "VMware does not support the use of wildcard certificates on the vCenter Server." (https://kb.vmware.com/s/article/2112277)

    However, standalone ESXi servers *do* support the use of wildcard certs.

    https://kb.vmware.com/s/article/56441

    https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-122A4236-9696-4E1F-B9E8-738855946A93.html



  • 4.  RE: error replacing Machine SSL Certificate

    Posted Feb 07, 2023 08:35 PM

    My first time I was also very nervous, and I did not change it properly.



  • 5.  RE: error replacing Machine SSL Certificate

    Posted Feb 07, 2023 09:04 PM


  • 6.  RE: error replacing Machine SSL Certificate

    Posted Jun 21, 2023 05:08 PM

    Thanks for that clarification re: ESXi vs vCenter.  I first did all my ESXi hosts, got them secured, and only vCenter was annoying me. I spent the better part of a day manually setting/copying certs, failing at the GUI, discovering the /usr/lib/vmware-vmca/bin/certificate-manager, finally hitting the "no wildcards" error string... which made zero sense since I'd just used wildcards on the very host vCenter is running on. So annoying.
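
A pre-flight check for the failure discussed in this thread, as an added example that is not part of any post and is not VMware's code: it reads the text printed by `openssl x509 -in cert.crt -noout -subject -ext subjectAltName` and reports the name problems before the certificate is uploaded. The rules it applies (no wildcard names, CN equal to the vCenter FQDN, FQDN listed as a DNS SAN) are an assumption drawn from the error string and the KB statement quoted above; the function names and the `example.test` sample data are constructed.

```python
import re

# Constructed sample output of:
#   openssl x509 -in cert.crt -noout -subject -ext subjectAltName
WILDCARD_CERT = """\
subject=C = GB, O = Constructed Ltd, CN = *.example.test
X509v3 Subject Alternative Name:
    DNS:*.example.test, DNS:example.test
"""
HOST_CERT = """\
subject=C=GB, O=Constructed Ltd, CN=vcenter.example.test
X509v3 Subject Alternative Name:
    DNS:vcenter.example.test
"""

def parse_names(openssl_text):
    """Return (subject CN or None, list of DNS SAN entries)."""
    cn, sans = None, []
    for line in openssl_text.splitlines():
        line = line.strip()
        if line.lower().startswith("subject"):
            # Handles both "CN = x" (OpenSSL 1.1.1) and "CN=x" (OpenSSL 3).
            m = re.search(r"\bCN\s*=\s*([^,/]+)", line)
            if m:
                cn = m.group(1).strip()
        sans += re.findall(r"DNS:([^,\s]+)", line)
    return cn, sans

def preflight(openssl_text, vcenter_fqdn):
    """List the name problems assumed to make vCenter reject the certificate."""
    cn, sans = parse_names(openssl_text)
    fqdn = vcenter_fqdn.lower().rstrip(".")
    problems = []
    if cn is None:
        problems.append("subject has no CN")
    elif "*" in cn:
        problems.append(f"subject CN is a wildcard: {cn}")
    elif cn.lower() != fqdn:
        problems.append(f"subject CN {cn} is not the vCenter FQDN {fqdn}")
    wildcards = [s for s in sans if "*" in s]
    if wildcards:
        problems.append("wildcard SAN entries: " + ", ".join(wildcards))
    if fqdn not in (s.lower() for s in sans):
        problems.append(f"no DNS SAN entry for {fqdn}")
    return problems

if __name__ == "__main__":
    for label, text in (("wildcard", WILDCARD_CERT), ("host", HOST_CERT)):
        print(label, preflight(text, "vcenter.example.test") or "OK")
```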