by Well, I’ve confirmed on my test system, that a Go Daddy wildcard certificate will work on a VI3 (VirtualCenter 2.5 & ESX 3.5) system.
Let’s say you already have a wildcard certificate in place on an IIS web server, and you’d like to use it in your VI3 environment.
First you’ll need to export the cert from your IIS box, using the Certificates snap in.
Right click, then All Tasks, then Export, and Next on the first screen
Select “Yes, export the private key
“Personal Information Exchange – PKCS #12 (.PFX)” should be selected
And “Include all certificates in the certification path if possible” should be checked.
Enter your password here
Enter a filename for the exported cert. I called it wildcard.pfx
Click finish.
Now you’ll need to use OpenSSL to convert the file you just generated.
I ran the openssl.exe from the path on my test system (C:opensslbin)
C:opensslbinopenssl.exe pkcs12 -in wildcard.pfx -out wildcard.txt -nodes. You will be asked for the password you entered when you were exporting the pfx.
Now open the wildcard.txt with Wordpad (notepad won’t work). I use Win32Pad instead.
Grab the portion with the following:
—–BEGIN RSA PRIVATE KEY—–
(Block of Random Text)
—–END RSA PRIVATE KEY—–
And save this (notepad is fine for this) as rui.key
Grab the portion with the following:
—–BEGIN CERTIFICATE—–
(Block of Random Text)
—–END CERTIFICATE—–
And save this (notepad is fine for this) as rui.crt
Make sure you make a backup of the existing keys, in the case that something goes wrong with this process. They are located in the c:Documents and SettingsAll UsersApplication DataVMwareVMware VirtualCenterSSL folder.
Now, rename the wildcard.pfx to rui.pfx. Copy rui.pfx, rui.crt, and rui.key files, to the above folder.
You’ll then need to reinitialize the vpxd password. Run “vpxd.exe -p” again from a Dos box in the following folder:
c:Program FilesVMwareInfrastructureVirtualCenter Server
Then restart your VirtualCenter service.
You should then be able to log into your VirtualCenter server using a wildcard certificate.
Additionally, you can upload the rui.crt and rui.key files to your ESX host (using WinSCP) to the /etc/vmware/ssl/ path. Make sure you back these up too.
I then restarted my ESX 3.5 system, and it started to use the wildcard certificate as well.
As always, If you wish to use this method that I have seen success with, feel free to.
By using the methods I have described, you agree that I will not be held liable for any issues in your environment.
Enjoy.
Thanks for this, but how do you install the CA Intermediate Bundle?
On connecting to VC I get “Windows does not have enough information to verify this certificate”
Any my *.domain.org certificate shows only Go Daddy Secure Certification Authority & nothing above it (and there should be Go Daddy Class 2 Certification Authority and above it Valicert Class 2 Policy Validation Authority (as it shows in properly configured Apache 2)
Seb
I’ll have to dig up my docs on the process.
I just stood up a new test system, and I can try it out on that.
It will be a couple weeks before I get time to it, as I’m not going to be where I can get to it for a while.
I’ll see what I can find, and post it.
I had an extra step, as my certificate was NOT issued for CSR on this Windows server.
With some tweaking I got it working exactly this way.
Or I hoped…. VIClient connects just fine to VC, SSL shows the right info etc, but none of the operations on VMs can be performed due to the bad login. Had to (for now) revert back to original VMware SSL certficates)
Had to follow the last 2 posts from this thread:
http://communities.vmware.com/message/628443#628443
Then it all works
Seb
Sweet!
Glad it worked out for you.