Enabling Server-Certificate Verification for Virtual Infrastructure Clients

Details

This article explains how to enable server-certificate verification on Virtual Infrastructure Clients (VI Clients) after installing VirtualCenter 2.0.1 Patch 1 (Build 33643), VirtualCenter 1.4.1 Patch 1 (Build 33425), VirtualCenter 1.3.1 Patch 2 (Build 35640),or subsequent releases.

Solution

VirtualCenter 2.0.1 Patch 1, VirtualCenter 1.4.1 Patch 1, VirtualCenter 1.3.1 Patch 2, and subsequent releases resolve an issue with server-certificate verification by VirtualCenter clients during the initial SSL handshake. Specifically, the X.509 certificate presented by a server to a client at the beginning of an SSL session was not verified. VirtualCenter 2.0.1 Patch 1, VirtualCenter 1.4.1 Patch 1, VirtualCenter 1.3.1 Patch 2, and subsequent releases resolve this issue for Windows client hosts.

However, certificate verification is not enabled by default for the clients—you must specifically enable server-certificate verification on the Windows client host systems. Before enabling server-certificate verification, you must confirm that your servers have valid certificates and replace defective server certificates as needed. Depending on the type of server certificate, you may also need to pre-trust certificates or root CAs. The final step is enabling server-certificate verification below. These three basic steps are covered in this KB:

Confirming that Server Certificates are Valid
Pre-Trusting Certificates
Enabling Server-Certificate Verification

For more information about VirtualCenter server certificates, including information about how to replace them, see Technical Note, "Replacing VirtualCenter Server Certificates."

Confirming that Server Certificates are Valid

For server-certificate verification to succeed, the certificate's issued-to hostname must match the current fully-qualified domain name of the host presenting that certificate. If these names do not match, you should not enable SSL server-certificate verification until you have replaced the certificate.

The default VirtualCenter server certificates are defective, and must be replaced prior to enabling server-certificate verification.
- If you replace the default self-signed certificates with signed certificates purchased from a commercial certificate authority (CA), you can enable server-certificate verification on your upgraded Windows hosts, as described in Enabling Server-Certificate Verification . (If necessary, see the Technical Note, Replacing VirtualCenter Server Certificates for information about how to create the certificate-signing request (CSR) necessary to obtain a server certificate signed by a commercial CA.)
- To replace the default VirtualCenter server certificates with certificates signed by your own local root CA, see the Technical Note, Replacing VirtualCenter Server Certificates for complete details. You must also pre-trust the root CA used to sign your certificates, prior to enabling server-certificate verification.
The ESX Server host, GSX Server host, and VMware Server host certificates are valid, so you need not replace them. However, these systems' certificates must be pre-trusted on the Windows client host systems, including the VirtualCenter server host, that will connect to them (see Pre-Trusting Certificates for details). Remember that you also replace these certificates with certificates signed by a commercial CA, in which case you will not need to go through the pre-trust step.

Pre-Trusting Certificates

Pre-trusting a certificate or a root CA involves installing the certificate into the trusted store of the Windows client system, prior to attempting any connection to a server that presents a certificate (or a certificate signed by the root CA).

For VI Client or VC Client host systems, you should login to the system using whatever account and credentials you will use to connect to either VirtualCenter Server or ESX Server, and follow the steps below (without using the Run as... option). For VirtualCenter Server host systems, the process is as follows:

Log onto the Windows client host.
Launch the Certificates MMC (Microsoft Management Console) snap-in. For the VirtualCenter Server host system, you must logon as the Windows Administrator:
- Navigate to the %SystemRoot%\System32\ directory on the Windows client system and find the certmgr.msc file.
- Right-click on the certmgr.msc file.
- Select Run as... from the popup menu.
- Enter the Administrator credentials specific to the Windows local Administrator group in the dialog.
- Click OK to continue. The Certificates pane displays.
Install the server certificate or the appropriate root CA into the Windows certificate store:
- Click the Trusted Root Certification Authorities folder in the Certificate pane to select it.
- From the Action menu, select All Tasks followed by Import... to launch the Certificate Import Wizard. The Certificate Import Wizard lets you navigate to the location of the certificate file and import it into the Trusted Root Certification Authorities folder.

Enabling Server-Certificate Verification

Assuming all the servers have valid certificates and that the VirtualCenter server and client software has been upgraded, you can enable server-certificate verification on Windows hosts as follows:

Download the ssl-reg-files.zip (see the link under "Attachments," at the bottom of this article).
Confirm that the MD5 checksum of the download is 3c1db2b15f5294fbfde4fa58420886eb. See Using MD5 Checksums for more information, if necessary.)
Unpack ssl-reg-files.zip to retrieve the two Registry (.reg) Files:
- ssl-enable.reg creates the necessary registry keys and enables SSL server-certificate verification;
- ssl-disable.reg disables SSL server-certificate verification.
Run the ssl-enable.reg file on each of the upgraded Windows client hosts:
- Double-click ssl-enable.reg. A message box displays the text, “Are you sure you want to add the information in ....\ssl-enable.reg to the registry?”
- Click Yes to confirm the change to the Windows registry.
Run the registry file on the VirtualCenter Server host system:
- Double-click ssl-enable.reg. A message box displays the text, “Are you sure you want to add the information in ....\ssl-enable.reg to the registry?”
- Click Yes to confirm the change to the Windows registry.

To ensure that the SSL server-certificate verification works as you expect it to, you can test the process using a non-production Windows client host (either a physical host, or one running as a virtual machine). Doing so before pre-trusting the signing certificate should result in an error message when you attempt to connect to the server. After pre-trusting the signing certificate, you should not see the error message.

Disabling Certificate Verification

If you have problems, use the ssl-disable.reg file to disable server-certificate verification temporarily, until the issue can be resolved. You can disable server-certificate verification at any time, by:

Double-clicking ssl-disable.reg. A message box displays the text, “Are you sure you want to add the information in ....\ssl-disable.reg to the registry?”
Click Yes to confirm the change to the Windows registry.

For more information about VirtualCenter server certificates, including information about how to replace them, see Technical Note, "Replacing VirtualCenter Server Certificates."

Keywords

4646606; VC201; VC141; VC131; VC201 Patch 1; VC141 Patch 1; VC131 Patch 2; Patch 2 Patch 2; urlz; alertz; filez

Attachments

ATTssl-reg-files.zip

Feedback

Actions

KB Article: 4646606
Updated: Apr 3, 2007

Products:
VMware ESX
VMware VirtualCenter
VMware Server
Product Versions:
VMware VirtualCenter 2.0.x
VMware VirtualCenter 1.3.x
VMware VirtualCenter 1.4.x

Knowledge Base

Search the Knowledge Base: