Knowledge Base

The VMware Knowledge Base provides support solutions, error messages and troubleshooting guides

Search the VMware Knowledge Base (KB)

View by Article ID

After installation of Microsoft Security Advisory update (KB2661254), connection to vCenter Server 4.0.x web services may fail (2037082)

Cause

vCenter Server 4.0.x by default uses RSA certificates which are 512 bits and therefore cause vCenter Server to fail. The update in Microsoft Security Advisory, KB2661254, blocks the use of RSA certificates which are less than 1024 bits long.

Resolution

As of vCenter Server 4.1 RSA Certificates of 2048 bits are used by default, however if a system was upgraded from vCenter 4.0, the certificates are not regenerated and therefore you still may be impacted by this issue. To validate whether your certificate is 1024 bits or higher:

Navigate to the certificate directory. The default path is C:\Users\All Users\VMware\VMware VirtualCenter\SSL\ or For Windows Server 2008, C:\ProgramData\VMware\VMware VirtualCenter\SSL\.
Double-click rui.crt, to open it.
Click Details.
Find Public Key value from the list. The value should be RSA (1024 Bits) or higher. If the value is RSA (512 Bits), you will be impacted by the update in Microsoft Security Advisory KB2661254.

If you are impacted, you can resolve the issue by following one of these steps:

Regenerate the certificate to be at least 1024 bits. To do this:
- For vCenter 4.0,
  - if you are using a self signed certificate, see the Replacing Default Certificates with Self-Signed Certificates section of the Replacing vCenter Server 4.0 Certificates guide.
  - if you are using a commercially signed certificate, see the Replacing Default Certificates with Certificates Signed by a Commercial CA section of the Replacing vCenter Server 4.0 Certificates guide.
- For vCenter 4.1,
  - if you are using a self signed certificate, see the Replacing Default Certificates with Self-Signed Certificates section of the Replacing vCenter Server 4.1 Certificates guide.
  - if you are using a commercially signed certificate, see the Replacing Default Certificates with Certificates Signed by a Commercial CA section of the Replacing vCenter Server 4.1 Certificates guide
- For vCenter 5.0,
  - See the vSphere Security guide and the vSphere Examples and Scenarios guide in the vSphere documentation center.
Undo the changes implemented by the Microsoft Patch to allow weaker certificates to be used again. For more information on options see Microsoft KB, Microsoft Security Advisory: Update for minimum certificate key length (KB2661254).

Additional Information

Microsoft Security Advisory (KB2661254) was initially released in August 2012, as an optional download. As of October 2012, the update was released to customers via Windows update.

Update History

12/13/2012 - Added additional symptom 02/15/2013 - Added vCenter Server 4.1 and 5.x to Products

Request a Product Feature

To request a new product feature or to provide feedback on a VMware product, please visit the Request a Product Feature page.

Feedback

1 2 3 4 5
11 Ratings

1 2 3 4 5
11 Ratings

Actions

Bookmark Document

KB:

Did this article help you?
This article resolved my issue. This article did not resolve my issue. This article helped but additional information was required to resolve my issue.
What can we do to improve this information? (4000 or fewer characters)