VMware
 

Knowledge Base

Enabling Server-Certificate Verification for Virtual Infrastructure Clients

Details

This article explains how to enable server-certificate verification on Virtual Infrastructure Clients (VI Clients) after installing VirtualCenter 2.0.1 Patch 1 (Build 33643), VirtualCenter 1.4.1 Patch 1 (Build 33425), VirtualCenter 1.3.1 Patch 2 (Build 35640), or subsequent releases.

Solution

VirtualCenter 2.0.1 Patch 1, VirtualCenter 1.4.1 Patch 1, VirtualCenter 1.3.1 Patch 2, and subsequent releases resolve an issue with server-certificate verification by VirtualCenter clients during the initial SSL handshake. Specifically, the X.509 certificate presented by a server to a client at the beginning of an SSL session was not verified. These releases resolve the issue for Windows client hosts.
 
However, certificate verification is not enabled by default for the clients; you must specifically enable server-certificate verification on the Windows client host systems. Before enabling it, you must confirm that your servers have valid certificates and replace defective server certificates as needed. Depending on the type of server certificate, you may also need to pre-trust certificates or root CAs. The final step is enabling server-certificate verification itself. These three basic steps are covered in this KB:
  • Confirming that Server Certificates are Valid
  • Pre-Trusting Certificates
  • Enabling Server-Certificate Verification
For more information about VirtualCenter server certificates, including information about how to replace them, see Technical Note, "Replacing VirtualCenter Server Certificates."
 

Confirming that Server Certificates are Valid

For server-certificate verification to succeed, the certificate's issued-to hostname must match the current fully-qualified domain name of the host presenting that certificate. If these names do not match, you should not enable SSL server-certificate verification until you have replaced the certificate.

  • The default VirtualCenter server certificates are defective, and must be replaced prior to enabling server-certificate verification.
    • If you replace the default self-signed certificates with signed certificates purchased from a commercial certificate authority (CA), you can enable server-certificate verification on your upgraded Windows hosts, as described in Enabling Server-Certificate Verification. (If necessary, see the Technical Note, Replacing VirtualCenter Server Certificates, for information about how to create the certificate-signing request (CSR) necessary to obtain a server certificate signed by a commercial CA.)
    • To replace the default VirtualCenter server certificates with certificates signed by your own local root CA, see the Technical Note, Replacing VirtualCenter Server Certificates for complete details. You must also pre-trust the root CA used to sign your certificates, prior to enabling server-certificate verification.
  • The ESX Server host, GSX Server host, and VMware Server host certificates are valid, so you need not replace them. However, these systems' certificates must be pre-trusted on the Windows client host systems, including the VirtualCenter server host, that will connect to them (see Pre-Trusting Certificates for details). You can also replace these certificates with certificates signed by a commercial CA, in which case you do not need to go through the pre-trust step.
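The checks described above (issued-to name equal to the FQDN, certificate within its validity period, and chain trusted by the Windows store) can be run from the client host before verification is switched on. The following PowerShell function is an added example, not part of this KB or of VMware's software: it opens an SSL connection, captures the certificate the server presents, and reports each condition separately. The host names in the usage comment are placeholders; the script assumes Windows PowerShell 3 or later and a client that can complete a handshake with the server.

```powershell
# Added example, not part of the VMware KB article: retrieve the certificate a
# server presents on its SSL port and check the conditions this article requires
# before verification is enabled. Assumed: $HostName/$Port are placeholders you
# supply; Windows PowerShell 3 or later.

function Test-ServerCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,   # the FQDN you type into the VI Client
        [int]$Port = 443
    )

    # Accept whatever the server sends so the handshake completes; the verdict
    # is computed below from the captured certificate, not from this callback.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        return $true
    }

    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Dispose()
    } finally {
        $client.Close()
    }

    # Names the certificate was issued to: the subject CN plus any DNS entries
    # in the Subject Alternative Name extension (OID 2.5.29.17).
    $names = @()
    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($cn) { $names += $cn }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += ($san.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=', 2)[1] })
    }
    # -eq on strings is case-insensitive in PowerShell; a '*.' entry is matched as a wildcard.
    $nameMatches = [bool]($names | Where-Object { $HostName -eq $_ -or ($_.StartsWith('*.') -and $HostName -like $_) })

    # Chain trust as this account's Windows store currently sees it. Revocation
    # checking is turned off so the result reflects only trust, names and dates.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainTrusted = $chain.Build($cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status.ToString() }) -join ', '

    $now = Get-Date
    $inValidity = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)

    [pscustomobject]@{
        HostName      = $HostName
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        Thumbprint    = $cert.Thumbprint
        IssuedTo      = ($names -join ', ')
        NotAfter      = $cert.NotAfter
        NameMatches   = $nameMatches
        InValidity    = $inValidity
        SelfSigned    = ($cert.Subject -eq $cert.Issuer)
        ChainTrusted  = $chainTrusted
        ChainStatus   = $chainStatus
        ReadyToEnable = ($nameMatches -and $inValidity -and $chainTrusted)
    }
}

# Usage (placeholder names): run from the account that will use the VI Client.
# Test-ServerCertificate -HostName 'vcserver.example.com'
# Test-ServerCertificate -HostName 'esx01.example.com'
```

Read the result against the cases in the list above: a default VirtualCenter certificate shows NameMatches false and must be replaced; an ESX Server, GSX Server or VMware Server certificate typically shows NameMatches true but ChainTrusted false until it has been pre-trusted on this client; a commercially signed certificate should show all three true. Run it from the same account that will run the VI Client, because the chain result depends on that account's certificate store.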

Pre-Trusting Certificates

 

Pre-trusting a certificate or a root CA involves installing the certificate into the trusted store of the Windows client system, prior to attempting any connection to a server that presents a certificate (or a certificate signed by the root CA).
For VI Client or VC Client host systems, you should log in to the system using whatever account and credentials you will use to connect to either VirtualCenter Server or ESX Server, and follow the steps below (without using the Run as... option). For VirtualCenter Server host systems, the process is as follows:
  • Log onto the Windows client host.
  • Launch the Certificates MMC (Microsoft Management Console) snap-in. For the VirtualCenter Server host system, you must log on as the Windows Administrator:
    • Navigate to the %SystemRoot%\System32\ directory on the Windows client system and find the certmgr.msc file.
    • Right-click on the certmgr.msc file.
    • Select Run as... from the popup menu.
    • Enter the Administrator credentials specific to the Windows local Administrator group in the dialog.
    • Click OK to continue. The Certificates pane displays.
  • Install the server certificate or the appropriate root CA into the Windows certificate store:
    • Click the Trusted Root Certification Authorities folder in the Certificate pane to select it.
    • From the Action menu, select All Tasks followed by Import... to launch the Certificate Import Wizard. The Certificate Import Wizard lets you navigate to the location of the certificate file and import it into the Trusted Root Certification Authorities folder.
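The same import can be scripted for hosts where the MMC wizard is impractical. The PowerShell function below is an added example and not part of this KB: it installs a certificate file into the Trusted Root Certification Authorities store of the current user (the account that will run the VI Client, as the steps above require) or of the local machine, refuses the file if its thumbprint does not match one you obtained out of band, and confirms the entry afterwards. It uses the .NET X509Store class rather than the newer Import-Certificate cmdlet so it also works on older Windows releases; the file path and thumbprint in the usage comment are placeholders.

```powershell
# Added example, not part of the VMware KB article: pre-trust a server
# certificate or root CA by importing it into the "Root" store, with an
# optional thumbprint check. Assumed: file path and thumbprint are placeholders.

function Add-PreTrustedCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$CertificateFile,   # DER or Base64 .cer/.crt exported from the server
        [string]$ExpectedThumbprint,                              # SHA-1 thumbprint obtained from the server itself, if available
        [ValidateSet('CurrentUser', 'LocalMachine')][string]$StoreLocation = 'CurrentUser'
    )

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertificateFile)

    # Refuse a file whose fingerprint differs from the one verified against the
    # server, so a wrong or substituted file is never installed as a trust anchor.
    if ($ExpectedThumbprint) {
        $expected = ($ExpectedThumbprint -replace '[:\s]', '').ToUpper()
        if ($cert.Thumbprint -ne $expected) {
            throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $expected"
        }
    }

    # A trust anchor is a root CA or a self-signed server certificate. A leaf
    # issued by another CA should not go here; pre-trust its root CA instead.
    if ($cert.Subject -ne $cert.Issuer) {
        Write-Warning "Certificate is not self-signed; import its issuing root CA rather than this leaf."
    }

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', $StoreLocation)
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try {
        $existing = $store.Certificates.Find('FindByThumbprint', $cert.Thumbprint, $false)
        if ($existing.Count -eq 0) { $store.Add($cert) }
    } finally {
        $store.Close()
    }

    # Re-open read-only and confirm the certificate is now present.
    $check = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', $StoreLocation)
    $check.Open('ReadOnly')
    $present = $check.Certificates.Find('FindByThumbprint', $cert.Thumbprint, $false).Count -gt 0
    $check.Close()

    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        Store      = "$StoreLocation\Root"
        Installed  = $present
    }
}

# Usage (placeholders): from the VI Client account, or from an Administrator
# session for the VirtualCenter Server host when targeting LocalMachine.
# Add-PreTrustedCertificate -CertificateFile 'C:\certs\esx01.cer' -ExpectedThumbprint 'PLACEHOLDER-THUMBPRINT'
```

Windows shows a confirmation dialog when a certificate is added to the current user's Root store, which is the same prompt the Certificate Import Wizard produces; writing to LocalMachine\Root requires an elevated session, matching the Run as... step above. If the VirtualCenter certificates were signed by your own root CA, import that CA's certificate, not each server certificate.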

Enabling Server-Certificate Verification

Assuming all the servers have valid certificates and that the VirtualCenter server and client software has been upgraded, you can enable server-certificate verification on Windows hosts as follows:

  • Download the ssl-reg-files.zip (see the link under "Attachments," at the bottom of this article).
  • Confirm that the MD5 checksum of the download is 3c1db2b15f5294fbfde4fa58420886eb. (See Using MD5 Checksums for more information, if necessary.)
  • Unpack ssl-reg-files.zip to retrieve the two Registry (.reg) Files:
    • ssl-enable.reg creates the necessary registry keys and enables SSL server-certificate verification;
    • ssl-disable.reg disables SSL server-certificate verification.
  • Run the ssl-enable.reg file on each of the upgraded Windows client hosts:
    • Double-click ssl-enable.reg. A message box displays the text, “Are you sure you want to add the information in ....\ssl-enable.reg to the registry?”
    • Click Yes to confirm the change to the Windows registry.
  • Run the registry file on the VirtualCenter Server host system:
    • Double-click ssl-enable.reg. A message box displays the text, “Are you sure you want to add the information in ....\ssl-enable.reg to the registry?”
    • Click Yes to confirm the change to the Windows registry.
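For hosts where the file is applied from a script rather than by double-clicking, the steps above (checksum, unpack, import) can be combined so that a download with the wrong checksum is never applied. This PowerShell function is an added example, not part of this KB or of the attachment: it uses the checksum given in this article, Get-FileHash and Expand-Archive (PowerShell 4 and 5 respectively), and reg.exe to import the chosen .reg file. The download path is a placeholder.

```powershell
# Added example, not part of the VMware KB article: verify ssl-reg-files.zip
# against the MD5 checksum given in the article, unpack it, and import
# ssl-enable.reg or ssl-disable.reg with reg.exe. Assumed: $ZipPath is a
# placeholder; PowerShell 5 or later for Expand-Archive.

$ExpectedMd5 = '3c1db2b15f5294fbfde4fa58420886eb'   # value stated in the KB article

function Install-SslRegFile {
    param(
        [Parameter(Mandatory = $true)][string]$ZipPath,
        [ValidateSet('enable', 'disable')][string]$Action = 'enable'
    )

    # Fail closed: an archive whose checksum differs from the published one is
    # not unpacked or imported. MD5 here is a download-integrity check only.
    $actual = (Get-FileHash -Path $ZipPath -Algorithm MD5).Hash.ToLower()
    if ($actual -ne $ExpectedMd5) {
        throw "Checksum mismatch for $ZipPath (got $actual, expected $ExpectedMd5); not applying."
    }

    $dest = Join-Path $env:TEMP 'ssl-reg-files'
    Expand-Archive -Path $ZipPath -DestinationPath $dest -Force

    $regFile = Join-Path $dest "ssl-$Action.reg"
    if (-not (Test-Path $regFile)) {
        throw "Expected $regFile was not found in the archive."
    }

    # reg.exe import applies the file without the confirmation dialog that
    # double-clicking shows; check its exit code instead.
    & reg.exe import $regFile
    if ($LASTEXITCODE -ne 0) {
        throw "reg import of $regFile failed with exit code $LASTEXITCODE"
    }
    return $regFile
}

# Usage (placeholder path), run on each upgraded client host and on the
# VirtualCenter Server host:
# Install-SslRegFile -ZipPath 'C:\downloads\ssl-reg-files.zip' -Action enable
```

Running it with -Action disable applies ssl-disable.reg in the same way, which is useful for the temporary rollback described under Disabling Certificate Verification.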

To ensure that the SSL server-certificate verification works as you expect it to, you can test the process using a non-production Windows client host (either a physical host, or one running as a virtual machine). Doing so before pre-trusting the signing certificate should result in an error message when you attempt to connect to the server. After pre-trusting the signing certificate, you should not see the error message.

 

Disabling Certificate Verification

If you have problems, use the ssl-disable.reg file to disable server-certificate verification temporarily, until the issue can be resolved. You can disable server-certificate verification at any time:

  • Double-click ssl-disable.reg. A message box displays the text, “Are you sure you want to add the information in ....\ssl-disable.reg to the registry?”
  • Click Yes to confirm the change to the Windows registry.
For more information about VirtualCenter server certificates, including information about how to replace them, see Technical Note, "Replacing VirtualCenter Server Certificates."

Keywords

4646606; VC201; VC141; VC131; VC201 Patch 1; VC141 Patch 1; VC131 Patch 2; Patch 2 Patch 2; urlz; alertz; filez

Attachments
