Enabling server-certificate verification for Virtual Infrastructure Clients (4646606)
Solution
- Confirming that Server Certificates are Valid
- Pre-Trusting Certificates
- Enabling Server-Certificate Verification
- Disabling Certificate Verification
Confirming that Server Certificates are Valid
For server-certificate verification to succeed, the certificate's issued-to hostname must match the current fully-qualified domain name of the host presenting that certificate. If these names do not match, you should not enable SSL server-certificate verification until you have replaced the certificate.
- The default VirtualCenter certificates are defective and must be replaced prior to enabling server-certificate verification.
  - If you replace the default self-signed certificates with signed certificates purchased from a commercial certificate authority (CA), you can enable server-certificate verification on your upgraded Windows hosts, as described in Enabling Server-Certificate Verification. (See Technical Notes in Replacing VirtualCenter Server Certificates for information about how to create the certificate-signing request (CSR) necessary to obtain a server certificate signed by a commercial CA.)
  - If you replace the default VirtualCenter certificates with certificates signed by your own local root CA (see Technical Notes in Replacing VirtualCenter Server Certificates), you must also pre-trust the root CA used to sign your certificates prior to enabling server-certificate verification.
- The ESX host, GSX host, and VMware Server host certificates are valid, so you need not replace them. However, these systems' certificates must be pre-trusted on the Windows client host systems, including the VirtualCenter host, that will connect to them (see Pre-Trusting Certificates for details). You may also replace these certificates with certificates signed by a commercial CA, in which case you do not need to go through the pre-trust step.
Pre-Trusting Certificates
For Virtual Infrastructure Client or VirtualCenter Client host systems, log in to the system using whatever account and credentials you will use to connect to either VirtualCenter or ESX, and follow the steps below (without using the Run as... option). For VirtualCenter Server host systems, the process is as follows:
- Log in to the Windows client host.
- Launch the Certificates MMC (Microsoft Management Console) snap-in. For the VirtualCenter host system, you must log in as a Windows Administrator:
  - Locate %SystemRoot%\System32\certmgr.msc on the Windows client.
  - Right-click on the certmgr.msc file.
  - Select Run as... from the popup menu.
  - Enter the Administrator credentials specific to the Windows local Administrator group in the dialog.
  - Click OK to continue. The Certificates pane displays.
- Install the server certificate or the appropriate root CA into the Windows certificate store:
  - Click the Trusted Root Certification Authorities folder in the Certificate pane.
  - Select Action > All Tasks > Import... to launch the Certificate Import Wizard. The Certificate Import Wizard lets you navigate to the location of the certificate file and import it into the Trusted Root Certification Authorities folder.
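The pre-trust step above can also be done from PowerShell, which is useful when the same certificate has to be trusted on many client hosts. The following is an added example and is not part of the VMware article: it imports a server or root-CA certificate into the Trusted Root Certification Authorities store, skips the import if the thumbprint is already present, and refuses an expired certificate. The .cer path is a placeholder. Because certmgr.msc edits the current user's store, the default here is the CurrentUser store, which is the one that matters for the account running the VI Client; LocalMachine is offered for trusting the certificate for every account on the host and needs an elevated prompt.

```powershell
# Added example (not from the VMware article): PowerShell equivalent of the
# Certificate Import Wizard step. Assumptions: the .cer path is a placeholder;
# Windows PowerShell 3.0 or later with the Cert: drive available.

function Add-PreTrustedCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [string] $CertificatePath,                 # DER or Base64 .cer of the server or root-CA certificate
        [ValidateSet('CurrentUser', 'LocalMachine')]
        [string] $StoreLocation = 'CurrentUser'    # LocalMachine requires an elevated prompt
    )

    # Resolve against the PowerShell location; the X509Certificate2 constructor
    # otherwise interprets relative paths against the process working directory.
    $fullPath = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($CertificatePath)
    if (-not (Test-Path -Path $fullPath)) { throw "Certificate file not found: $fullPath" }

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($fullPath)

    # An expired certificate would still fail verification, so stop before trusting it.
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "Refusing to trust an expired certificate: $($cert.Subject) expired $($cert.NotAfter)"
    }

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', $StoreLocation)
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try {
        # Idempotent: match on thumbprint so repeated runs do not add duplicates.
        $already = $store.Certificates.Find(
            [System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint,
            $cert.Thumbprint, $false)
        if ($already.Count -gt 0) {
            Write-Verbose "Already trusted: $($cert.Subject) ($($cert.Thumbprint))"
        }
        else {
            # For the CurrentUser Root store Windows shows the same "You are about to
            # install a certificate from a certification authority" prompt the wizard does.
            $store.Add($cert)
            Write-Verbose "Added to $StoreLocation\Root: $($cert.Subject) ($($cert.Thumbprint))"
        }
    }
    finally {
        $store.Close()
    }

    # Return the store entry so the caller can confirm the thumbprint that is now trusted.
    Get-ChildItem -Path "Cert:\$StoreLocation\Root" | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
}

# Usage with a placeholder path: trust the certificate exported from an ESX host.
Add-PreTrustedCertificate -CertificatePath 'C:\certs\esx01.cer' -Verbose
```

Run it as the same Windows account that will launch the VI Client, exactly as the article requires for the MMC route; a certificate trusted under a different account (for example via Run as...) is not visible to the client's user store.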
Enabling Server-Certificate Verification
Assuming all servers have valid certificates and that the VirtualCenter server and client software has been upgraded, you can enable server-certificate verification on Windows hosts as follows:
- Download the ssl-reg-files.zip (see the link under "Attachments," at the bottom of this article).
- Confirm that the MD5 checksum of the download is 3c1db2b15f5294fbfde4fa58420886eb.
- Unpack ssl-reg-files.zip to retrieve the two Registry (.reg) files:
  - ssl-enable.reg creates the necessary registry keys and enables SSL server-certificate verification.
  - ssl-disable.reg disables SSL server-certificate verification.
- Run the ssl-enable.reg file on each of the upgraded Windows client hosts:
  - Double-click ssl-enable.reg. A prompt asking, “Are you sure you want to add the information in ....\ssl-enable.reg to the registry?” appears.
  - Click Yes to confirm the change to the Windows registry.
- Run the registry file on the VirtualCenter host system:
  - Double-click ssl-enable.reg. A prompt asking, “Are you sure you want to add the information in ....\ssl-enable.reg to the registry?” appears.
  - Click Yes to confirm the change to the Windows registry.
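The download, checksum and registry-import steps above can be scripted so that every client host is handled the same way. The following is an added example and is not part of the VMware article or its attachment: it checks the archive against the MD5 the article lists, prints the registry keys each .reg file touches before anything is imported, and then imports the chosen file with reg.exe, which performs the same import as double-clicking but without the "Are you sure" prompt. The download and extraction paths are placeholders; the contents of the .reg files are not reproduced here, the script only reads whatever the attachment contains.

```powershell
# Added example (not from the VMware article): verify, inspect and import the
# ssl-enable.reg / ssl-disable.reg files. Assumptions: paths are placeholders;
# Windows PowerShell 5.1 or later (Get-FileHash and Expand-Archive).

$ExpectedMd5 = '3c1db2b15f5294fbfde4fa58420886eb'   # checksum stated in the article
$ZipPath     = 'C:\Temp\ssl-reg-files.zip'           # placeholder download location
$ExtractDir  = 'C:\Temp\ssl-reg-files'               # placeholder extraction directory

function Test-DownloadChecksum {
    # Throws if the archive does not match the published MD5; returns $true otherwise.
    param([string] $Path, [string] $ExpectedMd5)
    $actual = (Get-FileHash -Path $Path -Algorithm MD5).Hash
    if ($actual -ne $ExpectedMd5) {     # -ne is case-insensitive, so hex case does not matter
        throw "Checksum mismatch for ${Path}: expected $ExpectedMd5, got $actual"
    }
    $true
}

function Show-RegFileKeys {
    # List the [HKEY_...] sections of a .reg file (a leading '-' marks a key deletion).
    param([string] $RegFile)
    Get-Content -Path $RegFile |
        Select-String -Pattern '^\[(-?HKEY_[^\]]+)\]' |
        ForEach-Object { $_.Matches[0].Groups[1].Value }
}

function Set-SslVerification {
    param([Parameter(Mandatory = $true)] [bool] $Enable)

    $regFile = Join-Path -Path $ExtractDir -ChildPath $(if ($Enable) { 'ssl-enable.reg' } else { 'ssl-disable.reg' })
    if (-not (Test-Path -Path $regFile)) { throw "Missing registry file: $regFile" }

    Write-Host "Importing $regFile, which writes to:"
    Show-RegFileKeys -RegFile $regFile | ForEach-Object { Write-Host "  $_" }

    # reg.exe import is silent; if the file writes under HKEY_LOCAL_MACHINE it must
    # be run from an elevated prompt, otherwise it fails with a non-zero exit code.
    & reg.exe import $regFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe import failed with exit code $LASTEXITCODE" }
}

# Same order as the article: verify the download, unpack it, then enable.
Test-DownloadChecksum -Path $ZipPath -ExpectedMd5 $ExpectedMd5 | Out-Null
Expand-Archive -Path $ZipPath -DestinationPath $ExtractDir -Force
Set-SslVerification -Enable $true
```

The MD5 comparison confirms that the download arrived intact; it is not a tamper check, so still obtain the archive from the article's own Attachments link. Pass `-Enable $false` to apply ssl-disable.reg in the same way when you need to fall back, as described under Disabling Certificate Verification.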
To ensure that the SSL server-certificate verification works as you expect it to, you can test the process using a non-production Windows client host (either a physical host, or one running as a virtual machine). Doing so before pre-trusting the signing certificate should result in an error message when you attempt to connect to the server. After pre-trusting the signing certificate, you should not see the error message.
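The two conditions this article asks you to confirm, that the certificate's issued-to name matches the FQDN (Confirming that Server Certificates are Valid) and that the signing certificate is pre-trusted on the client (the before-and-after test just described), can be checked from a Windows client without opening the VI Client. The following is an added example and is not VMware code: it connects to the server's SSL port, captures the certificate it presents, and reports what the default Windows validation policy decided, which is the same policy an SSL-verifying client would apply. It also optionally exports the certificate as a .cer file ready for the Pre-Trusting Certificates step. The host name, port and export path are placeholders.

```powershell
# Added example (not from the VMware article): report name match and issuer
# trust for the certificate a server presents. Assumptions: host name, port and
# export path are placeholders; Windows PowerShell 3.0 or later on .NET 4.x.

function Test-ServerCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [string] $HostName,        # the FQDN you will type into the VI Client
        [int]    $Port = 443,      # placeholder default; adjust if the server listens elsewhere
        [string] $ExportPath       # optional: save the presented certificate as a DER .cer file
    )

    # The validation callback writes into this hashtable; it is captured by
    # reference, so the closure can hand its results back to the function.
    $state = @{ Cert = $null; Errors = [System.Net.Security.SslPolicyErrors]::None }

    $validator = {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        # Record what the default policy decided, then return $true so the handshake
        # completes and we can report the reason instead of catching an exception.
        if ($certificate) {
            $state.Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certificate)
        }
        $state.Errors = $sslPolicyErrors
        return $true
    }.GetNewClosure()
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]$validator

    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $stream = $client.GetStream()
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $stream, $false, $callback
        # Passing the FQDN as the target host is what makes the name-mismatch check meaningful.
        $ssl.AuthenticateAsClient($HostName)
        $ssl.Dispose()
    }
    finally {
        $client.Close()
    }

    $cert   = $state.Cert
    $policy = $state.Errors
    if (-not $cert) { throw "No certificate was presented by ${HostName}:${Port}" }

    if ($ExportPath) {
        # Resolve against the PowerShell location, not the process working directory.
        $full  = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($ExportPath)
        $bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
        [System.IO.File]::WriteAllBytes($full, $bytes)
    }

    [pscustomobject]@{
        HostName      = $HostName
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        Expired       = ($cert.NotAfter -lt (Get-Date))
        NameMatches   = -not $policy.HasFlag([System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch)
        IssuerTrusted = -not $policy.HasFlag([System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors)
        PolicyErrors  = $policy
    }
}

# Usage with a placeholder host: run once before pre-trusting (IssuerTrusted is False
# for a self-signed ESX certificate) and again after importing the exported .cer.
Test-ServerCertificate -HostName 'esx01.example.com' -ExportPath '.\esx01.cer' | Format-List
```

NameMatches = False means the certificate must be replaced before verification is enabled, exactly as the Confirming section states; IssuerTrusted = False with NameMatches = True is the expected result on a client that has not yet pre-trusted the certificate, and should turn True after the import. Run the check as the account that will use the VI Client, because trust decisions depend on that account's certificate store.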
Disabling Certificate Verification
If you have problems, you can disable server-certificate verification temporarily, until the issue can be resolved. To disable server-certificate verification:
- Double-click ssl-disable.reg. A prompt asking, “Are you sure you want to add the information in ....\ssl-disable.reg to the registry?” appears.
- Click Yes to confirm the change to the Windows registry.
Note: Refer to the VirtualCenter Configuration portion of the Basic System Administration Guide to enable or disable the Verify host SSL certifications option. To change these options in VirtualCenter, click Administration > VirtualCenter Management Server Configuration > SSL.