Generating custom or default SSL certificates
Article ID: 307433

Products

VMware vCenter Server

Issue/Introduction

This article provides steps to generate default or custom SSL certificates.
You may need to generate default or custom SSL certificates if:

Caution: This article is specifically for vSphere 4.x.

Symptoms:
In the sms.log file, you may notice these errors:
  • at java.lang.Thread.run(Thread.java:619)
    Thread-2 ERROR com.vmware.vim.common.lifecycle.InitializerExecutor] Initialization error; attempt 2 will begin in 60 seconds...
    java.util.concurrent.ExecutionException: java.lang.IllegalStateException: com.vmware.vim.common.vdb.VdbException: Error decrypting password
    at java.util.concurrent.FutureTask$Sync.innerGet(FutureTask.java:222)
    at java.util.concurrent.FutureTask.get(FutureTask.java:83)
    at com.vmware.vim.common.lifecycle.InitializerExecutor$MonitorCallback.run(Unknown Source)
    at java.lang.Thread.run(Thread.java:619)
    Caused by: java.lang.IllegalStateException: com.vmware.vim.common.vdb.VdbException: Error decrypting password
    at com.vmware.vim.common.lifecycle.InitializerExecutor$MonitorCallback$1.run(Unknown Source)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:441)
    at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
    at java.util.concurrent.FutureTask.r


    Or

  • SEVERE: Error starting endpoint
    java.io.IOException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded
    at com.sun.net.ssl.internal.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1277)
    at java.security.KeyStore.load(KeyStore.java:1185)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:344)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:263)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:473)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:413)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:129)
    at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:503)
    at org.apache.tomcat.util.net.JIoEndpoint.start(JIoEndpoint.java:526)
    at org.ap


    Or

  • SEVERE: Catalina.start:
    LifecycleException: service.getName(): "Catalina"; Protocol handler start failed: java.io.IOException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded
    at org.apache.catalina.connector.Connector.start(Connector.java:1138)
    at org.apache.catalina.core.StandardService.start(StandardService.java:531)
    at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
    at org.apache.catalina.startup.Catalina.start(Catalina.java:583)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:288)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
    Jun 9, 2011 1:49:45 PM org.apache.


Environment

VMware vCenter Server 4.0.x
VMware vCenter Server 4.1.x

Resolution

Caution: Ensure that lockdown mode is disabled before replacing vCenter Server certificates. You need to connect to the host as root to re-add it to vCenter Server. For more information, see Enabling or disabling Lockdown mode on an ESXi host (1008077).

Installing OpenSSL

To install OpenSSL:
  1. Download and install the 0.9.8y version of OpenSSL for Win32 or Win64 (depending on whether the operating system is 32-bit or 64-bit). Keep the default location during the install.

    Note:
    Some CA servers only accept 2048-bit keys. In this case, replace both instances of 1024 below with 2048.

  2. If prompted, download and install the Microsoft Visual C++ 2008 Redistributable Package for 32-bit or 64-bit Windows, matching the operating system.

    Note: The preceding links were correct as of October 8, 2014. If you find the links are broken, please provide feedback and a VMware employee will update the link.

  3. Edit the openssl.cfg file in openssl\bin:

    under [ CA_Default ]: dir = .

    under [ req ] change: default_bits = 1024

    under [ req ] change: default_keyfile = rui.key

Generating a default certificate

To generate a default certificate:

  1. Open the OpenSSL application from a command prompt:

    cd c:\openssl\bin

    Note: Open the command prompt with Run as administrator.

  2. To generate the rui.key file, run the command:

    openssl genrsa 1024 > rui.key

  3. To generate the rui.crt file, run the command:

    openssl.exe req -new -x509 -days 3650 -sha1 -nodes -key rui.key -out rui.crt -config openssl.cfg

    Note: After running the openssl.exe req -new command, you are asked to enter this information:
    • country code (for example, US)
    • state (for example, New Jersey)
    • city (press Enter to leave blank, or enter a city name)
    • OU (press Enter to leave blank, or enter an OU)
    • Common name (for example, the FQDN of vCenter Server)

      Note: It may be necessary to issue the certificate with 'vmware' as the common name, as VDI and other third-party tools that work with vCenter Server may require this.

    • email (press Enter to leave blank)

  4. To generate the rui.pfx file, run the command:

    openssl.exe pkcs12 -export -in rui.crt -inkey rui.key -name rui -passout pass:testpassword -out rui.pfx

Generating a custom certificate

To generate a custom CA signed certificate:
  1. Open the OpenSSL application from a command prompt:

    cd c:\openssl\bin

    Note: Open the command prompt with Run as administrator.

  2. To generate the rui.key file, run the command:

    openssl genrsa 1024 > rui.key

  3. To create the rui.csr file, run the command:

    openssl req -new -nodes -out rui.csr -config openssl.cfg

    You see output similar to:

    Generating a #### bit RSA private key
    ...........................++++++..........++++++
    writing new private key to 'rui.key'
    -----

  4. You are asked to enter information that is incorporated into your certificate request, in the form of a Distinguished Name (DN). Some fields can be left blank, and some fields have a default value that should be left as is. If you enter '.', the field is left blank.

    Country Name (2 letter code) [AU]: Enter the 2-letter country code (example: US)
    State or Province Name (full name) [Some-State]: Enter your state (example: California, or press Enter to leave blank)
    Locality Name (eg, city) []: Enter your city (example: San Diego, or press Enter to leave blank)
    Organization Name (eg, company) [Internet Widgits Pty Ltd]: Enter the company name (example: Company Name Inc.)
    Organizational Unit Name (eg, section) []: Enter the OU
    Common Name (eg, YOUR name) []: ***MUST BE FQDN OF VCENTER*** (example: vcenter.domain.local)
    Email Address []: Enter an email address (example: [email protected], or press Enter to leave blank)
    An optional company name []: Press Enter to leave blank unless you require one
    Please enter the following 'extra' attributes to be sent with your certificate request
    A challenge password []: Press Enter to leave blank unless you require one

  5. Open the rui.csr file in a text editor and copy the entire contents, including the BEGIN and END tags.
  6. Open the web interface of your CA server and create a certificate request, pasting the block of text as the certificate request.
  7. The certificate now needs to be signed by an authorized user.
  8. After receiving the certificate from the authorized signer, rename it to rui.crt and generate a .pfx file:

    openssl.exe pkcs12 -export -in rui.crt -inkey rui.key -name rui -passout pass:testpassword -out rui.pfx

  9. Open the rui.crt file in a text editor such as Notepad.

  10. Remove any data present before -----BEGIN CERTIFICATE-----.

    Note: This step is not mandatory for legacy versions of vCenter Server. However, in vCenter Server 5.1, if the certificate contains information before the -----BEGIN CERTIFICATE----- section, Java may present the error:

    java.security.cert.CertificateParsingException: invalid DER-encoded certificate

    The registration of the service then fails. This is known to occur when the vCenter Server upgrade fails with Error 26002. Unable to register vCenter Server to Inventory Service.
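The default-certificate commands and the step 10 cleanup above, as an added example that is not part of this article: a POSIX shell script that runs the same OpenSSL steps non-interactively, keeps only the PEM block of a CA-returned certificate, checks that rui.crt belongs to rui.key, and confirms that rui.pfx opens with its password (the check that fails with "failed to decrypt safe contents entry" in the Symptoms section). It assumes openssl on the PATH and an sh shell (Linux, or a Windows OpenSSL build with one); it substitutes -sha256 for the article's -sha1 and uses 2048 bits per the note, and the CN, organization and $WORKDIR file names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the KB article): the article's OpenSSL steps, run
# non-interactively. Assumptions: openssl on PATH, files written under $WORKDIR,
# CN/O values are constructed placeholders (use the vCenter Server FQDN).
set -e
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Steps 2-4 of "Generating a default certificate": key, self-signed cert, PFX.
# 2048 bits per the KB note; -sha256 is substituted for the KB's -sha1.
make_default_cert() {           # $1 = common name (FQDN of vCenter Server)
    cd "$WORKDIR"
    openssl genrsa -out rui.key 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -sha256 -nodes -key rui.key -out rui.crt \
        -subj "/C=US/ST=New Jersey/O=Example Org/CN=$1"
    openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui \
        -passout pass:testpassword -out rui.pfx
}

# Step 10 of the custom-certificate procedure: keep only the PEM block so that
# nothing precedes -----BEGIN CERTIFICATE----- (CA portals often prepend text,
# which makes Java report "invalid DER-encoded certificate").
clean_pem() {                   # $1 = certificate from the CA, $2 = output file
    sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' "$1" > "$2"
    head -n 1 "$2" | grep -q '^-----BEGIN CERTIFICATE-----'
}

# Sanity check before copying files into the SSL folder: the certificate must
# belong to the private key (compare the RSA moduli).
key_matches_cert() {            # $1 = certificate, $2 = private key
    c=$(openssl x509 -noout -modulus -in "$1")
    k=$(openssl rsa -noout -modulus -in "$2")
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# The check vCenter's Tomcat performs at startup: opening rui.pfx with its
# password. A mismatch is the "failed to decrypt safe contents entry" error.
pfx_opens_with() {              # $1 = pfx file, $2 = password
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -noout >/dev/null 2>&1
}

if [ "${1:-}" = "demo" ]; then
    make_default_cert vcenter.example.local
    # Constructed CA output with "Bag Attributes" text before the PEM block.
    printf 'Bag Attributes\n    friendlyName: rui\n' > "$WORKDIR/from_ca.crt"
    cat "$WORKDIR/rui.crt" >> "$WORKDIR/from_ca.crt"
    clean_pem "$WORKDIR/from_ca.crt" "$WORKDIR/rui.clean.crt"
    key_matches_cert "$WORKDIR/rui.clean.crt" "$WORKDIR/rui.key" && echo "key/cert match"
    pfx_opens_with "$WORKDIR/rui.pfx" testpassword && echo "rui.pfx opens"
fi
```

Run it as `sh script.sh demo`; the functions can also be sourced and pointed at a real CA-returned certificate before it is copied to the vCenter SSL folder.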

Applying the generated certificates

To apply the certificates:
  1. Set DRS to manual on each cluster. This prevents mass migrations after reconnecting the hosts to vCenter Server in step 8.
  2. Stop the VMware VirtualCenter Server service. For more information, see Stopping, starting, or restarting vCenter services (1003895) .
  3. Create a backup of this folder:

    C:\(Documents and Settings)ProgramData\(AllUsers)\(Application Data)\VMware\VMware VirtualCenter\SSL

    Note: Folders in parenthesis are for Windows Server 2003.

  4. Replace rui.crt, rui.key, rui.pfx files in this folder with the new files.
  5. Open a command prompt and run this command:

    "C:\Program Files\VMware\Infrastructure\VirtualCenter Server\vpxd.exe" -p


  6. When prompted, enter the ODBC password twice.
  7. Start the VMware VirtualCenter Server service. For more information, see Stopping, starting, or restarting vCenter services (1003895) .
  8. Manually reconnect each host to vCenter Server (right-click the host and choose Connect).

    Note: If you see an error asking for your credentials, enter the root credentials for the host.


Additional Information

How to stop, start, or restart vCenter Server services
Enabling or disabling Lockdown mode on an ESXi host
Regenerating expired SSL certificates after 2 years in VMware vCenter Server 4.x / 5.0.x
Issues viewing Storage Views, Performance Overview, and Hardware Status when OpenSSL 1.0.0 version or higher is used to create self-signed certificates
Replacing vCenter Server 4.1 and 5.0 SSL certificates using the vpxd -p command fails with the error: failed to do early initialization
Pairing VRMS server with vCenter Server fails with the error: Unacceptable signature algorithm: MD5withRSA
Implementing CA signed SSL certificates with vSphere 5.0
Implementing CA signed SSL certificates with vSphere 5.x
Generating custom or default SSL certificates (Japanese)
Generating custom or default SSL certificates (Chinese)