Search the VMware Knowledge Base (KB)
View by Article ID

Generating custom or default SSL certificates (1029944)

  • 26 Ratings

Symptoms

In the sms.log file, you may notice these errors:
  • at java.lang.Thread.run(Thread.java:619)
    Thread-2 ERROR com.vmware.vim.common.lifecycle.InitializerExecutor] Initialization error; attempt 2 will begin in 60 seconds...
    java.util.concurrent.ExecutionException: java.lang.IllegalStateException: com.vmware.vim.common.vdb.VdbException: Error decrypting password
    at java.util.concurrent.FutureTask$Sync.innerGet(FutureTask.java:222)
    at java.util.concurrent.FutureTask.get(FutureTask.java:83)
    at com.vmware.vim.common.lifecycle.InitializerExecutor$MonitorCallback.run(Unknown Source)
    at java.lang.Thread.run(Thread.java:619)
    Caused by: java.lang.IllegalStateException: com.vmware.vim.common.vdb.VdbException: Error decrypting password
    at com.vmware.vim.common.lifecycle.InitializerExecutor$MonitorCallback$1.run(Unknown Source)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:441)
    at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
    at java.util.concurrent.FutureTask.r


    Or

  • SEVERE: Error starting endpoint
    java.io.IOException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded
    at com.sun.net.ssl.internal.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1277)
    at java.security.KeyStore.load(KeyStore.java:1185)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:344)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:263)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:473)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:413)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:129)
    at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:503)
    at org.apache.tomcat.util.net.JIoEndpoint.start(JIoEndpoint.java:526)
    at org.ap


    Or

  • SEVERE: Catalina.start:
    LifecycleException: service.getName(): "Catalina"; Protocol handler start failed: java.io.IOException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded
    at org.apache.catalina.connector.Connector.start(Connector.java:1138)
    at org.apache.catalina.core.StandardService.start(StandardService.java:531)
    at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
    at org.apache.catalina.startup.Catalina.start(Catalina.java:583)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:288)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
    Jun 9, 2011 1:49:45 PM org.apache.

Purpose

This article provides steps to generate default or custom SSL certificates.
 
You may need to generate default or custom SSL certificates if:

Caution: This article is specifically for vSphere 4.x .

Resolution

Caution: Ensure that lockdown mode is disabled before replacing vCenter Server Certificates. You need to connect to the host as root for re-adding it into vCenter Server. For more information, see Enabling or disabling Lockdown mode on an ESXi host (1008077) .

Installing OpenSSL

To install OpenSSL:
  1. Download and install 0.9.8y version of OpenSSL for Win32 or Win64 (depending on if the operating system is 32-bit or 64-bit). Keep the default location during install.

    Note:
    Some CA servers only accept 2048-bit keys. In this case, replace both instances of 1024 below with 2048.

  2. If prompted, download and install Microsoft Visual C++ 2008 Redistributable Package, click here for Windows 32bit OS or here for Windows 64bit OS .

    Note: The preceding links were correct as of October 8, 2014. If you find the links are broken, please provide feedback and a VMware employee will update the link.

  3. Edit openssl.cfg file in openssl\bin:

    under [ CA_Default ]: dir = .

    under [ req ] change: default_bits = 1024

    under [ req ] change: default_keyfile = rui.key

Generating a default certificate

To generate a default certificate:

  1. Open the OpenSSl application using a command prompt:

    cd c:\openssl\bin

    Note: Ensure to Run as administrator when opening the command prompt.

  2. To generate the rui.key file, run the command:

    openssl genrsa 1024 > rui.key

  3. To generate the rui.crt file, run the command:

    openssl.exe req -new -x509 -days 3650 -sha1 -nodes -key rui.key -out rui.crt -config openssl.cfg

    Note: After running the openssl.exe req -new command you are asked to enter this information
    • country code (for example, US)
    • state (for example, New Jersey)
    • city (press Enter to leave blank or enter a city name)
    • OU (press Enter to leave blank or enter an OU),
    • Common name (for example, FQDN of vCenter Server )

      Note: It may be necessary to issue the Certificate as 'vmware' for the common name, as VDI and other 3rd party tools vCenter Server could require this.

    • email (press Enter to leave blank).

4. To generate the rui.pfx file, run the command:

openssl.exe pkcs12 -export -in rui.crt -inkey rui.key -name rui -passout pass:testpassword -out rui.pfx

Generating a custom certificate

To generate a custom CA signed certificate:
  1. Open the OpenSSl application using a command prompt:

    cd c:\openssl\bin

    Note: Ensure to Run as administrator when opening the command prompt.

  2. To generate the rui.key file, run the command:

    openssl genrsa 1024 > rui.key

  3. To create the rui.csr file, run the command:

    openssl req -new -nodes -out rui.csr -config openssl.cfg

    You see an output similar to:

    Generating a #### bit RSA private key
    ...........................++++++..........++++++writing new private key to 'rui.key'-----

    You are asked to enter
    information that are
  4.  incorporated into your certificate request.
    You need to enter a Distinguished Name or a DN.
    The blank fields can be ignored and there are default value for some field which needs to be left as is
    If you enter '.', the field is left blank.

    Country Name (2 letter code) [AU]: - E nter 2 letter country (example: US)
    State or Province Name (full name) [Some-State]: - enter your state (example: California, or enter to leave blank)
    Locality Name (eg, city) []: -Enter your city (example: San Diego, or enter to leave blank)
    Organization Name (eg, company) [Internet Widgits Pty Ltd] :(ie. Company Name Inc.)
    Organizational Unit Name (eg, section) []: (i.e. OU)
    Common Name (eg, YOUR name) []: ***MUST BE FQDN OF VCENTER*** (ie. vcenter.domain.local)
    Email Address []: (i.e.
    email@address.com , or enter to leave blank)
    An optional company name []: (enter to leave blank unless you require one)
    Please enter the following 'extra' attributes to be sent with your certificate request
    A challenge password []:
    (enter to leave blank unless you require one)

  5. Open the rui.csr file with a text editor and copy entire contents including beginning and ending tags.
  6. Open users Web interface for users CA server and generate certificate request, pasting the block of text as the certificate request.
  7. The certificate now needs to be signed by authorized user.
  8. After receiving the certificate from the authorized signer, rename it to rui.crt and generate a .pfx file:

    openssl.exe pkcs12 -export -in rui.crt -inkey rui.key -name rui -passout pass:testpassword -out rui.pfx

  9. Open the rui.crt file in a text editor such as notepad.

  10. Remove any data present before -----BEGIN CERTIFICATE----- .

    Note: The above step is not mandatory for legacy versions of vCenter Server, however in vCenter Server 5.1 if there is a certificate with information before the -----BEGIN CERTIFICATE----- section Java may present the error:

    java.security.cert.CertificateParsingException: invalid DER-encoded certificate
    .

    Thus the registration of the service fails. This is known to occur with the vCenter Server Upgrade failing with Error 26002. Unable to register vCenter Server to Inventory Service.

Applying the generated certificates

To apply the certificates:
  1. Set DRS to manual on each cluster. This prevents mass migrations after reconnecting the hosts to vCenter Server in step 8.
  2. Stop the VMware VirtualCenter Server service. For more information, see Stopping, starting, or restarting vCenter services (1003895) .
  3. Create a backup of this folder:

    C:\(Documents and Settings)ProgramData\(AllUsers)\(Application Data)\VMware\VMware VirtualCenter\SSL

    Note: Folders in parenthesis are for Windows Server 2003.

  4. Replace rui.crt, rui.key, rui.pfx files in this folder with the new files.
  5. Open a command prompt and run this command:

    c:\Program Files\VMware\Infrastructure\VirtualCenter Server\
    vpxd.exe -p


  6. When prompted, enter the ODBC password twice.
  7. Start the VMware VirtualCenter Server service. For more information, see Stopping, starting, or restarting vCenter services (1003895) .
  8. Manually reconnect each host to vCenter server (right-click the host and choose Connect).

    Note: If you see an error asking for your credentials, enter the root credentials for the host.

Additional Information

 

Tags

custom-ssl-certificates

See Also

Update History

09/11/2011 - Added the step to create rui.key file

Request a Product Feature

To request a new product feature or to provide feedback on a VMware product, please visit the Request a Product Feature page.

Feedback

  • 26 Ratings

Did this article help you?
This article resolved my issue.
This article did not resolve my issue.
This article helped but additional information was required to resolve my issue.

What can we do to improve this information? (4000 or fewer characters)




Please enter the Captcha code before clicking Submit.
  • 26 Ratings
Actions
KB: