
I have a self-signed CA (root certificate) I use in our LAN to sign SSL/TLS certificates for other things such as pfSense itself, our HP iLO interfaces, and so on. Everything works fine here, and we decided it was time to add the vCenter web interface to the mix. The CA itself and the certs are managed by a pfSense server.

I generated a CSR with certificate manager, processed it on pfSense, and brought the generated cert along with the CA over to vCenter and ran the certificate manager again to import the CA, cert, and key, whereupon I ran into the "Replacing the Machine SSL Certificate or Solution User Certificates with Custom CA Certificates fails at 0%" issue described here:

https://kb.vmware.com/s/article/2111571

Following the instructions there to try to import the CA (there is no chain, so I am just trying to import this single self-signed CA) fails with the following errors:

dir-cli failed. Error 11: Possible errors:
LDAP error: Administrative limit exceeded
Win Error: An attempt was made to load a program with an incorrect format.

The host OS for vCenter is Windows 2008 R2 Standard, 64bit. I would appreciate any advice in getting this resolved.

alzee
    Have you logged a call with VMware? – Chopper3 Nov 22 '17 at 17:18
  • https://haveyoutriedreinstalling.com/replacing-vsphere-6-0-certificates-using-vmca-as-a-subordinate-ca/ – Jacob Evans Nov 25 '17 at 06:48
  • @Chopper3 we don't have a support contract, decided not to renew last year after going five or so years without needing any help from them. – alzee Nov 27 '17 at 14:06
  • @JacobEvans I am not trying to replace the VMCA cert; I am trying to do option #1 in the 2nd step, not option #2. – alzee Nov 27 '17 at 14:07
  • I've never had good luck using an external CSR generation tool with VMware; I've always generated the CSR with VMware and then processed the request with my external CA. However, it's much easier to make vCenter a subordinate CA of your existing root. You're making this much harder on yourself, as you'll still get warnings when working with vHosts since they will be self-signed. Either install and trust the VMCA or make it an intermediate. – Jacob Evans Nov 27 '17 at 15:59
  • @JacobEvans I finally got it to work; turns out that vCenter doesn't like CRLF-terminated lines in the cert files. Individual hosts are much easier to do since vCenter isn't involved at all: just put them in maint mode, copy the cert & key to the machine, and restart management. I did *try* to make an intermediate, but that failed as well, first with the CRLF issue, then with some problem restarting the services. Going back to just the web cert but with Unix newlines got things working as expected. – alzee Nov 27 '17 at 21:40
  • While importing the PFX, have you marked the private key to be exportable (default: no)? – bjoster Dec 01 '17 at 14:02
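The cause alzee reports in the comments (CRLF line endings in the PEM files) is cheap to check for before running the vCenter certificate manager at all. The script below is an added example written for this thread, not code from the original post or from VMware. It assumes nothing about vCenter's parser beyond what the thread states; it simply emulates a strict LF-only PEM reader so you can see, offline, which blocks such a reader finds before and after normalizing the line endings. The PEM content embedded in it is constructed filler, not a real certificate.

```python
import base64
import re
import sys

# Constructed sample input: a PEM-shaped block with Windows (CRLF) line endings.
# The base64 body is filler, not a real certificate, so the script runs offline.
CRLF_PEM = (
    "-----BEGIN CERTIFICATE-----\r\n"
    "MIIBszCCARUCAQAwDQYJKoZIhvcNAQEL\r\n"
    "BQAwEzERMA8GA1UEAwwIdGVzdC1jYQ==\r\n"
    "-----END CERTIFICATE-----\r\n"
).encode()

# Strict PEM grammar, as an assumption about a picky importer: LF-only line
# endings and a matching BEGIN/END label pair.
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END \1-----\n", re.S)


def has_crlf(data: bytes) -> bool:
    """True if the file carries Windows-style line endings."""
    return b"\r\n" in data


def normalize_newlines(data: bytes) -> bytes:
    """Rewrite CRLF (and stray CR) to LF and make sure the file ends with a newline."""
    out = data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")
    if not out.endswith(b"\n"):
        out += b"\n"
    return out


def pem_blocks(data: bytes):
    """Return [(label, der_bytes)] for each PEM block the strict grammar accepts.

    A body that is not valid base64 raises binascii.Error, which is the kind
    of defect a strict importer would also trip over.
    """
    blocks = []
    for m in PEM_BLOCK.finditer(data):
        label = m.group(1).decode()
        body = b"".join(m.group(2).split())  # join the base64 lines, drop whitespace
        blocks.append((label, base64.b64decode(body, validate=True)))
    return blocks


def check_bundle(data: bytes, required=("CERTIFICATE",)):
    """Report what the strict LF-only parser sees before and after normalization."""
    before = [label for label, _ in pem_blocks(data)]
    after = [label for label, _ in pem_blocks(normalize_newlines(data))]
    missing = [r for r in required if r not in after]
    return {"crlf": has_crlf(data), "blocks_before": before,
            "blocks_after": after, "missing": missing}


if __name__ == "__main__":
    # Usage: python pemcheck.py ca.pem cert.pem key.pem
    # Files that had CRLF endings are rewritten in place with LF endings.
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            raw = f.read()
        report = check_bundle(raw)
        print(path, report)
        if report["crlf"]:
            with open(path, "wb") as f:
                f.write(normalize_newlines(raw))
            print("  rewrote", path, "with LF line endings")
```

On the constructed input the strict parser finds no block at all while the CRLF endings are present and exactly one CERTIFICATE block after normalization, which is the difference alzee hit. Passing `required=("CERTIFICATE", "PRIVATE KEY")` to `check_bundle` lets you confirm a combined cert+key file carries both parts before handing it to the importer.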

0 Answers