VMware vCenter 6.5 SSL ICA not send

It looks like there is still a bug in vCenter 6.5 to handle the machine SSL certificates correctly. Somehow the vCenter webserver does not send the intermediate certificates also if they are selected with the certificate manager /usr/lib/vmware-vmca/bin/certificate-manager.

This result in a broken trust path if you connect from any application or from your web browser to the vCenter web interface. You could verify it also with a simple openssl command:

echo | openssl s_client -showcerts -connect vcenter.example.com:443

Mostly you could see it in these lines first lines

depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = vcenter.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = vcenter.example.com
verify error:num=21:unable to verify the first certificate
verify return:1
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=vcenter.example.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA

I have tried to select the correct intermediate certificate chain in the machine SSL certificate and also in the root certificate or in VMware terms in the “signing certificate of the Machine SSL certificate”. Both without any success.

The only thing that worked for me is installing the certificate with a valid chain again via the vecs-cli tool.

Check if the certificate chain are still missing with the following command. If it result in only one certificate I’m sure the chain isn’t send from the web server”

$ /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store machine_ssl_cert --alias __MACHINE_CERT

Save the machine certificate (server certificate) and the full chain (including all intermediate certificates) in one PEM file. The file content should be in the following order:

  • machine certificate (server certificate) #1
  • intermediate certificate #2 which signed the machine certificate #1
  • intermediate certificate #3 which signed the intermediate certificate #2

Also save the machine certificate key on the vCenter server for example both files are saved in /tmp. Then remove the existing certificate:

$ /usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store MACHINE_SSL_CERT --alias __MACHINE_CERT

If you’ve saved both files on the server you could install the certificate and key again. Because /tmp/cert_with_chain.crt includes the full chain it will also send from the vCenter web server correctly:

$ /usr/lib/vmware-vmafd/bin/vecs-cli entry create --store MACHINE_SSL_CERT --alias __MACHINE_CERT --cert /tmp/cert_with_chain.crt --key /tmp/cert.key

Restart the virtual machine or restart the services of the vCenter!

Send your comment by mail.