HPE OneView

Re: Cannot add hypervisor manager to Oneview

 
T_1_6
Regular Advisor

Cannot add hypervisor manager to Oneview

I get this error when attempting to add vCenter to OneView:

Certificate seems fine on vCenter, is this a OneView certificate issue or what? I tried adding a cert with a full chain to OneView, and it did not accept anything other than a single machine cert only. This is the only thing on our network which seems to have an issue with the vCenter certificate, which is installed as a .pem with its full chain.

 

clipboard_image_0.png

T_1_6
Regular Advisor

Re: Cannot add hypervisor manager to Oneview

For anyone else who has this issue, the solution is to only have ONE intermediate certificate server in your cert chain on the vCenter server.

 

BhaskarV
Trusted Contributor

Re: Cannot add hypervisor manager to Oneview

Hi @T_1_6 
Thank you for sharing the workaround you found.
We do support external servers such as AD server, vCenter with a multi-level CA signed certificate chain, i.e. servers set up with a Root CA + intermediate CA + leaf level CA signed certificate for the server.
The error seems to indicate "invalid input chain". 
Would be very helpful for us to look at this and understand what is special with this chain.
Would it be possible for you to raise a support case with the CA certificate chain PEM file (and a support dump so we can see the actual error in the cidebug.log file)?

Regards
Bhaskar


I am an HPE employee


BhaskarV
Trusted Contributor

Re: Cannot add hypervisor manager to Oneview

Hi @T_1_6 

I generated a 2 level CA chain - i.e. 1 Root CA + 1 intermediate CA and replaced VMware's default VMCA within the vCenter appliance using /usr/lib/vmware-vmca/bin/certificate-manager option 2.
Used vCenter 6.5 for this exercise.
When providing a CA chain to certificate-manager, I provided the chain as input, i.e. inter.crt and root.crt concatenated in a single file. The private key I provided is that of the intermediate. (inter.key)
I then imported the Root CA (topmost root) into OneView's trust store via Manage Certificates -> Add Certificate.

With this, I am able to add this vCenter in OneView using Add hypervisor manager.
Can you describe what steps you went through to get a multi level CA chain on vCenter?
Invalid input chain indicates the CA chain PEM file contents aren't a chain.

Regards
Bhaskar


I am an HPE employee

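As an added example (not from the thread and not HPE's or VMware's validation logic), this script checks whether the certificates in a concatenated PEM file chain by name: each certificate's issuer must equal the next certificate's subject, and the last one must be self-issued. The function names, the throwaway CA names and the intermediate-first ordering are assumptions made here; it compares names only and does not verify signatures or extensions.

```shell
#!/bin/sh
# Added example. Prints the subject or issuer DN of one certificate file.
name() {  # usage: name subject|issuer FILE
  openssl x509 -noout "-$1" -nameopt RFC2253 -in "$2" | sed 's/^[a-z]*= *//'
}

# Exit 0 if the bundle's names chain up to a self-issued root, 1 if a link
# is broken, 2 if the file holds no readable certificate.
check_chain() (
  tmp=$(mktemp -d) || exit 2
  trap 'rm -rf "$tmp"' EXIT
  # Split the bundle into 1.pem, 2.pem, ... in file order.
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
       n { print > (d "/" n ".pem") }' "$1"
  total=$(($(ls "$tmp" | wc -l)))
  [ "$total" -gt 0 ] || { echo "no certificates found in $1" >&2; exit 2; }
  i=1
  while [ "$i" -le "$total" ]; do
    issuer=$(name issuer "$tmp/$i.pem")
    [ -n "$issuer" ] || { echo "cert $i: unreadable" >&2; exit 2; }
    if [ "$i" -lt "$total" ]; then
      parent=$(name subject "$tmp/$((i + 1)).pem")
    else
      parent=$(name subject "$tmp/$i.pem")   # last entry must be self-issued
    fi
    if [ "$issuer" != "$parent" ]; then
      echo "cert $i: issuer '$issuer' does not match '$parent'" >&2
      exit 1
    fi
    i=$((i + 1))
  done
  echo "$total certificates, names chain to a self-issued root"
)

# Constructed sample: throwaway root + intermediate with made-up names.
make_sample() (
  cd "$1" || exit 2
  openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
    -subj "/CN=Example Root CA" -days 1 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
    -subj "/CN=Example Intermediate CA" 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key \
    -CAcreateserial -out inter.crt -days 1 2>/dev/null
  cat inter.crt root.crt > chain.pem     # intermediate first, root last
  cat root.crt inter.crt > reversed.pem  # same certificates, wrong order
)
```

Run `check_chain` against the file you intend to give certificate-manager; a non-zero exit names the first certificate whose issuer is not the next entry's subject.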