HPE OneView
Query: OV4VC Custom SSL Cert Error

MCSAP
Frequent Advisor

OV4VC Custom SSL Cert Error

Hi,

I've submitted my CSR and received my Base-64 Certificate Chain from our internal CA.  The sub and root certs are in my vCenter Trusted Cert store; however, when I add the OV4VC cert I get the below error:

Error occurred while adding trusted root certificates: com.vmware.vapi.std.errors.Error, Certificate bearing subject<DID NOT INCLUDE CERT INFO> is not a valid CA certificate. Please retry with a valid certificate chain


Now, the internal cert I received for my OV4VC appliance installed via the "Certificate Management" section in vCenter-Administration-HPE OneView for VMware vCenter and the browser sees that it's a valid cert.


Unfortunately, I can't move forward with the SPP registration without getting the custom cert into the vCenter Trust Store.


Any clues?


vCenter = 7.0.3

OneView = 6.00.01

OV4VC = 10.4

MCSAP
Frequent Advisor

Re: Query: OV4VC Custom SSL Cert Error

Not helpful.  I can't reach the 2nd URL.

Any other thoughts on the Trusted Root Certificate error?


T_1_6
Regular Advisor

Re: Query: OV4VC Custom SSL Cert Error

I always had to add the cert root and intermediate chains into the certificate file, and Oneview accepted our internal MS AD PKI no problems.
Uploading the machine cert only without a chain inside the single cert always failed, even with the root certificate already added via the GUI.

Of course it all has to be 64-bit DER or whatever.


MCSAP
Frequent Advisor

Re: Query: OV4VC Custom SSL Cert Error

Just to be clear.

For the OV4VC Certificate Management section - you add in the machine certificate.

For the vCenter Trusted Root Certificate section - you add in the certificate chain that includes machine cert, intermediate, and root certs. (This I tried earlier and vCenter told me that the root cert was already added).

Where do you see to use the 64-bit DER version of the certificate?  I've downloaded and used the Base-64 certificate and chain.


T_1_6
Regular Advisor

Re: Query: OV4VC Custom SSL Cert Error

Ok, here is how we are set up.
AD PKI...
vCenters have our PKI root in and are added to our domain anyway, so that's all sorted out; vCenters will trust any of our local PKI, so that's done.

When it comes to OV4VC, I added the root cert, fine worked. Then added the CSR generated machine cert as downloaded from our MS certsrv on-prem for the appliance, rejected with the usual error.

Went and modified the cert, added in our root CA, then both our intermediates in the chain, then finally the machine cert, re-added this to the OV4VC, accepts it no problem and all hunky dory.


MCSAP
Frequent Advisor

Re: Query: OV4VC Custom SSL Cert Error

Again for my own sanity.  The chain was in this order?

Notepad:

machine cert
intermediate cert
root cert

To reiterate my issue...OV4VC accepts the machine cert and from the web portal all is green with the cert.  My issue is when I try and add that same machine cert into the vCenter Trusted Root Certificate store.  In the TRC store I have the root and intermediate added fine.  When I add the same machine cert it fails.

Error occurred while adding trusted root certificates: com.vmware.vapi.std.errors.Error, Certificate bearing subject

T_1_6
Regular Advisor

Re: Query: OV4VC Custom SSL Cert Error

You don't need to add the machine cert anywhere near the vCenter cert store.

You only do that when you have the HPE (out-of-the-box) self-signed cert of the appliance and vCenter needs to trust that.

If you are all fully properly implemented PKI, vCenter will have your RootCA and will trust the new OV4VC cert and you are good to go, as long as the cert is added correctly to the appliance in the OV4VC admin screen in vCenter. (which it seems like you are re-reading above!)


MCSAP
Frequent Advisor

Re: Query: OV4VC Custom SSL Cert Error

According to the OV4VC installation guide I do need to add it to the TRC store.  Copy/Paste from guide:

Adding the HPE OneView for VMware vCenter certificate to vCenter trust store
To operate the VMware vSphere Lifecycle Manager, you must first add the HPE OneView for VMware vCenter certificate into the vCenter trust store.

Procedure
1. Log in to VMware vSphere.
2. Select Menu > Administration > HPE OneView for VMware vCenter > OneView Service Pack for ProLiant (SPP) Management.
3. Click the ADD CERTIFICATE button and add the HPE OneView for VMware vCenter certificate.
HPE OneView for VMware vCenter displays the Success dialog box indicating that you have added the HPE OneView for VMware vCenter certificate into the vCenter trust store.

To view the certificate on the vCenter trust store, perform the following steps:
1. Log in to VMware vSphere.
2. Select Menu > Administration > Certificates > Certificate Management.

You can find the HPE OneView for VMware vCenter certificate in the vCenter trust store, under the Trusted Root Certificates section.

T_1_6
Regular Advisor

Re: Query: OV4VC Custom SSL Cert Error

You don't. Trust me, I have not, and it would also not make logical sense.
Why would you if the OV4VC machine cert is your own PKI? It's already trusted.
Our setup is fully functional, and you do not need to manually add your own PKI machine cert into the vCenter trust store, I can 100% assure you of that. If you are using the 3rd-party HPE self-signed OV4VC out-of-the-box cert, then you must.


MCSAP
Frequent Advisor

Re: Query: OV4VC Custom SSL Cert Error

I think I understand what you are saying.  I got confused because I'm not seeing the expected behavior, I guess.  The "Add Certificate" button is greyed out for me.

Quote:

To operate the VMware vSphere Lifecycle Manager, you must first add the HPE OneView for VMware vCenter certificate into the vCenter trust store.

Procedure
1. Log in to VMware vSphere.
2. Select Menu > Administration > HPE OneView for VMware vCenter > OneView Service Pack for ProLiant (SPP) Management.
3. Click the ADD CERTIFICATE button and add the HPE OneView for VMware vCenter certificate.
HPE OneView for VMware vCenter displays the Success dialog box indicating that you have added the HPE OneView for VMware vCenter certificate into the vCenter trust store.

To view the certificate on the vCenter trust store, perform the following steps:
1. Log in to VMware vSphere.
2. Select Menu > Administration > Certificates > Certificate Management.

You can find the HPE OneView for VMware vCenter certificate in the vCenter trust store, under the Trusted Root Certificates section.

END QUOTE

T_1_6
Regular Advisor

Re: Query: OV4VC Custom SSL Cert Error

It is simply poor wording on their part.

The error is from trying to add a non-CA root cert to the VC Trust store.

I went through this and wondered too, but as long as your knowledge of PKI principles and vSphere is sound, you will trust that all will be well and you are on the path to Oneview and vCenter Integration Enlightenment. Happy times ahead with Proactive HA and vLCM.