Just a quick post here, mostly for my own documentation.
I was deploying (yet another) vCenter instance today, and as I was replacing SSL certs and verifying them, I didn’t get the green padlock symbol in my browser like I expected. I did some digging and found it’s a two-part issue:
- Google is dead set on deprecating the insecure SHA1 hash
- Windows Server 2008 defaults to SHA1
Here’s how it looked in the browser, and the certificate itself (screenshots not reproduced here):
Just going back and updating the vCenter-SSL template you used to mint the cert requests isn’t enough to fix the issue; I had to update the CA itself. Log into the CA server and run the following from an elevated command prompt:
certutil -setreg ca\csp\CNGHashAlgorithm SHA256
net stop certsvc
net start certsvc
The entire upgrade was damn near instant, and when I minted the cert requests again all of the new certs were using the SHA256 hash and Google/Chrome was happy again.
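As an added example (my own, not part of the original walkthrough), here is a PowerShell check I'd run after the certutil change: one function reads the same CSP\CNGHashAlgorithm value the post sets, straight from the CertSvc configuration registry key, so you can confirm every CA on the box now says SHA256; the other reports which hash a given certificate was actually signed with, so any SHA1-signed vCenter cert minted before the change gets caught before it goes back into the browser. The registry check assumes it runs elevated on the CA server; the certificate path is a placeholder.

```powershell
# Added example, not from the original post. Verifies the CA hash setting and
# reports the signature hash of certs that have already been issued.
# Assumptions: run elevated on the CA server for Get-CaHashAlgorithm;
# 'C:\certs\vcenter\rui.crt' is a placeholder path.

function Get-CaHashAlgorithm {
    # Reads CSP\CNGHashAlgorithm for every CA configured on this server,
    # i.e. the value "certutil -setreg ca\csp\CNGHashAlgorithm SHA256" writes
    # and "certutil -getreg ca\csp\CNGHashAlgorithm" reports.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    if (-not (Test-Path $base)) {
        throw "No CA configuration found under $base (is this the CA server?)"
    }
    Get-ChildItem $base | ForEach-Object {
        $cspKey = Join-Path $_.PSPath 'CSP'
        if (Test-Path $cspKey) {
            $csp = Get-ItemProperty $cspKey
            [pscustomobject]@{
                CAName           = $_.PSChildName
                CNGHashAlgorithm = $csp.CNGHashAlgorithm   # $null on a legacy (non-CNG) CSP
                IsSha1           = ($csp.CNGHashAlgorithm -eq 'SHA1')
            }
        }
    }
}

function Test-CertSignatureHash {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate
    )
    # SignatureAlgorithm is the OID the issuing CA signed with; its friendly
    # name reads e.g. "sha1RSA" or "sha256RSA". This is the field the browser
    # cares about, not the template's request hash.
    $algo = $Certificate.SignatureAlgorithm.FriendlyName
    [pscustomobject]@{
        Subject            = $Certificate.Subject
        Issuer             = $Certificate.Issuer
        NotAfter           = $Certificate.NotAfter
        SignatureAlgorithm = $algo
        UsesSha1           = ($algo -match '^sha1')
    }
}

# Usage 1: confirm the CA setting took (run on the CA server after restarting certsvc)
Get-CaHashAlgorithm | Format-Table -AutoSize

# Usage 2: check a freshly minted vCenter cert from disk (placeholder path)
$vcCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\certs\vcenter\rui.crt'
Test-CertSignatureHash -Certificate $vcCert

# Usage 3: sweep the local machine store for anything still signed with SHA1
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-CertSignatureHash -Certificate $_ } |
    Where-Object UsesSha1 |
    Format-Table Subject, Issuer, NotAfter, SignatureAlgorithm -AutoSize
```

The second and third checks are the useful ones day to day: the CA setting only affects certs issued after the service restart, so anything minted earlier keeps its SHA1 signature until you re-issue it, which is exactly why the vCenter requests had to be re-minted.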
As always, there’s only one real source for comprehensive VMware SSL cert knowledge and that’s over at Derek Seaman’s website. I can’t recommend it enough. Hope this helps one of the six of you out there who actually replace VMware SSL certs!