Ran into some issues with the SSL certs on the vCenter server when trying to run the Migration Assistant. Notes on those will follow, but first, links to articles on the actual upgrade:
The issue I ran into with the Migration Assistant was that it complained of the SSL certs not matching. Upon inspecting the certs, I found all were issued for domain.lan except for one, which was issued to domain.net. I followed these articles to generate a new vCenter cert and install it:
- Generate SSL cert using openssl: https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2074942
- Install and activate cert: https://kb.vmware.com/selfservice/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=2061973
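The mismatch above came down to one cert issued for a different domain than the rest. As an added example (not from the original post), here is a small POSIX shell script that lists the names a certificate is valid for (DNS SANs and CN) and checks them against the hostname you expect, so the odd cert is caught before the Migration Assistant trips over it. It assumes openssl (1.1.1 or newer, for -addext) is on PATH; the certificates it checks are self-signed ones it constructs itself, and every hostname in it is a made-up sample value.

```shell
#!/bin/sh
# Added example, not part of the original post: list the names a certificate is
# issued for and check them against the hostname we expect, which is the check
# that would have flagged the one domain.net cert among the domain.lan ones.
# Assumes openssl (1.1.1 or newer, for -addext) is on PATH. All hostnames and
# certificates below are constructed sample values.
set -euf   # -f: no pathname expansion, so a wildcard name like *.domain.lan stays literal

# Build a constructed self-signed cert whose CN and DNS SAN are both $2.
make_sample_cert() {
    # $1 = output cert path (the key goes to $1.key), $2 = hostname
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -keyout "$1.key" -out "$1" \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" >/dev/null 2>&1
}

# Print every name the cert is valid for, one per line: DNS SANs first, then CN.
cert_names() {
    # $1 = cert path (PEM)
    openssl x509 -in "$1" -noout -text \
        | tr ',' '\n' \
        | sed -n 's/^ *DNS:\([^ ]*\) *$/\1/p'
    openssl x509 -in "$1" -noout -subject \
        | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Exit 0 when cert $1 is valid for host $2: exact match, or a wildcard that
# covers exactly one label (*.domain.lan matches vcenter.domain.lan, not a.b.domain.lan).
cert_matches_host() {
    cert=$1; host=$2
    for name in $(cert_names "$cert"); do
        [ "$name" = "$host" ] && return 0
        case "$name" in
            \*.*)
                case "$host" in
                    *.*) [ "${host#*.}" = "${name#\*.}" ] && return 0 ;;
                esac ;;
        esac
    done
    return 1
}

# Demo: the "one odd cert" situation from the post, with constructed names.
demo() {
    d=$(mktemp -d)
    make_sample_cert "$d/vcenter.crt" vcenter.domain.net
    if cert_matches_host "$d/vcenter.crt" vcenter.domain.lan; then
        echo "vcenter.crt is valid for vcenter.domain.lan"
    else
        echo "vcenter.crt is NOT valid for vcenter.domain.lan; it is issued for:"
        cert_names "$d/vcenter.crt" | sed 's/^/  /'
    fi
    rm -rf "$d"
}

demo
```

To check a real cert, call `cert_matches_host /path/to/rui.crt vcenter.domain.lan` from the script; `cert_names` on its own is the quick way to see what a cert was actually issued for.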
As the Appliance Installer reached Stage 2 of the install, where it copies the data to the new VCSA, I received the following error (note the yellow warning in the background along with the details in the foreground):
To resolve this error, I followed these articles:
- Upgrading to VMware vCenter 6.0 fails with the error: Error attempting Backup PBM Please check Insvc upgrade logs for details (2127574): https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2127574
- Resetting the VMware vCenter Server 5.x Inventory Service database (2042200): https://kb.vmware.com/selfservice/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=2042200#3
These essentially had me reset the Inventory Service's database due to corruption. I had noticed the vSphere Client being slow in recent weeks; this could be a side effect.
- Additional, more generic docs for troubleshooting vCenter upgrades: https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2106760
I have a PKCS12 .pfx export of a cert that I need to import into a Tomcat keystore in order to update an expiring certificate.
Need to know a few things beforehand:
- Tomcat keyfile path
- Source store password for the pfx file
- Source alias for the pfx
- Destination (Tomcat keystore) password
- Destination alias
In order to get the source alias from the new pfx file:
If you need to get the alias from the existing Tomcat keystore:
Additionally, the above command can be used to verify the certificate, expiry date, etc.
Lastly, if you restart Tomcat and it throws errors like the following in the catalina log, you may need to reset the keystore password:
Reset it to the correct password as defined in the server.xml keyStorePass parameter using the following command. You may need to adjust the alias to your needs. You will be prompted for the new password, which should match the previously mentioned keyStorePass parameter.
You can also reset the password for the keystore itself (www.ibm.com/support/knowledgecenter/en/S…):
EDIT FROM THE FUTURE:
Additional note: when trying to run the import command I was getting the following error:
I ran the following to verify the alias is correct:
Key ID of 2 is displayed correctly here, and a more verbose output also showed the same:
I then took the same .pfx file and checked it on a Linux machine, based on a hint from this Stack Overflow question on binary characters: http://stackoverflow.com/questions/15301005/keytool-cant-find-alias
And lo and behold, it shows the alias is actually 1!
Back in Windows land:
It accepted alias 1 instead and the cert imported correctly. I love Tomcat -_-
Quick and dirty way to pull out the key and crt from a pkcs12 file:
If you are using this for Apache and need to strip the passphrase off the private key so Apache does not ask for it each time it starts:
Here's a nice one-liner to generate a private key and CSR:
It generates the key and the CSR in one shot.
I had to generate a CRT for a server that runs Windows but has Apache and OpenSSL installed. I figured I'd do a quick key/csr/crt refresher.
First, go to the /bin directory in the OpenSSL install and run openssl.exe; the commands below are typed at its prompt.
Then generate a keyfile. Thawte is pushing the use of 2048-bit keys, so substitute 2048 for 1024 below if needed.
genrsa -des3 -out keyfile.key 1024
Next, verify the keyfile:
rsa -noout -text -in keyfile.key
Create an unsecured version of the keyfile so Apache doesn't ask for a password every time it loads; this is the one Apache.conf points at:
rsa -in keyfile.key -out unsecured.keyfile.key
Create the actual CSR:
req -new -key keyfile.key -out certificate.csr
If you get this error:
OpenSSL req -new -key digitss.key -out digitss.csr
Unable to load config info from /usr/local/ssl/openssl.cnf
Run this to specify the config file instead:
OpenSSL req -new -key keyfile.key -out certificate.csr -config openssl.cnf
Now just point Apache at the keyfile, and install the cert when it arrives.
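The refresher above and the one-liner from the earlier post are the same procedure in two shapes, so here is one added example covering both (not the post's own commands, and written for a Linux shell or anywhere `openssl` is on PATH rather than the openssl.exe prompt): the key, verify, unsecured key and CSR steps as functions, the one-shot key+CSR variant, and the two checks worth running before a CSR goes to the CA: that the CSR's self-signature verifies, and that its public key really came from the private key you intend to install. It uses 2048-bit keys as the post recommends; the passphrases, file names and certificate subject are made-up sample values.

```shell
#!/bin/sh
# Added example, not the post's own commands: the key -> verify -> unsecured
# key -> CSR steps above as functions, the one-shot key+CSR variant, and the
# checks worth running before a CSR is sent to the CA. Uses 2048-bit keys as
# the post recommends. Assumes openssl is on PATH; passphrases, file names and
# the subject are constructed sample values.
set -eu

SUBJ="/C=US/ST=Example State/L=Example City/O=Example Org/CN=www.example.com"

# Step 1: passphrase-protected key (genrsa -des3 in the post). The passphrase is
# passed on the command line here only so the script runs unattended.
make_key() {
    # $1 = output key path, $2 = passphrase
    openssl genrsa -des3 -passout "pass:$2" -out "$1" 2048 2>/dev/null
}

# Step 2: verify the key loads and report its size (rsa -noout -text).
key_bits() {
    # $1 = key path, $2 = passphrase ("" for an unencrypted key)
    openssl rsa -in "$1" -passin "pass:$2" -noout -text 2>/dev/null \
        | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p' | head -n 1
}

# Step 3: unsecured copy for Apache (rsa -in keyfile.key -out unsecured.keyfile.key);
# it is plaintext now, so it is created with mode 600.
make_unsecured_key() {
    # $1 = encrypted key, $2 = passphrase, $3 = output path
    (umask 077; openssl rsa -in "$1" -passin "pass:$2" -out "$3" 2>/dev/null)
}

# Step 4: CSR from the existing key (req -new -key ...). Add -config <path>
# if openssl cannot find its openssl.cnf, as in the Windows error above.
make_csr() {
    # $1 = key path, $2 = passphrase, $3 = output CSR path
    openssl req -new -key "$1" -passin "pass:$2" -out "$3" -subj "$SUBJ"
}

# One-liner variant: fresh 2048-bit key without passphrase plus CSR in one command.
make_key_and_csr() {
    # $1 = output key path, $2 = output CSR path
    (umask 077; openssl req -new -newkey rsa:2048 -nodes -keyout "$1" -out "$2" \
        -subj "$SUBJ" 2>/dev/null)
}

# Exit 0 when the CSR's self-signature verifies and its public key is the one
# derived from the given private key, i.e. the CSR really came from that key.
csr_matches_key() {
    # $1 = CSR path, $2 = key path, $3 = passphrase ("" for an unencrypted key)
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
    a=$(openssl req -in "$1" -noout -pubkey 2>/dev/null || true)
    b=$(openssl rsa -in "$2" -passin "pass:$3" -pubout 2>/dev/null || true)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Print the subject line of a CSR, to eyeball the CN before sending it off.
csr_subject() {
    # $1 = CSR path
    openssl req -in "$1" -noout -subject
}

demo() {
    d=$(mktemp -d)
    make_key "$d/keyfile.key" secret
    echo "keyfile.key: $(key_bits "$d/keyfile.key" secret) bits"
    make_unsecured_key "$d/keyfile.key" secret "$d/unsecured.keyfile.key"
    make_csr "$d/keyfile.key" secret "$d/certificate.csr"
    csr_subject "$d/certificate.csr"
    if csr_matches_key "$d/certificate.csr" "$d/unsecured.keyfile.key" ""; then
        echo "certificate.csr was generated from keyfile.key"
    fi
    rm -rf "$d"
}

demo
```

The `csr_matches_key` check is the one that saves a round trip to the CA: a CSR generated against the wrong key produces a perfectly valid-looking certificate that Apache will then refuse to start with.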