VCSA with Embedded PSC v6.7 (Build 9451876)
VMCA configured as Subordinate CA to a Windows 2012 R2 Enterprise Root CA. (SHA256 Hash / 2048 bit Key)
VMCA replaces the SSL certificate on an ESXi v6.5 (Build 5969303) host and the 'certification path' is complete. All works as expected, no browser errors.
VMCA replaces the SSL certificate on an ESXi v6.7 (Build 8169922) host and the 'certification path' is incomplete. Still get the standard browser errors. The root CA and VMCA certificates are NOT in the path, only the ESXi host certificate!
ESXi v6.5 Host - Complete Certification Path.
A dump of the SSL connection using the TestSSLServer utility (GitHub - pornin/TestSSLServer) is shown below.
Connection: mc-esxi-v-204.momusconsulting.com:443
SNI: mc-esxi-v-204.momusconsulting.com
TLSv1.0:
     server selection: uses client preferences
     3-- (key: RSA) RSA_WITH_AES_128_CBC_SHA
     3-- (key: RSA) RSA_WITH_AES_256_CBC_SHA
     3f- (key: RSA) ECDHE_RSA_WITH_AES_128_CBC_SHA
     3f- (key: RSA) ECDHE_RSA_WITH_AES_256_CBC_SHA
TLSv1.1: idem
TLSv1.2:
     server selection: enforce server preferences
     3f- (key: RSA) ECDHE_RSA_WITH_AES_256_GCM_SHA384
     3f- (key: RSA) ECDHE_RSA_WITH_AES_128_GCM_SHA256
     3-- (key: RSA) RSA_WITH_AES_256_GCM_SHA384
     3-- (key: RSA) RSA_WITH_AES_128_GCM_SHA256
     3f- (key: RSA) ECDHE_RSA_WITH_AES_256_CBC_SHA384
     3f- (key: RSA) ECDHE_RSA_WITH_AES_256_CBC_SHA
     3f- (key: RSA) ECDHE_RSA_WITH_AES_128_CBC_SHA256
     3f- (key: RSA) ECDHE_RSA_WITH_AES_128_CBC_SHA
     3-- (key: RSA) RSA_WITH_AES_256_CBC_SHA256
     3-- (key: RSA) RSA_WITH_AES_256_CBC_SHA
     3-- (key: RSA) RSA_WITH_AES_128_CBC_SHA256
     3-- (key: RSA) RSA_WITH_AES_128_CBC_SHA
=========================================
+++++ SSLv3/TLS: 1 certificate chain(s)
+++ chain: length=3
names match:        yes
includes root:      yes
signature hash(es): SHA-256
+ certificate order: 0
thumprint:  A18830247B90395EE003D706CE3AEB3CDA96BC6D
serial:     E032A1675443F48D
subject:    EMAILADDRESS=admin@momusconsulting.com,CN=mc-esxi-v-204.momusconsulting.com,OU=Momus Labs,O=Momus Consulting,L=Basingstoke,ST=Basingstoke,C=GB
issuer:     CN=VMCA-mc-vcsa-v-204,OU=Momus Labs,O=Momus Consulting,L=Basingstoke,ST=Hampshire,C=GB
valid from: 2018-10-06 14:22:12 UTC
valid to:   2020-10-05 12:06:47 UTC
key type:   RSA
key size:   2048
sign hash:  SHA-256
server names: mc-esxi-v-204.momusconsulting.com
+ certificate order: 1
thumprint:  6313EF9061D1ED748298F0DB7D693F6CC2099046
serial:     5D0000000BA3C47E6295F579B400000000000B
subject:    CN=VMCA-mc-vcsa-v-204,OU=Momus Labs,O=Momus Consulting,L=Basingstoke,ST=Hampshire,C=GB
issuer:     CN=Momus Root CA on mc-addc-v-101,DC=momusconsulting,DC=com
valid from: 2018-10-06 12:06:47 UTC
valid to:   2020-10-05 12:06:47 UTC
key type:   RSA
key size:   2048
sign hash:  SHA-256
+ certificate order: 2
thumprint:  A3BD98D6B6C712A510E11669A84D0571C2D2F0F1
serial:     65F1DEEF09DD1A9A436075662D731F0F
subject:    CN=Momus Root CA on mc-addc-v-101,DC=momusconsulting,DC=com
issuer:     CN=Momus Root CA on mc-addc-v-101,DC=momusconsulting,DC=com
valid from: 2018-10-05 15:11:29 UTC
valid to:   2028-10-05 15:21:28 UTC
key type:   RSA
key size:   2048
sign hash:  SHA-256 (self-issued)
=========================================
Server compression support: no
Server sends a random system time.
Secure renegotiation support: yes
Encrypt-then-MAC support (RFC 7366): no
SSLv2 ClientHello format (for SSLv3+): yes
Minimum EC size (no extension): 256
Minimum EC size (with extension): 256
ECDH parameter reuse: no
Supported curves (size and name) ('*' = selected by server):
  * 256  secp256r1 (P-256)
=========================================
WARN[CS006]: Server supports cipher suites with no forward secrecy.
ESXi v6.7 Host - Incomplete Certification Path.
Again, a dump of the SSL connection is shown below.
Connection: mc-esxi-v-205.momusconsulting.com:443
SNI: mc-esxi-v-205.momusconsulting.com
TLSv1.2:
     server selection: enforce server preferences
     3f- (key: RSA) ECDHE_RSA_WITH_AES_256_GCM_SHA384
     3f- (key: RSA) ECDHE_RSA_WITH_AES_128_GCM_SHA256
     3-- (key: RSA) RSA_WITH_AES_256_GCM_SHA384
     3-- (key: RSA) RSA_WITH_AES_128_GCM_SHA256
     3f- (key: RSA) ECDHE_RSA_WITH_AES_256_CBC_SHA384
     3f- (key: RSA) ECDHE_RSA_WITH_AES_256_CBC_SHA
     3f- (key: RSA) ECDHE_RSA_WITH_AES_128_CBC_SHA256
     3f- (key: RSA) ECDHE_RSA_WITH_AES_128_CBC_SHA
     3-- (key: RSA) RSA_WITH_AES_256_CBC_SHA256
     3-- (key: RSA) RSA_WITH_AES_256_CBC_SHA
     3-- (key: RSA) RSA_WITH_AES_128_CBC_SHA256
     3-- (key: RSA) RSA_WITH_AES_128_CBC_SHA
=========================================
+++++ SSLv3/TLS: 1 certificate chain(s)
+++ chain: length=1
names match:        yes
includes root:      no
signature hash(es): SHA-256
+ certificate order: 0
thumprint:  9CB7BEC3BD58491A36069B182093F22BE9813042
serial:     FD682ECC9662D00C
subject:    EMAILADDRESS=admin@momusconsulting.com,CN=mc-esxi-v-205.momusconsulting.com,OU=Momus Labs,O=Momus Consulting,L=Basingstoke,ST=Basingstoke,C=GB
issuer:     CN=VMCA-mc-vcsa-v-204,OU=Momus Labs,O=Momus Consulting,L=Basingstoke,ST=Hampshire,C=GB
valid from: 2018-10-06 14:44:04 UTC
valid to:   2020-10-05 12:06:47 UTC
key type:   RSA
key size:   2048
sign hash:  SHA-256
server names: mc-esxi-v-205.momusconsulting.com
=========================================
Server compression support: no
Server sends a random system time.
Secure renegotiation support: yes
Encrypt-then-MAC support (RFC 7366): no
SSLv2 ClientHello format (for SSLv3+): yes
Minimum EC size (no extension): 256
Minimum EC size (with extension): 256
ECDH parameter reuse: no
Supported curves (size and name) ('*' = selected by server):
  * 256  secp256r1 (P-256)
=========================================
WARN[CS006]: Server supports cipher suites with no forward secrecy.
Any ideas?
Thanks
M
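A small checker for the gap the post describes, added here as an example and not part of the original post or of TestSSLServer: it parses the certificate summary in the layout TestSSLServer prints and reports whether the server sent a chain that links leaf to root, or which issuer is missing. The sample inputs are constructed from the fields in the two dumps above (trimmed to subject and issuer), and `parse_chain` / `check_chain` are my own names.

```python
import re

# Constructed chain summaries in the layout TestSSLServer prints, trimmed to
# the fields the check needs; the names are the ones shown in the post.
CHAIN_OK = """\
+++ chain: length=3
includes root:      yes
+ certificate order: 0
subject:    CN=mc-esxi-v-204.momusconsulting.com,OU=Momus Labs,O=Momus Consulting,C=GB
issuer:     CN=VMCA-mc-vcsa-v-204,OU=Momus Labs,O=Momus Consulting,C=GB
+ certificate order: 1
subject:    CN=VMCA-mc-vcsa-v-204,OU=Momus Labs,O=Momus Consulting,C=GB
issuer:     CN=Momus Root CA on mc-addc-v-101,DC=momusconsulting,DC=com
+ certificate order: 2
subject:    CN=Momus Root CA on mc-addc-v-101,DC=momusconsulting,DC=com
issuer:     CN=Momus Root CA on mc-addc-v-101,DC=momusconsulting,DC=com
"""

CHAIN_LEAF_ONLY = """\
+++ chain: length=1
includes root:      no
+ certificate order: 0
subject:    CN=mc-esxi-v-205.momusconsulting.com,OU=Momus Labs,O=Momus Consulting,C=GB
issuer:     CN=VMCA-mc-vcsa-v-204,OU=Momus Labs,O=Momus Consulting,C=GB
"""


def parse_chain(text):
    """Return (subject, issuer) pairs in the order the server sent them."""
    certs = []
    for block in re.split(r"^\+ certificate order: \d+$", text, flags=re.M)[1:]:
        subj = re.search(r"^subject:\s*(.+)$", block, re.M).group(1).strip()
        issr = re.search(r"^issuer:\s*(.+)$", block, re.M).group(1).strip()
        certs.append((subj, issr))
    return certs


def check_chain(text):
    """Return (complete, missing_issuer): complete when each issuer is the
    subject of the next certificate sent and the last one is self-issued,
    otherwise the issuer the server failed to present (the VMCA here)."""
    certs = parse_chain(text)
    for i, (subj, issr) in enumerate(certs):
        if subj == issr:
            return True, None            # reached a self-issued root
        if i + 1 >= len(certs) or certs[i + 1][0] != issr:
            return False, issr           # next link is absent or wrong
    return False, None                   # no certificates at all
```

Run against a fresh TestSSLServer capture of the 6.7 host, it names the VMCA intermediate as the certificate the host is not sending, which is what the browser is complaining about.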