Trusted SSL certificates in OSX 10.15+ and iOS 13+

I deployed a new vSphere VCSA for my homelab in December 2019 (last month). By default these come with a self-signed SSL certificate that's valid for 10 years. Of course I typically replace these with a signed certificate, but it's not always the first thing that I do. What I found this time, however, is that on my Mac neither Chrome nor Brave would allow me to reach the web UI. Only Firefox would. I expect security warnings for self-signed (and hence untrusted) certificates. On the former two browsers, though, the message suggests that the certificate is invalid in some…

vRA 7 / vRO 7 REST error (java.security.cert.CertificateException)

Whilst I was with a customer recently, I hit an SSL-related issue whilst trying to put together a vRO workflow to orchestrate the creation of a load-balancer configuration on a Citrix Netscaler VPX. Adding the REST host(s) to vRO was accomplished without any issue, but when I came to use them my workflow failed with the following error: Cannot execute request: ; java.security.cert.CertificateException: Certificates does not conform to algorithm constraints As this vRO instance was running on a vRA appliance, my first port of call was starting the vRO Control…

Howto: Creating a CA template for VMware services

Having set up my lab's PKI infrastructure previously, one of the next steps I needed to complete was to create a certificate template for VMware's products to use, as they require certain properties to be present in the certificates used. There is a KB article that covers this, but I wanted to run through it and use some of the specifics for my lab. Template for VMware SSL Certificates This template will provide certificates for ESXi hosts, vCenter, vRA, vRO etc. To create it, we first need the Certificate Templates Console. This can be opened by running certtmpl.msc. Per…

Howto: Configuring a homelab online subordinate CA

A quick recap of where I got to. I have an offline Root CA (well, it's still online because I'll need it in a minute) and I've created a website on my online subordinate CA server to host the Root CA certificate and CRL files. The purpose of the subordinate CA is to handle certificate signing and repudiation for all services in my infrastructure that require them. It will be granted the authority to do so by the Root CA. So this post covers the remaining steps of the process, which are: Installing and configuring the subordinate CA Signing the…

Howto: Publishing offline Root CA certs and CRLs

Previously, I set up an offline Root CA in my homelab with the intention of emulating a PKI setup that many enterprises seem to run. The second stage of this process is publishing the Root CA certificate and CRL in a place where they can be accessed while the Root CA is offline. If you recall, I configured the Root CA to publish its CRL, etc. to a location on pki.o11n.lab. I now need to create that. The Server Rather than run my lab's online CA on a domain controller, which might be tempting but causes other issues, I have…

Howto: Configuring a homelab offline Root CA

Self-signed SSL certificates are all well and good, but they're not meant for the real world. The trust issues they cause can be a headache on customer projects, and anything that's going into production shouldn't be using them. For that reason, I thought it'd be better to change my homelab so that it uses a slightly more realistic PKI setup. The first phase of that is creating an offline Root CA, as it's something that a good number of customers use too. Step 1: DNS From a DNS perspective, my homelab is split up so that anything…