vCenter and 512 bits SSL Cert

Had an interesting one today on a small client running vCenter 5.1, that been upgraded from 4.1 to 5.0 and eventually to 5.1.

Their monitoring tool needed to access https://vcenter/mob via a patrol agent logged into the desktop of  vCenter server.(will cover the power of mob later in another post).

Problem was when they accessed the URL they had the message

There is a problem with this website’s security certificate.”,  “Continue to this website (not recommended).”, etc

But when you clicked on Continue to this website you would normally accept a login box to appear which can they used to access the MOB details of vCenter to provide access to underlying vCenter data.

The vCenter box was russl512detailsnning IE9 and when I checked the default Vmware Default Certificate it was noted as being 512bits which due to recent changes from Microsoft in minimum key length was causing issues  http://support.microsoft.com/?kbid=2661254

I know the real answer is for the client to move to 2048 byte certificates but at this time they are not in place to do this.

 

 

So I ran the following in a elevated command line (cmd.exe ‘run-as-administrator’), and heh presto the MOB url worked fine and patrol logged in:

certutil -setreg chain\minRSAPubKeyBitLength 512

If you want to revert this change and go back to the default of an 1024 bit key minimum, run: 

certutil -delreg chain\MinRsaPubKeyBitLength

 

 

 

Leave a Reply

Your email address will not be published. Required fields are marked *