Just a quick post here, mostly for my own documentation.

I was deploying (yet another) vCenter instance today, and as I was replacing SSL certs and verifying them, I didn’t get the green padlock symbol in my browser like I expected. I did some digging and found it’s a two part issue:

  1. Google is dead set on deprecating the insecure SHA1 hash
  2. Windows Server 2008 defaults to SHA1

Here’s how it looked:


And the certificate itself:


Just going back and updating the vCenter-SSL template you used to mint the cert requests isn't enough to fix the issue; I had to update the CA itself. Log into the CA server and run the following from an elevated command prompt:

certutil -setreg ca\csp\CNGHashAlgorithm SHA256
net stop certsvc
net start certsvc

The entire upgrade was damn near instant, and when I minted the cert requests again all of the new certs were using the SHA256 hash and Google/Chrome was happy again.
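The post confirms the result by eye in the browser. The script below is an added example (not part of the original post) that does the same check from PowerShell: it reads back the hash algorithm the certutil command wrote into the CA's registry configuration, opens a TLS session to vCenter and reports how the presented certificate was signed, and lists any SHA1-signed certificates still sitting in the local machine store. It assumes the CA key is held in a CNG key storage provider, which is the case the CNGHashAlgorithm value governs (a CA whose key sits in a legacy CryptoAPI CSP reads the HashAlgorithm value instead), and the vCenter host name is a placeholder.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell session on the
# CA server after the certutil change and the certsvc restart.
# Assumptions: the CA key lives in a CNG key storage provider (CNGHashAlgorithm applies to
# that case; a legacy CryptoAPI CSP key reads HashAlgorithm instead), and the host name
# 'vcenter.example.local' is a placeholder for your vCenter instance.

$CaConfigKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

function Get-CaHashConfig {
    # Read back what certutil -setreg wrote: the Active value names the CA, and the
    # CSP subkey under it holds the provider and hash algorithm settings.
    $caName = (Get-ItemProperty -Path $CaConfigKey -Name Active).Active
    $csp = Get-ItemProperty -Path (Join-Path $CaConfigKey "$caName\CSP")
    [pscustomobject]@{
        CAName           = $caName
        Provider         = $csp.Provider
        CNGHashAlgorithm = $csp.CNGHashAlgorithm
        HashAlgorithm    = $csp.HashAlgorithm   # legacy CSP setting, shown for comparison
    }
}

function Get-RemoteCertificateInfo {
    # Open a TLS session to the host and report how the presented leaf certificate was
    # signed. The validation callback returns $true because we are inspecting the
    # certificate, not trusting it; nothing is sent after the handshake.
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $acceptAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Subject            = $cert.Subject
            Issuer             = $cert.Issuer
            NotAfter           = $cert.NotAfter
            SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA or sha256RSA
            Thumbprint         = $cert.Thumbprint
        }
    }
    finally {
        $client.Close()
    }
}

function Find-Sha1SignedCerts {
    # Certificates already issued with SHA1 keep tripping the browser warning; the CA
    # setting only affects certificates issued from now on, so these need reissuing.
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.SignatureAlgorithm.FriendlyName -like 'sha1*' } |
        Select-Object Subject, Issuer, NotAfter, Thumbprint
}

# --- usage ---
$caConfig = Get-CaHashConfig
$caConfig | Format-List
if ($caConfig.CNGHashAlgorithm -ne 'SHA256') {
    Write-Warning "CA '$($caConfig.CAName)' is still set to '$($caConfig.CNGHashAlgorithm)'; rerun certutil -setreg and restart certsvc."
}

# Placeholder host name: replace with your vCenter server
$vc = Get-RemoteCertificateInfo -HostName 'vcenter.example.local'
$vc | Format-List
if ($vc.SignatureAlgorithm -notlike 'sha256*') {
    Write-Warning "vCenter is presenting a $($vc.SignatureAlgorithm) certificate; reissue it from the updated CA."
}

Find-Sha1SignedCerts
```

The CA's own certificate is not touched by this setting; it keeps whatever hash it was created with until the CA certificate is renewed, so the registry readout and the leaf certificate check are the two values worth looking at right after the change.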

As always, there's only one real source for comprehensive VMware SSL cert knowledge, and that's over at Derek Seaman's website. I can't recommend it enough. Hope this helps one of the six of you out there who actually replace VMware SSL certs!



One Response to Prepping Microsoft CA Using SHA1 for vCenter 5.5 Certificates

  1. Aaron Patten says:

    Windows 2012 R2 also defaults to SHA1