Prepping Microsoft CA Using SHA1 for vCenter 5.5 Certificates

Just a quick post here, mostly for my own documentation..

I was deploying (yet another) vCenter instance today, and as I was replacing SSL certs and verifying them, I didn’t get the green padlock symbol in my browser like I expected. I did some digging and found it’s a two part issue:

  1. Google is dead set on deprecating the insecure SHA1 hash
  2. Windows Server 2008 defaults to SHA1

Here’s how it looked:


And the certificate itself:


Just going back and updating the vCenter-SSL template you used to mint the cert requests isn’t enough the fix the issue, I had to update the CA itself. Log into the CA server and run the following from an elevated command prompt:

certutil –setreg ca\csp\CNGHashAlgorithm SHA256

net stop certsvc

net start certsvc

The entire upgrade was damn near instant, and when I minted the cert requests again all of the new certs were using the SHA256 hash and Google/Chrome was happy again.

As always, there’s only one real source for comprehensive VMware SSL cert knowledge and that over at Derek Seaman’s website. I can’t recommend it enough. Hope this helps one of the six of you out there who actually replace VMware SSL certs!