
Public CA certificates with Internal Server Names & IP Addresses

by Matthew Bunce

While working on a recent engagement I had a discussion with a customer’s Architect about how we would issue certificates for a vSphere, vRA & vROPS deployment. The customer had no internal CA and relied instead on a public CA to issue all certificates that would be user facing.

This simplified the management of the certificates and meant they did not need to maintain an internal PKI infrastructure or distribute root certificates to client devices. I explained to him that, while this currently worked for their servers that used internal names or reserved private IPs, it would soon change, and they would need to look at deploying their own PKI infrastructure.

As of the 1st November 2015, public Certificate Authorities like Symantec and GlobalSign were no longer issuing certificates with a subjectAltName extension or Subject commonName field containing an IP address within the IPv4 RFC 1918 reserved address space or an IPv6 address in the RFC 4193 range:

- 10.0.0.0 - 10.255.255.255 (10/8 prefix)
- 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
- 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
- FC00::/7 prefix on an IPv6 address

This is also the case for Internal Names. An Internal Name is a Common Name (CN) or Subject Alternative Name (SAN) field of a certificate that does not end with a valid Top Level Domain (TLD), e.g. .local, .internal etc. CNs or SANs which end with a valid TLD, e.g. .com or .net, will still be valid.

This also affects certificates which use NetBIOS names or short hostnames, e.g. vCenter01, WebServer, Beeblebrox etc.
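To audit an existing certificate against the rules above before its renewal is refused, the following added example (not from the original post) classifies each CN/SAN value as a reserved IP (RFC 1918 / RFC 4193), a short hostname, or an internal name. The PUBLIC_TLDS set is a constructed sample; a real audit would load the IANA root zone list.

```python
"""Flag CN / subjectAltName values that public CAs stopped issuing after 1 November 2015."""
import ipaddress
from typing import Optional

# Constructed sample of public TLDs (assumption); replace with the full IANA list in practice.
PUBLIC_TLDS = {"com", "net", "org", "io", "co.uk"}

# Reserved ranges named in the post: RFC 1918 (IPv4) and RFC 4193 (IPv6, FC00::/7).
RESERVED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("fc00::/7"),
]


def classify_name(value: str) -> Optional[str]:
    """Return why a CN/SAN value is no longer issuable by a public CA, or None if it is fine."""
    value = value.strip().lower().rstrip(".")
    # IP address entry: flag it only if it falls inside a reserved range.
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        addr = None
    if addr is not None:
        if any(addr in net for net in RESERVED_NETWORKS):
            return "reserved IP address (RFC 1918 / RFC 4193)"
        return None
    # DNS name entry: a bare label (NetBIOS name / short hostname) has no TLD at all.
    if "." not in value:
        return "short hostname / NetBIOS name"
    # Otherwise the name must end with a public TLD (.com, .net, ...), not .local etc.
    labels = value.split(".")
    if labels[-1] in PUBLIC_TLDS or ".".join(labels[-2:]) in PUBLIC_TLDS:
        return None
    return "internal name (no public TLD)"


def audit_sans(entries):
    """Map each problematic CN/SAN value to its reason; acceptable entries are omitted."""
    return {e: classify_name(e) for e in entries if classify_name(e)}


if __name__ == "__main__":
    # Constructed SAN list resembling a vSphere deployment's certificate.
    sample = ["vcenter01", "vcenter01.corp.local", "192.168.10.5", "vcenter.example.com", "fd12::1"]
    for name, why in audit_sans(sample).items():
        print(f"{name}: {why}")
```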

Any certificate which expired after 1 November 2015 will not be reissued, and after the 1st October 2016 all such certificates which are still valid will be revoked by the issuing CAs and will no longer work as valid certificates.

This is not just a VMware issue; it will impact all servers using the certificates described above. However, if you are affected by this issue in your VMware environment, VMware have posted a Knowledge Base article which covers it.

About the author

Matthew Bunce joined the Xtravirt consulting team in May 2015. As well as contributing to the Xtravirt blog, Matthew blogs on his own site at www.virtualisedgeek.com

If you’d like any assistance with a virtualisation project or simply want to learn more about how Xtravirt can help your organisation, please contact us, and we’d be more than happy to use our real world experiences to support you.