vCenter, VMware

vSphere 6 certificate templates with SHA256 encryption

I was just in the middle of configuring a PSC 6.0 node’s VMCA as an intermediate CA and, in traditional fashion, went to request a certificate from a 2008 R2 Microsoft CA using the web enrollment form (as per this VMware KB article).

Oddly enough, though, my brand spanking new vSphere 6.0 machine and intermediate CA certificate templates were missing from the template selection drop-down.

I had a look around online and found that MS CA v3 certificate templates are not supported in the web enrollment form. Why is this relevant? Well, this VMware KB states that if you use SHA256 encryption in your environment you must select Windows Server 2008 Enterprise as your certificate template version. That instantly sets your certificate templates to v3.

Damn. How was I going to submit my CSR to this Microsoft CA and get back my certificates?! The Certificate Management snap-in doesn’t allow CSR files to be submitted. It’s just not an option.

Luckily we have the trusty certreq tool. I was easily able to submit my CSR file to the Microsoft CA and get a certificate back in a simple command:

Certreq -submit -attrib "certificateTemplate:vSphere6.0VMCA" vmca_issued_csr.csr

Make sure you specify the correct certificate template. In my example above, I was after the VMCA intermediate CA template. The file specified was in my cmd working directory and is the same file the PSCs spit out when you’re using the certificate manager tool.
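
As an added example (not part of the original post), the same certreq submission can be scripted and the returned certificate checked before it goes anywhere near the PSC: that it really is SHA-256 signed and that the template produced a CA certificate. The template and CSR names are the ones from the post; the CA config string and the output file name are placeholders, and the SHA-256 check assumes an RSA issuing CA.

```powershell
# Added example, not the post's own script. Requires PowerShell 3.0 or later.
param(
    [string]$CsrPath  = '.\vmca_issued_csr.csr',
    [string]$Template = 'vSphere6.0VMCA',
    [string]$CaConfig = 'ca01.example.local\Example-Issuing-CA',  # placeholder CA
    [string]$CertPath = '.\vmca_issued.cer'                       # assumed output name
)
$ErrorActionPreference = 'Stop'

# Refuse to reuse an old file so a stale certificate is never validated by mistake.
if (Test-Path $CertPath) { throw "$CertPath already exists; move it aside first." }

# -config names the CA explicitly; the last argument receives the issued certificate.
& certreq.exe -submit -config $CaConfig -attrib "certificateTemplate:$Template" $CsrPath $CertPath
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $CertPath)) {
    throw "No certificate returned (exit code $LASTEXITCODE); request may be pending or denied."
}

$cert = New-Object Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList (Resolve-Path $CertPath).Path
$bc = $cert.Extensions | Where-Object {
    $_ -is [Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
$ku = $cert.Extensions | Where-Object {
    $_ -is [Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
$certSign = [Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyCertSign

$checks = [ordered]@{
    # OID 1.2.840.113549.1.1.11 = sha256WithRSAEncryption
    'Signed with SHA-256 (RSA)'  = $cert.SignatureAlgorithm.Value -eq '1.2.840.113549.1.1.11'
    # An intermediate CA certificate must assert CA=TRUE and be allowed to sign certificates.
    'Basic Constraints: CA=TRUE' = [bool]($bc -and $bc.CertificateAuthority)
    'Key Usage: keyCertSign'     = ($ku.KeyUsages -band $certSign) -eq $certSign
    'Within validity period'     = ((Get-Date) -ge $cert.NotBefore) -and ((Get-Date) -le $cert.NotAfter)
}

$checks.GetEnumerator() | ForEach-Object {
    '{0,-28} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
if ($checks.Values -contains $false) {
    throw 'Issued certificate is not suitable as a VMCA signing certificate.'
}
"Subject: $($cert.Subject)  Issuer: $($cert.Issuer)  Thumbprint: $($cert.Thumbprint)"
```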

PowerCLI, vCenter, VMware

Copy-VMGuestFile returns 403 Forbidden error

Got this error just today and couldn’t figure out why. I was trying to copy from my management server to a test VM with no network connectivity, and was receiving the following error:

Copy-VMGuestFile : 5/01/2017 11:47:40 AM Copy-VMGuestFile The remote server returned an error: (403) Forbidden. 
At line:1 char:1
+ Copy-VMGuestFile -Source "REDACTED" -Destination " ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 + CategoryInfo : NotSpecified: (:) [Copy-VMGuestFile], ViError
 + FullyQualifiedErrorId : Client20_VmGuestServiceImpl_UploadFileToGuest_UploadError,VMware.VimAutomation.ViCore.Cmdlets.Commands.CopyVMGuestFile

My privileges and network connectivity to vCenter and the ESXi hosts were looking good, until I triple-checked my network port access to the ESXi host.

I was missing port 903 from the management server to the ESXi host the VM was sitting on. Opening that up allowed me to execute the command.

Check your ports, people.