I didn’t know this was even possible…. SSL Certificate weirdness

So I was working on the post about how to resolve the SSL certificate error message that you get if you do not have the Root certificate for the ESXi host installed on your machine. Well, in the process of taking screenshots for that post I discovered something that I have never seen before. Rather than starting from the beginning, let's pick up at the end of the last post.

So right after you finish installing the Root CA on your machine, you close out of your web browser, reopen it, go to the URL, and you get this message.

At first glance it looks like the certificate install failed, but it didn’t. Upon closer inspection of the message you will see that the issue is that the CN is invalid.
For those who do not know, CN means Common Name, which is usually the FQDN or host name of the server. So I went back to check the CN of the certificate of the ESXi host and I found what you see below. This is where things get crazy….

So according to the image above, the SAN or Subject Alternative Name (AKA a list of CNs, usually up to 5 on one certificate) is an IP address!!! How the heck is it an IP address?
So what I tried next was typing in https://172.26.96.44 in my web browser and I was immediately presented with the image below. 


So wait, it worked like it should using the IP address instead of the name. How did that certificate get issued at all?

WELL….. It would appear that one of my co-workers added this host to vCenter with the IP address instead of the name.

Needless to say, I am very disappointed in my co-worker for not following our naming convention. But if I had to guess, it looks like VMCA (VMware Certificate Authority), which is included in the PSC (Platform Services Controller) and issues certificates to hosts when they are added to vCenter, must have issued the certificate to the IP address because he added it using the IP. Having dealt with several different Certificate Authorities in my time, this is crazy to see.
Anyway, this is just a heads up just in case you run into something like this in your travels.
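
Why the name failed and the IP worked, as an added example (not code from the original post): a client accepts a certificate only if what was typed in the URL appears in its SAN list, and an IP literal is compared to IP-type entries only. The sample certificate is constructed in the shape Python's `ssl.SSLSocket.getpeercert()` returns, and the hostname `esxi01.example.internal` is a hypothetical placeholder.

```python
import ipaddress

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
# Only the SAN from the post is modelled: a single IP-type entry.
SAMPLE_CERT = {"subjectAltName": (("IP Address", "172.26.96.44"),)}


def as_ip(value):
    """Return an ip_address object, or None if value is not an IP literal."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def dns_match(pattern, host):
    """Case-insensitive label match; '*' may only replace the left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and h[0] != "" and p[1:] == h[1:]
    return p == h


def san_covers(cert, target):
    """True if target (hostname or IP literal) appears in the cert's SAN list."""
    target_ip = as_ip(target)
    for kind, value in cert.get("subjectAltName", ()):
        if target_ip is not None:
            # An IP typed in the URL is compared to IP-type entries only.
            if kind == "IP Address" and as_ip(value) == target_ip:
                return True
        elif kind == "DNS" and dns_match(value, target):
            return True
    return False


if __name__ == "__main__":
    # esxi01.example.internal is a hypothetical hostname, not from the post.
    for name in ("esxi01.example.internal", "172.26.96.44"):
        verdict = "name check passes" if san_covers(SAMPLE_CERT, name) else "name mismatch"
        print(f"https://{name} -> {verdict}")
```

Running the same function over the SAN of every host's certificate is a quick way to find hosts that were added by IP instead of by name.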
