Replacing a vSphere 6.x /7.x Machine SSL certificate with a Custom Certificate Authority Signed Certificate

If you have not yet configured your Microsoft Certificate Authority, see Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.x/7.x (2112009). To replace the Machine SSL certificate with the Custom CA certificate:

  1. Launch the VMware vSphere 6.x Certificate Manager:

    vCenter Server 6.x Appliance:

    Windows vCenter Server 6.x:
    C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager
    Note: It is important to be logged in as an administrator or to “Run as Administrator” if user access control is enabled.
  2. Select Option 1 (Replace Machine SSL certificate with Custom Certificate).
  3. Provide the administrator@vsphere.local password when prompted.
  4. Select Option 1 (Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate).
  5. Enter the directory in which you want to save the certificate signing request and the private key.

    • Refer to the information below to enter values for CSR generation.
      Country      : Two uppercase letters only (e.g. US), the country where your company is located.
      Name         : FQDN of the vCenter Server (this will be your certificate Subject Alternative Name)
      Organization : Company name
      OrgUnit      : The name of your department within the organization. Example: “IT”
      State        : The state/province where your company is located
      Locality     : The city where your company is located.
      IPAddress    : IP address of the vCenter Server; this field is optional
      Email        : Email address
      Hostname     : FQDN of the vCenter Server (this field accepts multiple entries separated by commas, for example: VCSA1.vsphere.local,vcsa1)
      VMCA Name    : FQDN of the vCenter Server with VMCA (usually the external PSC, or the VC with embedded PSC, FQDN)

  • Note: make sure the Primary Network Identifier (PNID) matches the Hostname.
    • To obtain the PNID, run the following command on the appliance or on Windows respectively:
      • /usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost
      • "C:\Program Files\VMware\vCenter Server\vmafdd\vmafd-cli.exe" get-pnid --server-name localhost
    • In vSphere 6.0 Update 3, provide the Host Name with the same case as in the previous Machine_SSL certificate when generating the CSR.
    • The files created will be named vmca_issued_csr.csr and vmca_issued_key.key.
  6. Provide the vmca_issued_csr.csr to your Certificate Authority to generate a Machine SSL certificate, and name the resulting file machine_name_ssl.cer. For more information, see Obtaining vSphere certificates from a Microsoft Certificate Authority (2112014).

    Note: For more information on allowing WinSCP connections to a vCenter Server 6.x Appliance, see Error when uploading files to vCenter Server Appliance using WinSCP (2107727).
  7. Return to the vSphere 6.x Certificate Manager and select Option 1 (Continue to importing Custom certificate(s) and key(s) for Machine SSL certificate).

    Note: If you are using a chain of Intermediate CA and Root CA, see Replacing certificates using vSphere 6.0 Certificate Manager fails at 0% with the error: Operation failed, performing automatic rollback (2111571) before proceeding.
  8. Provide the full path to machine_name_ssl.cer and vmca_issued_key.key from Step 5, and to the CA certificate Root64.cer.

    Note: If you have one or more intermediate certificate authorities, Root64.cer should be a chain of all intermediate CA and root CA certificates, and machine_name_ssl.cer should be the full chain: certificate + intermediate(s) + root.

    The machine_name_ssl.cer should be a complete chain file laid out like this (base64 bodies omitted):

    -----BEGIN CERTIFICATE-----
    <Machine SSL certificate issued for the vCenter Server>
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    <Intermediate CA certificate>
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    <Root CA certificate>
    -----END CERTIFICATE-----

    For example:

    vCenter Server Appliance:
    Provide a valid custom certificate for Machine SSL.
    File : /tmp/ssl/machine_name_ssl.cer
    Provide a valid custom key for Machine SSL.
    File : /tmp/ssl/machine_name_ssl.key
    Provide the signing certificate of the Machine SSL certificate.
    File : /tmp/ssl/Root64.cer

    Windows vCenter Server:
    Provide a valid custom certificate for Machine SSL.
    File : C:\ssl\machine_name_ssl.cer
    Provide a valid custom key for Machine SSL.
    File : C:\ssl\machine_name_ssl.key
    Provide the signing certificate of the Machine SSL certificate.
    File : C:\ssl\Root64.cer

  9. Answer Yes (Y) to the confirmation request to proceed.

  • When Certificate Manager prompts for the VMCA Name, enter the Root Cert Name (that is, the issuer CA's Common Name).
  • This task replaces the Machine SSL Certificate with a Custom CA Signed Certificate.
  • This certificate is not issued by VMCA. It is issued by an external Certificate Authority.
  • If you are running an external Platform Services Controller (deprecated in 6.7.x), you will need to restart the services on the external PSC and then proceed with replacing the Machine SSL certificate of the vCenter Server 6.x.
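Certificate Manager rolls back the whole replacement when the chain file is mis-ordered, the key does not belong to the certificate, or the PNID is missing from the SAN, so it pays to check the three files before step 8. The script below is an added example, not part of the VMware KB article; it assumes openssl is installed and uses the file names from the steps above.

```sh
#!/bin/sh
# Added example, not from the KB article: sanity-check the chain file and key
# before handing them to certificate-manager. Assumes openssl is installed.
# Usage: check_chain machine_name_ssl.cer vmca_issued_key.key <PNID/FQDN>

split_pem() {  # split_pem CHAIN DIR: write PEM block N to DIR/cert-N.pem, print N
  awk -v dir="$2" '/-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
       f { print > f }
       /-----END CERTIFICATE-----/ { close(f); f = "" }
       END { print n + 0 }' "$1"
}

cert_field() {  # cert_field FILE subject|issuer: print the DN without its "field=" prefix
  v=$(openssl x509 -in "$1" -noout "-$2") && echo "${v#$2=}"
}

check_chain() {
  chain=$1 key=$2 host=$3
  dir=$(mktemp -d) || return 1
  n=$(split_pem "$chain" "$dir")
  rc=1
  if [ "$n" -lt 1 ]; then
    echo "no PEM certificates found in $chain"
  # 1. the first block must be the Machine SSL certificate matching the CSR's private key
  elif [ "$(openssl x509 -in "$dir/cert-1.pem" -noout -pubkey)" != "$(openssl pkey -in "$key" -pubout)" ]; then
    echo "private key does not match the first certificate in $chain"
  # 2. it must carry the PNID/FQDN as a DNS SAN (the Name/Hostname fields of the CSR)
  elif ! openssl x509 -in "$dir/cert-1.pem" -noout -text | grep -qi "DNS:$host"; then
    echo "first certificate has no DNS SAN for $host"
  else
    rc=0; i=1
    # 3. order must be leaf, intermediate(s), root: block i is issued by block i+1
    while [ "$i" -lt "$n" ]; do
      if [ "$(cert_field "$dir/cert-$i.pem" issuer)" != "$(cert_field "$dir/cert-$((i+1)).pem" subject)" ]; then
        echo "certificate $i is not issued by certificate $((i+1)): chain out of order"; rc=1; break
      fi
      i=$((i+1))
    done
    # 4. the last block must be the self-signed root
    if [ "$rc" -eq 0 ] && [ "$(cert_field "$dir/cert-$n.pem" issuer)" != "$(cert_field "$dir/cert-$n.pem" subject)" ]; then
      echo "last certificate is not a self-signed root"; rc=1
    fi
  fi
  rm -rf "$dir"
  return "$rc"
}
```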


Run RouterOS in Azure

Yes, it’s possible to have a (virtual) MikroTik router in the cloud.

MikroTik provides a version of RouterOS that supports the x86-64 architecture and can be used on most popular hypervisors such as VMware, Hyper-V, VirtualBox, KVM and others. This version is called MikroTik CHR (Cloud Hosted Router).

By default in the MS Azure marketplace there are no MikroTik appliance templates, but you can create custom OS images to deploy a virtual machine.

Step 1

Download the CHR VHDX image from MikroTik.


Step 2

Azure only accepts VHD files for creating OS images, so convert the VHDX image to a VHD. Use PowerShell for this, and create a fixed-size virtual disk:

Convert-VHD -Path C:\temp\chr-6.46.7.vhdx -DestinationPath C:\temp\chr-6.46.7.vhd -VHDType Fixed

Step 3

In Azure you will need to create a storage account (use the Azure CLI in your terminal). If you prefer a GUI, you can do these few steps in the Azure portal; the parameters are the same.

az storage account create --name chrteststorageaccount --resource-group DemoRSC

If that succeeds, create a container within the storage account. The VHD image will be uploaded there.

az storage container create --name imagecontainer --account-name chrteststorageaccount

Step 4

Upload the CHR image (use your own account key instead of xxxx). The new VHD must be a page blob.

az storage blob upload --account-key xxxx --account-name chrteststorageaccount --container-name imagecontainer --file C:/temp/chr-6.46.7.vhd --name chr-6.46.7.vhd --type page

Step 5

Create an OS image from the uploaded VHD (the CHR image only supports Hyper-V generation 1, ‘V1’, virtual machines):

az image create --name chr646image --resource-group DemoRSC --location northeurope --os-type linux --hyper-v-generation V1 --source

Step 6

Finally, deploy a VM from the image (select a cheap VM size; Standard_B1ls is more than enough and costs only about 4 EUR per month):

az vm create --name CHRVM --resource-group DemoRSC --location northeurope --size Standard_B1ls --image chr646image --admin-username username --admin-password Apple123456789@ --nsg-rule SSH

Step 7

Get the VM’s public IP address and connect via SSH:

$ip = az vm show -d --resource-group DemoRSC --name CHRVM --query publicIps -o tsv
ssh username@$ip

Winbox also works, but first you have to create a rule in the automatically created network security group, which controls the VM’s network traffic. The network security group belongs to the VM’s network interface resource, not to the VM itself, so this configuration is a little bit easier in the GUI.


Create an inbound rule for the Winbox port, 8291.


Now you can connect to the CHR’s public IP with Winbox as well as SSH.

Enjoy your MikroTik router in Azure! 🙂

(Configuring interfaces, IP addresses and routes is a little bit complex but not impossible. You have to know how Azure networking works. See my next article!)

WARNING: Winbox and SSH with username/password via a public IP address is very insecure, but it’s just a demo. Secure your connections in a production environment!
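The NSG change from Step 7 can also be scripted with the Azure CLI, restricted to a single admin source address instead of the whole Internet. This is an added example, not from the original article: it assumes the resource names used above (DemoRSC, CHRVM), that az is already logged in, and that the rule added by `--nsg-rule SSH` is named default-allow-ssh (verify with az network nsg rule list before deleting it).

```sh
#!/bin/sh
# Added example, not from the original article: open SSH and Winbox on the CHR's
# NSG only from one admin address. Assumes "az" is logged in; AZ can point at a
# wrapper for dry runs. Assumption: "az vm create --nsg-rule SSH" named its rule
# default-allow-ssh (check with: az network nsg rule list --nsg-name <nsg> -o table).
AZ=${AZ:-az}

nsg_for_vm() {  # nsg_for_vm RESOURCE_GROUP VM_NAME: print the NSG attached to the VM's NIC
  nic_id=$("$AZ" vm show -g "$1" -n "$2" --query 'networkProfile.networkInterfaces[0].id' -o tsv) || return 1
  # the NSG hangs off the NIC resource, not the VM
  nsg_id=$("$AZ" network nic show --ids "$nic_id" --query 'networkSecurityGroup.id' -o tsv) || return 1
  [ -n "$nsg_id" ] || { echo "NIC $nic_id has no network security group" >&2; return 1; }
  echo "${nsg_id##*/}"  # the resource id ends in /networkSecurityGroups/<name>
}

allow_from_admin() {  # allow_from_admin RG NSG RULE_NAME PORT PRIORITY ADMIN_CIDR
  "$AZ" network nsg rule create -g "$1" --nsg-name "$2" -n "$3" --priority "$5" \
    --direction Inbound --access Allow --protocol Tcp \
    --source-address-prefixes "$6" --destination-port-ranges "$4" -o none
}

harden_chr_nsg() {  # harden_chr_nsg RG VM_NAME ADMIN_CIDR (e.g. 203.0.113.10/32)
  nsg=$(nsg_for_vm "$1" "$2") || return 1
  # drop the any-source SSH rule that vm create added, then allow 22 and 8291 from the admin only
  "$AZ" network nsg rule delete -g "$1" --nsg-name "$nsg" -n default-allow-ssh -o none 2>/dev/null || true
  allow_from_admin "$1" "$nsg" AllowSSHFromAdmin 22 1000 "$3" &&
  allow_from_admin "$1" "$nsg" AllowWinboxFromAdmin 8291 1010 "$3"
}
```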


HowTo: Repair Windows 7 Install After Replacing Motherboard

So you’ve installed a new motherboard and now your existing, installed copy of Windows 7 won’t boot, failing somewhere before the logo finishes displaying with a quick blue screen? Well here’s one way to fix it.

You will need:

  • Your motherboard drivers. Use CPUID’s CPU-Z to find the model number if you don’t have it handy.
  • The archive program “7-Zip”, installed.
  • A CD writer and a blank CD, or a thumb drive, or a USB hard disk.
  • Your Windows 7 install disc if you already tried the system repair option, or the system repair option on the Windows boot options screen if it is there.
  • Another, working, computer.

Get your motherboard drivers downloaded from the manufacturer’s website. If you don’t know the model number you can use CPUID and locate the model number and manufacturer on the “Mainboard” tab:

CPU-Z Mainboard Tab

In this example, the manufacturer is MSI (Micro-Star International), so we can get the drivers with a quick Google search for “MSI Motherboard Driver Downloads.” The primary ones you need are the IDE/AHCI/SATA driver files. After they’ve finished downloading, you need to extract them to a folder. You can do this by right clicking and selecting 7-Zip -> Extract to <Name of Driver Download>:

7-Zip Contextual Extract to Folder

Copy the extracted folder to a CD, thumb drive, or external USB drive.

Go to the broken Windows 7 machine. Either load the system repair option or boot off your Windows 7 install disc. Once it boots, select your language and other things and hit next:

Install Windows - Language Selection

At the bottom of the window is an option that says “repair”, click this:

Install or Repair Windows

It will scan your drives, hopefully showing your Windows drive. If so, let it try to repair automatically at least once. Come back to this point if that fails. You can click “no” here, and it will drop back to the window that shows your Windows hard drive. Make sure the top radio button is selected and click next. It should bring up a list of links that you can click, the bottom one is “recovery console”, click that:

System Recovery Options

Eject the Windows disc and put in the CD you burned if you burned one. You need to figure out which drive your CD / thumb drive / external drive is – so try different drive letters and type dir until you see the one that has your folder. If you burned a CD, chances are it’s the D: drive (unless it was an HP or something, then it will be E:) if it’s a thumb drive or external hard drive and you only have 1 CD-ROM, it’s the E: drive. Maybe F: – check it out. We might add a guide on how to do this at a future date.

Once you have that figured out, type this:

dism /image:c:\ /add-driver /Driver:X:\ /recurse

Replace “X” with the drive letter from the previous step:

Command Prompt

Hit enter and it should find the drivers you extracted into the folder in the second step.

After it does that, type “exit” and hit enter, then press the “Restart” button.

When Windows boots it will take a LONG time to get all the updated drivers – but hey, it booted, right?


SharePoint 2019 AppFabric Distributed Cache service crashes repeatedly


Hey People,

yup, my Distributed Cache service keeps crashing about 3 minutes after it starts.

This is a fresh, single-server (separate SQL) SP2019 Farm; it includes the Jan 2019 CU.

The service is using the SPFarm account, which is in the WSS_WPG group – which has permissions for the Distributed Cache.

I’ve done some network sniffing and there’s no sign of it trying to do a CRL check.

I’ve unprovisioned and reprovisioned it multiple times.

What am I missing?


Event log errors:

Log Name:      Application
Source:        .NET Runtime
Date:          15/01/2019 11:13:28 AM
Event ID:      1026
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Application: DistributedCacheService.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: Microsoft.ApplicationServer.Caching.DataCacheException
   at Microsoft.ApplicationServer.Caching.DistributedObjectManager..ctor(Microsoft.ApplicationServer.Caching.EndpointID[], Microsoft.ApplicationServer.Caching.ServiceConfigurationManager, Microsoft.ApplicationServer.Caching.WcfServerChannel)
   at Microsoft.ApplicationServer.Caching.ServiceLayer.ServiceStart(Boolean)
   at Microsoft.ApplicationServer.Caching.DataCacheServiceBase.ServiceStart(Microsoft.ApplicationServer.Caching.ServiceConfigurationManager, Boolean)
   at Microsoft.ApplicationServer.Caching.VelocityWindowsService.StartService(Boolean)
   at Microsoft.ApplicationServer.Caching.VelocityWindowsService.StartServiceCallback(System.Object)
   at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
   at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
   at System.Threading.QueueUserWorkItemCallback.System.Threading.IThreadPoolWorkItem.ExecuteWorkItem()
   at System.Threading.ThreadPoolWorkQueue.Dispatch()

and

Log Name:      Application
Source:        Application Error
Date:          15/01/2019 11:13:28 AM
Event ID:      1000
Task Category: (100)
Level:         Error
Keywords:      Classic
User:          N/A
Faulting application name: DistributedCacheService.exe, version: 1.0.4632.0, time stamp: 0x4eafeccf
Faulting module name: KERNELBASE.dll, version: 10.0.14393.2636, time stamp: 0x5bda7edc
Exception code: 0xe0434352
Fault offset: 0x0000000000034048
Faulting process id: 0x1e98
Faulting application start time: 0x01d4ac55eed9e9e6
Faulting application path: C:\Program Files\AppFabric 1.1 for Windows Server\DistributedCacheService.exe
Faulting module path: C:\Windows\System32\KERNELBASE.dll
Report Id: 1f2b476d-1aae-47e2-b265-c2f8b260ada6
Faulting package full name: 
Faulting package-relative application ID: 


Try running this.


# Run in the "Caching Administration Windows PowerShell" console
# (or after Import-Module DistributedCacheAdministration).
Use-CacheCluster

# Stop the Caching Services on all cache hosts in the cluster.
Stop-CacheCluster

# Export the existing cache cluster configuration.
Export-CacheClusterConfig -File C:\temp\appfabconfig.txt

# Make a copy of "appfabconfig.txt" named "appfabconfig2.txt" and change
# <caches partitionCount="256" to partitionCount="128" in the copy.
(Get-Content C:\temp\appfabconfig.txt) -replace 'partitionCount="256"', 'partitionCount="128"' |
    Set-Content C:\temp\appfabconfig2.txt

# Import the changes and start the Caching Services on all cache hosts in the cluster.
Import-CacheClusterConfig -File C:\temp\appfabconfig2.txt
Start-CacheCluster

# Stop the Caching Services again and import the original settings.
Stop-CacheCluster
Import-CacheClusterConfig -File C:\temp\appfabconfig.txt

# Start the Caching Services on all cache hosts in the cluster.
Start-CacheCluster



Newer versions of OpenSSL say BEGIN PRIVATE KEY because they contain the private key + an OID that identifies the key type (this is known as PKCS8 format). To get the old style key (known as either PKCS1 or traditional OpenSSL format) you can do this:

openssl rsa -in server.key -out server_new.key

Alternately, if you have a PKCS1 key and want PKCS8:

openssl pkcs8 -topk8 -nocrypt -in privkey.pem
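As an added example (not from the original post), the following script tells the two encodings apart by their PEM header, converts in either direction with the commands above, and confirms the key material is unchanged. It assumes openssl is installed and an RSA key; note that OpenSSL 3 writes PKCS#8 from `openssl rsa` unless `-traditional` is given, which the script handles.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes openssl is installed.
# PKCS#8  = "BEGIN PRIVATE KEY" (key + algorithm OID), PKCS#1 = "BEGIN RSA PRIVATE KEY".

key_format() {  # key_format FILE: print pkcs8, pkcs1 or encrypted-pkcs8; fail on anything else
  case "$(head -n 1 "$1")" in
    "-----BEGIN PRIVATE KEY-----")           echo pkcs8 ;;
    "-----BEGIN RSA PRIVATE KEY-----")       echo pkcs1 ;;
    "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo encrypted-pkcs8 ;;
    *) echo unknown; return 1 ;;
  esac
}

to_pkcs1() {  # to_pkcs1 IN OUT: traditional OpenSSL format
  # OpenSSL 3 emits PKCS#8 by default and needs -traditional; 1.1 lacks that flag, so fall back.
  openssl rsa -traditional -in "$1" -out "$2" 2>/dev/null || openssl rsa -in "$1" -out "$2" 2>/dev/null
}

to_pkcs8() {  # to_pkcs8 IN OUT: unencrypted PKCS#8
  openssl pkcs8 -topk8 -nocrypt -in "$1" -out "$2" 2>/dev/null
}

same_key() {  # same_key A B: true if both files hold the same private key (compare derived public keys)
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}
```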