WilliamLam.com

Quick Tip - Certificate is not trusted when importing signed OVF/OVA into vCenter Server

by // 1 Comment

An OVF/OVA can be digitally signed by a vendor to ensure its authenticity and when importing it into vCenter Server, the vSphere UI will either display that it contains a valid certificate or the certificate is not trusted as demonstrated in the example below:


If you are using a self-signed TLS certificate to sign an OVF/OVA, then it is expected that it would not be trusted by the Root Certificate Authority (CA) stored within the vCenter Server Appliance (VCSA).

However, if you have a valid TLS certificate that has been issued from a trusted certificate authority to sign an OVF/OVA, would you still see the error message? The answer actually surprised me.

[Read more...]

VMware Cloud Foundation 5.0 running on Intel NUC

by // 10 Comments

Interested in trying out the latest release of VMware Cloud Foundation (VCF) 5.0? Don't have some beefy hardware to meet all the requirements, not to worry! Did you know you can actually deploy a VCF Management Domain using just a single Intel NUC or simliar small form factor system? This is exactly how I kicked the tires with the latest VCF 5.0 release 😎


Disclaimer: This is not officially supported by VMware, please use at your own risk.

Requirements:

  • VMware Cloud Builder 5.0 OVA (Build 21822418)
  • VCF 5.0 Licenses
  • Intel NUC configured with
    • 64GB of memory or more
    • Dual onboard networking ("Tall" NUC like Intel NUC 11 Pro, which is what I used) OR add additional NICs with these Thunderbolt 3 Networking options (no USB NIC)
    • 2 x SSD that are empty for use for vSAN bootstrap (500GB+ for capacity)
  • ESXi 8.0 Update 1a installed on the Intel NUC using USB device
  • Ability to deploy and run the VMware Cloud Builder (CB) Appliance in a separate environment (ESXi/Fusion/Workstation)

Note: While my experiment used an Intel NUC, any system that meets the basic requirements above should also work.

[Read more...]

Clearing TPM alarms after replacing TPM chip or resetting TPM keys for ESXi

by // 13 Comments

If you have a supported Trusted Platform Module (TPM) device that has been installed in your ESXi host after the initial installation and you either replace the TPM chip and/or you reset the TPM keys within the system BIOS, you may find several TPM alarms that is raised within your vCenter Server including:

  • Host TPM attestation alarm
  • TPM Encryption Recovery Key Backup Alarm
  • The new host TPM endorsement key doesn't match the one stored in the DB


I recently had to resolve this in my lab after clearing the TPM keys within the system BIOS, this was for some testing I was doing, but I could not figure out how to get vCenter Server to clear the previous endorsement keys associated with the ESXi host.

After a bit of searching, I came across this VMware KB 81446 which outlines a solution to one the scenarios I mentioned above where you would see these TPM alarms, which is replacing the TPM chip, but I came to find out that the workflow is also applicable if you had cleared the TPM keys and new ones were generated prior to re-installing ESXi. The KB was missing a some details, which I have already shared in the feedback and I think there is a more streamline method which I have shared below.

[Read more...]