Symptoms


Microsoft has recently issued Security Advisory #2661254. The Advisory states:



Windows machines running Zerto Virtual Manager (ZVM) on which this Microsoft update is installed may lose their connection to vCenter if the vCenter certificate was generated with a 512-bit RSA key. A Zerto administrator will typically notice that the Zerto Virtual Replication GUI fails to load, while the vSphere Client connects to vCenter without trouble. Attempts to reach vCenter from the ZVM itself in Internet Explorer (for example https://vcserver/mob) also fail, because Internet Explorer relies on the same Windows certificate chain validation that the update changes. This article explains the cause of the problem and how to resolve it.


Solution


The cause of this problem is Microsoft update KB 2661254. After this update is installed, Windows certificate chain validation rejects RSA certificates whose public key is shorter than 1024 bits, so any application that relies on Windows to validate certificates (the ZVM service and Internet Explorer both do) refuses to connect to a server that presents such a certificate. The problem appears when vCenter is still using its default self-signed certificate, which was generated with a 512-bit key, and the update is installed on the ZVM.


To resolve the issue, carry out one of the following and then restart the Windows VM running the ZVM software:

  • Preferred: follow VMware KB 2037082 to regenerate the vCenter certificate with a key of at least 1024 bits (2048 bits is the current norm). This is the only option that fixes the weak certificate itself rather than telling Windows to tolerate it.
  • Follow Microsoft KB 2661254 to lower the minimum RSA key length that Windows accepts. The following command on the ZVM allows 512-bit keys (note the backslash in the registry value name):
    • certutil -setreg chain\minRSAPubKeyBitLength 512
  • Follow Microsoft KB 2661254 to enable an RSA root certificate that has a key length of less than 1024 bits. This applies when the short key is on the root certificate of the chain:
    • certutil -setreg chain\EnableWeakSignatureFlags 2
  • Uninstall the hotfix from the ZVM.

Both certutil overrides are machine-wide: they weaken certificate validation for every application on the ZVM, not only its connection to vCenter, and a 512-bit RSA key can be factored with modest resources. Treat them as a temporary workaround, and remove them with certutil -delreg chain\minRSAPubKeyBitLength or certutil -delreg chain\EnableWeakSignatureFlags once the vCenter certificate has been regenerated. KB 2661254 also documents certutil -setreg chain\WeakSignatureLogDir <directory>, which logs every certificate the chain engine would block; running with that setting for a while is a practical way to find any other 512-bit certificates the ZVM talks to before enforcing the minimum.

Note that starting with Windows Server 2012 the behaviour introduced by this hotfix is built into the operating system, so there is no hotfix to uninstall. On those versions one of the first three options must be used.
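The following Windows PowerShell script is an added example, not code from Zerto, VMware or Microsoft. Run on the ZVM, it checks whether the 1024-bit minimum is being enforced (either by KB 2661254 or natively on Server 2012 and later), reads the override values that the certutil -setreg chain\... commands above write to the registry, fetches the certificate the vCenter endpoint actually presents, and reports whether the key length explains the disconnect. The hostname vcserver is an assumed placeholder; pass the real vCenter address with -VCenterHost.

```powershell
# Added example (not Zerto's, VMware's or Microsoft's code).
# Usage on the ZVM:  .\Check-VCenterKeyLength.ps1 -VCenterHost vcserver
# 'vcserver' is an assumed placeholder; replace it with the real vCenter address.
param(
    [string]$VCenterHost = 'vcserver',
    [int]$Port = 443
)

# 1. Is the 1024-bit minimum enforced on this host? KB 2661254 adds it to
#    Server 2008/2008 R2; Server 2012 (NT 6.2) and later enforce it natively,
#    so the absence of the hotfix alone does not mean the check is off.
$osVersion = [Environment]::OSVersion.Version
$hotfix    = Get-HotFix -Id 'KB2661254' -ErrorAction SilentlyContinue
$enforced  = ($hotfix -ne $null) -or ($osVersion -ge [Version]'6.2')

# 2. Read the override values. This is the registry key that
#    'certutil -setreg chain\minRSAPubKeyBitLength' and
#    'certutil -setreg chain\EnableWeakSignatureFlags' write to.
$cfgKey    = 'HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config'
$cfg       = Get-ItemProperty -Path $cfgKey -ErrorAction SilentlyContinue
$minBits   = if ($cfg -and $cfg.minRSAPubKeyBitLength) { $cfg.minRSAPubKeyBitLength } else { 1024 }
$weakFlags = if ($cfg -and $cfg.EnableWeakSignatureFlags) { $cfg.EnableWeakSignatureFlags } else { 0 }

# 3. Fetch the certificate the vCenter endpoint presents. The validation callback
#    returns $true unconditionally because we only want to inspect the certificate,
#    not trust it; do not reuse this pattern in code that carries real traffic.
function Get-RemoteCertificate {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream(
            $client.GetStream(), $false, { param($sender, $cert, $chain, $errors) $true })
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

$cert    = Get-RemoteCertificate -HostName $VCenterHost -Port $Port
$keyBits = $cert.PublicKey.Key.KeySize   # RSA modulus length in bits

"Enforcement present (KB2661254 or Server 2012+): $enforced"
"minRSAPubKeyBitLength in effect:                 $minBits"
"EnableWeakSignatureFlags:                        $weakFlags"
"vCenter certificate subject:                     $($cert.Subject)"
"vCenter certificate RSA key length:              $keyBits bits"

if ($enforced -and $keyBits -lt $minBits) {
    Write-Warning "ZVM will not connect: the vCenter key is $keyBits bits but Windows requires $minBits. Regenerate the certificate (VMware KB 2037082) rather than lowering the minimum."
} elseif ($keyBits -lt 1024) {
    Write-Warning "The connection works only because the 1024-bit minimum is lowered or not enforced on this host. Plan to regenerate the certificate and remove the override."
} else {
    "OK: the vCenter certificate meets the 1024-bit minimum."
}
```

The script reads the registry rather than calling certutil -getreg so that the result is a number you can compare against the key length; if neither override value exists, it assumes the 1024-bit default that the update enforces. Because the key length of the certificate is checked directly on the wire, the same script can be pointed at any other TLS endpoint the ZVM depends on to see whether it would be blocked too.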