Hello,
I am currently evaluating vShield App and since I don't have SnS, I'll document the bugs I found here.
1. GUI glitch when generating a new certificate signing request
When generating a new CSR one can choose the key algorithm and size. When switching between DSA and RSA forth and back and opening the key size pull down menu one more 4096 bit entry is generated in each round.
This looks like the following image. This one is merely cosmetic.
2. The wizard to generate a CSR has deliberate mandatory fields
There is no good reason, why the values for OU and O are mandatory whereas L and ST are optional (see rfc5280 for reference).
3. The wizard to generate a CSR fails to add L and ST to the request
This one is bad. The following image shows what I entered in the wizard.
This is what ends up in the CSR:
user@host ~ % openssl req -in vShieldCert.csr -noout -text | grep Subject:
Subject: C=DE, ST=null, L=null, O=Organization, OU=Unit, CN=vsm.example.org
I attached the vShieldCert.csr for reference.
As our internal CA requires both state and location to have valid input, I cannot use the wizard to generate a usable CSR. I took apart the vShield Manager vApp and found /home/secureall/.store/.bluelane_keystore containing the keypair and the certificates. A workaround is probably to directly inject a valid key and certificate there. The keystore password is 'secureall-em' in case somebody wants to try this.
4. Adding a Lookup Service URL with custom certificates on SSO fails
It is not documented how to update the trust store that validates SSO Lookup Services certificates. Oh wait - this is already documented here: http://communities.vmware.com/thread/423851.
VMware vs. SSL - the saga continues...