Cloud Lab-14: How to Install a Certificate in vCenter from a Microsoft CA - "Signed Certificate" (Part 1)

LAB-14 TASKS (Part 1)

In this lab we will perform the following tasks:

  1. vCenter Certificate Components
  2. Generate SSL Certificate Request
  3. Getting Signed SSL Certificate from CA
  4. Creating the PFX

1-vCenter Certificate Components

There are seven separate components in vCenter Server 5.5 that use certificates to secure their communication. This information is taken from VMware KB article 2061934.

  1. InventoryService
  2. SSO
  3. UpdateManager
  4. vCenter
  5. WebClient
  6. LogBrowser
  7. vCenter Orchestrator

This procedure applies whether the components are on the same server or on different servers, as long as each component has its own certificate. The OpenSSL configuration used to generate the requests must:

  • Include the subjectAltName extension
  • Use a unique organizationalUnitName (OU) for each component
  • Use DNS entries in subjectAltName whose case matches the hostname and domain exactly as the host reports them in the output of hostname or ipconfig /all
  • Include digitalSignature, keyEncipherment and dataEncipherment in the keyUsage extension

NOTE: Each SSL certificate needs a unique Distinguished Name (DN). The examples in this article use the organizationalUnitName (OU) field to achieve this uniqueness, based on a configuration where all components are installed on the same server (so they all share the same commonName). If the services are on separate servers, they have unique DNs by default because their commonNames differ.

Using an IP address in the subjectAltName of each certificate is a VMware recommendation, not a requirement. When a commercial CA signs the certificates, the IP address can be left out as long as DNS resolves correctly for the short name, the fully qualified domain name and the reverse lookup.

Let’s start

First go to the OpenSSL server (in my case it’s my Linux box) and create the folder structure shown below: a vCenterCerts folder with one subfolder per component (InventoryService, SSO, UpdateManager, vCenter, WebClient, LogBrowser and Orchestrator). If you don't have OpenSSL available, download it from the OpenSSL site; it is available for both Windows and Linux.

(Screenshot: cloudlab14-installsignedcertinVC-1)

2-Generate SSL Certificate Request

1-InventoryService

Navigate into the “InventoryService” directory created above.

Run this command to create the Inventory Service certificate request and its private key:

# openssl req -new -nodes -out inventoryservice.csr -keyout inventoryservice-orig.key

As written, the command takes the DN fields from interactive prompts driven by the default openssl.cnf and adds no subjectAltName or keyUsage extension. To meet the requirements in section 1, point it at a per-component config file with -config <file> (one file per directory, each with its own OU and its own SAN entries), and check the resulting CSR with the openssl req -text command at the end of this section. The -nodes option leaves the private key unencrypted on disk, so keep the key files readable only by your account (chmod 600) and do not copy them off this server.

(Screenshot: cloudlab14-installsignedcertinVC-2)

Convert the key to the traditional RSA (PKCS#1) format that the Inventory Service expects. openssl req writes the key in PKCS#8 form (“BEGIN PRIVATE KEY”); the service needs the “BEGIN RSA PRIVATE KEY” form:

# openssl rsa -in inventoryservice-orig.key -out inventoryservice.key

# cat inventoryservice.key (verify that the key now starts with -----BEGIN RSA PRIVATE KEY-----)

With OpenSSL 3.x, openssl rsa keeps the PKCS#8 form by default; add -traditional to get the PKCS#1 output.

(Screenshot: cloudlab14-installsignedcertinVC-3)

2-SSO

Navigate into the “SSO” directory created above.

Run this command to create the SSO certificate request and its private key:

# openssl req -new -nodes -out SSO.csr -keyout SSO-orig.key

(Screenshot: cloudlab14-installsignedcertinVC-4)

Convert the key to the traditional RSA (PKCS#1) format for SSO to use:

# openssl rsa -in SSO-orig.key -out SSO.key

# cat SSO.key (verify the RSA key)

(Screenshot: cloudlab14-installsignedcertinVC-5)

3-Update Manager

Navigate into the “UpdateManager” directory created above.

Run this command to create the Update Manager certificate request and its private key:

# openssl req -new -nodes -out UpdateManager.csr -keyout UpdateManager-orig.key

(Screenshot: cloudlab14-installsignedcertinVC-6)

Convert the key to the traditional RSA (PKCS#1) format for Update Manager to use:

# openssl rsa -in UpdateManager-orig.key -out UpdateManager.key

# cat UpdateManager.key (verify the RSA key)

(Screenshot: cloudlab14-installsignedcertinVC-7)

4-vCenter

Navigate into the “vCenter” directory created above.

Run this command to create the vCenter certificate request and its private key:

# openssl req -new -nodes -out vCenter.csr -keyout vCenter-orig.key

(Screenshot: cloudlab14-installsignedcertinVC-8)

Convert the key to the traditional RSA (PKCS#1) format for the vCenter service to use:

# openssl rsa -in vCenter-orig.key -out vCenter.key

# cat vCenter.key (verify the RSA key)

(Screenshot: cloudlab14-installsignedcertinVC-9)

5-WebClient

Navigate into the “WebClient” directory created above.

Run this command to create the Web Client certificate request and its private key:

# openssl req -new -nodes -out WebClient.csr -keyout WebClient-orig.key

(Screenshot: cloudlab14-installsignedcertinVC-10)

Convert the key to the traditional RSA (PKCS#1) format for the Web Client service to use:

# openssl rsa -in WebClient-orig.key -out WebClient.key

# cat WebClient.key (verify the RSA key)

(Screenshot: cloudlab14-installsignedcertinVC-11)

6-LogBrowser

Navigate into the “LogBrowser” directory created above.

Run this command to create the Log Browser certificate request and its private key:

# openssl req -new -nodes -out LogBrowser.csr -keyout LogBrowser-orig.key

(Screenshot: cloudlab14-installsignedcertinVC-12)

Convert the key to the traditional RSA (PKCS#1) format for the Log Browser service to use:

# openssl rsa -in LogBrowser-orig.key -out LogBrowser.key

# cat LogBrowser.key (verify the RSA key)

(Screenshot: cloudlab14-installsignedcertinVC-13)

7-Orchestrator

Navigate into the “Orchestrator” directory created above.

Run this command to create the Orchestrator certificate request and its private key:

# openssl req -new -nodes -out Orchestrator.csr -keyout Orchestrator-orig.key

(Screenshot: cloudlab14-installsignedcertinVC-14)

Convert the key to the traditional RSA (PKCS#1) format for the Orchestrator service to use:

# openssl rsa -in Orchestrator-orig.key -out Orchestrator.key

# cat Orchestrator.key (verify the RSA key)

(Screenshot: cloudlab14-installsignedcertinVC-15)

To inspect any of the seven CSRs, go to the respective directory and run:

# openssl req -in SSO.csr -noout -text

Check the output against the requirements in section 1: the Subject should carry that component's OU, the X509v3 Subject Alternative Name should list the DNS names (and the IP address, if used) in the same case as the host reports them, and X509v3 Key Usage should show Digital Signature, Key Encipherment and Data Encipherment.

*NOTE: SSO is just an example; replace it with another service name to check that service's CSR.*
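The requirements in section 1 and the seven request steps above fit in one script. The following is an added example, not code from the original post or from VMware: it writes a per-component OpenSSL config carrying the subjectAltName, a unique OU and the required keyUsage bits, generates the key and CSR from it, re-encodes the key as PKCS#1, and checks the CSR the way the openssl req -text step does. The hostnames (vc01, vc01.lab.example, 10.0.0.5), the DN values and the directory layout are assumptions for the example.

```shell
#!/bin/sh
# Added example (not part of the original post): per-component OpenSSL request
# config + key + CSR generation for the vCenter 5.5 components, then a check of
# the CSR contents. Hostnames, DN values and paths are assumptions.
set -eu

# Write <component>/openssl.cfg. The OU is the component name, which keeps the
# DN unique when every component lives on the same host (same CN for all).
# Usage: write_req_config <component> <short-hostname> <fqdn> [ip]
write_req_config() {
  comp=$1; short=$2; fqdn=$3; ip=${4:-}
  mkdir -p "$comp"
  cfg="$comp/openssl.cfg"
  {
    printf '[ req ]\n'
    printf 'default_bits = 2048\n'
    printf 'default_md = sha256\n'
    printf 'prompt = no\n'
    printf 'distinguished_name = req_distinguished_name\n'
    printf 'req_extensions = v3_req\n\n'
    printf '[ v3_req ]\n'
    printf 'basicConstraints = CA:FALSE\n'
    printf 'keyUsage = digitalSignature, keyEncipherment, dataEncipherment\n'
    printf 'subjectAltName = @alt_names\n\n'
    printf '[ alt_names ]\n'
    # Case must match what `hostname` / `ipconfig /all` print on the host.
    printf 'DNS.1 = %s\n' "$fqdn"
    printf 'DNS.2 = %s\n' "$short"
    if [ -n "$ip" ]; then printf 'IP.1 = %s\n' "$ip"; fi   # recommended, not required
    printf '\n[ req_distinguished_name ]\n'
    printf 'countryName = US\n'                              # assumed DN values
    printf 'stateOrProvinceName = California\n'
    printf 'localityName = Palo Alto\n'
    printf 'organizationName = Example Lab\n'
    printf 'organizationalUnitName = %s\n' "$comp"
    printf 'commonName = %s\n' "$fqdn"
  } > "$cfg"
  echo "$cfg"
}

# Generate the private key and CSR for one component, then re-encode the key as
# traditional PKCS#1 ("BEGIN RSA PRIVATE KEY"), which the 5.5 services expect.
# OpenSSL 3.x needs -traditional for that; older releases reject the flag but
# already emit PKCS#1, hence the fallback.
make_csr() {   # make_csr <component> <config>
  comp=$1; cfg=$2
  openssl req -new -nodes -newkey rsa:2048 -config "$cfg" \
    -keyout "$comp/$comp-orig.key" -out "$comp/$comp.csr" 2>/dev/null
  if ! openssl rsa -in "$comp/$comp-orig.key" -traditional -out "$comp/$comp.key" 2>/dev/null; then
    openssl rsa -in "$comp/$comp-orig.key" -out "$comp/$comp.key" 2>/dev/null
  fi
  chmod 600 "$comp/$comp-orig.key" "$comp/$comp.key"   # -nodes = unencrypted key on disk
}

# csr_has <csr> <text>: succeed if the decoded CSR (openssl req -text) contains <text>.
csr_has() {
  openssl req -in "$1" -noout -text | grep -q -- "$2"
}

# csr_ou <csr>: print the OU from the CSR subject. RFC 2253 output avoids the
# "OU=" vs "OU = " spacing difference between OpenSSL 1.x and 3.x.
csr_ou() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*OU=\([^,]*\).*/\1/p'
}

# Generate config, key and CSR for all seven components in the page's layout.
generate_all() {   # generate_all <short-hostname> <fqdn> [ip]
  for c in InventoryService SSO UpdateManager vCenter WebClient LogBrowser Orchestrator; do
    make_csr "$c" "$(write_req_config "$c" "$1" "$2" "${3:-}")"
  done
}

# Stand-alone run, from inside the vCenterCerts folder:
#   sh gen-csrs.sh all vc01 vc01.lab.example 10.0.0.5
case "${1:-}" in
  all) generate_all "${2:?short hostname}" "${3:?fqdn}" "${4:-}" ;;
esac
```

Running the script with all generates seven directories, each with its own openssl.cfg, an unencrypted -orig.key, the PKCS#1 .key and the .csr; csr_ou and csr_has are the checks to run on each CSR before sending it to the CA.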

3-Getting Signed SSL Certificate from CA

Log into the Microsoft CA web enrollment interface. By default it is at http://servername/CertSrv/.

Copy the CSRs from the OpenSSL server to the CA server, keeping the “vCenterCerts” folder tree (one folder per component) so that each signed certificate can be saved next to its request. The private keys (the .key and -orig.key files) are not needed by the CA and should stay on the OpenSSL server. The folder hierarchy looks like this:

(Screenshot: cloudlab14-installsignedcertinVC-16)

Now we have CSRs for all seven of our vCenter services. It's time to use these CSRs to get certificates for all seven vCenter services from the Microsoft Certificate Authority. It's very easy to get a certificate from the CA against a generated CSR. I did this step in my last post, so I am going to skip that part here. I assume you will get the certificates for all seven services. If you don't remember it, visit my previous ESXi Signed Certificate post and see how to get a certificate from the CA against a generated CSR. Click here.

*NOTE: When the CA issues the certificate for a request, download it as Base-64 encoded X.509 (.CER) and place it in the matching component folder of “vCenterCerts” (for example InventoryService\inventory-rui.crt and SSO\SSO-rui.crt; these are the file names used in the PFX step below).*

Download the CA's root certificate (Base-64 encoded as well) and save it as “C:\vCenterCerts\Root.cer”, at the top of the same folder tree.

(Screenshot: cloudlab14-installsignedcertinVC-17)

*NOTE: This assumes the CA has no intermediate certificates. If the CA hierarchy has two or more levels, export each intermediate certificate to a separate Base-64 encoded X.509 (.CER) file as well.*

For example, create files named C:\vCenterCerts\interm64-1.cer, C:\vCenterCerts\interm64-2.cer, etc. Then concatenate the intermediates and the root, in that order, into a single file named chain.cer.

To concatenate the files on Windows, open a command prompt, change to the certificates directory and run:

copy /b interm64-1.cer+interm64-2.cer+Root.cer chain.cer

The /b switch concatenates the files byte for byte; without it copy treats them as text and may append an end-of-file (Ctrl-Z) character after the last PEM block. chain.cer then replaces Root.cer as the -certfile argument in the PFX commands below.

If the chain is not built correctly before the PFX files are created below (and the JKS files in the next part), logins to the vSphere Web Client and other components will fail.

4-Creating the PFX

Once the signed certificates are issued, generate a PKCS#12 (PFX) file for each service.

To create the PFX file for each service:

Copy the updated certificate folder (vCenterCerts, now holding the signed .crt files and Root.cer) from the CA server back to the Linux server where the keys and CSRs were generated, so that each certificate sits next to its private key.

Verify the certificate hierarchy.

(Screenshot: cloudlab14-installsignedcertinVC-18)

a)      Run this command to create the rui.pfx file for the Inventory Service:

Navigate to the “InventoryService” directory.

# openssl pkcs12 -export -in inventory-rui.crt -inkey inventoryservice.key -certfile /home/SNGPL/shabbir.ahmed/vCenterCerts/Root.cer -name "rui" -passout pass:testpassword -out rui.pfx

*Note: The certificate store password must be testpassword. Do not change this parameter.* Because this password is fixed and publicly documented it protects nothing, so treat rui.pfx with the same care as the private key: restrictive file permissions and no copies left on shared systems. If your CA has intermediate certificates, use chain.cer from section 3 in place of Root.cer in this and every following command.

b)      Run this command to create the ssoserver.p12 file for SSO:

Navigate to the “SSO” directory.

# openssl pkcs12 -export -in SSO-rui.crt -inkey SSO.key -certfile /home/SNGPL/shabbir.ahmed/vCenterCerts/Root.cer -name "ssoserver" -passout pass:changeme -out ssoserver.p12

*Note: The certificate store password must be changeme and the key alias must be ssoserver. Do not change these parameters.*

c)      Run this command to create the rui.pfx file for vCenter Server:

Navigate to the “vCenter” directory.

# openssl pkcs12 -export -in vCenter-rui.crt -inkey vCenter.key -certfile /home/SNGPL/shabbir.ahmed/vCenterCerts/Root.cer -name "rui" -passout pass:testpassword -out rui.pfx

d)      Run this command to create the rui.pfx file for the vSphere Web Client:

Navigate to the “WebClient” directory.

# openssl pkcs12 -export -in WebClient-rui.crt -inkey WebClient.key -certfile /home/SNGPL/shabbir.ahmed/vCenterCerts/Root.cer -name "rui" -passout pass:testpassword -out rui.pfx

e)      Run this command to create the rui.pfx file for the Log Browser:

Navigate to the “LogBrowser” directory.

# openssl pkcs12 -export -in LogBrowser-rui.crt -inkey LogBrowser.key -certfile /home/SNGPL/shabbir.ahmed/vCenterCerts/Root.cer -name "rui" -passout pass:testpassword -out rui.pfx

f)      Run this command to create the rui.pfx file for vSphere Update Manager:

Navigate to the “UpdateManager” directory.

# openssl pkcs12 -export -in UpdateManager-rui.crt -inkey UpdateManager.key -certfile /home/SNGPL/shabbir.ahmed/vCenterCerts/Root.cer -name "rui" -passout pass:testpassword -out rui.pfx

If you build these files with OpenSSL 3.x, note that its default PKCS#12 encoding (AES-256 with PBKDF2) may not be readable by the older Java and Windows tooling that vCenter 5.5 uses; add -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 (or -legacy) to each export command to get the encoding that OpenSSL 1.x produced.

The PFX files are created. To check the contents of a PFX, run:

# openssl pkcs12 -in <path to rui.pfx> -info

Example: openssl pkcs12 -in /home/SNGPL/shabbir.ahmed/vCenterCerts/UpdateManager/rui.pfx -info

When prompted, use testpassword for both the import password and the PEM pass phrase (changeme for ssoserver.p12). This only decodes the file to check it. The subject shown should match the Distinguished Name (DN) of that component's certificate, the friendlyName should be rui (ssoserver for SSO), and Root.cer (or the chain) should be present as an additional certificate. Adding -nokeys -passin pass:testpassword to the command skips the prompts and keeps the private key from being printed to the terminal.
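The export and the -info check above can be done non-interactively, and a couple of checks are worth adding that -info does not make by itself: that the bundled key really belongs to the bundled certificate, and that the certificate verifies against the chain being embedded. The script below is an added example, not code from the original post or from VMware. So that it runs offline, a throwaway root CA created inside the script stands in for the Microsoft CA and signs two constructed requests; in the lab the *-rui.crt files and Root.cer come from CertSrv. It also builds chain.cer the way section 3 describes, on the Linux side with cat instead of the Windows copy command. The host and DN values are assumptions for the example.

```shell
#!/bin/sh
# Added example (not part of the original post): build a service PKCS#12 as in
# section 4 and verify it without prompts. The root CA created here is a
# constructed stand-in for the Microsoft CA; names and DN values are assumptions.
set -eu

# Stand-in for the CA: sign a CSR with the local Root.cer / Root.key.
lab_ca_sign() {   # lab_ca_sign <csr> <out.crt>
  openssl x509 -req -in "$1" -CA Root.cer -CAkey Root.key -CAcreateserial \
    -days 365 -sha256 -out "$2" 2>/dev/null
}

# Concatenate the CA chain: intermediates first, root last (same order as the
# Windows copy command in section 3).
build_chain() {   # build_chain <out.cer> [intermediate.cer ...] <root.cer>
  out=$1; shift
  cat "$@" > "$out"
}

# The section 4 export command. The PBE/MAC options force the 3DES/SHA-1
# encoding that OpenSSL 1.x produced; OpenSSL 3.x otherwise defaults to
# AES-256/PBKDF2, which older Java and Windows stores may not open.
make_pfx() {   # make_pfx <crt> <key> <chain.cer> <alias> <password> <out>
  openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" -name "$4" \
    -passout "pass:$5" -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
    -out "$6"
}

# pfx_has_alias <pfx> <password> <alias>: the friendlyName the service looks up
# (rui, or ssoserver for SSO). A wrong password fails here as well.
pfx_has_alias() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
    | grep -q "friendlyName: $3\$"
}

# pfx_key_matches_cert <pfx> <password>: the bundled private key must belong to
# the bundled leaf certificate (compare the public key of both).
pfx_key_matches_cert() {
  certpub=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -pubkey 2>/dev/null || true)
  keypub=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
    | openssl pkey -pubout 2>/dev/null || true)
  [ -n "$certpub" ] && [ "$certpub" = "$keypub" ]
}

# cert_chains_to <crt> <chain.cer>: the leaf must verify against the chain that
# is embedded in the PFX; a wrong or incomplete chain.cer fails here.
cert_chains_to() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Build everything in a scratch directory and print its path.
run_demo() {
  work=$(mktemp -d); cd "$work"
  mkdir -p vCenter SSO
  # Constructed root CA, standing in for the Microsoft CA's Root.cer.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Lab Root CA/O=Example Lab" -keyout Root.key -out Root.cer 2>/dev/null
  for c in vCenter SSO; do   # same shape as the section 2 requests (OU = component)
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
      -subj "/C=US/O=Example Lab/OU=$c/CN=vc01.lab.example" \
      -keyout "$c/$c.key" -out "$c/$c.csr" 2>/dev/null
    lab_ca_sign "$c/$c.csr" "$c/$c-rui.crt"
  done
  build_chain chain.cer Root.cer   # list intermediates before Root.cer if you have them
  make_pfx vCenter/vCenter-rui.crt vCenter/vCenter.key chain.cer rui testpassword vCenter/rui.pfx
  make_pfx SSO/SSO-rui.crt SSO/SSO.key chain.cer ssoserver changeme SSO/ssoserver.p12
  echo "$work"
}

# Stand-alone run: sh check-pfx.sh demo
case "${1:-}" in
  demo) d=$(run_demo)
        pfx_has_alias "$d/vCenter/rui.pfx" testpassword rui \
          && pfx_key_matches_cert "$d/vCenter/rui.pfx" testpassword \
          && cert_chains_to "$d/vCenter/vCenter-rui.crt" "$d/chain.cer" \
          && echo "rui.pfx OK in $d" ;;
esac
```

For the real files, skip run_demo and call make_pfx, pfx_has_alias, pfx_key_matches_cert and cert_chains_to against the *-rui.crt, .key and Root.cer (or chain.cer) in each component directory; the three checks together cover the points the page's -info inspection is meant to confirm.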

That's it for today. I will continue with the installation and configuration of the vCenter signed certificates in my next post.
