Cloud Lab-14: How to Install a Certificate in vCenter from a Microsoft CA - “Certificate Automation Tool” (Part 2)

If you remember my last post about vCenter signed certificate installation (Part 1), then you know how much we have covered so far. It was a very lengthy post, so I divided it into two parts. Today I am going to move forward with Part 2 of this lab.

LAB-14 TASKS (Part 2)

In this Lab we will perform following tasks

  1. vCenter Certificate Automation Tool Prerequisite
  2. Configuring the Tool
  3. Creating PEM Files
  4. Installing the Signed Certificate into vCenter using the vCenter Certificate Automation Tool
  5. Verify Certificates

1-vCenter Certificate Automation Tool Prerequisites

I am using the vCenter Certificate Automation Tool to install the signed certificates for all of the vCenter services. For more information about the tool, please read VMware KB article 2057340.

Let's start. First, copy your “vCenterCert” directory from the Linux machine to the “C” drive of the vCenter server. My directory structure looks like the screenshot below.

Inside each of the seven folders you should have the same set of files, as shown below. 

cloudlab14-installsignedcertinVC-19

You will also need the following accounts and passwords handy to complete the process:

  • SSO administrator and password
  • vCenter administrator and password
  • Original vCenter database password

2-Configuring the vCenter Certificate Automation Tool

    1. Download the SSL Certificate Automation Tool from My VMware, or save it from the attachment to this guide.
    2. Copy it to your vCenter server and unzip it to a safe place, such as the “C” drive.
    3. Open the ssl-environment.bat file and fill in all of the missing paths.

In my case I set the following:


set sso_cert_chain=C:\vCenterCerts\SSO\chain.pem
set sso_private_key=C:\vCenterCerts\SSO\SSO.key
set sso_node_type=Single
set sso_admin_is_behind_lb=
set sso_lb_certificate=
set sso_lb_hostname=
set is_cert_chain=C:\vCenterCerts\InventoryService\chain.pem
set is_private_key_new=C:\vCenterCerts\InventoryService\inventoryservice.key
set vc_cert_chain=C:\vCenterCerts\vCenter\chain.pem
set vc_private_key=C:\vCenterCerts\vCenter\vCenter.key
set ngc_cert_chain=C:\vCenterCerts\WebClient\chain.pem
set ngc_private_key=C:\vCenterCerts\WebClient\WebClient.key
set logbrowser_cert_chain=C:\vCenterCerts\LogBrowser\chain.pem
set logbrowser_private_key=C:\vCenterCerts\LogBrowser\LogBrowser.key
set vco_cert_chain=C:\vCenterCerts\Orchestrator\chain.pem
set vco_private_key=C:\vCenterCerts\Orchestrator\Orchestrator.key
set vum_cert_chain=C:\vCenterCerts\UpdateManager\chain.pem
set vum_private_key=C:\vCenterCerts\UpdateManager\UpdateManager.key
set sso_admin_user=administrator@vsphere.local
set vc_username=vmlab\vc.admin

(vc_username is my domain user; remember we gave it administrative rights in the permissions section of vCenter.)

Two things to watch in this file: batch keeps any space after the “=” as part of the value, so write the paths without spaces around them, and make sure vco_private_key points at the Orchestrator key in the Orchestrator folder (Orchestrator.key, assuming the same “<Service>\<Service>.key” naming as the other services), not at a key file from another service's folder.

*Leave the rest as default.*

    4. Open an elevated command prompt and run the ssl-environment.bat script.
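Before running the updater it is worth checking ssl-environment.bat by script rather than by eye, because the tool does not validate the file for you and a stray space or a key from the wrong folder only shows up as a failure halfway through the 18 steps. The PowerShell below is an added pre-flight check of mine, not part of the original post or of VMware's tool. It assumes the path to the .bat file (pass your own), and the rule that each service's key is named after its folder (SSO\SSO.key, LogBrowser\LogBrowser.key, and so on) is this lab's own naming convention.

```powershell
# Added pre-flight check (not part of the original post or of VMware's tool).
# Reads every "set name=value" line of ssl-environment.bat and reports the
# mistakes that make ssl-updater.bat fail later: whitespace kept as part of a
# value (batch does that), paths that do not exist, and a key file that does
# not follow this lab's "<Service>\<Service>.key" naming.
# Assumption: $EnvFile is wherever you unzipped the tool (adjust the path).
param([string]$EnvFile = 'C:\ssl-certificate-updater-tool\ssl-environment.bat')

function Test-SslEnvironment {
    param([string]$Path)
    $problems = @()
    $vars = @{}

    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\s*set\s+([A-Za-z0-9_]+)=(.*)$') {
            $name  = $Matches[1]
            $value = $Matches[2]
            $vars[$name] = $value

            # "set x= C:\foo" stores " C:\foo": the space becomes part of the path.
            if ($value -ne $value.Trim()) {
                $problems += "$name has leading or trailing whitespace: '$value'"
            }

            if ($name -match '_(cert_chain|private_key|private_key_new)$' -and $value.Trim()) {
                $clean = $value.Trim()
                if ($clean -match '\s') {
                    $problems += "$name contains a space inside the path: '$clean'"
                }
                if (-not (Test-Path -LiteralPath $clean)) {
                    $problems += "$name points to a file that does not exist: $clean"
                }
            }
        }
    }

    # Lab convention: the key for C:\...\<Service>\chain.pem is C:\...\<Service>\<Service>.key.
    # A key named after another service (e.g. LogBrowser.key under Orchestrator) is a copy/paste slip.
    # String comparison in PowerShell is case-insensitive, so inventoryservice.key matches InventoryService.
    foreach ($keyName in @($vars.Keys) | Where-Object { $_ -like '*_private_key*' }) {
        $keyPath = $vars[$keyName].Trim()
        if (-not $keyPath) { continue }
        $folder   = Split-Path -Leaf (Split-Path -Parent $keyPath)
        $baseName = [System.IO.Path]::GetFileNameWithoutExtension($keyPath)
        if ($baseName -ne $folder) {
            $problems += "$keyName is $keyPath but its folder is named '$folder' (expected ${folder}.key)"
        }
    }
    return $problems
}

$issues = Test-SslEnvironment -Path $EnvFile
if ($issues) {
    $issues | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host 'ssl-environment.bat looks consistent.'
```

Run it from an elevated PowerShell prompt on the vCenter server after editing the .bat file and before step 4; an empty result means every referenced file exists and the values are clean. The script only checks names and paths, it does not prove that a key matches its certificate, so keep the backup advice of the next section in mind.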

3-Creating PEM Files

From inside each service directory you can use the following command to create the chain.pem file. The service certificate is written first and the CA certificate after it, so the file reads leaf to root. Use the same directory name you put in ssl-environment.bat, and make sure Root.cer was exported in Base64 (PEM) format: copy /B only concatenates bytes, so a DER-encoded .cer would produce an unreadable chain.

For example, in the SSO directory:
copy /B SSO-rui.crt + c:\vCentercert\Root.cer c:\vCentercert\SSO\chain.pem

cloudlab14-installsignedcertinVC-20

Repeat the command in each of the other six service directories, changing the certificate file name and the output path, to create their chain.pem files.

If your CA is a subordinate CA rather than a single root (optional, not the case in this lab), the chain must also contain the subordinate CA certificate, placed before the root, so the command would look like:

copy /B rui.crt + c:\vCentercert\Root-2.cer + c:\vCentercert\Root-1.cer chain.pem
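Rather than typing the copy command seven times, the PowerShell below builds chain.pem in every service folder and then reads each file back to confirm it really chains (each certificate's Issuer equals the Subject of the one after it). It is an added example of mine, not code from the original post, and it goes a little beyond the text by handling the subordinate-CA case through the $CaFiles parameter. It assumes the directory layout described above: $CertRoot is the folder copied from the Linux box, each service folder holds a leaf named *rui.crt (the post uses both SSO-rui.crt and rui.crt), and the CA certificate(s) are Base64/PEM files in $CertRoot.

```powershell
# Added example (not from the original post): build chain.pem in every service
# folder and then check that the result really chains leaf -> CA.
# Assumptions: $CertRoot is the directory copied from the Linux box, each
# service folder holds a leaf named *rui.crt, and the CA certificate(s) are
# Base64/PEM files in $CertRoot (Root.cer for a single root; Root-2.cer then
# Root-1.cer for a subordinate CA, i.e. subordinate before root).
param(
    [string]$CertRoot = 'C:\vCenterCerts',
    [string[]]$CaFiles = @('Root.cer')   # subordinate CA: @('Root-2.cer', 'Root-1.cer')
)

$services = 'SSO', 'InventoryService', 'vCenter', 'WebClient', 'LogBrowser', 'Orchestrator', 'UpdateManager'

function New-ServiceChain {
    param([string]$ServiceDir, [string[]]$CaPaths)
    $leaf = Get-ChildItem -Path $ServiceDir -Filter '*rui.crt' -File | Select-Object -First 1
    if (-not $leaf) { throw "No *rui.crt found in $ServiceDir" }
    $parts = @($leaf.FullName) + $CaPaths
    foreach ($p in $parts) {
        if (-not (Test-Path -LiteralPath $p)) { throw "Missing file: $p" }
    }
    $chainPath = Join-Path $ServiceDir 'chain.pem'
    # Same order as "copy /B leaf + ca chain.pem"; Set-Content ends each piece
    # with a newline, so END/BEGIN lines cannot fuse if a .crt lacks one.
    $parts | ForEach-Object { (Get-Content -LiteralPath $_ -Raw).TrimEnd() } |
        Set-Content -LiteralPath $chainPath -Encoding Ascii
    return $chainPath
}

function Test-ChainFile {
    param([string]$ChainPath)
    $text   = Get-Content -LiteralPath $ChainPath -Raw
    $blocks = [regex]::Matches($text, '-----BEGIN CERTIFICATE-----[\s\S]*?-----END CERTIFICATE-----')
    if ($blocks.Count -eq 0) { throw "$ChainPath contains no PEM certificate (was the .cer exported as DER?)" }
    $certs = @(foreach ($b in $blocks) {
        # X509Certificate2 accepts the Base64 block with its BEGIN/END header.
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($b.Value)
        New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
    })
    # Each certificate must be issued by the one that follows it.
    for ($i = 0; $i -lt $certs.Count - 1; $i++) {
        if ($certs[$i].Issuer -ne $certs[$i + 1].Subject) {
            Write-Warning "${ChainPath}: '$($certs[$i].Subject)' is not issued by '$($certs[$i + 1].Subject)'"
        }
    }
    return $certs
}

foreach ($svc in $services) {
    $dir   = Join-Path $CertRoot $svc
    $caAbs = $CaFiles | ForEach-Object { Join-Path $CertRoot $_ }
    $chain = New-ServiceChain -ServiceDir $dir -CaPaths $caAbs
    $certs = Test-ChainFile -ChainPath $chain
    '{0,-17} {1} certificate(s), leaf subject: {2}' -f $svc, $certs.Count, $certs[0].Subject
}
```

Run it once from the vCenter server after the .crt and .cer files are in place; a warning from Test-ChainFile means the CA file does not match the issuer of that leaf (wrong CA certificate, or subordinate and root in the wrong order), which is exactly the kind of mismatch the updater would otherwise report only as a failed step.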

4-Installing the Signed Certificate into vCenter using the vCenter Certificate Automation Tool

I strongly urge you to do a full backup of all vCenter databases (SSO, vCenter, and VUM), plus snapshot/backup your vCenter VM(s). If you hose up the certificate replacement process you may be left with a smoking vCenter hole. Backup before proceeding!

On your vCenter server run the ssl-updater.bat script. The tool has a built-in planner which tells you which steps to perform and in what order, depending on which services you want to update. To access the planner type 1.

cloudlab14-installsignedcertinVC-21

The result of pressing 8 was the following text:

cloudlab14-installsignedcertinVC-22

You will get the following output:

  1. Go to the machine with Single Sign-On installed and – Update the Single Sign-On SSL certificate.
  2. Go to the machine with Inventory Service installed and – Update Inventory Service trust to Single Sign-On.
  3. Go to the machine with Inventory Service installed and – Update the Inventory Service SSL certificate.
  4. Go to the machine with vCenter Server installed and – Update vCenter Server trust to Single Sign-On.
  5. Go to the machine with vCenter Server installed and – Update the vCenter Server SSL certificate.
  6. Go to the machine with vCenter Server installed and – Update vCenter Server trust to Inventory Service.
  7. Go to the machine with Inventory Service installed and – Update the Inventory Service trust to vCenter Server.
  8. Go to the machine with vCenter Orchestrator installed and – Update vCenter Orchestrator trust to Single Sign-On.
  9. Go to the machine with vCenter Orchestrator installed and – Update vCenter Orchestrator trust to vCenter Server.
  10. Go to the machine with vCenter Orchestrator installed and – Update the vCenter Orchestrator SSL certificate.
  11. Go to the machine with vSphere Web Client installed and – Update vSphere Web Client trust to Single Sign-On.
  12. Go to the machine with vSphere Web Client installed and – Update vSphere Web Client trust to Inventory Service.
  13. Go to the machine with vSphere Web Client installed and – Update vSphere Web Client trust to vCenter Server.
  14. Go to the machine with vSphere Web Client installed and – Update the vSphere Web Client SSL certificate.
  15. Go to the machine with Log Browser installed and – Update the Log Browser trust to Single Sign-On.
  16. Go to the machine with Log Browser installed and – Update the Log Browser SSL certificate.
  17. Go to the machine with vSphere Update Manager installed and – Update the vSphere Update Manager SSL certificate.
  18. Go to the machine with vSphere Update Manager installed and – Update vSphere Update Manager trust to vCenter Server.

As you can see, we have to perform 18 steps to fully update all SSL certificates.

Step 1: Getting back to the main menu by pressing “9”, I now want to start updating the SSL certificates in the prescribed order per the pre-planner. So I press “3” to start with SSO.

cloudlab14-installsignedcertinVC-23

To perform the certificate update I press “1”.

cloudlab14-installsignedcertinVC-24

After pressing 1 it then asks me where my SSO SSL chain file is stored. And it also wants to know where the SSO private key is, as well. Since we previously configured the environment script, the paths and files it listed were correct. I then typed in my SSO master password (you do remember it, right?). My install did not involve load balancers, so I told the installer no.

At this point the black magic starts, and a minute later... all seems to be well.

Step 1 of the pre-planning guide is complete.

Step 2: Now that the SSO certificate appears to be successfully updated, it's time to march on to the Inventory Service. So I press “3” to return to the main menu. On the main menu I press “4” to update the Inventory Service. I'm now presented with a plethora of options.

cloudlab14-installsignedcertinVC-25

Per the pre-planning guide I need to select option “1”.

cloudlab14-installsignedcertinVC-26

After 30 seconds of disk activity, I get a successful message.

Step 2 of the pre-planning guide is complete.

Step 3: Slightly illogically, the next step is to select option “3”, per the pre-planning guide.

cloudlab14-installsignedcertinVC-27

Again, the certificate paths and files are pre-populated and are correct. Now it wants to know the SSO administrator user. If you aren't sure what this is, open the Web Client and log in. If you can access and modify the Sign-On and Discovery settings, you probably have the right username. In my case this is the default, administrator@vsphere.local.

A little whirring of my disk drive, and I get a successful message.

Step 3 of the pre-planning guide is complete.

Step 4: Exit back to the main menu by pressing “5”, then press “5”.

cloudlab14-installsignedcertinVC-28 

vCenter needs to trust the SSO certificate, so I press “1”. The default path and file are correct, so I press enter. Success!

cloudlab14-installsignedcertinVC-29

Step 4 of the pre-planning guide is complete.

Step 5: From the same menu I press “2”, to update the vCenter SSL certificate. Again, the default paths and files were correct so I accepted them. Now I’m prompted for the vCenter administrator name and password. Next I’m asked to enter the original vCenter server database password, with all kinds of scary warnings if I input the wrong password since no validation is done. I’m also asked to enter the SSO administrator username and password.

cloudlab14-installsignedcertinVC-30

After several minutes of chugging away I see a successful message.

Step 5 of the pre-planning guide is complete.

Step 6: Per the pre-planning guide I now must select option “3”, to trust the Inventory Service SSL certificate.

cloudlab14-installsignedcertinVC-31

Step 6 of the pre-planning guide is complete. 

Step 7: Pressing 5 I get back to the main menu. And I need to go back into the Inventory Service, so I press “4”.

cloudlab14-installsignedcertinVC-32

Finally, we now configure the inventory service to trust vCenter by pressing “2”.

cloudlab14-installsignedcertinVC-33

Step 7 of the pre-planning guide is complete.

Step 8: Pressing “5” I get back to the main menu. I now press “6”, to update vCO.

cloudlab14-installsignedcertinVC-34

Per the pre-planning guide I need to configure vCO to trust SSO, so I press “1”. The default SSO filename is correct so I press enter.

cloudlab14-installsignedcertinVC-35

Step 8 of the pre-planning guide is complete.

Step 9: Now vCO needs to be told to trust vCenter server, so I press “2” and validate the path is right.

cloudlab14-installsignedcertinVC-36

Step 9 of the pre-planning guide is complete.

Step 10: Next up is updating the vCO SSL certificate, so I press “3” and validate the path.

cloudlab14-installsignedcertinVC-37

Step 10 of the pre-planning guide is complete.

Step 11: Pressing “5” takes us back to the main menu. Now we press “7” to enter the Web Client and Log Browser update process.

cloudlab14-installsignedcertinVC-38

Per the pre-planning guide we need option “1”. I enter the SSO administrator username and password.

cloudlab14-installsignedcertinVC-39

Several minutes later the process was a success.

Step 11 of the pre-planning guide is complete. 

Step 12: Now we need to press “2”, to trust the Inventory Service.

cloudlab14-installsignedcertinVC-40

Several minutes later the process was a success.

Step 12 of the pre-planning guide is complete. 

Step 13: Now we need to press “3”, to trust the vCenter server.

cloudlab14-installsignedcertinVC-41

Step 13 of the pre-planning guide is complete.

Step 14: Now we need to press “4”, to update the Web Client SSL certificate. Again, the presented paths and files were correct. Enter the SSO administrator username and password.

cloudlab14-installsignedcertinVC-42

Step 14 of the pre-planning guide is complete. 

Step 15: Next up is pressing “5”, to enable the Log Browser service to trust SSO.

cloudlab14-installsignedcertinVC-43

Step 15 of the pre-planning guide is complete. 

Step 16: Now press “6”, to update the Log Browser SSL certificate. Again, the certificate and paths looked good. Enter the SSO username and password.

cloudlab14-installsignedcertinVC-44

Step 16 of the pre-planning guide is complete.

Press “9” to go back to the main menu, then press “9” again (end the update process and exit) to close the tool.

*NOTE: I am going to skip steps 17-18 (VUM) here, because I have not configured/installed vCenter Update Manager yet. I will come back and perform these steps after the VUM installation.*

Now it's time to verify the hard work we have been doing for the last hour or two.

5-Verify vCenter Certificates

1-Inventory Service
Browse to https://vc-mgmt.vmlab.com:10443/.

cloudlab14-installsignedcertinVC-45

Click on the lock icon and view the certificate.

cloudlab14-installsignedcertinVC-46

Click on the “Details” tab -> click “Subject” and notice “OU=VMWareInventoryService”.

cloudlab14-installsignedcertinVC-47

You may receive a 400 Bad Request page, but you can still check that the certificate is being used correctly.

2-vCenter SSO

Browse https://vc-mgmt.vmlab.com:7444/lookupservice/sdk

cloudlab14-installsignedcertinVC-48

Click on the lock icon -> View “Certificates”.

Click on the “Details” tab -> “Subject” -> notice “OU=vCenterSSO”.

cloudlab14-installsignedcertinVC-49

3-vCenter Orchestrator

Browse https://vc-mgmt.vmlab.com:8281/

cloudlab14-installsignedcertinVC-50

*In a default vCenter installation the VMware vCenter Orchestrator service is not running. Make sure to start it first.*

Click on the lock icon -> View “Certificates”.

Click on the “Details” tab -> “Subject” -> notice “OU=vCenterOrchestrator”.

cloudlab14-installsignedcertinVC-51

4-vCenter

Browse https://vc-mgmt.vmlab.com/

cloudlab14-installsignedcertinVC-52

Click on the lock icon -> View “Certificates”.

Click on the “Details” tab -> “Subject” -> notice “OU=vCenter”.

cloudlab14-installsignedcertinVC-53

5-Web Client

Browse https://vc-mgmt.vmlab.com:9443/vsphere-client

cloudlab14-installsignedcertinVC-54

Click on the lock icon -> View “Certificates”.

Click on the “Details” tab -> “Subject” -> notice “OU=vCenterWebClient”.

cloudlab14-installsignedcertinVC-55
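Clicking the padlock five times works once, but it does not tell you when a service falls back to its old self-signed certificate after a service restart or an upgrade. The PowerShell below is an added example of mine, not part of the original post: it opens a TLS connection to each of the five endpoints checked above, pulls the certificate the service presents and reports whether the Subject OU is the one this section tells you to look for, whether the certificate chains to a CA the client trusts, and when it expires. It assumes the host name and ports used in this lab (vc-mgmt.vmlab.com, 10443, 7444, 8281, 443, 9443) and that the Microsoft CA root has been installed in the trust store of the machine you run it from.

```powershell
# Added example (not from the original post): fetch the certificate each
# vCenter service presents on its port and check it, instead of clicking the
# padlock in a browser. Assumptions: host name and ports are the ones used in
# this lab, and the expected OU values are those the verification section
# tells you to look for.
param([string]$VcHost = 'vc-mgmt.vmlab.com')

$expected = @(
    @{ Name = 'Inventory Service';    Port = 10443; OU = 'VMWareInventoryService' }
    @{ Name = 'vCenter SSO';          Port = 7444;  OU = 'vCenterSSO' }
    @{ Name = 'vCenter Orchestrator'; Port = 8281;  OU = 'vCenterOrchestrator' }
    @{ Name = 'vCenter Server';       Port = 443;   OU = 'vCenter' }
    @{ Name = 'Web Client';           Port = 9443;  OU = 'vCenterWebClient' }
)

function Get-ServiceCertificate {
    param([string]$TargetHost, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    $client.Connect($TargetHost, $Port)
    $stream = $client.GetStream()
    # Accept whatever is presented here: we want to inspect the certificate, the
    # trust decision is made separately below with X509Chain.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream -ArgumentList $stream, $false, $acceptAll
    try {
        $ssl.AuthenticateAsClient($TargetHost)
        # Re-wrap as X509Certificate2 to get Subject, NotAfter and Thumbprint.
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
    } finally {
        $ssl.Dispose()
        $client.Close()
    }
}

function Test-ServiceCertificate {
    param([hashtable]$Service, [string]$TargetHost)
    $cert = Get-ServiceCertificate -TargetHost $TargetHost -Port $Service.Port
    # Subject looks like "OU=..., O=..., CN=..."; pull out the OU value(s).
    $ous = @($cert.Subject -split ',\s*' | Where-Object { $_ -like 'OU=*' } | ForEach-Object { $_.Substring(3) })
    # Build the chain against the local trust store. Revocation is deliberately
    # not checked here (trust-path check only); the lab CA root must be installed.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($cert)
    [pscustomobject]@{
        Service    = $Service.Name
        Port       = $Service.Port
        Subject    = $cert.Subject
        OU_OK      = ($ous -contains $Service.OU)   # case-insensitive, like the rest of PowerShell
        Trusted    = $trusted
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint
    }
}

$results = foreach ($svc in $expected) {
    try { Test-ServiceCertificate -Service $svc -TargetHost $VcHost }
    catch {
        # Connection refused (e.g. the Orchestrator service not started) or a TLS
        # handshake failure lands here instead of aborting the whole run.
        [pscustomobject]@{ Service = $svc.Name; Port = $svc.Port; Subject = "ERROR: $($_.Exception.Message)";
                           OU_OK = $false; Trusted = $false; NotAfter = $null; Thumbprint = $null }
    }
}
$results | Format-Table -AutoSize
```

A row with OU_OK true and Trusted true is the same result as the padlock check above; OU_OK false with the old VMware default subject means that service is still on its self-signed certificate, and Trusted false with the right OU means the Microsoft CA root is missing from the client's trust store. Comparing the Thumbprint column against the thumbprints of the certificates you issued is a quick way to confirm exactly the certificate you signed is the one in use. On an older vCenter the handshake can fail with a protocol error if the client refuses the old TLS versions the service offers; that is a client-side setting, not a certificate problem.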

If everything went the same as in the guide, then it's time to rejoice. Congratulations 🙂

Now log in from the VMware Web Client and verify that vCenter is working.
