vendredi 3 octobre 2014

Replacing SSL Certificates for VMware Horizon View 5.2

While replacing the default SSL Certificates in the vSphere suite could seems challenging, the process in the View suite is much easier.

This article will cover the replacement of the default SSL certificates for both VMware View Connection Server and VMware View Composer.

OpenSSL and a Windows 2008 R2 CA are used to generate our CA Signed SSL certificates.

As a reminder, View Composer can be installed on the vCenter server or on another server (in case of heavy load).

My domain katalykt.lan is designed as follow:
- dc0001.katalykt.lan: This is the domain controller and our Certification Authority.
- vc0001.katalykt.lan: This is the vCenter and our View Composer server.
- cs0001.katalykt.lan: This is our View Connection Server.

Let's start by creating our working directory, under

C:\OpenSSL-Win32\Certificates


Let's create the following folders:

  • Composer
  • ConnectionServer


Creating the OpenSSL Template files

In this part, we'll create a configuration file for those folders in their respective folder:

Composer.cfg
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
 
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:vc0001, DNS:vc0001.katalykt.lan
 
[ req_distinguished_name ]
countryName = FR
stateOrProvinceName = Normandie
localityName = Caen
0.organizationName = Katalykt
organizationalUnitName = ViewComposer
commonName = vc0001.katalykt.lan

ConnectionServer.cfg
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
 
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:cs0001, DNS:cs0001.katalykt.lan
 
[ req_distinguished_name ]
countryName = FR
stateOrProvinceName = Normandie
localityName = Caen
0.organizationName = Katalykt
organizationalUnitName = ConnectionServer
commonName = cs0001.katalykt.lan


Creating the SSL Certificates CA Template

A specific CA SSL Certificate Template is required for VMware View. See my article about Preparing a Microsoft CA SSL Certificate Template for VMware View 5.2 here to create one.

I've granted my service account srv-vcenter the right to Enroll my VMwareViewSSL Template here (this is done by modifying the template)



Generating the SSL Certificates

So now that we've got everything that we need we can just go ahead and create a script which will do the manual labor for us!

This script will do as follow for each component:
  • Create a private key rui.key in RSA 2048
  • Create a Certificate Signing Request from the current OpenSSL Template
  • Submit the previous request to the CA and (hopefully) generate the Certificate rui.crt
  • Create the Personal Information Exchange file which will bundle our Certificate along with its private key
Create_View_SSL.bat
REM Change this according to your needs
Set OPENSSL=c:\OpenSSL-Win32\bin\openssl.exe
Set SSLPATH=c:\OpenSSL-Win32\Certificates
Set MSCA=DC0001\katalykt-DC0001-CA
Set MSCATEMPLATE=VMwareViewSSL
  
REM Core processing
echo PROCESSING: View Composer SSL Certificate
cd /d %SSLPATH%\Composer
%OPENSSL% genrsa 2048 > rui.key
%OPENSSL% req -out rui.csr -key rui.key -new -config Composer.cfg
certreq -submit -config %MSCA% -attrib "CertificateTemplate:%MSCATEMPLATE%" rui.csr rui.crt
%OPENSSL% pkcs12 -export -in rui.crt -inkey rui.key -name vdm -passout pass:testpassword -out rui.pfx
  
echo PROCESSING: View Connection Server SSL Certificate
cd /d %SSLPATH%\ConnectionServer
%OPENSSL% genrsa 2048 > rui.key
%OPENSSL% req -out rui.csr -key rui.key -new -config ConnectionServer.cfg
certreq -submit -config %MSCA% -attrib "CertificateTemplate:%MSCATEMPLATE%" rui.csr rui.crt
%OPENSSL% pkcs12 -export -in rui.crt -inkey rui.key -name vdm -passout pass:testpassword -out rui.pfx


Replacing the View Composer Certificate

If you already have a View Connection Server up and linked to an existing View Composer then make sure to stop it's services before replacing View Composer SSL certificate.

As you may already know, View Composer is installed either on the vCenter or on a side server. In this case it's hosted on my vCenter.

The first step is to stop the VMware View Composer service before proceeding any further.


The goal of this operation is to import our previously generated Personal Information Exchange rui.pfx into the View Composer server Personal store so that it may use both the SSL Certificate along with its private key.

So we hit the mmc.exe component where the View Composer is installed and load the Certificates Snap-in.


We pick the Computer account here.


I'm picking Local computer here since the mmc snap-in is running on the View Composer server.


Once the operation done, we browse to Personal >> Certificates. If you already have View Composer installed then you should be able to see the default Self Signed SSL Certificate in there.


The next step is to import our rui.pfx into the Certificates folder.

Using the contextual menu on the Certificates folder we do All Tasks > Import... to import it in there.

The first thing is to select the View Composer's rui.pfx file.


We use the password testpassword here (if you haven't changed it from the script that is) and we absolutely need to mark the key as exportable by ticking the option Mark this key as exportable...


Finally we place it in the Personal store.


Once done, we should be able to see our SSL certificate in the Personal store!


If you open up your SSL certificate you should see that a private key is associated with it thanks to the message "You have a private key that corresponds to this certificate".

If the SSL certificate doesn't have an associated private key then the replacement will not work (remember that the SSL Certificate template need to allow the private key export!)


Now that we got our SSL Certificate in our Personal store we can go ahead and replace the existing one.

This step is done by using the SviConfig.exe tool present on the View Composer server.

"c:\Program Files (x86)\VMware\VMware View Composer\SviConfig.exe" -operation=replacecertificate -delete=false

Note that we put the delete switch on false to keep the existing SSL Certificate in the store (we can always delete it later on)

Once the utility launch, simple select the new SSL certificate and everything else will be done automatically!


You may delete (or export as a backup) the old Certificate now.

And that's it! Our View Composer certificate has been changed! Make sure to restart the service!


Replacing the View Connection Server Certificate

View Connection Server SSL Certificate replacement is quite similar to the View Composer's one.

Our last rui.pfx has to be loaded onto the Connection Server personal certificate store. The only difference is that its "friendly name" need to be called vdm (It will only look for SSL Certificates with that friendly name)

Replacing the SSL Certificate of the View Connection Server is a good practice for many reasons. For instance your clients will view the Connection Server as a valid CA Signed entity when they connect through the View Horizon Client (No more red warning about Self Signed yay!)

Let's start our operation by stopping all View components services.


Via the mmc.exe component on the View Connection Server we add the Certificates Snap-in and load the Computer Account (This is the same process as the Composer's one above) on the Local computer.

Once more, we have the default SSL Certificate in there!


The next step is to import our rui.pfx into the Certificates folder.

Using the contextual menu on the Certificates folder we do All Tasks > Import... to import it in there.

The first thing is to select the View Connection Server rui.pfx file.


We use the password testpassword here (if you haven't changed it from the script that is) and we absolutely need to mark the key as exportable by ticking the option Mark this key as exportable...


Finally we place it in the Personal store.


Right now we have both the old and the new SSL Certificate. Make sure that the new SSL Certificate has the "vdm" Friendly Name set otherwise it will not be loaded.


I've removed the old SSL Certificate (you can export it too).


Finally we can restart the View Connection Server services.


After a few minutes, we head to the Web Admin site to ensure that the new SSL Certificate is loaded

https://cs0001.katalykt.lan/admin

If everything's fine our dashboard should show that our Connection Server is healthy!



Integrating View Composer in View Connection Server

In this part, I'll be linking my View Composer to my View Connection Server. If you already did it then you may skip this part.

Let's head in View Configuration >> Servers and add a vCenter server.


In my case the Composer is linked to the vCenter.



My vCenter is added as shown below.


The dashboard shows our View Composer's SSL Certificate as valid! (It may appear red at first but give it a few minutes)


Both our View Connection server and View Composer are now using valid CA SSL Certificates!

jeudi 2 octobre 2014

Preparing a Microsoft CA SSL Certificate Template for VMware View 5.2

Preparing an SSL Certificate Template for VMware View 5.2 is quite easy compared to the other vCenter components. What we have to keep in mind in this case is that the Private Key need to be exportable since both View Composer and View Connection Server requieres that option.

First of all let's go in our Certification Authority to find our Certificate Templates And select Manage from the contextual menu (or you may use the shortcut certtmpl.msc to go straight to the template console)


Now let's duplicate our Web Server template by using the contextual menu action Duplicate Template


We pick Windows Server 2003 Enterprise as a Minimal Supported CA


We can now start to customize our View SSL Template.

Let's start by giving it a descriptive label like VMware View SSL (note the difference between the display name and the template name, the display name has some escape characters while the template name doesn't).

Our template will be refered as VMwareViewSSL later on.


Our template should only be used for Server Authentication as we don't need Client Authentication here.


Next we're going to Edit the Key Usage.


We tick Allow encryption of user data


In the Request Handling tab, the most important part is to tick the option Allow private key to be exported.


We do a quick check in the Subject Name tab to ensure that the Supply in the request option is ticked. This is important for the Subject Alternative Name (SAN) property.


We validate the creation of our template and we should be able to see it among our templates


We quit the Template console and we're back in our CA's Menu.

Let's enable the template by using New >> Certificate Template to Issue  from the contextual menu over the Certificate Templates folder


Once that we're in the Enable Certificate Templates menu, we choose our VMware View SSL template and we validate.


Our Template is now issued and ready to be used!



mardi 18 mars 2014

Using a custom SSL Certificate for VMware Site Recovery Manager 5.x

During the VMware Site Recovery Manager (SRM) installation you may decide to use a custom SSL Certificate (no more SSL warning yay!)

As you may already know SRM come in pair where you have a Site A and a Site B with a vCenter on each site. 

The following properties on the SRM SSL Certificates need to match the vCenter ones and both vCenter need to have identical values on those properties:
  • Organizational Unit Name (OU)
  • Organization Name (O)
  • Country Name (C)
  • State or Province Name (S)
  • Locality Name (L)
Note that properties Organizational Unit Name and Organization Name are mandatory.

On the other hand the property Common Name (CN) need to be identical on both pair (something like "SRM" is appropriated as stated on the VMware KB here)

I will be using a Microsoft CA along with OpenSSL to create my Certificates.

Creating the SSL Certificates CA Template

A specific CA Certificate Template is required about for SRM. See my article about Microsoft CA Template for vSphere 5.x here to create one.

Make sure that the template contains the following properties as it won't work without them:
  • Client Authentication
  • Allow private key to be exported

Creating the OpenSSL Template Files

Alright, let's create our OpenSSL Configuration files for both of our pairs Site A and Site B but first of all let's have a look at our vCenter SSL Certificate properties.

vcenter51.katalykt.lan (Site A)
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
 
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vcenter51, DNS:vcenter51.katalykt.lan
 
[ req_distinguished_name ]
countryName = FR
stateOrProvinceName = Normandie
localityName = Caen
0.organizationName = Katalykt
organizationalUnitName = vCenterServer
commonName = vcenter51.katalykt.lan

vcenter51remote.katalykt.lan (Site B)
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
 
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vcenter51remote, DNS:vcenter51remote.katalykt.lan
 
[ req_distinguished_name ]
countryName = FR
stateOrProvinceName = Normandie
localityName = Caen
0.organizationName = Katalykt
organizationalUnitName = vCenterServer
commonName = vcenter51remote.katalykt.lan

As you can see from above, the following properties are identical on both vCenter:

  • countryName
  • stateOrProvinceName
  • localityName
  • 0.organizationName
  • organizationalUnitName
The values which were filled there need to be present within the SRM SSL Certificates so let's create those template!

srm.cfg (vcenter51.katalykt.lan - Site A)
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
 
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vcenter51.katalykt.lan
 
[ req_distinguished_name ]
countryName = FR
stateOrProvinceName = Normandie
localityName = Caen
0.organizationName = GCM
organizationalUnitName = vCenterServer
commonName = SRM

srm.cfg (vcenter51remote.katalykt.lan - Site B)
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
 
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vcenter51remote.katalykt.lan
 
[ req_distinguished_name ]
countryName = FR
stateOrProvinceName = Normandie
localityName = Caen
0.organizationName = GCM
organizationalUnitName = vCenterServer
commonName = SRM

As you can see from both of those template, we copy the previous vCenter properties back there. Our Common Name "SRM" is identical between our two pairs.

Note that I'm using the FQDN of my vCenter in the Subject Alternative Name (SAN) and that it's possible to add the IP of the vCenter if needed (during the installation you may select either a FQDN or an IP).

By doing so your SAN would look like that:

subjectAltName = IP:10.10.10.100, DNS:vcenter51.katalykt.lan

Generating the SRM SSL Certificates

So we've got a Microsoft CA template by now and our OpenSSL templates are ready. All that's left to do is generate the SSL Certificates!

SRM requires a PKCS12 file so we'll have to create it in the end.

I've made a script below which will do everything by itself (Once more adapt it to your needs). Note that the password in the script is the one you'll have to use during the setup.

The logic is as follow:

  • Create an RSA 2048 private key rui.key
  • Create a Certificate Signing Request rui.csr with the SRM OpenSSL Template
  • Request the SSL Certificate rui.crt from our Microsft CA using our "VMwareSSL" template
  • Create a PKCS12 file rui.p12 which will contain both our private key rui.key and the SSL Certificate rui.crt using the given password ("testpassword" in our case)


Generate_SRM_SSL.bat
REM Change this as needed
Set OPENSSL=c:\OpenSSL-Win32\bin\openssl.exe
Set MSCA=DC1\katalykt-DC1-CA
Set MSCATEMPLATE=VMwareSSL
REM Those are the path to the SRM pair A and B
Set SRMA=c:\OpenSSL-Win32\Certificates\SRM-vcenter51
Set SRMB=c:\OpenSSL-Win32\Certificates\SRM-vcenter51remote
REM This is the password used to encode the pkcs 12 file (has to be entered during the installation)
Set PKCSPASS=testpassword

REM Core processing
echo PROCESSING: SRM SSL Certificate - A
cd /d %SRMA%
%OPENSSL% genrsa 2048 > rui.key
%OPENSSL% req -out rui.csr -key rui.key -new -config srm.cfg
certreq -submit -config %MSCA% -attrib "CertificateTemplate:%MSCATEMPLATE%" rui.csr rui.crt
%OPENSSL% pkcs12 -export -out rui.p12 -inkey rui.key -in rui.crt -passout pass:%PKCSPASS%

echo PROCESSING: SRM SSL Certificate - B
cd /d %SRMB%
%OPENSSL% genrsa 2048 > rui.key
%OPENSSL% req -out rui.csr -key rui.key -new -config srm.cfg
certreq -submit -config %MSCA% -attrib "CertificateTemplate:%MSCATEMPLATE%" rui.csr rui.crt
%OPENSSL% pkcs12 -export -out rui.p12 -inkey rui.key -in rui.crt -passout pass:%PKCSPASS%

Placing the PKCS12 file in SRM

Let's run the SRM setup on our Site A (vcenter51.katalykt.lan)

After a few windows, the setup asks whether we want to use a Self Signed Certificate or a PKCS12 file. We choose the PKCS12 option here!


Alright, we select the rui.p12 which we've generated previously and type the password linked to it ("testpassword" if you didn't change it from the script)


The next window will ask for some information regarding the site such as the Local Site name and the Administrator's E-mail.

Note that the Local Host combo box is quite important and picky as it need to match the Subject Alternative Name (SAN) defined in our template!

As I've only filled the DNS name vcenter51.katalykt.lan in my OpenSSL template I select it from the list.


If everything's fine you should be able to continue the installation normally.

Repeat this for the Site B and you're set!

vendredi 14 mars 2014

Replacing SSL Certificates for VMware vCenter 5.1 / 5.5

Whether it is a fresh install or an existing installation it's a good practice to replace the vCenter solution SSL Certificates.

This operation which used to be a nightmare mixed in java and it's keystore is now oversimplified thanks to the VMware SSL Certificate Automation Tool (as seen here)

If you haven't installed vCenter yet then just go ahead and use the above VMware tool after that everything is installed.

Note that the VMware SSL Certificate Automation Tool has different versions:
  • 1.0.1 shall be used for vCenter 5.1 and vCenter 5.1 Update 1
  • 5.5 shall be used for vCenter 5.5

As usual I'll be using OpenSSL mixed with a Microsoft CA to create my SSL Certificates as I'm replacing the default SSL Certificates of a freshly installed vCenter 5.1.

So we will be replacing the SSL Certificates of those different components and services in this particular order:
  1. Single Sign-On (SSO)
  2. Inventory Service
  3. vCenter
  4. Orchestrator
  5. vSphere Web Client
  6. Log Browser
  7. vSphere Update Manager (VUM)

Let's prepare our structure first of all. I've created a folder called Certificates in my OpenSSL folder which gives me a working path of:

C:\OpenSSL-Win32\Certificates



Within this folder I'm going to create one folder per component:
  • SSO
  • Inventory
  • vCenter
  • Orchestrator
  • WebClient
  • LogBrowser
  • VUM



Creating the OpenSSL Template files

Next, I'll create a configuration file for each of those component in their respective folder:

Note that the property organizationalUnitName need to be different for each component. If you have two or more SSL Certificate with an identical organizationalUnitName then your vCenter may decide to blow itself up.

SSO.cfg
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
 
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vcenter51, DNS:vcenter51.katalykt.lan
 
[ req_distinguished_name ]
countryName = FR
stateOrProvinceName = Normandie
localityName = Caen
0.organizationName = Katalykt
organizationalUnitName = vCenterSSO
commonName = vcenter51.katalykt.lan

Inventory.cfg
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
 
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vcenter51, DNS:vcenter51.katalykt.lan
 
[ req_distinguished_name ]
countryName = FR
stateOrProvinceName = Normandie
localityName = Caen
0.organizationName = Katalykt
organizationalUnitName = vCenterInventoryService
commonName = vcenter51.katalykt.lan

vCenter.cfg
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
 
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vcenter51, DNS:vcenter51.katalykt.lan
 
[ req_distinguished_name ]
countryName = FR
stateOrProvinceName = Normandie
localityName = Caen
0.organizationName = Katalykt
organizationalUnitName = vCenterServer
commonName = vcenter51.katalykt.lan

Orchestrator.cfg
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
 
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vcenter51, DNS:vcenter51.katalykt.lan
 
[ req_distinguished_name ]
countryName = FR
stateOrProvinceName = Normandie
localityName = Caen
0.organizationName = Katalykt
organizationalUnitName = vCenterOrchestrator
commonName = vcenter51.katalykt.lan

WebClient.cfg
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
 
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vcenter51, DNS:vcenter51.katalykt.lan
 
[ req_distinguished_name ]
countryName = FR
stateOrProvinceName = Normandie
localityName = Caen
0.organizationName = Katalykt
organizationalUnitName = vCenterWebClient
commonName = vcenter51.katalykt.lan

LogBrowser.cfg
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
 
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vcenter51, DNS:vcenter51.katalykt.lan
 
[ req_distinguished_name ]
countryName = FR
stateOrProvinceName = Normandie
localityName = Caen
0.organizationName = Katalykt
organizationalUnitName = vCenterLogBrowser
commonName = vcenter51.katalykt.lan

VUM.cfg
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
 
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vcenter51, DNS:vcenter51.katalykt.lan
 
[ req_distinguished_name ]
countryName = FR
stateOrProvinceName = Normandie
localityName = Caen
0.organizationName = Katalykt
organizationalUnitName = VMwareUpdateManager
commonName = vcenter51.katalykt.lan

Retrieving the Root Certificate

Once that those files are created we need to get a Base64 version of our Root Certificate (and of it's Intermediate CA if needed).

Using the CA Web Enrollment is easy as long as it's active on the desired CA (You can also fetch the Root/Intermediate differently, like from the Certificate MMC Snap-in)

First we head toward the home page

http://dc1.katalykt.lan/certsrv

Then we select Download a CA certificate, certificate chain, or CRL in order to retrieve our Root Certificate


We select Download CA certificate chain (this will download the Root Certificate along with the Intermediate CA certificates if needed) and we make sure that Base 64 is selected!




Once that the chain is downloaded we can open it and as we browse toward the Certificates folder our Root  Certificate (and Intermediate if present) will be shown on the right tab.

Using the contextual menu we choose to export it (All Tasks >> Export...)



Let's export it then!


Once more Base-64 prevails


Here as I only have a single CA in this lab I'm naming my file Root64.cer straight away.

Assuming you have an Intermediate CA (or more) you shall name the certificate according to their level:
  • Root CA: Root1.cer
  • Intermediate CA 1: Root2.cer
  • Intermediate CA 2: Root3.cer
This is important if you're in this case as the Root64.cer will be a concatenation of the Intermediate CA(s) along with the Root CA.



Assuming you have Intermediate CA(s):
 - Repeat the export step for each Intermediate CA with the proper name (Root1.cer Root2.cer...)
 - Create a Root64.cer from the concatenation of the Intermediate CA(s) and the Root CA like the following examples:

copy Root2.cer+Root1.cer Root64.cer

copy Root3.cer+Root2.cer+Root1.cer Root64.cer

I'll place my Root64 in my Certificates folder as follow:

C:\OpenSSL-Win32\Certificates\Root64.cer

Creating the SSL Certificates CA Template

A specific CA Certificate Template is required for the vCenter. See my article about Microsoft CA Template for vSphere 5.x here to create one.

Generating the SSL Certificates

Once that our Root64.cer is created we can focus on creating our SSL Certificates

And now that our OpenSSL Template are ready we can just create one big script which will do everything for us (Adapt it to your needs)

This script will do as follow for each component:
  • Create a private key rui.key in RSA 2048
  • Create a Certificate Signing Request from the current OpenSSL Template
  • Submit the previous request to the CA and (hopefully) generate the Certificate rui.crt
  • Create a chain based on the previously generated Certificate and the Root64.cer

Create_SSL.bat
REM Change this according to your needs
Set OPENSSL=c:\OpenSSL-Win32\bin\openssl.exe
Set SSLPATH=c:\OpenSSL-Win32\Certificates
Set MSCA=DC1\katalykt-DC1-CA
Set MSCATEMPLATE=VMwareSSL
 
REM Core processing
echo PROCESSING: vCenter SSL Certificate
cd /d %SSLPATH%\vcenter
%OPENSSL% genrsa 2048 > rui.key
%OPENSSL% req -out rui.csr -key rui.key -new -config vcenter.cfg
certreq -submit -config %MSCA% -attrib "CertificateTemplate:%MSCATEMPLATE%" rui.csr rui.crt
copy /B rui.crt + %SSLPATH%\root64.cer chain.pem
 
echo PROCESSING: Inventory Service SSL Certificate
cd /d %SSLPATH%\Inventory
%OPENSSL% genrsa 2048 > rui.key
%OPENSSL% req -out rui.csr -key rui.key -new -config inventory.cfg
certreq -submit -config %MSCA% -attrib "CertificateTemplate:%MSCATEMPLATE%" rui.csr rui.crt
copy /B rui.crt + %SSLPATH%\root64.cer chain.pem
 
echo PROCESSING: Single Sign-on SSL Certificate
cd /d %SSLPATH%\SSO
%OPENSSL% genrsa 2048 > rui.key
%OPENSSL% req -out rui.csr -key rui.key -new -config SSO.cfg
certreq -submit -config %MSCA% -attrib "CertificateTemplate:%MSCATEMPLATE%" rui.csr rui.crt
copy /B rui.crt + %SSLPATH%\root64.cer chain.pem
 
echo PROCESSING: VMware Update Manager SSL Certificate
cd /d %SSLPATH%\VUM
%OPENSSL% genrsa 2048 > rui.key
%OPENSSL% req -out rui.csr -key rui.key -new -config VUM.cfg
certreq -submit -config %MSCA% -attrib "CertificateTemplate:%MSCATEMPLATE%" rui.csr rui.crt
copy /B rui.crt + %SSLPATH%\root64.cer chain.pem
 
echo PROCESSING: Web Client SSL Certificate
cd /d %SSLPATH%\webclient
%OPENSSL% genrsa 2048 > rui.key
%OPENSSL% req -out rui.csr -key rui.key -new -config webclient.cfg
certreq -submit -config %MSCA% -attrib "CertificateTemplate:%MSCATEMPLATE%" rui.csr rui.crt
copy /B rui.crt + %SSLPATH%\root64.cer chain.pem
 
echo PROCESSING: Log Browser SSL Certificate
cd /d %SSLPATH%\LogBrowser
%OPENSSL% genrsa 2048 > rui.key
%OPENSSL% req -out rui.csr -key rui.key -new -config LogBrowser.cfg
certreq -submit -config %MSCA% -attrib "CertificateTemplate:%MSCATEMPLATE%" rui.csr rui.crt
copy /B rui.crt + %SSLPATH%\root64.cer chain.pem
 
echo PROCESSING: Orchestrator SSL Certificate
cd /d %SSLPATH%\Orchestrator
%OPENSSL% genrsa 2048 > rui.key
%OPENSSL% req -out rui.csr -key rui.key -new -config Orchestrator.cfg
certreq -submit -config %MSCA% -attrib "CertificateTemplate:%MSCATEMPLATE%" rui.csr rui.crt
copy /B rui.crt + %SSLPATH%\root64.cer chain.pem




Replacing the vCenter SSL Certificates

Alright, after that we've managed to create the chain.pem we may use the VMware SSL Certificate Automation Tool to replace our existing SSL Certificates.

I'll be using the version 1.0.1 in this part since my infrastructure is based on vCenter 5.1 (Remember to use the right version of the tool!).

Make sure that you've properly backed up everything (vCenter/Database) before running the tool. Better safe than sorry.

The tool will ask several times for those passwords:
  • vCenter database password
  • SSO admin name and password
  • vCenter admin name and password

If you forgot the vCenter database password you may reset it as follow:
"C:\Program Files\VMware\Infrastructure\VirtualCenter Server\vpxd.exe" -p

Note that version 1.0 of the tool may whine about Orchestrator with a message like "unable to find vco installation"

First of all we want to modify the ssl-environment.bat so that we don't have to type everything over and over again. Adapt it as needed.

ssl-environment.bat
@echo off
set sso_cert_chain=c:\OpenSSL-Win32\Certificates\SSO\chain.pem
set sso_private_key=c:\OpenSSL-Win32\Certificates\SSO\rui.key
set sso_node_type=single
set sso_admin_is_behind_lb=
set sso_lb_certificate=
set sso_lb_hostname=
set is_cert_chain=c:\OpenSSL-Win32\Certificates\Inventory\chain.pem
set is_private_key_new=c:\OpenSSL-Win32\Certificates\Inventory\rui.key
set vc_cert_chain=c:\OpenSSL-Win32\Certificates\vCenter\chain.pem
set vc_private_key=c:\OpenSSL-Win32\Certificates\vCenter\rui.key
set ngc_cert_chain=c:\OpenSSL-Win32\Certificates\WebClient\chain.pem
set ngc_private_key=c:\OpenSSL-Win32\Certificates\WebClient\rui.key
set logbrowser_cert_chain=c:\OpenSSL-Win32\Certificates\LogBrowser\chain.pem
set logbrowser_private_key=c:\OpenSSL-Win32\Certificates\LogBrowser\rui.key
set vco_cert_chain=c:\OpenSSL-Win32\Certificates\Orchestrator\chain.pem
set vco_private_key=c:\OpenSSL-Win32\Certificates\Orchestrator\rui.key
set vum_cert_chain=c:\OpenSSL-Win32\Certificates\VUM\chain.pem
set vum_private_key=c:\OpenSSL-Win32\Certificates\VUM\rui.key
set sso_admin_user=admin@system-domain
set vc_username=administrator
set gen_cert_server_fqdn=
set gen_cert_server_ip=
set gen_cert_server_short_name=
set gen_cert_country=
set gen_cert_state=
set gen_cert_locality_name=
set gen_cert_organization_name=
set gen_cert_organizational_unit_name=
set gen_cert_key_length=2048
set last_error=
set ROLLBACK_BACKUP_FOLDER=%~dp0backup
set LOGS_FOLDER=%~dp0logs
set CSR_OUTPUT_FOLDER=%~dp0requests

All that's left to do is running ssl-updater.bat and update the desired elements (or you may plan everything up ahead)

Remember that the logical update order is as follow:
  1. Single Sign-On (SSO)
  2. Inventory Service
  3. vCenter
  4. Orchestrator
  5. vSphere Web Client
  6. Log Browser
  7. vSphere Update Manager (VUM)


Make sure that everything works by then by checking:

  • WebClient: Check the https interface of the Web Client on port 9443
  • SSO: Check the STS Certificate tab via the Web Client (Sign-on and Discovery > Configuration)
  • vCenter: Check the https interface of the vCenter server on port 443
  • Inventory Service: Check the https interface of the Inventory Service on port 7444
  • Log Browser: Check that the log browser can properly display logs from the Web Client
  • Orchestrator: Check the https interface of the Orchestrator server
  • Update Manager: Check by the Heavy Client that VUM works correctly.

Finally check the different logs entries about potential SSL warnings or errors and you're set!