mardi 18 mars 2014

Using a custom SSL Certificate for VMware Site Recovery Manager 5.x

During the VMware Site Recovery Manager (SRM) installation you may decide to use a custom SSL Certificate (no more SSL warning yay!)

As you may already know SRM come in pair where you have a Site A and a Site B with a vCenter on each site. 

The following properties on the SRM SSL Certificates need to match the vCenter ones and both vCenter need to have identical values on those properties:
  • Organizational Unit Name (OU)
  • Organization Name (O)
  • Country Name (C)
  • State or Province Name (S)
  • Locality Name (L)
Note that properties Organizational Unit Name and Organization Name are mandatory.

On the other hand the property Common Name (CN) need to be identical on both pair (something like "SRM" is appropriated as stated on the VMware KB here)

I will be using a Microsoft CA along with OpenSSL to create my Certificates.

Creating the SSL Certificates CA Template

A specific CA Certificate Template is required about for SRM. See my article about Microsoft CA Template for vSphere 5.x here to create one.

Make sure that the template contains the following properties as it won't work without them:
  • Client Authentication
  • Allow private key to be exported

Creating the OpenSSL Template Files

Alright, let's create our OpenSSL Configuration files for both of our pairs Site A and Site B but first of all let's have a look at our vCenter SSL Certificate properties.

vcenter51.katalykt.lan (Site A)
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
 
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vcenter51, DNS:vcenter51.katalykt.lan
 
[ req_distinguished_name ]
countryName = FR
stateOrProvinceName = Normandie
localityName = Caen
0.organizationName = Katalykt
organizationalUnitName = vCenterServer
commonName = vcenter51.katalykt.lan

vcenter51remote.katalykt.lan (Site B)
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
 
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vcenter51remote, DNS:vcenter51remote.katalykt.lan
 
[ req_distinguished_name ]
countryName = FR
stateOrProvinceName = Normandie
localityName = Caen
0.organizationName = Katalykt
organizationalUnitName = vCenterServer
commonName = vcenter51remote.katalykt.lan

As you can see from above, the following properties are identical on both vCenter:

  • countryName
  • stateOrProvinceName
  • localityName
  • 0.organizationName
  • organizationalUnitName
The values which were filled there need to be present within the SRM SSL Certificates so let's create those template!

srm.cfg (vcenter51.katalykt.lan - Site A)
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
 
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vcenter51.katalykt.lan
 
[ req_distinguished_name ]
countryName = FR
stateOrProvinceName = Normandie
localityName = Caen
0.organizationName = GCM
organizationalUnitName = vCenterServer
commonName = SRM

srm.cfg (vcenter51remote.katalykt.lan - Site B)
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
 
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vcenter51remote.katalykt.lan
 
[ req_distinguished_name ]
countryName = FR
stateOrProvinceName = Normandie
localityName = Caen
0.organizationName = GCM
organizationalUnitName = vCenterServer
commonName = SRM

As you can see from both of those template, we copy the previous vCenter properties back there. Our Common Name "SRM" is identical between our two pairs.

Note that I'm using the FQDN of my vCenter in the Subject Alternative Name (SAN) and that it's possible to add the IP of the vCenter if needed (during the installation you may select either a FQDN or an IP).

By doing so your SAN would look like that:

subjectAltName = IP:10.10.10.100, DNS:vcenter51.katalykt.lan

Generating the SRM SSL Certificates

So we've got a Microsoft CA template by now and our OpenSSL templates are ready. All that's left to do is generate the SSL Certificates!

SRM requires a PKCS12 file so we'll have to create it in the end.

I've made a script below which will do everything by itself (Once more adapt it to your needs). Note that the password in the script is the one you'll have to use during the setup.

The logic is as follow:

  • Create an RSA 2048 private key rui.key
  • Create a Certificate Signing Request rui.csr with the SRM OpenSSL Template
  • Request the SSL Certificate rui.crt from our Microsft CA using our "VMwareSSL" template
  • Create a PKCS12 file rui.p12 which will contain both our private key rui.key and the SSL Certificate rui.crt using the given password ("testpassword" in our case)


Generate_SRM_SSL.bat
REM Change this as needed
Set OPENSSL=c:\OpenSSL-Win32\bin\openssl.exe
Set MSCA=DC1\katalykt-DC1-CA
Set MSCATEMPLATE=VMwareSSL
REM Those are the path to the SRM pair A and B
Set SRMA=c:\OpenSSL-Win32\Certificates\SRM-vcenter51
Set SRMB=c:\OpenSSL-Win32\Certificates\SRM-vcenter51remote
REM This is the password used to encode the pkcs 12 file (has to be entered during the installation)
Set PKCSPASS=testpassword

REM Core processing
echo PROCESSING: SRM SSL Certificate - A
cd /d %SRMA%
%OPENSSL% genrsa 2048 > rui.key
%OPENSSL% req -out rui.csr -key rui.key -new -config srm.cfg
certreq -submit -config %MSCA% -attrib "CertificateTemplate:%MSCATEMPLATE%" rui.csr rui.crt
%OPENSSL% pkcs12 -export -out rui.p12 -inkey rui.key -in rui.crt -passout pass:%PKCSPASS%

echo PROCESSING: SRM SSL Certificate - B
cd /d %SRMB%
%OPENSSL% genrsa 2048 > rui.key
%OPENSSL% req -out rui.csr -key rui.key -new -config srm.cfg
certreq -submit -config %MSCA% -attrib "CertificateTemplate:%MSCATEMPLATE%" rui.csr rui.crt
%OPENSSL% pkcs12 -export -out rui.p12 -inkey rui.key -in rui.crt -passout pass:%PKCSPASS%

Placing the PKCS12 file in SRM

Let's run the SRM setup on our Site A (vcenter51.katalykt.lan)

After a few windows, the setup asks whether we want to use a Self Signed Certificate or a PKCS12 file. We choose the PKCS12 option here!


Alright, we select the rui.p12 which we've generated previously and type the password linked to it ("testpassword" if you didn't change it from the script)


The next window will ask for some information regarding the site such as the Local Site name and the Administrator's E-mail.

Note that the Local Host combo box is quite important and picky as it need to match the Subject Alternative Name (SAN) defined in our template!

As I've only filled the DNS name vcenter51.katalykt.lan in my OpenSSL template I select it from the list.


If everything's fine you should be able to continue the installation normally.

Repeat this for the Site B and you're set!

vendredi 14 mars 2014

Replacing SSL Certificates for VMware vCenter 5.1 / 5.5

Whether it is a fresh install or an existing installation it's a good practice to replace the vCenter solution SSL Certificates.

This operation which used to be a nightmare mixed in java and it's keystore is now oversimplified thanks to the VMware SSL Certificate Automation Tool (as seen here)

If you haven't installed vCenter yet then just go ahead and use the above VMware tool after that everything is installed.

Note that the VMware SSL Certificate Automation Tool has different versions:
  • 1.0.1 shall be used for vCenter 5.1 and vCenter 5.1 Update 1
  • 5.5 shall be used for vCenter 5.5

As usual I'll be using OpenSSL mixed with a Microsoft CA to create my SSL Certificates as I'm replacing the default SSL Certificates of a freshly installed vCenter 5.1.

So we will be replacing the SSL Certificates of those different components and services in this particular order:
  1. Single Sign-On (SSO)
  2. Inventory Service
  3. vCenter
  4. Orchestrator
  5. vSphere Web Client
  6. Log Browser
  7. vSphere Update Manager (VUM)

Let's prepare our structure first of all. I've created a folder called Certificates in my OpenSSL folder which gives me a working path of:

C:\OpenSSL-Win32\Certificates



Within this folder I'm going to create one folder per component:
  • SSO
  • Inventory
  • vCenter
  • Orchestrator
  • WebClient
  • LogBrowser
  • VUM



Creating the OpenSSL Template files

Next, I'll create a configuration file for each of those component in their respective folder:

Note that the property organizationalUnitName need to be different for each component. If you have two or more SSL Certificate with an identical organizationalUnitName then your vCenter may decide to blow itself up.

SSO.cfg
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
 
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vcenter51, DNS:vcenter51.katalykt.lan
 
[ req_distinguished_name ]
countryName = FR
stateOrProvinceName = Normandie
localityName = Caen
0.organizationName = Katalykt
organizationalUnitName = vCenterSSO
commonName = vcenter51.katalykt.lan

Inventory.cfg
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
 
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vcenter51, DNS:vcenter51.katalykt.lan
 
[ req_distinguished_name ]
countryName = FR
stateOrProvinceName = Normandie
localityName = Caen
0.organizationName = Katalykt
organizationalUnitName = vCenterInventoryService
commonName = vcenter51.katalykt.lan

vCenter.cfg
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
 
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vcenter51, DNS:vcenter51.katalykt.lan
 
[ req_distinguished_name ]
countryName = FR
stateOrProvinceName = Normandie
localityName = Caen
0.organizationName = Katalykt
organizationalUnitName = vCenterServer
commonName = vcenter51.katalykt.lan

Orchestrator.cfg
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
 
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vcenter51, DNS:vcenter51.katalykt.lan
 
[ req_distinguished_name ]
countryName = FR
stateOrProvinceName = Normandie
localityName = Caen
0.organizationName = Katalykt
organizationalUnitName = vCenterOrchestrator
commonName = vcenter51.katalykt.lan

WebClient.cfg
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
 
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vcenter51, DNS:vcenter51.katalykt.lan
 
[ req_distinguished_name ]
countryName = FR
stateOrProvinceName = Normandie
localityName = Caen
0.organizationName = Katalykt
organizationalUnitName = vCenterWebClient
commonName = vcenter51.katalykt.lan

LogBrowser.cfg
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
 
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vcenter51, DNS:vcenter51.katalykt.lan
 
[ req_distinguished_name ]
countryName = FR
stateOrProvinceName = Normandie
localityName = Caen
0.organizationName = Katalykt
organizationalUnitName = vCenterLogBrowser
commonName = vcenter51.katalykt.lan

VUM.cfg
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
 
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vcenter51, DNS:vcenter51.katalykt.lan
 
[ req_distinguished_name ]
countryName = FR
stateOrProvinceName = Normandie
localityName = Caen
0.organizationName = Katalykt
organizationalUnitName = VMwareUpdateManager
commonName = vcenter51.katalykt.lan

Retrieving the Root Certificate

Once that those files are created we need to get a Base64 version of our Root Certificate (and of it's Intermediate CA if needed).

Using the CA Web Enrollment is easy as long as it's active on the desired CA (You can also fetch the Root/Intermediate differently, like from the Certificate MMC Snap-in)

First we head toward the home page

http://dc1.katalykt.lan/certsrv

Then we select Download a CA certificate, certificate chain, or CRL in order to retrieve our Root Certificate


We select Download CA certificate chain (this will download the Root Certificate along with the Intermediate CA certificates if needed) and we make sure that Base 64 is selected!




Once that the chain is downloaded we can open it and as we browse toward the Certificates folder our Root  Certificate (and Intermediate if present) will be shown on the right tab.

Using the contextual menu we choose to export it (All Tasks >> Export...)



Let's export it then!


Once more Base-64 prevails


Here as I only have a single CA in this lab I'm naming my file Root64.cer straight away.

Assuming you have an Intermediate CA (or more) you shall name the certificate according to their level:
  • Root CA: Root1.cer
  • Intermediate CA 1: Root2.cer
  • Intermediate CA 2: Root3.cer
This is important if you're in this case as the Root64.cer will be a concatenation of the Intermediate CA(s) along with the Root CA.



Assuming you have Intermediate CA(s):
 - Repeat the export step for each Intermediate CA with the proper name (Root1.cer Root2.cer...)
 - Create a Root64.cer from the concatenation of the Intermediate CA(s) and the Root CA like the following examples:

copy Root2.cer+Root1.cer Root64.cer

copy Root3.cer+Root2.cer+Root1.cer Root64.cer

I'll place my Root64 in my Certificates folder as follow:

C:\OpenSSL-Win32\Certificates\Root64.cer

Creating the SSL Certificates CA Template

A specific CA Certificate Template is required for the vCenter. See my article about Microsoft CA Template for vSphere 5.x here to create one.

Generating the SSL Certificates

Once that our Root64.cer is created we can focus on creating our SSL Certificates

And now that our OpenSSL Template are ready we can just create one big script which will do everything for us (Adapt it to your needs)

This script will do as follow for each component:
  • Create a private key rui.key in RSA 2048
  • Create a Certificate Signing Request from the current OpenSSL Template
  • Submit the previous request to the CA and (hopefully) generate the Certificate rui.crt
  • Create a chain based on the previously generated Certificate and the Root64.cer

Create_SSL.bat
REM Change this according to your needs
Set OPENSSL=c:\OpenSSL-Win32\bin\openssl.exe
Set SSLPATH=c:\OpenSSL-Win32\Certificates
Set MSCA=DC1\katalykt-DC1-CA
Set MSCATEMPLATE=VMwareSSL
 
REM Core processing
echo PROCESSING: vCenter SSL Certificate
cd /d %SSLPATH%\vcenter
%OPENSSL% genrsa 2048 > rui.key
%OPENSSL% req -out rui.csr -key rui.key -new -config vcenter.cfg
certreq -submit -config %MSCA% -attrib "CertificateTemplate:%MSCATEMPLATE%" rui.csr rui.crt
copy /B rui.crt + %SSLPATH%\root64.cer chain.pem
 
echo PROCESSING: Inventory Service SSL Certificate
cd /d %SSLPATH%\Inventory
%OPENSSL% genrsa 2048 > rui.key
%OPENSSL% req -out rui.csr -key rui.key -new -config inventory.cfg
certreq -submit -config %MSCA% -attrib "CertificateTemplate:%MSCATEMPLATE%" rui.csr rui.crt
copy /B rui.crt + %SSLPATH%\root64.cer chain.pem
 
echo PROCESSING: Single Sign-on SSL Certificate
cd /d %SSLPATH%\SSO
%OPENSSL% genrsa 2048 > rui.key
%OPENSSL% req -out rui.csr -key rui.key -new -config SSO.cfg
certreq -submit -config %MSCA% -attrib "CertificateTemplate:%MSCATEMPLATE%" rui.csr rui.crt
copy /B rui.crt + %SSLPATH%\root64.cer chain.pem
 
echo PROCESSING: VMware Update Manager SSL Certificate
cd /d %SSLPATH%\VUM
%OPENSSL% genrsa 2048 > rui.key
%OPENSSL% req -out rui.csr -key rui.key -new -config VUM.cfg
certreq -submit -config %MSCA% -attrib "CertificateTemplate:%MSCATEMPLATE%" rui.csr rui.crt
copy /B rui.crt + %SSLPATH%\root64.cer chain.pem
 
echo PROCESSING: Web Client SSL Certificate
cd /d %SSLPATH%\webclient
%OPENSSL% genrsa 2048 > rui.key
%OPENSSL% req -out rui.csr -key rui.key -new -config webclient.cfg
certreq -submit -config %MSCA% -attrib "CertificateTemplate:%MSCATEMPLATE%" rui.csr rui.crt
copy /B rui.crt + %SSLPATH%\root64.cer chain.pem
 
echo PROCESSING: Log Browser SSL Certificate
cd /d %SSLPATH%\LogBrowser
%OPENSSL% genrsa 2048 > rui.key
%OPENSSL% req -out rui.csr -key rui.key -new -config LogBrowser.cfg
certreq -submit -config %MSCA% -attrib "CertificateTemplate:%MSCATEMPLATE%" rui.csr rui.crt
copy /B rui.crt + %SSLPATH%\root64.cer chain.pem
 
echo PROCESSING: Orchestrator SSL Certificate
cd /d %SSLPATH%\Orchestrator
%OPENSSL% genrsa 2048 > rui.key
%OPENSSL% req -out rui.csr -key rui.key -new -config Orchestrator.cfg
certreq -submit -config %MSCA% -attrib "CertificateTemplate:%MSCATEMPLATE%" rui.csr rui.crt
copy /B rui.crt + %SSLPATH%\root64.cer chain.pem




Replacing the vCenter SSL Certificates

Alright, after that we've managed to create the chain.pem we may use the VMware SSL Certificate Automation Tool to replace our existing SSL Certificates.

I'll be using the version 1.0.1 in this part since my infrastructure is based on vCenter 5.1 (Remember to use the right version of the tool!).

Make sure that you've properly backed up everything (vCenter/Database) before running the tool. Better safe than sorry.

The tool will ask several times for those passwords:
  • vCenter database password
  • SSO admin name and password
  • vCenter admin name and password

If you forgot the vCenter database password you may reset it as follow:
"C:\Program Files\VMware\Infrastructure\VirtualCenter Server\vpxd.exe" -p

Note that version 1.0 of the tool may whine about Orchestrator with a message like "unable to find vco installation"

First of all we want to modify the ssl-environment.bat so that we don't have to type everything over and over again. Adapt it as needed.

ssl-environment.bat
@echo off
set sso_cert_chain=c:\OpenSSL-Win32\Certificates\SSO\chain.pem
set sso_private_key=c:\OpenSSL-Win32\Certificates\SSO\rui.key
set sso_node_type=single
set sso_admin_is_behind_lb=
set sso_lb_certificate=
set sso_lb_hostname=
set is_cert_chain=c:\OpenSSL-Win32\Certificates\Inventory\chain.pem
set is_private_key_new=c:\OpenSSL-Win32\Certificates\Inventory\rui.key
set vc_cert_chain=c:\OpenSSL-Win32\Certificates\vCenter\chain.pem
set vc_private_key=c:\OpenSSL-Win32\Certificates\vCenter\rui.key
set ngc_cert_chain=c:\OpenSSL-Win32\Certificates\WebClient\chain.pem
set ngc_private_key=c:\OpenSSL-Win32\Certificates\WebClient\rui.key
set logbrowser_cert_chain=c:\OpenSSL-Win32\Certificates\LogBrowser\chain.pem
set logbrowser_private_key=c:\OpenSSL-Win32\Certificates\LogBrowser\rui.key
set vco_cert_chain=c:\OpenSSL-Win32\Certificates\Orchestrator\chain.pem
set vco_private_key=c:\OpenSSL-Win32\Certificates\Orchestrator\rui.key
set vum_cert_chain=c:\OpenSSL-Win32\Certificates\VUM\chain.pem
set vum_private_key=c:\OpenSSL-Win32\Certificates\VUM\rui.key
set sso_admin_user=admin@system-domain
set vc_username=administrator
set gen_cert_server_fqdn=
set gen_cert_server_ip=
set gen_cert_server_short_name=
set gen_cert_country=
set gen_cert_state=
set gen_cert_locality_name=
set gen_cert_organization_name=
set gen_cert_organizational_unit_name=
set gen_cert_key_length=2048
set last_error=
set ROLLBACK_BACKUP_FOLDER=%~dp0backup
set LOGS_FOLDER=%~dp0logs
set CSR_OUTPUT_FOLDER=%~dp0requests

All that's left to do is running ssl-updater.bat and update the desired elements (or you may plan everything up ahead)

Remember that the logical update order is as follow:
  1. Single Sign-On (SSO)
  2. Inventory Service
  3. vCenter
  4. Orchestrator
  5. vSphere Web Client
  6. Log Browser
  7. vSphere Update Manager (VUM)


Make sure that everything works by then by checking:

  • WebClient: Check the https interface of the Web Client on port 9443
  • SSO: Check the STS Certificate tab via the Web Client (Sign-on and Discovery > Configuration)
  • vCenter: Check the https interface of the vCenter server on port 443
  • Inventory Service: Check the https interface of the Inventory Service on port 7444
  • Log Browser: Check that the log browser can properly display logs from the Web Client
  • Orchestrator: Check the https interface of the Orchestrator server
  • Update Manager: Check by the Heavy Client that VUM works correctly.

Finally check the different logs entries about potential SSL warnings or errors and you're set!

mercredi 12 mars 2014

Preparing a Microsoft CA SSL Certificate Template for vSphere 5.x

Creating an SSL certificate for either VMware vCenter or ESXi requires some specific properties from the Template that will be used to generate them (as shown here).

As stated in the KB:
Starting from Windows Server 2008 and later some properties are no longer present on the Web Server template by default such as:
  • Data Encipherment
  • Nonrepudiation
  • Client Authentication

While vSphere 5.0 requires the use of Nonrepudiation and Client Authentication on the Generated Certificate vSphere 5.1 and 5.5 only require Data Encipherment on them.

Note that it won't hurt to have properties like Nonrepudiation or Client Authentication on 5.1 or 5.5 environments.

Keep in mind that if you plan on using a custom SSL Certificate for VMware Site Recovery Manager (SRM) then you need those properties on the template:
  • Client Authentication
  • Allow private key to be exported

So let's get started!

First of all let's go in our Certification Authority to find our Certificate Templates And select Manage from the contextual menu (or you may use the shortcut certtmpl.msc to go straight to the template console)



Now let's duplicate our Web Server template by using the contextual menu action Duplicate Template



Make sure to select Windows Server 2003 Enterprise as a Minimal Supported CA


Alright, the template just has to be tuned by now!

In the main windows we're going to name our template VMware SSL (note the difference between the display name and the template name, the display name has an escape character while the template name doesn't).

The template name shall be used by tools like certreq, so all upcoming requests shall be adressed to VMwareSSL.


In the Extensions tab we'll start by adding the Client Authentication to the Application Policies (Client Authentication is only needed for vSphere 5.0 but it won't hurt to add it).

Note that VMware Site Recovery Manager (SRM) need the Client Authentication property.


Next we're going to Edit the Key Usage and tick Allow encryption of user data and optionally if you're still on vSphere 5.0 (or below) Signature is proof of origin (nonrepudiation)



If you plan on having and replacing the SSL Certificates for VMware Site Recovery Manager (SRM) in your Infrastructure then make sure that Allow private key to be exported is selected (You can also create another template for it).


Let's make sure that Supply in the request is selected in the Subject Name and we're done


The template is now created. All that's left to do is Issue it to the available Certificate Template of the CA.


Let's Issue the template by using New >> Certificate Template to Issue  from the contextual menu over the Certificate Templates folder


Here we simply select our VMware SSL template and we click on Ok.


Our template is now ready to be used!


lundi 10 mars 2014

Replacing VMware ESXi SSL Certificate

Replacing the default ESXi Certificate is a good security practice. Most vSphere components rely on SSL Certificate for encrypted communication.

The SSL Certificate on an ESXi need to be in an x509 v3 format (See "Replacing Default vCenter 5.1 and ESXi Certificates" here for more information)

I will be using OpenSSL to create the Certificate request before signing it via my Microsoft AD CS.

Let's get started! Here's the OpenSSL template that I'll use for my ESXi (5.1):

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
 
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:esxi02, DNS:esxi02.katalykt.lan
 
[ req_distinguished_name ]
countryName = FR
stateOrProvinceName = Normandie
localityName = Caen
0.organizationName = Katalykt
organizationalUnitName = ESXi
commonName = esxi02.katalykt.lan

Note that the Common Name (commonName) shall match the FQDN of the ESXi.

So here's my esxi.cfg which contains the above OpenSSL template


Let's start by generating our Private Key rui.key using an RSA 2048 encryption. (Make sure that the Command Prompt is launched by using the "Run as Administrator" feature on Windows)

c:\OpenSSL-Win32\bin\openssl.exe genrsa 2048 > rui.key


Now let's create a Certificate Signing Request (CSR) rui.csr using our Private Key rui.key and our template esxi.cfg

c:\OpenSSL-Win32\bin\openssl.exe req -out rui.csr -key rui.key -new -config esxi.cfg



Once that our CSR file is ready, we're about to submit it to the Microsoft CA. In this case I'll be using the certreq tool (you can also use the web interface to submit it if available)

Note that I'm using a Template called VMwareSSL (See my article about Microsoft CA Template for vSphere 5.x here for more information about the template's properties)

Note that "DC1\katalykt-DC1-CA" refers to my Microsoft CA's name and that the template name specified matches the "Template Name" of the certificate (not the display name!)



certreq -submit -config "DC1\katalykt-DC1-CA" -attrib "CertificateTemplate:VMwareSSL" rui.csr rui.crt



Alright, if everything goes smooth we should have a rui.crt in our folder. Let's convert it to an x509 format so that our ESXi may understand it.

c:\OpenSSL-Win32\bin\openssl.exe x509 -in rui.crt -out rui.crt



And tadaaa! we just have to place the rui.crt and the rui.key (Certificate & Private Key) on our ESXi. This operation can be done with different tools and may be automated with vSphere CLI or even Power CLI.

After activating SSH on my ESXi I've decide to use WinSCP to copy my certificates over there.



We want to go at /etc/vmware/ssl in order to replace both the existing Private key and it's SSL Certificate


I'll be moving the current SSL Certificate in a folder called ssl_default (The certificate and it's key can be moved safely).



So let's copy the new SSL certificate and it's key on the ESXi.




After a restart of the management agents, our ESXi will proudly display it's brand new SSL Certificate as valid!






Make sure that the CA Root Certificate which signed our ESXi (in our case our "katalykt-DC1-CA") is installed within the "Trusted Root Certification Authorities" of the vCenter server.

If it hasn't be done already, the steps to import are pretty much straightforward:

  • Run mmc.exe on the vCenter Server
  • Select Add/Remove Snap-in...
  • Select Certificates
  • Tick Computer Account
  • Select Local Computer
  • Import the Root CA within on the Certificates folder present within Trusted Root Certification Authorities