Monday, 10 March 2014

Replacing VMware ESXi SSL Certificate

Replacing the default ESXi certificate is good security practice: most vSphere components rely on SSL certificates for encrypted communication.

The SSL certificate on an ESXi host needs to be in X.509 v3 format (see "Replacing Default vCenter 5.1 and ESXi Certificates" here for more information).

I will be using OpenSSL to create the certificate request before signing it with my Microsoft AD CS.

Let's get started! Here's the OpenSSL template that I'll use for my ESXi (5.1):

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
 
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:esxi02, DNS:esxi02.katalykt.lan
 
[ req_distinguished_name ]
countryName = FR
stateOrProvinceName = Normandie
localityName = Caen
0.organizationName = Katalykt
organizationalUnitName = ESXi
commonName = esxi02.katalykt.lan

Note that the Common Name (commonName) must match the FQDN of the ESXi host.

So here's my esxi.cfg, which contains the OpenSSL template above.

Let's start by generating our private key rui.key as a 2048-bit RSA key. (Make sure that the Command Prompt is launched with "Run as Administrator" on Windows.)

c:\OpenSSL-Win32\bin\openssl.exe genrsa 2048 > rui.key

Now let's create a Certificate Signing Request (CSR), rui.csr, using our private key rui.key and our template esxi.cfg:

c:\OpenSSL-Win32\bin\openssl.exe req -out rui.csr -key rui.key -new -config esxi.cfg

Once our CSR file is ready, we submit it to the Microsoft CA. In this case I'll be using the certreq tool (you can also use the CA web interface to submit it, if available).

Note that I'm using a template called VMwareSSL (see my article about Microsoft CA templates for vSphere 5.x here for more information about the template's properties).

Note that "DC1\katalykt-DC1-CA" refers to my Microsoft CA's name, and that the template name specified must match the certificate template's "Template Name" (not its display name!).

certreq -submit -config "DC1\katalykt-DC1-CA" -attrib "CertificateTemplate:VMwareSSL" rui.csr rui.crt

Alright, if everything goes smoothly we should have a rui.crt in our folder. Let's convert it to the X.509 format that ESXi expects:

c:\OpenSSL-Win32\bin\openssl.exe x509 -in rui.crt -out rui.crt
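
To tie the steps above together on a Unix-like shell, here is an added example (it is not code from the original post, nor VMware's or Microsoft's tooling): the script writes the post's esxi.cfg template, generates rui.key and rui.csr exactly as the commands above do, checks the CSR before it goes to the CA, and checks the issued certificate after it comes back. The AD CS signing step cannot run here and is still done with certreq; the ca.crt file (the CA root saved locally in PEM form) and the rui_signed.crt output name are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post.  Prepares an ESXi
# certificate request with OpenSSL and checks the result; the signing
# itself is still done by the CA (certreq in the post).
set -eu

FQDN="esxi02.katalykt.lan"   # must equal the host's FQDN (CN and SAN)
SHORT="esxi02"

# Write the post's OpenSSL template to esxi.cfg in the current directory.
write_config() {
    cat > esxi.cfg <<EOF
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:$SHORT, DNS:$FQDN

[ req_distinguished_name ]
countryName = FR
stateOrProvinceName = Normandie
localityName = Caen
0.organizationName = Katalykt
organizationalUnitName = ESXi
commonName = $FQDN
EOF
}

# 2048-bit RSA private key and CSR, same as the two openssl commands above.
make_key_and_csr() {
    openssl genrsa -out rui.key 2048 2>/dev/null
    openssl req -new -key rui.key -config esxi.cfg -out rui.csr
}

# Before submitting: the CSR must carry the v3 extensions and CN == FQDN,
# otherwise the CA may issue a certificate ESXi will not accept.
check_csr() {
    txt=$(openssl req -in "$1" -noout -text)
    echo "$txt" | grep -q "Subject:.*CN *= *$FQDN"          || return 1
    echo "$txt" | grep -q "DNS:$FQDN"                       || return 1
    echo "$txt" | grep -q "TLS Web Server Authentication"   || return 1
}

# The post's conversion step, written to a separate file so the input is
# never truncated.  Accepts whatever the CA returned (PEM or DER).
to_pem() {
    openssl x509 -in "$1" -out "$2" 2>/dev/null ||
        openssl x509 -inform DER -in "$1" -out "$2"
}

# After issuance: X.509 v3, SAN covers the FQDN, public key matches
# rui.key, and the chain verifies against the CA root that vCenter trusts.
check_cert() {
    crt=$1; key=$2; ca=$3
    txt=$(openssl x509 -in "$crt" -noout -text)
    echo "$txt" | grep -q "Version: 3" || return 1
    echo "$txt" | grep -q "DNS:$FQDN"  || return 1
    [ "$(openssl x509 -in "$crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$key" -pubout)" ] || return 1
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1
}

write_config
make_key_and_csr
check_csr rui.csr || { echo "rui.csr does not carry the expected CN/SAN/EKU"; exit 1; }
echo "rui.csr is ready: submit it to the CA (certreq in the post)"
# Once the CA has returned rui.crt (ca.crt = the CA root, an assumed file name):
#   to_pem rui.crt rui_signed.crt && check_cert rui_signed.crt rui.key ca.crt
```

check_cert is the part worth keeping: a certificate whose public key does not match rui.key, that lacks the SAN, or that does not chain to the root you will import on vCenter will be rejected by the host or flagged as invalid, and this catches all three before the files ever leave the workstation.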

And tadaaa! Now we just have to place rui.crt and rui.key (certificate and private key) on our ESXi host. This operation can be done with different tools and may be automated with vSphere CLI or even PowerCLI.

After enabling SSH on my ESXi host, I decided to use WinSCP to copy the certificate and key over.

We want to go to /etc/vmware/ssl in order to replace both the existing private key and its SSL certificate.

I'll be moving the current SSL certificate into a folder called ssl_default (the certificate and its key can be moved safely).

So let's copy the new SSL certificate and its key onto the ESXi host.

After a restart of the management agents, our ESXi host will proudly display its brand new SSL certificate as valid!
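
As an added example (not from the original post, and not VMware's own tooling), here is the same copy done over SSH from a Unix-like admin workstation instead of WinSCP, followed by a check that the host really serves the new certificate once the management agents are back. It assumes SSH is enabled on the host with root login permitted, that the agents are restarted with /sbin/services.sh restart (the usual ESXi command, assumed here), and that the CA root is saved locally as ca.crt; ESXI_HOST and the served.crt name are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: push rui.crt/rui.key to an
# ESXi host over SSH (same effect as the WinSCP copy above), keep the
# defaults in ssl_default, restart the management agents and confirm the
# host now presents the new certificate.  Host name and paths are assumed.
set -eu

ESXI_HOST="${ESXI_HOST:-esxi02.katalykt.lan}"   # placeholder FQDN
SSL_DIR="/etc/vmware/ssl"

# SHA-256 fingerprint (colon-separated hex) of a PEM certificate file.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# True when two PEM certificate files contain the same certificate.
certs_match() {
    [ "$(fingerprint "$1")" = "$(fingerprint "$2")" ]
}

# Fetch the certificate a TLS server presents on port 443 into a PEM file.
served_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -out "$2"
}

# Move the current pair into ssl_default, install the new pair with the
# key readable by root only, then restart the management agents
# (assumed ESXi command: /sbin/services.sh restart).
install_cert() {
    host=$1; crt=$2; key=$3
    ssh "root@$host" "mkdir -p $SSL_DIR/ssl_default && \
        mv -f $SSL_DIR/rui.crt $SSL_DIR/rui.key $SSL_DIR/ssl_default/ 2>/dev/null || true"
    scp "$crt" "root@$host:$SSL_DIR/rui.crt"
    scp "$key" "root@$host:$SSL_DIR/rui.key"
    ssh "root@$host" "chmod 400 $SSL_DIR/rui.key && chmod 644 $SSL_DIR/rui.crt && /sbin/services.sh restart"
}

# Usage: ESXI_HOST=esxi02.katalykt.lan sh deploy.sh install
if [ "${1:-}" = "install" ]; then
    install_cert "$ESXI_HOST" rui.crt rui.key
    sleep 30                                   # give hostd time to come back
    served_cert "$ESXI_HOST" served.crt
    certs_match rui.crt served.crt && echo "$ESXI_HOST now serves the new certificate"
    openssl verify -CAfile ca.crt served.crt   # chain must end at the root vCenter trusts
fi
```

The fingerprint comparison is the same check you would do by eye in the vSphere Client's certificate dialog, only it cannot be fooled by a stale browser cache, and the final openssl verify against ca.crt tells you in advance whether vCenter will accept the host once that same root is in its trusted store.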

Make sure that the Root CA certificate which signed our ESXi certificate (in our case "katalykt-DC1-CA") is installed in the "Trusted Root Certification Authorities" store of the vCenter Server.

If this hasn't been done already, the steps to import it are pretty much straightforward:

  • Run mmc.exe on the vCenter Server
  • Select Add/Remove Snap-in...
  • Select Certificates
  • Tick Computer Account
  • Select Local Computer
  • Import the Root CA into the Certificates folder under Trusted Root Certification Authorities
