The SSL Certificate on an ESXi host needs to be in x509 v3 format (see "Replacing Default vCenter 5.1 and ESXi Certificates" here for more information).
I will be using OpenSSL to create the Certificate request before signing it via my Microsoft AD CS.
Let's get started! Here's the OpenSSL template that I'll use for my ESXi (5.1):
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:esxi02, DNS:esxi02.katalykt.lan

[ req_distinguished_name ]
countryName = FR
stateOrProvinceName = Normandie
localityName = Caen
0.organizationName = Katalykt
organizationalUnitName = ESXi
commonName = esxi02.katalykt.lan
Note that the Common Name (commonName) must match the FQDN of the ESXi host.
So here's my esxi.cfg, which contains the above OpenSSL template.
Let's start by generating our Private Key rui.key as a 2048-bit RSA key. (Make sure that the Command Prompt is launched with "Run as Administrator" on Windows.)
c:\OpenSSL-Win32\bin\openssl.exe genrsa 2048 > rui.key
Now let's create a Certificate Signing Request (CSR) rui.csr using our Private Key rui.key and our template esxi.cfg:
c:\OpenSSL-Win32\bin\openssl.exe req -out rui.csr -key rui.key -new -config esxi.cfg
Once our CSR file is ready, we submit it to the Microsoft CA. In this case I'll be using the certreq tool (you can also use the web interface to submit it, if available).
Note that I'm using a Template called VMwareSSL (see my article about Microsoft CA Templates for vSphere 5.x here for more information about the template's properties).
Note that "DC1\katalykt-DC1-CA" refers to my Microsoft CA's name and that the template name specified must match the "Template Name" of the certificate template (not its display name!):
certreq -submit -config "DC1\katalykt-DC1-CA" -attrib "CertificateTemplate:VMwareSSL" rui.csr rui.crt
Alright, if everything goes smoothly we should have a rui.crt in our folder. Let's convert it to x509 format so that our ESXi can read it:
c:\OpenSSL-Win32\bin\openssl.exe x509 -in rui.crt -out rui.crt
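Before copying anything to the host, it is worth checking that the pair you just produced actually satisfies what ESXi and vCenter will expect: x509 v3, a key that matches the certificate, the FQDN present as a DNS subjectAltName, a serverAuth EKU, and a chain back to the CA root. The script below is an added example and is not part of the original post or of VMware's tooling. It assumes the openssl CLI is on PATH; make_demo_pki, check_esxi_cert and the "Demo Root CA" are constructed for this example and stand in for the Microsoft CA and the certreq step, which only exist on Windows. The template it writes is the esxi.cfg from the post, with the host name taken from the FQDN argument.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check for an ESXi
# certificate pair before it is copied to /etc/vmware/ssl.
# Assumes the openssl CLI is on PATH. The throwaway CA built by make_demo_pki
# is a constructed stand-in for the Microsoft CA used in the post.

# check_esxi_cert CRT KEY CA_CRT FQDN -> 0 if usable, 1 (with a reason) if not
check_esxi_cert() {
  crt=$1; key=$2; ca=$3; fqdn=$4
  text=$(openssl x509 -in "$crt" -noout -text 2>/dev/null) ||
    { echo "FAIL: $crt is not a PEM X.509 certificate"; return 1; }
  # ESXi needs an x509 v3 certificate (the template's extensions require v3)
  printf '%s\n' "$text" | grep -q 'Version: 3' ||
    { echo "FAIL: certificate is not X.509 v3"; return 1; }
  # the private key must belong to this certificate: compare the public keys
  crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
    { echo "FAIL: $key is not a readable private key"; return 1; }
  [ "$crt_pub" = "$key_pub" ] ||
    { echo "FAIL: $key does not match $crt"; return 1; }
  # the host FQDN must be a DNS SAN; clients no longer rely on the CN alone
  printf '%s\n' "$text" | grep -qE "DNS:$fqdn"'(,|$)' ||
    { echo "FAIL: no subjectAltName DNS:$fqdn"; return 1; }
  # serverAuth is the EKU vCenter and browsers expect from a host certificate
  printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' ||
    { echo "FAIL: extendedKeyUsage lacks serverAuth"; return 1; }
  # it must chain to the root that vCenter has in Trusted Root CAs
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
    { echo "FAIL: $crt does not chain to $ca"; return 1; }
  echo "OK: $crt and $key are ready for /etc/vmware/ssl"
}

# make_demo_pki DIR FQDN: build a throwaway root CA and issue an ESXi
# certificate from the post's OpenSSL template (constructed test fixture)
make_demo_pki() {
  dir=$1; fqdn=$2; host=${fqdn%%.*}
  cat > "$dir/esxi.cfg" <<EOF
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:$host, DNS:$fqdn

[ req_distinguished_name ]
countryName = FR
stateOrProvinceName = Normandie
localityName = Caen
0.organizationName = Katalykt
organizationalUnitName = ESXi
commonName = $fqdn
EOF
  # constructed stand-in for the Microsoft CA
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$dir/ca.key" -subj "/CN=Demo Root CA" \
    -days 1 -out "$dir/ca.crt" 2>/dev/null
  # same two steps as the post: private key, then CSR from the template
  openssl genrsa -out "$dir/rui.key" 2048 2>/dev/null
  openssl req -new -key "$dir/rui.key" -config "$dir/esxi.cfg" -out "$dir/rui.csr"
  # sign the CSR; -extfile/-extensions put the v3_req extensions into the
  # certificate, since "x509 -req" does not carry them over from the CSR by default
  openssl x509 -req -in "$dir/rui.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -extfile "$dir/esxi.cfg" -extensions v3_req \
    -out "$dir/rui.crt" 2>/dev/null
}

# usage: sh check_esxi_cert.sh --demo   (or call check_esxi_cert on real files)
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  make_demo_pki "$tmp" esxi02.katalykt.lan
  check_esxi_cert "$tmp/rui.crt" "$tmp/rui.key" "$tmp/ca.crt" esxi02.katalykt.lan
fi
```

On Windows the same five checks run unchanged with openssl.exe against the rui.crt produced by certreq; the chain check needs the CA root exported as a PEM file. The public-key comparison is the one that catches the classic mistake of regenerating rui.key after the CSR was submitted.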
And tadaaa! We just have to place rui.crt and rui.key (Certificate & Private Key) on our ESXi. This can be done with different tools and may be automated with vSphere CLI or even PowerCLI.
After activating SSH on my ESXi I've decided to use WinSCP to copy my certificates over there.
We want to go to /etc/vmware/ssl in order to replace both the existing Private Key and its SSL Certificate.
I'll be moving the current SSL Certificate into a folder called ssl_default (the certificate and its key can be moved safely).
So let's copy the new SSL Certificate and its key onto the ESXi.
After a restart of the management agents, our ESXi will proudly display its brand new SSL Certificate as valid!
Make sure that the CA Root Certificate which signed our ESXi certificate (in our case "katalykt-DC1-CA") is installed in the "Trusted Root Certification Authorities" store of the vCenter server.
If it hasn't been done already, the steps to import it are straightforward:
- Run mmc.exe on the vCenter Server
- Select Add/Remove Snap-in...
- Select Certificates
- Tick Computer Account
- Select Local Computer
- Import the Root CA certificate into the Certificates folder under Trusted Root Certification Authorities