This operation, which used to be a nightmare of Java and its keystore, is now greatly simplified thanks to the VMware SSL Certificate Automation Tool (as seen here).
If you haven't installed vCenter yet, install it first and use the VMware tool above once everything is in place.
Note that the VMware SSL Certificate Automation Tool has different versions:
- 1.0.1 shall be used for vCenter 5.1 and vCenter 5.1 Update 1
- 5.5 shall be used for vCenter 5.5
As usual I'll be using OpenSSL together with a Microsoft CA to create my SSL Certificates, as I'm replacing the default SSL Certificates of a freshly installed vCenter 5.1.
So we will be replacing the SSL Certificates of the following components and services, in this particular order:
- Single Sign-On (SSO)
- Inventory Service
- vCenter
- Orchestrator
- vSphere Web Client
- Log Browser
- vSphere Update Manager (VUM)
First of all, let's prepare our folder structure. I've created a folder called Certificates in my OpenSSL folder, which gives me a working path of:
C:\OpenSSL-Win32\Certificates
Within this folder I'm going to create one folder per component:
- SSO
- Inventory
- vCenter
- Orchestrator
- WebClient
- LogBrowser
- VUM
Creating the OpenSSL Template files
Next, I'll create a configuration file for each of those components in its respective folder.
Note that the organizationalUnitName property needs to be different for each component. If two or more SSL Certificates share an identical organizationalUnitName, your vCenter may decide to blow itself up.
SSO.cfg
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vcenter51, DNS:vcenter51.katalykt.lan

[ req_distinguished_name ]
countryName = FR
stateOrProvinceName = Normandie
localityName = Caen
0.organizationName = Katalykt
organizationalUnitName = vCenterSSO
commonName = vcenter51.katalykt.lan
Inventory.cfg
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vcenter51, DNS:vcenter51.katalykt.lan

[ req_distinguished_name ]
countryName = FR
stateOrProvinceName = Normandie
localityName = Caen
0.organizationName = Katalykt
organizationalUnitName = vCenterInventoryService
commonName = vcenter51.katalykt.lan
vCenter.cfg
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vcenter51, DNS:vcenter51.katalykt.lan

[ req_distinguished_name ]
countryName = FR
stateOrProvinceName = Normandie
localityName = Caen
0.organizationName = Katalykt
organizationalUnitName = vCenterServer
commonName = vcenter51.katalykt.lan
Orchestrator.cfg
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vcenter51, DNS:vcenter51.katalykt.lan

[ req_distinguished_name ]
countryName = FR
stateOrProvinceName = Normandie
localityName = Caen
0.organizationName = Katalykt
organizationalUnitName = vCenterOrchestrator
commonName = vcenter51.katalykt.lan
WebClient.cfg
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vcenter51, DNS:vcenter51.katalykt.lan

[ req_distinguished_name ]
countryName = FR
stateOrProvinceName = Normandie
localityName = Caen
0.organizationName = Katalykt
organizationalUnitName = vCenterWebClient
commonName = vcenter51.katalykt.lan
LogBrowser.cfg
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vcenter51, DNS:vcenter51.katalykt.lan

[ req_distinguished_name ]
countryName = FR
stateOrProvinceName = Normandie
localityName = Caen
0.organizationName = Katalykt
organizationalUnitName = vCenterLogBrowser
commonName = vcenter51.katalykt.lan
VUM.cfg
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vcenter51, DNS:vcenter51.katalykt.lan

[ req_distinguished_name ]
countryName = FR
stateOrProvinceName = Normandie
localityName = Caen
0.organizationName = Katalykt
organizationalUnitName = VMwareUpdateManager
commonName = vcenter51.katalykt.lan
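Before generating any CSR it is worth checking the seven templates mechanically, since a duplicated organizationalUnitName is exactly the kind of mistake that is easy to make while copy-pasting. The following script is an added example and is not code from the original post: it parses .cfg files in the layout shown above and reports a duplicated OU, a commonName other than the expected FQDN, a subjectAltName that misses the short or fully qualified name, or a key size other than 2048. Folder and file names follow the post's layout; the sample templates at the bottom are constructed test data.

```python
"""Pre-flight check of the per-component OpenSSL request templates."""
import re
from pathlib import Path

COMPONENTS = ["SSO", "Inventory", "vCenter", "Orchestrator", "WebClient", "LogBrowser", "VUM"]


def parse_openssl_cfg(text):
    """Minimal parser for the '[ section ]' / 'key = value' layout used by openssl req."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        header = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if current is None or not sep:
            raise ValueError(f"unexpected line: {raw!r}")
        sections[current][key.strip()] = value.strip()
    return sections


def san_dns_names(cfg):
    """DNS entries of subjectAltName in [ v3_req ], in file order."""
    san = cfg.get("v3_req", {}).get("subjectAltName", "")
    return [part.strip()[4:] for part in san.split(",") if part.strip().startswith("DNS:")]


def check_templates(templates, fqdn, short_name):
    """templates: {component: cfg text}. Returns a list of problems; empty means OK."""
    problems, ou_owner = [], {}
    for name, text in templates.items():
        cfg = parse_openssl_cfg(text)
        dn = cfg.get("req_distinguished_name", {})
        ou = dn.get("organizationalUnitName")
        if not ou:
            problems.append(f"{name}: organizationalUnitName is missing")
        elif ou in ou_owner:   # the caveat from the post: every component needs its own OU
            problems.append(f"{name}: organizationalUnitName {ou!r} already used by {ou_owner[ou]}")
        else:
            ou_owner[ou] = name
        if dn.get("commonName") != fqdn:
            problems.append(f"{name}: commonName {dn.get('commonName')!r} != {fqdn!r}")
        names = san_dns_names(cfg)
        for wanted in (short_name, fqdn):
            if wanted not in names:
                problems.append(f"{name}: subjectAltName lacks DNS:{wanted}")
        if cfg.get("req", {}).get("default_bits") != "2048":
            problems.append(f"{name}: default_bits is not 2048")
    return problems


def load_templates(base_dir):
    """Read <base_dir>\\<Component>\\<Component>.cfg for every component folder of the post."""
    return {c: (Path(base_dir) / c / f"{c}.cfg").read_text() for c in COMPONENTS}


# Constructed sample in the same layout as the post's files; {ou} is filled in per component.
SAMPLE_TEMPLATE = """[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vcenter51, DNS:vcenter51.katalykt.lan
[ req_distinguished_name ]
countryName = FR
stateOrProvinceName = Normandie
localityName = Caen
0.organizationName = Katalykt
organizationalUnitName = {ou}
commonName = vcenter51.katalykt.lan
"""


def sample_templates(ou_per_component):
    """Build {component: cfg text} from {component: OU} using the constructed sample."""
    return {name: SAMPLE_TEMPLATE.format(ou=ou) for name, ou in ou_per_component.items()}


if __name__ == "__main__":
    good = sample_templates({"SSO": "vCenterSSO", "vCenter": "vCenterServer"})
    bad = sample_templates({"SSO": "vCenterSSO", "vCenter": "vCenterSSO"})
    print("good:", check_templates(good, "vcenter51.katalykt.lan", "vcenter51") or "OK")
    print("bad: ", check_templates(bad, "vcenter51.katalykt.lan", "vcenter51"))
    # Against the real folders:
    # check_templates(load_templates(r"C:\OpenSSL-Win32\Certificates"), "vcenter51.katalykt.lan", "vcenter51")
```

Run it once against C:\OpenSSL-Win32\Certificates before launching Create_SSL.bat; an empty list means every template has its own OU and the names the Web Client and the other services will later be validated against.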
Retrieving the Root Certificate
Once those files are created, we need a Base64 version of our Root Certificate (and of its Intermediate CA(s) if any).
Using the CA Web Enrollment is easy as long as it's active on the desired CA (you can also fetch the Root/Intermediate certificates differently, for instance from the Certificates MMC snap-in).
First we head toward the home page
http://dc1.katalykt.lan/certsrv
Then we select Download a CA certificate, certificate chain, or CRL in order to retrieve our Root Certificate
We select Download CA certificate chain (this will download the Root Certificate along with the Intermediate CA certificates if needed) and we make sure that Base 64 is selected!
Once the chain is downloaded we can open it; browsing to the Certificates folder shows our Root Certificate (and Intermediate if present) in the right-hand pane.
Using the contextual menu we choose to export it (All Tasks >> Export...)
Let's export it then!
Once more Base-64 prevails
Here, as I only have a single CA in this lab, I'm naming my file Root64.cer straight away.
If you have an Intermediate CA (or more), name the certificates according to their level:
- Root CA: Root1.cer
- Intermediate CA 1: Root2.cer
- Intermediate CA 2: Root3.cer
This matters in that case because Root64.cer will be a concatenation of the Intermediate CA(s) and the Root CA.
Assuming you have Intermediate CA(s):
- Repeat the export step for each Intermediate CA with the proper name (Root1.cer Root2.cer...)
- Create a Root64.cer from the concatenation of the Intermediate CA(s) and the Root CA like the following examples:
copy Root2.cer+Root1.cer Root64.cer
copy Root3.cer+Root2.cer+Root1.cer Root64.cer
I'll place my Root64 in my Certificates folder as follows:
C:\OpenSSL-Win32\Certificates\Root64.cer
Creating the SSL Certificates CA Template
A specific CA Certificate Template is required for the vCenter. See my article about Microsoft CA Template for vSphere 5.x here to create one.
Generating the SSL Certificates
Once our Root64.cer is created we can focus on creating our SSL Certificates.
Now that our OpenSSL templates are ready, we can create one big script that does everything for us (adapt it to your needs).
For each component the script will:
- Create a 2048-bit RSA private key, rui.key
- Create a Certificate Signing Request from the current OpenSSL Template
- Submit the previous request to the CA and (hopefully) generate the Certificate rui.crt
- Create a chain based on the previously generated Certificate and the Root64.cer
Create_SSL.bat
REM Change this according to your needs
Set OPENSSL=c:\OpenSSL-Win32\bin\openssl.exe
Set SSLPATH=c:\OpenSSL-Win32\Certificates
Set MSCA=DC1\katalykt-DC1-CA
Set MSCATEMPLATE=VMwareSSL

REM Core processing
echo PROCESSING: vCenter SSL Certificate
cd /d %SSLPATH%\vcenter
%OPENSSL% genrsa 2048 > rui.key
%OPENSSL% req -out rui.csr -key rui.key -new -config vcenter.cfg
certreq -submit -config %MSCA% -attrib "CertificateTemplate:%MSCATEMPLATE%" rui.csr rui.crt
copy /B rui.crt + %SSLPATH%\root64.cer chain.pem

echo PROCESSING: Inventory Service SSL Certificate
cd /d %SSLPATH%\Inventory
%OPENSSL% genrsa 2048 > rui.key
%OPENSSL% req -out rui.csr -key rui.key -new -config inventory.cfg
certreq -submit -config %MSCA% -attrib "CertificateTemplate:%MSCATEMPLATE%" rui.csr rui.crt
copy /B rui.crt + %SSLPATH%\root64.cer chain.pem

echo PROCESSING: Single Sign-on SSL Certificate
cd /d %SSLPATH%\SSO
%OPENSSL% genrsa 2048 > rui.key
%OPENSSL% req -out rui.csr -key rui.key -new -config SSO.cfg
certreq -submit -config %MSCA% -attrib "CertificateTemplate:%MSCATEMPLATE%" rui.csr rui.crt
copy /B rui.crt + %SSLPATH%\root64.cer chain.pem

echo PROCESSING: VMware Update Manager SSL Certificate
cd /d %SSLPATH%\VUM
%OPENSSL% genrsa 2048 > rui.key
%OPENSSL% req -out rui.csr -key rui.key -new -config VUM.cfg
certreq -submit -config %MSCA% -attrib "CertificateTemplate:%MSCATEMPLATE%" rui.csr rui.crt
copy /B rui.crt + %SSLPATH%\root64.cer chain.pem

echo PROCESSING: Web Client SSL Certificate
cd /d %SSLPATH%\webclient
%OPENSSL% genrsa 2048 > rui.key
%OPENSSL% req -out rui.csr -key rui.key -new -config webclient.cfg
certreq -submit -config %MSCA% -attrib "CertificateTemplate:%MSCATEMPLATE%" rui.csr rui.crt
copy /B rui.crt + %SSLPATH%\root64.cer chain.pem

echo PROCESSING: Log Browser SSL Certificate
cd /d %SSLPATH%\LogBrowser
%OPENSSL% genrsa 2048 > rui.key
%OPENSSL% req -out rui.csr -key rui.key -new -config LogBrowser.cfg
certreq -submit -config %MSCA% -attrib "CertificateTemplate:%MSCATEMPLATE%" rui.csr rui.crt
copy /B rui.crt + %SSLPATH%\root64.cer chain.pem

echo PROCESSING: Orchestrator SSL Certificate
cd /d %SSLPATH%\Orchestrator
%OPENSSL% genrsa 2048 > rui.key
%OPENSSL% req -out rui.csr -key rui.key -new -config Orchestrator.cfg
certreq -submit -config %MSCA% -attrib "CertificateTemplate:%MSCATEMPLATE%" rui.csr rui.crt
copy /B rui.crt + %SSLPATH%\root64.cer chain.pem
Alright, now that we've created the chain.pem files we can use the VMware SSL Certificate Automation Tool to replace our existing SSL Certificates.
I'll be using the version 1.0.1 in this part since my infrastructure is based on vCenter 5.1 (Remember to use the right version of the tool!).
Make sure that you've properly backed up everything (vCenter/Database) before running the tool. Better safe than sorry.
The tool will ask several times for those passwords:
- vCenter database password
- SSO admin name and password
- vCenter admin name and password
If you forgot the vCenter database password you may reset it as follows:
"C:\Program Files\VMware\Infrastructure\VirtualCenter Server\vpxd.exe" -p
Note that version 1.0 of the tool may whine about Orchestrator with a message like "unable to find vco installation".
First of all we want to modify ssl-environment.bat so that we don't have to type everything over and over again. Adapt it as needed.
ssl-environment.bat
@echo off
set sso_cert_chain=c:\OpenSSL-Win32\Certificates\SSO\chain.pem
set sso_private_key=c:\OpenSSL-Win32\Certificates\SSO\rui.key
set sso_node_type=single
set sso_admin_is_behind_lb=
set sso_lb_certificate=
set sso_lb_hostname=
set is_cert_chain=c:\OpenSSL-Win32\Certificates\Inventory\chain.pem
set is_private_key_new=c:\OpenSSL-Win32\Certificates\Inventory\rui.key
set vc_cert_chain=c:\OpenSSL-Win32\Certificates\vCenter\chain.pem
set vc_private_key=c:\OpenSSL-Win32\Certificates\vCenter\rui.key
set ngc_cert_chain=c:\OpenSSL-Win32\Certificates\WebClient\chain.pem
set ngc_private_key=c:\OpenSSL-Win32\Certificates\WebClient\rui.key
set logbrowser_cert_chain=c:\OpenSSL-Win32\Certificates\LogBrowser\chain.pem
set logbrowser_private_key=c:\OpenSSL-Win32\Certificates\LogBrowser\rui.key
set vco_cert_chain=c:\OpenSSL-Win32\Certificates\Orchestrator\chain.pem
set vco_private_key=c:\OpenSSL-Win32\Certificates\Orchestrator\rui.key
set vum_cert_chain=c:\OpenSSL-Win32\Certificates\VUM\chain.pem
set vum_private_key=c:\OpenSSL-Win32\Certificates\VUM\rui.key
set sso_admin_user=admin@system-domain
set vc_username=administrator
set gen_cert_server_fqdn=
set gen_cert_server_ip=
set gen_cert_server_short_name=
set gen_cert_country=
set gen_cert_state=
set gen_cert_locality_name=
set gen_cert_organization_name=
set gen_cert_organizational_unit_name=
set gen_cert_key_length=2048
set last_error=
set ROLLBACK_BACKUP_FOLDER=%~dp0backup
set LOGS_FOLDER=%~dp0logs
set CSR_OUTPUT_FOLDER=%~dp0requests
All that's left is to run ssl-updater.bat and update the desired elements (or you may plan everything up front).
Remember that the logical update order is as follows:
- Single Sign-On (SSO)
- Inventory Service
- vCenter
- Orchestrator
- vSphere Web Client
- Log Browser
- vSphere Update Manager (VUM)
Then make sure everything works by checking:
- WebClient: Check the https interface of the Web Client on port 9443
- SSO: Check the STS Certificate tab via the Web Client (Sign-on and Discovery > Configuration)
- vCenter: Check the https interface of the vCenter server on port 443
- Inventory Service: Check the https interface of the Inventory Service on port 7444
- Log Browser: Check that the log browser can properly display logs from the Web Client
- Orchestrator: Check the https interface of the Orchestrator server
- Update Manager: Check from the vSphere Client (the thick client) that VUM works correctly.
Finally, check the various log entries for SSL warnings or errors and you're set!
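Clicking through the https interfaces listed above tells you the new certificate is served, but a small script can do the same check with the lab CA as the only trust anchor and compare each presented certificate with its template. The following is an added example and is not code from the original post or from VMware's tool: each port is contacted with Root64.cer as the sole trusted CA, so the handshake itself fails if the new chain is not served or does not chain to the lab CA, and the presented certificate is then compared with the commonName, subjectAltName and organizationalUnitName the template asked for. The ports are the ones from the checklist above; the Orchestrator port is an assumption (the vCO 5.x default), and the sample certificate dictionary at the bottom is constructed test data.

```python
"""Post-replacement check of the vCenter 5.1 HTTPS endpoints against Root64.cer."""
import socket
import ssl

# service -> (port, expected organizationalUnitName), mirroring the post's templates.
ENDPOINTS = {
    "vSphere Web Client": (9443, "vCenterWebClient"),
    "vCenter": (443, "vCenterServer"),
    "Inventory Service": (7444, "vCenterInventoryService"),
    "Orchestrator": (8281, "vCenterOrchestrator"),   # assumed port, not stated in the post
}


def rdn_value(cert, attribute):
    """First value of one subject attribute in a getpeercert() dictionary, or None."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == attribute:
                return value
    return None


def san_dns(cert):
    """DNS names of the subjectAltName extension, in certificate order."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def evaluate(cert, fqdn, short_name, expected_ou):
    """Compare a presented certificate with its template; returns findings (empty = OK)."""
    findings = []
    cn = rdn_value(cert, "commonName")
    if cn != fqdn:
        findings.append(f"commonName is {cn!r}, expected {fqdn!r}")
    ou = rdn_value(cert, "organizationalUnitName")
    if ou != expected_ou:
        findings.append(f"organizationalUnitName is {ou!r}, expected {expected_ou!r}")
    names = san_dns(cert)
    for wanted in (short_name, fqdn):
        if wanted not in names:
            findings.append(f"subjectAltName lacks DNS:{wanted}")
    return findings


def fetch_cert(host, port, ca_file, timeout=5.0):
    """TLS handshake trusting only ca_file; raises ssl.SSLError if the chain does not verify."""
    ctx = ssl.create_default_context(cafile=ca_file)   # CERT_REQUIRED plus hostname check
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()   # parsed dict; populated only because verification ran


def check_all(fqdn, short_name, ca_file, endpoints=ENDPOINTS):
    """Return {service: findings list, or an error string when the handshake failed}."""
    report = {}
    for service, (port, expected_ou) in endpoints.items():
        try:
            cert = fetch_cert(fqdn, port, ca_file)
            report[service] = evaluate(cert, fqdn, short_name, expected_ou)
        except OSError as exc:          # ssl.SSLError is a subclass of OSError
            report[service] = f"handshake failed: {exc}"
    return report


# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": (
        (("countryName", "FR"),),
        (("organizationName", "Katalykt"),),
        (("organizationalUnitName", "vCenterServer"),),
        (("commonName", "vcenter51.katalykt.lan"),),
    ),
    "issuer": ((("commonName", "katalykt-DC1-CA"),),),
    "subjectAltName": (("DNS", "vcenter51"), ("DNS", "vcenter51.katalykt.lan")),
}


if __name__ == "__main__":
    print(evaluate(SAMPLE_CERT, "vcenter51.katalykt.lan", "vcenter51", "vCenterServer") or "OK")
    # Against the lab:
    # print(check_all("vcenter51.katalykt.lan", "vcenter51", r"C:\OpenSSL-Win32\Certificates\Root64.cer"))
```

A "handshake failed" entry for a service after the tool has run usually means the old self-signed certificate is still being served or the service has not been restarted yet; a findings list that names the wrong organizationalUnitName means two components were fed the same chain.pem. One caveat when running this from a current workstation: a 2012-era Tomcat may only offer TLS 1.0, which a modern Python default context refuses, so you may need to lower ctx.minimum_version for the check to connect at all.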