Tuesday, 18 March 2014

Using a custom SSL Certificate for VMware Site Recovery Manager 5.x

During the VMware Site Recovery Manager (SRM) installation you may decide to use a custom SSL Certificate (no more SSL warnings, yay!).

As you may already know, SRM comes in pairs: you have a Site A and a Site B, with a vCenter on each site.

The following properties on the SRM SSL Certificates need to match the vCenter ones, and both vCenters need to have identical values for those properties:
  • Organizational Unit Name (OU)
  • Organization Name (O)
  • Country Name (C)
  • State or Province Name (S)
  • Locality Name (L)
Note that properties Organizational Unit Name and Organization Name are mandatory.

On the other hand, the property Common Name (CN) needs to be identical on both members of the pair (something like "SRM" is appropriate, as stated in the VMware KB here).

I will be using a Microsoft CA along with OpenSSL to create my Certificates.

Creating the SSL Certificates CA Template

A specific CA Certificate Template is required for SRM. See my article about Microsoft CA Templates for vSphere 5.x here to create one.

Make sure that the template contains the following properties, as it won't work without them:
  • Client Authentication
  • Allow private key to be exported

Creating the OpenSSL Template Files

Alright, let's create our OpenSSL configuration files for both sites of our pair, Site A and Site B, but first let's have a look at our vCenter SSL Certificate properties.

vcenter51.katalykt.lan (Site A)
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
 
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vcenter51, DNS:vcenter51.katalykt.lan
 
[ req_distinguished_name ]
countryName = FR
stateOrProvinceName = Normandie
localityName = Caen
0.organizationName = Katalykt
organizationalUnitName = vCenterServer
commonName = vcenter51.katalykt.lan

vcenter51remote.katalykt.lan (Site B)
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
 
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vcenter51remote, DNS:vcenter51remote.katalykt.lan
 
[ req_distinguished_name ]
countryName = FR
stateOrProvinceName = Normandie
localityName = Caen
0.organizationName = Katalykt
organizationalUnitName = vCenterServer
commonName = vcenter51remote.katalykt.lan

As you can see from above, the following properties are identical on both vCenters:

  • countryName
  • stateOrProvinceName
  • localityName
  • 0.organizationName
  • organizationalUnitName
The values filled in there need to be present in the SRM SSL Certificates, so let's create those templates!

srm.cfg (vcenter51.katalykt.lan - Site A)
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
 
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vcenter51.katalykt.lan
 
[ req_distinguished_name ]
countryName = FR
stateOrProvinceName = Normandie
localityName = Caen
0.organizationName = Katalykt
organizationalUnitName = vCenterServer
commonName = SRM

srm.cfg (vcenter51remote.katalykt.lan - Site B)
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
 
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vcenter51remote.katalykt.lan
 
[ req_distinguished_name ]
countryName = FR
stateOrProvinceName = Normandie
localityName = Caen
0.organizationName = Katalykt
organizationalUnitName = vCenterServer
commonName = SRM

As you can see from both of those templates, we copy the vCenter properties over. Our Common Name "SRM" is identical on both sites.

Note that I'm using the FQDN of my vCenter in the Subject Alternative Name (SAN); it's also possible to add the IP of the vCenter if needed (during the installation you may select either an FQDN or an IP).

By doing so your SAN would look like this:

subjectAltName = IP:10.10.10.100, DNS:vcenter51.katalykt.lan
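A consistency check for the four templates above, added here as an example and not code from the original post: it parses the [ req_distinguished_name ] and [ v3_req ] sections with a small constructed parser (not OpenSSL's own), applies the pairing rules stated earlier (O and OU mandatory; C, S, L, O, OU equal to the vCenter's and equal between the two vCenters; CN identical on both SRM certificates; clientAuth present in the extended key usage), and also checks the rule the installer enforces later, that the Local Host chosen at setup must be a DNS: or IP: entry of the SRM certificate's SAN. The configs embedded in it are constructed from the values shown in the post; the template with 0.organizationName set to GCM is a constructed mistake used to show the check firing.

```python
"""Added example (not part of the original post): check that a pair of
vCenter / SRM OpenSSL request configs follows the SRM pairing rules."""
import re
from typing import Dict, List

# OpenSSL config key -> short DN attribute name used in the post.
DN_KEYS = {"countryName": "C", "stateOrProvinceName": "S", "localityName": "L",
           "0.organizationName": "O", "organizationalUnitName": "OU",
           "commonName": "CN"}
MUST_MATCH = ("OU", "O", "C", "S", "L")   # must equal the vCenter cert's values
MANDATORY = ("O", "OU")                    # must be present on the SRM cert


def parse_req_config(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for the OpenSSL config format ([section] + key = value).
    Written for this example; it is not OpenSSL's own parser."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Dict[str, str] = {}          # keys before any [section] are dropped
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        header = re.match(r"^\[\s*(\S+)\s*\]$", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return sections


def subject(cfg: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Extract the DN attributes present in [ req_distinguished_name ]."""
    dn = cfg.get("req_distinguished_name", {})
    return {short: dn[key] for key, short in DN_KEYS.items() if key in dn}


def _csv(cfg: Dict[str, Dict[str, str]], section: str, key: str) -> List[str]:
    """Split a comma-separated value such as subjectAltName or extendedKeyUsage."""
    return [e.strip() for e in cfg.get(section, {}).get(key, "").split(",") if e.strip()]


def check_srm_pair(vc_a, vc_b, srm_a, srm_b) -> List[str]:
    """Return a list of rule violations (an empty list means the pair is consistent)."""
    problems: List[str] = []
    vca, vcb, sa, sb = subject(vc_a), subject(vc_b), subject(srm_a), subject(srm_b)
    for site, srm in (("A", sa), ("B", sb)):
        for attr in MANDATORY:
            if not srm.get(attr):
                problems.append(f"site {site}: SRM cert is missing mandatory {attr}")
    for attr in MUST_MATCH:
        if vca.get(attr) != vcb.get(attr):
            problems.append(f"vCenters disagree on {attr}: {vca.get(attr)!r} vs {vcb.get(attr)!r}")
        for site, vc, srm in (("A", vca, sa), ("B", vcb, sb)):
            if srm.get(attr) != vc.get(attr):
                problems.append(f"site {site}: SRM {attr}={srm.get(attr)!r} differs from vCenter {vc.get(attr)!r}")
    if sa.get("CN") != sb.get("CN"):
        problems.append(f"SRM CN differs between sites: {sa.get('CN')!r} vs {sb.get('CN')!r}")
    for site, cfg in (("A", srm_a), ("B", srm_b)):
        if "clientAuth" not in _csv(cfg, "v3_req", "extendedKeyUsage"):
            problems.append(f"site {site}: extendedKeyUsage lacks clientAuth")
    return problems


def local_host_in_san(cfg, local_host: str) -> bool:
    """The installer's Local Host choice must be a DNS: or IP: entry of the SAN."""
    return any(e in (f"DNS:{local_host}", f"IP:{local_host}")
               for e in _csv(cfg, "v3_req", "subjectAltName"))


def make_cfg(cn: str, san: str, org: str = "Katalykt") -> str:
    """Constructed config text in the shape of the post's templates."""
    return f"""[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ v3_req ]
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = {san}

[ req_distinguished_name ]
countryName = FR
stateOrProvinceName = Normandie
localityName = Caen
0.organizationName = {org}
organizationalUnitName = vCenterServer
commonName = {cn}
"""


# Sample inputs, constructed from the values shown in the post.
VC_A = parse_req_config(make_cfg("vcenter51.katalykt.lan", "DNS:vcenter51, DNS:vcenter51.katalykt.lan"))
VC_B = parse_req_config(make_cfg("vcenter51remote.katalykt.lan", "DNS:vcenter51remote, DNS:vcenter51remote.katalykt.lan"))
SRM_A = parse_req_config(make_cfg("SRM", "DNS:vcenter51.katalykt.lan"))
SRM_B = parse_req_config(make_cfg("SRM", "DNS:vcenter51remote.katalykt.lan"))
# Constructed mistake: Site B's SRM template carries a different O than its vCenter.
SRM_B_BAD = parse_req_config(make_cfg("SRM", "DNS:vcenter51remote.katalykt.lan", org="GCM"))

if __name__ == "__main__":
    print("good pair:", check_srm_pair(VC_A, VC_B, SRM_A, SRM_B) or "OK")
    for p in check_srm_pair(VC_A, VC_B, SRM_A, SRM_B_BAD):
        print("PROBLEM:", p)
    print("Local Host in SAN:", local_host_in_san(SRM_A, "vcenter51.katalykt.lan"))
```

Run it against your own srm.cfg files (read them with open().read() instead of make_cfg) before submitting the CSRs to the CA; a mismatch caught here costs a minute, while one caught by the SRM installer costs a re-issued certificate.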

Generating the SRM SSL Certificates

So we've got a Microsoft CA template by now and our OpenSSL templates are ready. All that's left to do is generate the SSL Certificates!

SRM requires a PKCS12 file, so we'll have to create one at the end.

I've made a script below which does everything by itself (once more, adapt it to your needs). Note that the password in the script is the one you'll have to use during the setup.

The logic is as follows:

  • Create an RSA 2048 private key rui.key
  • Create a Certificate Signing Request rui.csr with the SRM OpenSSL Template
  • Request the SSL Certificate rui.crt from our Microsoft CA using our "VMwareSSL" template
  • Create a PKCS12 file rui.p12 which will contain both our private key rui.key and the SSL Certificate rui.crt using the given password ("testpassword" in our case)


Generate_SRM_SSL.bat
REM Change this as needed
Set OPENSSL=c:\OpenSSL-Win32\bin\openssl.exe
Set MSCA=DC1\katalykt-DC1-CA
Set MSCATEMPLATE=VMwareSSL
REM Those are the path to the SRM pair A and B
Set SRMA=c:\OpenSSL-Win32\Certificates\SRM-vcenter51
Set SRMB=c:\OpenSSL-Win32\Certificates\SRM-vcenter51remote
REM This is the password used to encode the pkcs 12 file (has to be entered during the installation)
Set PKCSPASS=testpassword

REM Core processing
echo PROCESSING: SRM SSL Certificate - A
cd /d %SRMA%
%OPENSSL% genrsa 2048 > rui.key
%OPENSSL% req -out rui.csr -key rui.key -new -config srm.cfg
certreq -submit -config %MSCA% -attrib "CertificateTemplate:%MSCATEMPLATE%" rui.csr rui.crt
%OPENSSL% pkcs12 -export -out rui.p12 -inkey rui.key -in rui.crt -passout pass:%PKCSPASS%

echo PROCESSING: SRM SSL Certificate - B
cd /d %SRMB%
%OPENSSL% genrsa 2048 > rui.key
%OPENSSL% req -out rui.csr -key rui.key -new -config srm.cfg
certreq -submit -config %MSCA% -attrib "CertificateTemplate:%MSCATEMPLATE%" rui.csr rui.crt
%OPENSSL% pkcs12 -export -out rui.p12 -inkey rui.key -in rui.crt -passout pass:%PKCSPASS%

Placing the PKCS12 file in SRM

Let's run the SRM setup on our Site A (vcenter51.katalykt.lan).

After a few windows, the setup asks whether we want to use a Self-Signed Certificate or a PKCS12 file. We choose the PKCS12 option here!


Alright, we select the rui.p12 which we generated previously and type the password linked to it ("testpassword" if you didn't change it in the script).


The next window will ask for some information regarding the site such as the Local Site name and the Administrator's E-mail.

Note that the Local Host combo box is quite important and picky, as it needs to match the Subject Alternative Name (SAN) defined in our template!

As I've only filled in the DNS name vcenter51.katalykt.lan in my OpenSSL template, I select it from the list.


If everything's fine you should be able to continue the installation normally.

Repeat this for the Site B and you're set!
