You may have observed that whenever you connect to vCenter Server using the vSphere Client or the Web Client, you receive a warning that the certificate presented is not trusted, and so on.
For lab environments or small environments, self-signed certificates work just fine, but knowing how to use signed certificates is invaluable.
In this post we are going to cover how to create SSL certificate requests and how to replace the certificates. If you have missed the earlier posts of this series, I would recommend reading them first from the links below:
There are certain prerequisites that must be met before creating and replacing the SSL certificates. They are listed below:
1: Microsoft Enterprise CA server deployed along with IIS installed.
2: Web-Certificate Template created for vSphere components.
3: Download and install the vCenter Certificate Automation Tool from VMware.
I have downloaded and extracted the Certificate Automation Tool on the same server where my vCenter Server is installed, as all components of vCenter are running in a single VM in my lab. You will see files named ssl-environment and ssl-updater after extracting the zip file, as shown below.
This is going to be a long post. Before jumping into action, let's see a bit of theoretical background about the whole SSL thing.
Running the Certificate Automation Tool
1. From a command line, navigate to the location where you unzipped the tool and run the command: ssl-updater.bat
To begin with, select option 1. This option will explain the steps that need to be done and the order in which to do them.
On selecting option 1, a new menu is presented. This menu asks what you are going to update. If you are going to do all of the services listed, select option 8. It will generate an action plan for the upgrade. Copy the generated steps to a text file so you can refer to them later.
Generating Certificate Requests
2. From the SSL Certificate Automation Tool, select option 2 to Generate Certificate Requests.
3. Select the option for the service you are generating the certificate request for. Enter the information requested for the certificate request.
Note: By default VMware uses a value of <service-servername> to ensure that the DN of the certificate is unique. Do not change this unless there is another field that makes the DN of the certificate unique.
Important: Ensure that neither the directory in which the SSL Certificate Automation Tool is extracted nor the CSR directory specified above contains spaces in its name, or CSR generation will fail.
In my lab I started with generating the certificate request for SSO.
Press 2 for Inventory Service
Press 3 for vCenter Server
Repeat steps 2 and 3 for each service which you are generating a certificate for.
After completing this, we have the rui.csr and rui.key files in each of the respective directories specified for the different services. The screenshot below shows the csr and key files for the SSO service.
To validate that the CSR was created properly, navigate to the directory "C:\Program Files\VMware\Infrastructure\Inventory Service\bin" and run the command:
openssl.exe req -in "<path to created certificates>\rui.csr" -noout -text
Obtaining the Certificate
After the certificate request is created, it must be presented to the certificate authority for generation of the actual certificate. The authority returns the certificate along with a copy of its root certificate.
Log in to the Microsoft CA certificate authority Web interface. By default, it is https://servername/CertSrv/Default.asp
1: Click the Request a certificate link.
2: Click advanced certificate request.
3: Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file.
4. Open the rui.csr file in Notepad and paste the text between the Begin and End lines into the Saved Request box. Select the Certificate Template which you created for your lab and supply additional attributes if there are any. Hit the Submit button.
Note: Do not copy the actual -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines.
Only copy the text in between these lines. You may see = (equal) signs right before the End line (for example, ==-----END). In this case, you must copy the = (equal) signs as well, since they are the base64 padding and the request will not decode without them.
5. Click Base 64 encoded on the Certificate issued screen and click on Download certificate.
The above steps were for SSO service. Repeat steps 1 to 5 for each service.
6. Navigate back to the home page of the certificate server and click Download a CA certificate, certificate chain or CRL.
7. Select the Base 64 option and Click the Download CA Certificate chain link.
8. Save the certificate chain as a file in the folder where the SSL tool files were extracted.
9. Double-click the chain file which you just downloaded and navigate to Certificates. Right-click the certificate listed and click All Tasks > Export.
10. An export wizard will be presented to you. Hit Next.
11. Select Base-64 encoded X.509 (.CER) option and hit next.
12. Navigate to the directory where you want to save the file by clicking the Browse button.
13. Save the file as Root64, preferably in the same directory where the SSL tool was extracted, so that everything is contained within one folder.
14. Hit finish to complete the certificate export wizard.
A dialog box will appear stating that export was successful. Hit OK.
15. For the certificate chain to be trusted, the root certificate must be installed on the server.
To achieve this, double-click the Root64 file which we just exported and click Install Certificate.
16. Select Local Machine on Certificate Import Wizard page and hit next.
17. On Certificate Store page select Place all certificates in the following store and hit browse.
18. Install the root certificate into the Trusted Root Certificate Authorities. Hit OK.
19. Hit Finish to complete the Certificate Import Wizard.
A dialog box will appear stating that import was successful. Hit OK.
Creating the PEM files
Once certificates and keys are created, you must create a PEM certificate chain for each certificate. The chain must contain all certificates in the chain, in the order in which they lead to the root certification authority. To create the chain:
1. Create a file called chain.pem in the folder for the service that you are creating the chain for.
2. Open the rui.cer file in Notepad and copy the contents of the file into the chain.pem file for that service.
3. Open the Root64.cer file in Notepad and paste the contents of the file into the chain.pem file right after the certificate section. Be sure that there is no whitespace in the file between the certificates.
Repeat these steps for each service for which you are replacing the certificate.
After completing this procedure, you now have rui.key and chain.pem files for each service you are implementing custom certificates for. Copy these files to the appropriate server for use with the SSL Certificate Automation Tool.
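The two copy/paste steps above (extracting the CSR body for the CA web form, and assembling chain.pem with the service certificate first and no whitespace between certificates) are easy to get wrong by hand. Here is an added Python example, not part of the original post or of VMware's tool, that does both and rejects a block whose trailing "=" padding was dropped; the sample blocks are constructed stand-ins, not real certificates.

```python
import base64
import re

# One PEM block: header, base64 body (may span lines), footer.
_PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

def pem_blocks(text):
    """[(label, der)] per PEM block, in file order; ValueError on bad base64 or non-DER."""
    blocks = []
    for label, body in _PEM_RE.findall(text):
        # validate=True rejects stray characters; binascii.Error is a ValueError
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der or der[0] != 0x30:  # X.509 certs and CSRs are DER SEQUENCEs
            raise ValueError(f"{label}: not a DER SEQUENCE")
        blocks.append((label, der))
    return blocks

def to_pem(label, der):
    """Canonical PEM: 64-column base64 lines, LF endings, no stray whitespace."""
    b64 = base64.b64encode(der).decode("ascii")
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *body, f"-----END {label}-----"]) + "\n"

def csr_body(csr_text):
    """Text for the CA's Saved Request box: lines between BEGIN/END, '=' padding kept."""
    blocks = pem_blocks(csr_text)
    if len(blocks) != 1 or blocks[0][0] != "CERTIFICATE REQUEST":
        raise ValueError("expected exactly one CERTIFICATE REQUEST block")
    return "\n".join(to_pem(*blocks[0]).splitlines()[1:-1])

def build_chain(*cert_texts):
    """chain.pem as the SSL tool expects: rui.cer first, Root64.cer last, blocks adjacent."""
    out = []
    for text in cert_texts:
        for label, der in pem_blocks(text):
            if label != "CERTIFICATE":
                raise ValueError(f"chain.pem must hold only certificates, got {label}")
            out.append(to_pem(label, der))
    if len(out) < 2:
        raise ValueError("chain needs at least the service certificate and the root")
    return "".join(out)

# Constructed stand-ins, NOT real certificates: minimal DER SEQUENCEs so this runs offline.
FAKE_LEAF_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])  # SEQUENCE { INTEGER 1 }
FAKE_ROOT_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x02])  # SEQUENCE { INTEGER 2 }
SAMPLE_CSR = to_pem("CERTIFICATE REQUEST", FAKE_LEAF_DER)
# Mimic Notepad copy/paste residue: CRLF line endings and a blank line.
SAMPLE_RUI_CER = to_pem("CERTIFICATE", FAKE_LEAF_DER).replace("\n", "\r\n") + "\r\n"
SAMPLE_ROOT64_CER = "\n" + to_pem("CERTIFICATE", FAKE_ROOT_DER)
```

Running build_chain(SAMPLE_RUI_CER, SAMPLE_ROOT64_CER) yields the two blocks back to back with LF endings, which is the layout the tool wants in chain.pem.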
Replacing the SSL Certificates
With this we have come to the last section of this post. Now we will replace the SSL certificates for the different vCenter components.
Launch the ssl-updater.bat file by right-clicking it and selecting Run as administrator.
Select option 3 to start updating the SSO first.
Next, update the Inventory Service. Select option 4.
Now open the text file where you saved the detailed upgrade steps that the tool generated when you selected option 1 on the main menu.
In my lab, the first action for updating the Inventory Service was "Update Inventory Service trust to Single Sign-On".
So after selecting 4 in main menu, I selected option 1.
The next step in my action plan was “Update the Inventory Service SSL certificate” and I selected option 3 for this.
The next action was "Update vCenter Server trust to Single Sign-On", so I first selected option 5 to return to the main menu, then option 5 again to update vCenter Server, and then selected option 1.
In the same way you have to complete each step according to the action plan generated by the SSL tool. I am not including all the steps, as they are more or less the same as depicted above.
Now it's time to test our certs.
To test the setup I connected to vCenter Server using the Web Client and checked the certificate information. The certificate seems legit, as you can see in the screenshot below, which says "Identity of this website has been verified by Alex-CA (my CA server)".
The only issue which I am unable to solve here is that instead of the red warning it should show the certificate in green.
Any thoughts on this are highly welcome.
Update 31/10/2015: Finally the red warning issue for the certificates has been resolved. I will write another blog post explaining the cause of the issue and the resolution.
I can now see the certificate status as green when I am trying to access the vCenter Server:
The troubleshooting steps were provided by Bjoern and Yvan. I would like to express my sincere thanks to both.
If you are looking for the manual steps for certificate generation, please have a look at the blog posts below from Rynardt.
I would also highly suggest having a look at the blog posts below.
I hope you enjoyed reading this post. Feel free to share this on social media if it is worth sharing. Be sociable 🙂