I recently upgraded to VMware vCenter v5.5 U2 and switched from Windows to the vCenter Server Appliance 5.5 (VCSA). Here are the best resources for replacing the self-signed VCSA certificates with ones signed by an internal Microsoft Certificate Authority server.
Assumptions
- You installed the Linux vCenter Server Appliance 5.5 (VCSA)
- All services except vCenter Update Manager are installed on your VCSA
- You have an internal domain (example.local, but could be anotherexample.com)
- You have a Windows Server 2008 R2 server (or greater) with the Active Directory Certificate Services role installed and configured
Official Documentation
For Windows-based VMware vCenter 5.5 installations, VMware offers the SSL Certificate Automation Tool 5.5. Unfortunately, “The SSL Certificate Automation Tool is available only to machines running Windows operating systems.”
Those who chose to use the vCenter Server Appliance 5.5 (VCSA) must follow KB “Configuring Certificate Authority (CA) signed certificates for vCenter Server Appliance 5.5 (2057223)” to install CA-signed certificates.
Notice that there are more than 75 steps in that KB article. If you leverage scripts written by Derek Seaman and Paul Grevink, you’ll be able to simplify this process.
Step 1: Follow Seaman’s instructions on creating a Certificate Template
Visit “vSphere 5.5 Install Pt. 6: Certificate Template” to create a VMware-specific certificate template on your Microsoft Active Directory Certificate Services server. I named my Certificate Template VMware-55U2-SSL and configured it exactly as Seaman documented.
Step 2: Follow Seaman’s vSphere 5.5 Install Pt. 8: Online SSL Minting
Visit “vSphere 5.5 Install Pt. 8: Online SSL Minting” to download Seaman’s Toolkit Script (Toolkit-55.ps1). You’ll use this script and OpenSSL to create all of your signed certificates. I performed all of this work on my Windows 8.1 laptop while connected to the domain.
These are the values that I used in the script that Seaman provided. Modify to meet your environment.
- $Cert_Dir = "C:\Scripts\SSL-Toolkit\certs"
- $openssldir = "C:\OpenSSL-Win32"
- $Country = "US"
- $State = "IN"
- $City = "Noblesville"
- $org = "My Company Name"
- $rootCA = "mycertserver.example.local"
- $CADownload = "http"
- $ISSUING_CA = "mycertserver.example.local\CERT01"
- $Template = "CertificateTemplate:VMware-55U2-SSL"
Run the script and select Option “8: Mint VCSA SSL certs with an online Microsoft CA.” In my case all vCenter services are running on the VCSA (myvcsa.example.local) except for vCenter Update Manager (myvcum.example.local). I answer the script’s questions like so and get the following results.
```text
PS C:\Scripts\SSL-Toolkit> .\Toolkit-55.ps1
Welcome to the vCenter 5.5 Toolkit
Derek Seaman, VCDX #125, derekseaman.com
vSphere 5.5 how-to series: vexpert.me\Derek55
Use at your own risk; no warranty implied or stated

Windows vCenter only:
1. Mint vCenter SSL certs with an online Microsoft CA
2. Create vCenter CSRs for an offline or non-Microsoft CA
3. Process manually downloaded certificates or resume a pending online request
4. Create vCenter Certificate Automation Batch file
5. Create vCenter and VUM SQL database file
6. Create vCenter DSN
7. Create VUM DSN

Linux vCenter Server Appliance (VCSA) only:
8. Mint VCSA SSL certs with an online Microsoft CA
9. Resume a pending online Microsoft CA request
10. Create VCSA CSRs for an offline or non-Microsoft CA

ESXi Hosts
11. Mint ESXi SSL certificate with an online Microsoft CA
12. Create ESXi CSRs for an offline or non-Microsoft CA
13. Install manually downloaded certificates or resume a pending online request

14. Quit

Please enter an option 1 to 14: 8
Is the vCenter FQDN mylaptop.example.local ?
Press ENTER to accept or input a new vCenter FQDN: myvcsa.example.local
Enter vCenter IP or press ENTER to leave it out of the SSL cert:
Is the vCenter Inventory service FQDN mylaptop.example.local ?
Press ENTER to accept or input a new vCenter Inventory service FQDN: myvcsa.example.local
Is the vCenter SSO FQDN mylaptop.example.local ?
Press ENTER to accept or input a new vCenter SSO FQDN: myvcsa.example.local
Is the vCenter Update Manager FQDN mylaptop.example.local ?
Press ENTER to accept or input a new vCenter Update Manager FQDN: myvcum.example.local
Is the vCenter Web Client FQDN mylaptop.example.local ?
Press ENTER to accept or input a new vCenter Web Client FQDN: myvcsa.example.local
Is the vCenter Log Browser FQDN mylaptop.example.local ?
Press ENTER to accept or input a new vCenter Log Browser FQDN: myvcsa.example.local
Is the vCenter Orchestrator FQDN mylaptop.example.local ?
Press ENTER to accept or input a new vCenter Orchestator FQDN: myvcsa.example.local
Is the AutoDeploy FQDN mylaptop.example.local ?
Press ENTER to accept or input a new AutoDeploy FQDN: myvcsa.example.local
Is the Dump Collector FQDN mylaptop.example.local ?
Press ENTER to accept or input a new Dump Collector FQDN: myvcsa.example.local
Is the Syslog FQDN mylaptop.example.local ?
Press ENTER to accept or input a new Syslog FQDN: myvcsa.example.local
Is the Authentication Proxy FQDN mylaptop.example.local ?
Press ENTER to accept or input a new Authentication Proxy FQDN: myvcsa.example.local
Downloading root certificate from mycertserver.example.local ...
Root CA download successful.

    Directory: C:\Scripts\SSL-Toolkit\certs

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
d----         6/2/2015  10:34 AM            VMware vCenter Service Certificate
Loading 'screen' into random state - done
Generating a 2048 bit RSA private key
...........+++
..................+++
writing new private key to 'C:\Scripts\SSL-Toolkit\certs\VMware vCenter Service Certificate\rui-orig.key'
-----
writing RSA key
d----         6/2/2015  10:34 AM            VMware Inventory Service Certificate
Loading 'screen' into random state - done
Generating a 2048 bit RSA private key
....................................................................................................................................+++
..............................+++
writing new private key to 'C:\Scripts\SSL-Toolkit\certs\VMware Inventory Service Certificate\rui-orig.key'
-----
writing RSA key
d----         6/2/2015  10:34 AM            VMware LDAP Service Certificate
Loading 'screen' into random state - done
Generating a 2048 bit RSA private key
.............................................................................+++
.................................................................+++
writing new private key to 'C:\Scripts\SSL-Toolkit\certs\VMware LDAP Service Certificate\rui-orig.key'
-----
writing RSA key
d----         6/2/2015  10:34 AM            VMware vCenter VAMI Certificate
Loading 'screen' into random state - done
Generating a 2048 bit RSA private key
......+++
........................................+++
writing new private key to 'C:\Scripts\SSL-Toolkit\certs\VMware vCenter VAMI Certificate\rui-orig.key'
-----
writing RSA key
d----         6/2/2015  10:34 AM            vCenter Web Client Service Certificate
Loading 'screen' into random state - done
Generating a 2048 bit RSA private key
........+++
..........................................................................................................................................................................................................+++
writing new private key to 'C:\Scripts\SSL-Toolkit\certs\vCenter Web Client Service Certificate\rui-orig.key'
-----
writing RSA key
d----         6/2/2015  10:34 AM            VMware Logbrowser Service Certificate
Loading 'screen' into random state - done
Generating a 2048 bit RSA private key
..................................................................................................................................+++
............+++
writing new private key to 'C:\Scripts\SSL-Toolkit\certs\VMware Logbrowser Service Certificate\rui-orig.key'
-----
writing RSA key
d----         6/2/2015  10:34 AM            VMware vSphere Autodeploy Service Certificate
Loading 'screen' into random state - done
Generating a 2048 bit RSA private key
..................................................+++
.................+++
writing new private key to 'C:\Scripts\SSL-Toolkit\certs\VMware vSphere Autodeploy Service Certificate\rui-orig.key'
-----
writing RSA key
Submitting certificate request for VMware vCenter Service Certificate
Submitting certificate request for VMware Inventory Service Certificate
Submitting certificate request for VMware LDAP Service Certificate
Submitting certificate request for VMware vCenter VAMI Certificate
Submitting certificate request for vCenter Web Client Service Certificate
Submitting certificate request for VMware Logbrowser Service Certificate
Submitting certificate request for VMware vSphere Autodeploy Service Certificate
```
After running the script, the following folders and files were created for me. Awesome!
```text
PS C:\Scripts\SSL-Toolkit\certs> Get-ChildItem -Recurse

    Directory: C:\Scripts\SSL-Toolkit\certs

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
d----         6/2/2015  10:34 AM            vCenter Web Client Service Certificate
d----         6/2/2015  10:34 AM            VMware Inventory Service Certificate
d----         6/2/2015  10:34 AM            VMware LDAP Service Certificate
d----         6/2/2015  10:34 AM            VMware Logbrowser Service Certificate
d----         6/2/2015  10:34 AM            VMware vCenter Service Certificate
d----         6/2/2015  10:34 AM            VMware vCenter VAMI Certificate
d----         6/2/2015  10:34 AM            VMware vSphere Autodeploy Service Certificate
-a---         6/2/2015  10:34 AM       1996 root64.cer

    Directory: C:\Scripts\SSL-Toolkit\certs\vCenter Web Client Service Certificate

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---         6/2/2015  10:34 AM       2544 rui.crt
-a---         6/2/2015  10:34 AM       1679 rui.key
-a---         6/2/2015  10:34 AM       5774 rui.rsp
-a---         6/2/2015  10:34 AM        665 vCenter Web Client Service Certificate.cfg
-a---         6/2/2015  10:34 AM       1245 vCenter Web Client Service Certificate.csr

    Directory: C:\Scripts\SSL-Toolkit\certs\VMware Inventory Service Certificate

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---         6/2/2015  10:34 AM       2544 rui.crt
-a---         6/2/2015  10:34 AM       1675 rui.key
-a---         6/2/2015  10:34 AM       5770 rui.rsp
-a---         6/2/2015  10:34 AM        663 VMware Inventory Service Certificate.cfg
-a---         6/2/2015  10:34 AM       1245 VMware Inventory Service Certificate.csr

    Directory: C:\Scripts\SSL-Toolkit\certs\VMware LDAP Service Certificate

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---         6/2/2015  10:34 AM       2536 rui.crt
-a---         6/2/2015  10:34 AM       1679 rui.key
-a---         6/2/2015  10:34 AM       5766 rui.rsp
-a---         6/2/2015  10:34 AM        658 VMware LDAP Service Certificate.cfg
-a---         6/2/2015  10:34 AM       1236 VMware LDAP Service Certificate.csr

    Directory: C:\Scripts\SSL-Toolkit\certs\VMware Logbrowser Service Certificate

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---         6/2/2015  10:34 AM       2544 rui.crt
-a---         6/2/2015  10:34 AM       1675 rui.key
-a---         6/2/2015  10:34 AM       5774 rui.rsp
-a---         6/2/2015  10:34 AM        664 VMware Logbrowser Service Certificate.cfg
-a---         6/2/2015  10:34 AM       1245 VMware Logbrowser Service Certificate.csr

    Directory: C:\Scripts\SSL-Toolkit\certs\VMware vCenter Service Certificate

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---         6/2/2015  10:34 AM       2540 rui.crt
-a---         6/2/2015  10:34 AM       1679 rui.key
-a---         6/2/2015  10:34 AM       5770 rui.rsp
-a---         6/2/2015  10:34 AM        661 VMware vCenter Service Certificate.cfg
-a---         6/2/2015  10:34 AM       1240 VMware vCenter Service Certificate.csr

    Directory: C:\Scripts\SSL-Toolkit\certs\VMware vCenter VAMI Certificate

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---         6/2/2015  10:34 AM       2556 rui.crt
-a---         6/2/2015  10:34 AM       1675 rui.key
-a---         6/2/2015  10:34 AM       5786 rui.rsp
-a---         6/2/2015  10:34 AM        673 VMware vCenter VAMI Certificate.cfg
-a---         6/2/2015  10:34 AM       1261 VMware vCenter VAMI Certificate.csr

    Directory: C:\Scripts\SSL-Toolkit\certs\VMware vSphere Autodeploy Service Certificate

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---         6/2/2015  10:34 AM       2556 rui.crt
-a---         6/2/2015  10:34 AM       1675 rui.key
-a---         6/2/2015  10:34 AM       5782 rui.rsp
-a---         6/2/2015  10:34 AM        672 VMware vSphere Autodeploy Service Certificate.cfg
-a---         6/2/2015  10:34 AM       1257 VMware vSphere Autodeploy Service Certificate.csr
```
Step 3: Prepare to install these certs to your VCSA
Snapshot
Shut down and back up (or snapshot) your VCSA. This is an error-prone process, so make it easy on yourself to revert and try again.
Rename Folders
To simplify things in Linux, I used these PowerShell commands to rename my folders to be lowercase and without spaces.
```powershell
# Rename each toolkit output folder in place; -NewName takes the new folder name only,
# the parent directory stays the same.
Rename-Item -Path "C:\Scripts\SSL-Toolkit\certs\vCenter Web Client Service Certificate" -NewName "webclient"
Rename-Item -Path "C:\Scripts\SSL-Toolkit\certs\VMware Inventory Service Certificate" -NewName "inventoryservice"
Rename-Item -Path "C:\Scripts\SSL-Toolkit\certs\VMware LDAP Service Certificate" -NewName "ldap"
Rename-Item -Path "C:\Scripts\SSL-Toolkit\certs\VMware Logbrowser Service Certificate" -NewName "logbrowser"
Rename-Item -Path "C:\Scripts\SSL-Toolkit\certs\VMware vCenter Service Certificate" -NewName "vpxd"
Rename-Item -Path "C:\Scripts\SSL-Toolkit\certs\VMware vCenter VAMI Certificate" -NewName "vami"
Rename-Item -Path "C:\Scripts\SSL-Toolkit\certs\VMware vSphere Autodeploy Service Certificate" -NewName "autodeploy"
```
Retrieve your Certificate Server’s certificate chain
- Navigate to the home page of the certificate server (e.g. https://mycertserver.example.local/certsrv/) and click Download a CA certificate, certificate chain or CRL.
- Click the Base 64 option.
- Click the Download CA Certificate chain link.
- Save the certificate chain as cachain.p7b in the “C:\Scripts\SSL-Toolkit\certs\” directory.
Copy certs folder to VCSA
Use WinSCP to copy the C:\Scripts\SSL-Toolkit\certs (including subfolders) to the vCenter Server appliance. I placed /certs on the root.
Convert P7B to PEM
Use PuTTY to log into the vCenter Server Appliance as root. Following KB 2057223, run these commands on the appliance to convert the cachain.p7b file to cachain.pem:

```shell
cd ssl/vpxd/
openssl pkcs7 -print_certs -in cachain.p7b -out cachain.pem
```
Open the cachain.pem file with the vi editor, removing any text before the first -----BEGIN CERTIFICATE----- and after -----END CERTIFICATE-----.
For me, I had to delete these two lines at the top (subject=/DC=local/DC=example/CN=mycertserver AND issuer=/DC=local/DC=example/CN=mycertserver), and a few empty lines at the bottom.
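The hand-editing step above is easy to get wrong on a chain with more than one certificate, and a stray subject=/issuer= line or a Windows carriage return left in the file is a common reason the installation later fails. The shell script below is an added example, not from the post or from KB 2057223: it keeps only the PEM certificate blocks from the -print_certs output, handles CRLF line endings, and reports how many certificates survived and how many non-PEM lines are left. The file it processes is a constructed sample of the -print_certs output with placeholder certificate bodies, not real certificates; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the post or KB 2057223: keep only the PEM
# certificate blocks from "openssl pkcs7 -print_certs" output, dropping the
# subject=/issuer= lines and blank lines that otherwise have to be deleted in vi.

# clean_pem_chain IN OUT
# Copies every line from a BEGIN CERTIFICATE marker through its matching END
# marker. A trailing CR is stripped first so a file that passed through
# Windows (CRLF) is handled the same way as a Unix file.
clean_pem_chain() {
    awk '{ sub(/\r$/, "") }
         /^-----BEGIN CERTIFICATE-----$/ { inblock = 1 }
         inblock { print }
         /^-----END CERTIFICATE-----$/ { inblock = 0 }' "$1" > "$2"
}

# count_certs FILE : number of certificates (BEGIN markers) in a PEM file.
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# count_junk_lines FILE : lines that are neither a PEM marker nor base64,
# i.e. exactly the material the KB tells you to delete by hand.
count_junk_lines() {
    grep -cv -e '^-----BEGIN CERTIFICATE-----$' \
             -e '^-----END CERTIFICATE-----$' \
             -e '^[A-Za-z0-9+/=]\{1,\}$' "$1" || true
}

# make_sample_print_certs_output FILE
# Constructed stand-in for what -print_certs writes for a two-tier chain
# (root CA plus issuing CA). The certificate bodies are placeholders,
# not real certificates.
make_sample_print_certs_output() {
    cat > "$1" <<'EOF'
subject=/DC=local/DC=example/CN=mycertserver
issuer=/DC=local/DC=example/CN=mycertserver
-----BEGIN CERTIFICATE-----
MIIBPLACEHOLDERROOTCAbodyNotARealCertificate0000000000000000000000
-----END CERTIFICATE-----

subject=/DC=local/DC=example/CN=CERT01
issuer=/DC=local/DC=example/CN=mycertserver
-----BEGIN CERTIFICATE-----
MIIBPLACEHOLDERISSUINGCAbodyNotARealCertificate00000000000000000
-----END CERTIFICATE-----


EOF
}

# Demo run on the constructed sample.
work=$(mktemp -d)
make_sample_print_certs_output "$work/cachain.pem"
clean_pem_chain "$work/cachain.pem" "$work/chain.pem"
echo "kept $(count_certs "$work/chain.pem") certificate(s);" \
     "$(count_junk_lines "$work/chain.pem") non-PEM line(s) remain"
```

On the appliance the same two calls would be `clean_pem_chain cachain.pem chain.pem` followed by `count_certs chain.pem`; the count should match the number of CAs in your chain (one for a single-tier CA, two for root plus issuing CA), and `count_junk_lines` should print 0 before the file is used any further.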
Step 4: Modify Grevink’s certificate installation script
- Open NotePad++
- Navigate to NotePad++ > Settings > Preferences > New Document > Format
- Change the New Document format to “Unix/OSX”, then Close preferences
- Open a new blank document in NotePad++
- Using a browser, visit “Implementing CA signed SSL certificates with vSphere 5.x – Part 3 – vCenter Server Appliance”
- Copy and paste Grevink’s vcsa_certs.sh script to your new, blank, and Unix formatted document
- Provide values for the script’s variables and save as “C:\Scripts\SSL-Toolkit\certs\vcsa_certs.sh”
I used these values:
- SOURCE="/certs"
- SERVER_DOMAIN="myvcsa.example.local"
- SSO="vpxd"
- InventoryService="inventoryservice"
- Logbrowser="logbrowser"
- AutoDeploy="autodeploy"
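Before handing the files to the installation script and rebooting, it is worth confirming on the appliance that every rui.key belongs to its rui.crt, that each certificate chains to the CA chain you converted, and that the appliance FQDN appears in the certificate's subjectAltName; any one of these being wrong is what turns the final reboot into a vCenter whose services will not start. The script below is an added example, not Grevink's vcsa_certs.sh and not from the post or the KB. It assumes the layout used above (one subdirectory per service under the SOURCE directory, each holding rui.crt and rui.key) and takes the path of the cleaned CA chain PEM as an argument; the function names are my own. The certificates it checks in its demo run are a throwaway root CA and one service certificate that it generates itself with openssl, constructed for the example and not issued by a Microsoft CA.

```shell
#!/bin/sh
# Added example, not Grevink's vcsa_certs.sh and not from the post or KB:
# pre-flight checks on the certs tree before the installation script runs.
# Assumed layout: CERTS_DIR/<service>/rui.crt and rui.key per service, and the
# converted CA chain in PEM form at a path passed as the second argument.

# key_matches_cert KEY CERT : the public key derived from the private key must
# equal the public key carried inside the certificate.
key_matches_cert() {
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# cert_verifies CHAIN CERT : the certificate must build a trusted path to the CA chain.
cert_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# san_has_fqdn CERT FQDN : the subjectAltName must list the FQDN as a DNS entry.
# The SAN line of "x509 -text" is split on commas so only exact matches count.
san_has_fqdn() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -Fqx "DNS:$2"
}

# preflight_check CERTS_DIR CHAIN_PEM FQDN : run all three checks on every
# service directory; prints one line per directory and returns non-zero if
# anything failed, so it can gate the installation script.
preflight_check() {
    certs_dir=$1; chain=$2; fqdn=$3; failed=0
    for d in "$certs_dir"/*/; do
        d=${d%/}
        [ -f "$d/rui.crt" ] && [ -f "$d/rui.key" ] || continue
        problems=""
        key_matches_cert "$d/rui.key" "$d/rui.crt" || problems="$problems key-mismatch"
        cert_verifies "$chain" "$d/rui.crt"        || problems="$problems chain-fail"
        san_has_fqdn "$d/rui.crt" "$fqdn"           || problems="$problems san-missing"
        if [ -z "$problems" ]; then
            echo "$d: OK"
        else
            echo "$d:$problems"; failed=1
        fi
    done
    return $failed
}

# make_fixture DIR FQDN : constructed throwaway root CA plus one service
# certificate (vpxd) signed by it, so the checks can be exercised offline.
make_fixture() {
    mkdir -p "$1/vpxd"
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Fixture Root CA" \
        -keyout "$1/ca.key" -out "$1/cachain.pem" -days 2 >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/vpxd/rui.key" -out "$1/vpxd/rui.csr" >/dev/null 2>&1
    printf 'subjectAltName=DNS:%s\n' "$2" > "$1/san.ext"
    openssl x509 -req -in "$1/vpxd/rui.csr" -CA "$1/cachain.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -extfile "$1/san.ext" -out "$1/vpxd/rui.crt" -days 2 >/dev/null 2>&1
}

# Demo run against the constructed fixture.
if command -v openssl >/dev/null 2>&1; then
    demo=$(mktemp -d)
    make_fixture "$demo" myvcsa.example.local
    preflight_check "$demo" "$demo/cachain.pem" myvcsa.example.local
fi
```

On the appliance the call is `preflight_check /certs /certs/cachain.pem myvcsa.example.local` (adjust the chain path to wherever you wrote the cleaned PEM); only proceed to the installation script when every directory reports OK, since a key-mismatch or chain-fail on any one service is far cheaper to fix now than after the reboot.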
Step 5: Execute Grevink’s certificate installation script
- Use WinSCP to copy the script from Windows > C:\Scripts\SSL-Toolkit\certs\vcsa_certs.sh to VCSA > /certs/vcsa_certs.sh
- Use PuTTY on the VCSA to adjust the file permissions so that you can run the script: chmod 744 vcsa_certs.sh
- Use PuTTY to run the script: ./vcsa_certs.sh
When the script is done it will prompt you to reboot your vCenter Server Appliance. After reboot, your VCSA will have CA-signed certs.
Thank you Seaman and Grevink for making this process much easier.
I found this to be very helpful. Thank you!
Here are the only suggestions I can offer. 1) The values in Modify Grevink’s certificate for the variables SOURCE and SERVER_DOMAIN are not to be enclosed in quotes.
2) The instructions to “Convert P7B to PEM” did not work for me. I found that I could not change into the ssl/vpxd directory. Rather, I ran the command in the /certs directory on the appliance. Additionally, I needed to open up the permissions to make it readable for execution.
3) This line: Rename-Item -path “C:\Scripts\SSL-Toolkit\certs\VMware Inventory Service Certificate” -newName “C:\Scripts\SSL-Toolkit\certs\inventoryservice”
creates an all lowercase name for InventoryService, but the Grevink script expects CamelCase style directory name (InventoryService). Same was true for LogBrowser/logbrowser.
Other than that, perfect!
Many thanks!
Thank you Benjamin for sharing your tips.