UPDATE 1/27/2013: I've refreshed this post to reflect changes in VMware KB articles, reader feedback, and general cleanup to make it easier to follow.
UPDATE 10/26/12: VMware has released guidance, in the form of several KB articles, on how to configure SSL certificates for vSphere 5.1. This is a complex process, and the directives given with the 5.1 GA release flat out did not work. Thankfully these new articles are a vast improvement, and closely mirror my original blog posts for the 5.1 GA release. I've since consolidated all of my previous updates plus the new VMware guidance into a refreshed version of the article, so that its less confusing. If you want to start at the beginning of this vCenter 5.1 install series, you can find part one here.
---
In Part 1 of my series on installing VMware vCenter 5.1, we got the SSO Service installed using a remote Microsoft SQL 2008 R2 database. In production environments you should replace all of the default self-signed SSL certificates with trusted certificates. This is a tedious process, and each component has different ways of replacing the certificate. Again, you can check out the official VMware guidance for vSphere 5.1.0 here. ANY production environment should use trusted SSL certs, not just "high security" environments. Key infrastructure is probably running on vSphere, so its security is paramount.
Certificates are tricky, and depending on how you "mint" them (OpenSSL root CA, Microsoft CA, commercial CA, etc.) the steps may differ significantly. This blog series assumes a Microsoft Windows Server 2008 R2 Enterprise root CA that has the web certificate services installed.
The scope of this post will be only to create the SSL certificates for the vCenter 5.1.0 services. Follow-on posts cover the ins and outs of replacing the service specific certificates, as the process differs for each service. For the official VMware KB article on creating the certificates, click here.
Although not mentioned in the VMware KB articles, "Pre-Staging" the SSL certificates is still the easiest method, when doing a clean install, to configure the SSL certificates. This eliminates some of the manual steps as many services (except the SSO) will automatically use the trusted certificates if they are in the right folder during the installation process. You can view a separate post here that I wrote which contains a script to automate the pre-staging process.To be clear, pre-staging is NOT required, but does reduce fresh installation time and effort.
Per VMware KBs, the trusted SSL certificates should have the Data Encipherment key usage attribute. If you are using a Microsoft CA with the default "Web Server" certificate, your minted certificates will NOT have this property. You can check out my blog post here for how to create a custom certificate template that has this required key usage feature. You can see this Key Usage in the screenshot below. I've heard reports of SSL certificates without this property working, but VMware currently has this property as required in their KB articles so I would be safe and use it.
A single SSL certificate, even for all-in-one servers will NOT work. This is due to how various components (such as Inventory Service, vCenter, etc.) register with the SSO service. Multiple SSL certificates are required for a functioning system. For a complete installation of vCenter with VUM, you need seven certificates:
- Inventory Service
- SSO
- Update Manager
- vCenter
- Web Client
- Log Browser
- Orchestrator
Also, you will likely run into major problems if you try and use a commercial CA for your certificates. Many, if not all, will ignore the OU field which the SSO service depends on. Without the required unique OU fields, you will be left with a non-functional system. You really need an internal CA where you can control the certificate templates, and validate the certificates are properly minted. The certificates also require the SAN (subject alternative name) field to be populated as well.
They key difference in each certificate is the "OU" property. This OU property must be unique, as this seems to be the primary means the SSO service differentiates the SSL certificates for each service. Duplicate "OU" values is bad juju and will cause you a lot of grief.
Configuration File Creation
1. Download and install the Windows OpenSSL binary. You need the OpenSSL v1.0.1c (or later) package. Remember to install the appropriate Visual C++ Redistributable package prior to installing OpenSSL.
2. Install OpenSSL with the default path. You need a certificate directory to store all of the configuration files and resulting certificates. I created a directory called Certs on my D drive. You can put this directory anywhere you want.
3. VMware requires that the vCenter related certificates contain a SAN (subject alternative name) field in them. I've provided OpenSSL configuration files below for each of the services. All of the fields in red must be updated with your information. The country code must be only two letters. My folder structure looks like this:
Save each of the configuration files below into their respective directory. Note that VMware has you adding the IP address of the server in the subjectAltName field. You can see the difference here. Through feedback and testing, I haven't seen where leaving out the IP address causes issues. But feel free to add that field, but remember to change out all of your certificates should the server IP address change.
Inventory.cfg
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:ServerShortName, DNS:Server.DomainName
[ req_distinguished_name ]
countryName = YourCountry
stateOrProvinceName = YourState
localityName = YourCity
0.organizationName = YourCompanyName
organizationalUnitName = vCenterInventoryService
commonName = Server.DomainName
SSO.cfg
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:ServerShortName, DNS:Server.DomainName
[ req_distinguished_name ]
countryName = YourCountry
stateOrProvinceName = YourState
localityName = YourCity
0.organizationName = YourCompanyName
organizationalUnitName = vCenterSSO
commonName = Server.DomainName
vCenter.cfg
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:ServerShortName, DNS:Server.DomainName
[ req_distinguished_name ]
countryName = YourCountry
stateOrProvinceName = YourState
localityName = YourCity
0.organizationName = YourCompanyName
organizationalUnitName = vCenterServer
commonName = Server.DomainName
WebClient.cfg
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:ServerShortName, DNS:Server.DomainName
[ req_distinguished_name ]
countryName = YourCountry
stateOrProvinceName = YourState
localityName = YourCity
0.organizationName = YourCompanyName
organizationalUnitName = vCenterWebClient
commonName = Server.DomainName
VUM.cfg
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:ServerShortName, DNS:Server.DomainName
[ req_distinguished_name ]
countryName = YourCountry
stateOrProvinceName = YourState
localityName = YourCity
0.organizationName = YourCompanyName
organizationalUnitName = VMwareUpdateManager
commonName = Server.DomainName
LogBrowser.cfg
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:ServerShortName, DNS:Server.DomainName
[ req_distinguished_name ]
countryName = YourCountry
stateOrProvinceName = YourState
localityName = YourCity
0.organizationName = YourCompanyName
organizationalUnitName = vCenterLogBrowser
commonName = Server.DomainName
Orchestrator.cfg
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:ServerShortName, DNS:Server.DomainName
[ req_distinguished_name ]
countryName = YourCountry
stateOrProvinceName = YourState
localityName = YourCity
0.organizationName = YourCompanyName
organizationalUnitName = VMwareOrchestrator
commonName = Server.DomainName
Create CSRs
After you tweak and save your OpenSSL configuration files you need to generate the actual CSR files so you can submit that to your CA. First, we need to generate the RSA 2048 bit private keys. I have a two scripts that help automate the certificate process. The first only automates the CSR process, as you may not be using a Microsoft CA which my full automated script requires.
At the end of this post is a script that automates all of the certificate minting process, including creating the CSRs and PFX files. However, it requires the use of an online Microsoft enterprise CA in your domain. Read through all of the steps so you know what is needed, then feel free to use the automated scripts instead of typing all of the commands for each of the certificates.
WARNING: vCenter is extremely picky about the format of the RSA private key file (rui.key) and you will most certainly have a smoking vCenter VM if you don't have the right format. If the header of the RSA key file only reads "-----BEGIN PRIVATE KEY-----" then Houston, you have a major problem.
The format of your RSA private key file should have a header of "-----BEGIN RSA PRIVATE KEY-----". This is the one and ONLY format that vSphere will accept.
1. Use the following OpenSSL command to create a file called rui.key. Run this in each directory, as each certificate should have a unique private key. Note, these steps differ every so slightly from the VMware KB, but produce the same results. These steps produce the RSA key in the proper format from the get-go, without having to convert them like the KB article has you do.
c:\OpenSSL-Win32\bin\openssl.exe genrsa 2048 > rui.key
Note: I've added a script at the bottom of this post that automates the entire certificate process, after you create the OpenSSL configuration files. Scroll down to the end if you wish to try that out instead of individual commands that are in the next several steps.
2. Using the RSA private key and the service-specific configuration file we need to generate CSRs (certificate signing request) for each service. Run the command below in each service certificate folder, changing the name of the configuration file for each invocation.
c:\OpenSSL-Win32\bin\openssl.exe req -out rui.csr -key rui.key -new -config inventory.cfg
3. After running both commands you should now see rui.csr and rui.key files in each service folder.
Create_CSR.bat
----
CD /d D:\certs\vcenter
c:\OpenSSL-Win32\bin\openssl.exe genrsa 2048 > rui.key
c:\OpenSSL-Win32\bin\openssl.exe req -out rui.csr -key rui.key -new -config vcenter.cfg
CD /d D:\certs\Inventory
c:\OpenSSL-Win32\bin\openssl.exe genrsa 2048 > rui.key
c:\OpenSSL-Win32\bin\openssl.exe req -out rui.csr -key rui.key -new -config inventory.cfg
CD /d D:\certs\SSO
c:\OpenSSL-Win32\bin\openssl.exe genrsa 2048 > rui.key
c:\OpenSSL-Win32\bin\openssl.exe req -out rui.csr -key rui.key -new -config SSO.cfg
CD /d D:\certs\UpdateManager
c:\OpenSSL-Win32\bin\openssl.exe genrsa 2048 > rui.key
c:\OpenSSL-Win32\bin\openssl.exe req -out rui.csr -key rui.key -new -config VUM.cfg
CD /d D:\certs\webclient
c:\OpenSSL-Win32\bin\openssl.exe genrsa 2048 > rui.key
c:\OpenSSL-Win32\bin\openssl.exe req -out rui.csr -key rui.key -new -config webclient.cfg
CD /d D:\certs\LogBrowser
c:\OpenSSL-Win32\bin\openssl.exe genrsa 2048 > rui.key
c:\OpenSSL-Win32\bin\openssl.exe req -out rui.csr -key rui.key -new -config LogBrowser.cfg
CD /d D:\certs\Orchestrator
c:\OpenSSL-Win32\bin\openssl.exe genrsa 2048 > rui.key
c:\OpenSSL-Win32\bin\openssl.exe req -out rui.csr -key rui.key -new -config Orchestrator.cfg---
Mint Certificates
There are a couple of ways you can mint the SSL certificates from a Microsoft CA. One is using the traditional web interface. The other, is a command line method to automate the process. I prefer the command line, as it's faster and less error prone.
--Command Line Method--
1. To use the command line method you need to know the hostname of your CA, the "name" of your CA (see first screenshot below), and the certificate "template name" which may NOT the same as the certificate "template display name". The "template name" is usually the template display name without any spaces (see screenshot below).
Select the appropriate certificate template (e.g. "VMware SSL") that has the additional key usage property (dataEncipherment). You can check out my blog post here for how to create a custom certificate template that has this key usage feature.
2. In the first certificate directory run the following command, of course changing the properties as needed for your CA. This will produce the rui.crt file, a newly minted SSL certificate.
certreq -submit -config "D001DC01\Contoso-D001DC01-CA" -attrib "CertificateTemplate:VMwareSSL" rui.csr rui.crt
3. Repeat the minting process for the remaining certificates.
--Web Method--
4. If you want to create the certificate the old fashion method then open the first rui.csr file with NotePad and copy the contents to the clipboard.
5. To create the certificate submit the CSR to the Microsoft CA then download the certificate. Navigate to the homepage of the Microsoft CA (https://YourCAServer/certsrv) and you should see a screen just like the one below. Select "Request a certificate."
6. Select "advanced certificate request."
7. Select the second option shown below:
8. Paste the CSR you generated from OpenSSL into the request window. Change the certificate template to "VMware SSL" or whatever you have defined as your SSL certificate template with the additional key usage property. Again, you can check out my blog post here for how to create a custom certificate template that has this required key usage feature.
If you only see "User" and "Basic EFS" options, then the account you are using lacks the proper permissions on the CA to request certificates. Use a more privileged account to perform the request.
9. Submit the certificate request (Base 64 encoded) then Save As and use a file of rui.crt and place it into the appropriate folder (e.g. D:\Certs\Inventory) directory. If the saved file is mangled, you probably have the enhanced IE security enabled. Turn it off and re-submit the request and it should properly save.
10. Repeat the web-based minting process for the remainder of the certificates. Each folder should have the following files:
Certificate Validation
To validate the certificates have all of the right fields, double click on each rui.crt file and it should open up. Click on the Details tab and verify that the "OU" sub-field of the Subject name matches the service for which you created the certificate for. I would also double check the Subject Alternative Name to ensure both the short hostname and the server's FQDN is listed.
Download Root Certificates
Further in the SSL replacement process we will need the public root certificate(s) file in Base-64 encoded format.
1. Go to the Microsoft CA home page that you used to mint the certificates and click on Download a CA certificate, certificate chain or CRL. Change the encoding method to Base 64 and click Download CA certificate chain. Change the file name to cachain.p7b.
2. Double click on the downloaded certificate, then locate the certificate in the console. If you have more than one certificate in the console, skip to step 3 below. If you have just one certificate, right click on the certificate and select All Tasks -> Export. Select Base-64 encoded and save the certificate with a filename of Root64.cer in the root of the Certs directory.
3. If you have a root and intermediate CA (two or more certs in the console), you have some extra work. Export each certificate from the console and save into different files (e.g. Root64-1.cer and Root64-2.cer). For the purposes of this blog series, you MUST save your Root CA as Root64-1.cer. Any intermediary CAs should be Root64-2.cer, etc. We also need a concatenated file of the CAs (Root64.cer):
copy Root64-1.cer+Root64-2.cer Root64.cer
Don't delete any of these root or intermediary files, as they will be used later in the installation process.
4. You should now have the following folder structure:
Creating PFX Files
1. To create the required PKCS#12 PFX files use the following command for each service (note that "testpassword" is required by VMware. Do NOT try and use a custom password!). Notice that we also embed the root certificate into the PFX file (-certfile). Also, do NOT change the friendly name (-name) of "rui" to anything else. The Profile Driven storage service will likely not function and die with an unhelpful error message.
C:\openssl-Win32\bin\openssl pkcs12 -export -in rui.crt -inkey rui.key -certfile D:\certs\root64.cer -name rui -passout pass:testpassword -out rui.pfx
Create_PFX.bat
---
CD /d D:\certs\SSO
C:\openssl-Win32\bin\openssl pkcs12 -export -in rui.crt -inkey rui.key -certfile D:\certs\root64.cer -name rui -passout pass:testpassword -out rui.pfx
C:\openssl-Win32\bin\openssl pkcs12 -export -in rui.crt -inkey rui.key -certfile D:\certs\root64.cer -name rui -passout pass:testpassword -out rui.pfx
CD /d D:\certs\Inventory
C:\openssl-Win32\bin\openssl pkcs12 -export -in rui.crt -inkey rui.key -certfile D:\certs\root64.cer -name rui -passout pass:testpassword -out rui.pfx
C:\openssl-Win32\bin\openssl pkcs12 -export -in rui.crt -inkey rui.key -certfile D:\certs\root64.cer -name rui -passout pass:testpassword -out rui.pfx
CD /d D:\certs\vCenter
C:\openssl-Win32\bin\openssl pkcs12 -export -in rui.crt -inkey rui.key -certfile D:\certs\root64.cer -name rui -passout pass:testpassword -out rui.pfx
C:\openssl-Win32\bin\openssl pkcs12 -export -in rui.crt -inkey rui.key -certfile D:\certs\root64.cer -name rui -passout pass:testpassword -out rui.pfx
CD /d D:\certs\UpdateManager
C:\openssl-Win32\bin\openssl pkcs12 -export -in rui.crt -inkey rui.key -certfile D:\certs\root64.cer -name rui -passout pass:testpassword -out rui.pfx
C:\openssl-Win32\bin\openssl pkcs12 -export -in rui.crt -inkey rui.key -certfile D:\certs\root64.cer -name rui -passout pass:testpassword -out rui.pfx
CD /d D:\certs\WebClient
C:\openssl-Win32\bin\openssl pkcs12 -export -in rui.crt -inkey rui.key -certfile D:\certs\root64.cer -name rui -passout pass:testpassword -out rui.pfx
C:\openssl-Win32\bin\openssl pkcs12 -export -in rui.crt -inkey rui.key -certfile D:\certs\root64.cer -name rui -passout pass:testpassword -out rui.pfx
CD /d D:\certs\LogBrowser
C:\openssl-Win32\bin\openssl pkcs12 -export -in rui.crt -inkey rui.key -certfile D:\certs\root64.cer -name rui -passout pass:testpassword -out rui.pfx
C:\openssl-Win32\bin\openssl pkcs12 -export -in rui.crt -inkey rui.key -certfile D:\certs\root64.cer -name rui -passout pass:testpassword -out rui.pfx
CD /d D:\certs\Orchestrator
C:\openssl-Win32\bin\openssl pkcs12 -export -in rui.crt -inkey rui.key -certfile D:\certs\root64.cer -name rui -passout pass:testpassword -out rui.pfx
C:\openssl-Win32\bin\openssl pkcs12 -export -in rui.crt -inkey rui.key -certfile D:\certs\root64.cer -name rui -passout pass:testpassword -out rui.pfx
----
3. To validate the PFX files were created correctly you can run the following command from one of the service certificate folders:
C:\openssl-win32\bin\openssl pkcs12 -in rui.pfx -info
When you run that command you will be prompted a few times to enter the password, which is 'testpassword'. Validate all of the fields look appropriate.
Create JKS KeyStore
1. We need to create an empty JKS keystore the SSO service will use. In an elevated command prompt enter the command below to create the keystore:
"C:\Program Files\VMware\Infrastructure\jre\bin\keytool.exe" -v -importkeystore -srckeystore D:\certs\sso\rui.pfx -srcstoretype pkcs12 -srcstorepass testpassword -srcalias rui -destkeystore D:\certs\sso\root-trust.jks -deststoretype JKS -deststorepass testpassword -destkeypass testpassword
2. To add your Root CA certificate to the store enter this command. If you have intermediate CAs, for this command use the Root64-1.cer file (not Root64.cer), which should be the root CA certificate.
"C:\Program Files\VMware\Infrastructure\jre\bin\keytool.exe" -v -importcert -keystore D:\certs\sso\root-trust.jks -deststoretype JKS -storepass testpassword -keypass testpassword -file D:\certs\Root64.cer -alias root-ca
When prompted to confirm you trust the certificate, enter yes.
3. If you have intermediary certificate authorities, you have a bit more work to do. You first need to get the hash of your Root64-2.cer file (intermediate CA public certificate). If you have additional intermediate CAs, repeat the process for each one:
openssl x509 -subject_hash -noout -in D:\certs\Root64-2.cer
4. To import the intermediate CA certificates into the JKS keystore run the following command, replacing
keytool -v -importcert -noprompt -trustcacerts -keystore D:\certs\sso\root-trust.jks -deststoretype JKS -storepass testpassword -keypass testpassword -file D:\certs\Root64-2.cer -alias intermediate-YourHash
5. You can now validate that the keystore has all of the required certificates by running the following command:
"C:\Program Files\VMware\Infrastructure\jre\bin\keytool.exe" -list -v -keystore D:\certs\sso\root-trust.jks
6. The SSO service needs a copy of the JKS so enter the following command:
copy D:\certs\sso\root-trust.jks D:\certs\sso\server-identity.jks
Pre-Staging SSL Certificates
If you are performing a fresh install of the vCenter 5.1 components, I strongly urge you to use my pre-staging method of SSL certificate installation. That will save you A LOT of time, pain, and suffering by doing it post-install.
While it won't replace the SSO SSL certificates, it can do the Inventory service, vCenter, web client, and VUM services (sorry, LogBrowser is still outstanding). Check out my blog post here for a batch file that automates the pre-staging process for you. After you complete those steps, you can proceed to Part 3 where we replace the SSO SSL certificates.
Automated Certificate Batch File
Below is the batch file that will create the private RSA keys, create CSRs based on the OpenSSL configuration file, get a minted certificate from a MS CA, then create the PFX file with the VMware password, and makes the PEM files needed for the vCenter certificate automation tool. Fully automated!
To successfully execute the script you need the following:
- All certificate directories created
- All OpenSSL configuration files created
- Downloaded the root CA certificate(s) into the root64.cer file
- Have read and enroll permissions on the CA template you are using
Depending on the security and delegation in your environment, you may not have the rights to request a certificate from the enterprise CA. If that's the case, find someone in the organization which does have the proper permissions to run the script below:
---
Set OpenSSL_BIN=c:\OpenSSL-Win32\bin\openssl.exe
Set Cert_Path=c:\OpenSSL-Win32\certs
Set Cert_Template=VMwareSSL
Set CA_Name=D001DC01\Contoso-D001DC01-CA
set CA_Cert_Path=c:\OpenSSL-Win32\certs\root64.cer
CD /d %Cert_Path%\vcenter
%OpenSSL_BIN% genrsa 2048 > rui.key
%OpenSSL_BIN% req -out rui.csr -key rui.key -new -config vcenter.cfg
certreq -submit -config "%CA_NAME%" -attrib "CertificateTemplate:%Cert_Template%" rui.csr rui.crt
%OpenSSL_BIN% pkcs12 -export -in rui.crt -inkey rui.key -certfile %CA_CERT_Path% -name rui -passout pass:testpassword -out rui.pfx
copy /B rui.crt + %CA_Cert_Path% chain.pem
CD /d %Cert_Path%\Inventory
%OpenSSL_BIN% genrsa 2048 > rui.key
%OpenSSL_BIN% req -out rui.csr -key rui.key -new -config inventory.cfg
certreq -submit -config "%CA_NAME%" -attrib "CertificateTemplate:%Cert_Template%" rui.csr rui.crt
%OpenSSL_BIN% pkcs12 -export -in rui.crt -inkey rui.key -certfile %CA_CERT_Path% -name rui -passout pass:testpassword -out rui.pfx
copy /B rui.crt + %CA_Cert_Path% chain.pem
CD /d %Cert_Path%\SSO
%OpenSSL_BIN% genrsa 2048 > rui.key
%OpenSSL_BIN% req -out rui.csr -key rui.key -new -config SSO.cfg
certreq -submit -config "%CA_NAME%" -attrib "CertificateTemplate:%Cert_Template%" rui.csr rui.crt
%OpenSSL_BIN% pkcs12 -export -in rui.crt -inkey rui.key -certfile %CA_CERT_Path% -name rui -passout pass:testpassword -out rui.pfx
copy /B rui.crt + %CA_Cert_Path% chain.pem
CD /d %Cert_Path%\UpdateManager
%OpenSSL_BIN% genrsa 2048 > rui.key
%OpenSSL_BIN% req -out rui.csr -key rui.key -new -config VUM.cfg
certreq -submit -config "%CA_NAME%" -attrib "CertificateTemplate:%Cert_Template%" rui.csr rui.crt
%OpenSSL_BIN% pkcs12 -export -in rui.crt -inkey rui.key -certfile %CA_CERT_Path% -name rui -passout pass:testpassword -out rui.pfx
copy /B rui.crt + %CA_Cert_Path% chain.pem
CD /d %Cert_Path%\webclient
%OpenSSL_BIN% genrsa 2048 > rui.key
%OpenSSL_BIN% req -out rui.csr -key rui.key -new -config webclient.cfg
certreq -submit -config "%CA_NAME%" -attrib "CertificateTemplate:%Cert_Template%" rui.csr rui.crt
%OpenSSL_BIN% pkcs12 -export -in rui.crt -inkey rui.key -certfile %CA_CERT_Path% -name rui -passout pass:testpassword -out rui.pfx
copy /B rui.crt + %CA_Cert_Path% chain.pem
CD /d %Cert_Path%\LogBrowser
%OpenSSL_BIN% genrsa 2048 > rui.key
%OpenSSL_BIN% req -out rui.csr -key rui.key -new -config LogBrowser.cfg
certreq -submit -config "%CA_NAME%" -attrib "CertificateTemplate:%Cert_Template%" rui.csr rui.crt
%OpenSSL_BIN% pkcs12 -export -in rui.crt -inkey rui.key -certfile %CA_CERT_Path% -name rui -passout pass:testpassword -out rui.pfx
copy /B rui.crt + %CA_Cert_Path% chain.pem
CD /d %Cert_Path%\Orchestrator
%OpenSSL_BIN% genrsa 2048 > rui.key
%OpenSSL_BIN% req -out rui.csr -key rui.key -new -config Orchestrator.cfg
certreq -submit -config "%CA_NAME%" -attrib "CertificateTemplate:%Cert_Template%" rui.csr rui.crt
%OpenSSL_BIN% pkcs12 -export -in rui.crt -inkey rui.key -certfile %CA_CERT_Path% -name rui -passout pass:testpassword -out rui.pfx
copy /B rui.crt + %CA_Cert_Path% chain.pem
if i install this software on separate server, the cert will create by this server name not the virture center server right.
ReplyDeleteGreat job
ReplyDeleteHow can i get to Active Directory certificate Service web interface ?
Great article, but no where did this process create a rui.crt file. Did I miss that somewhewre?
ReplyDeleteZubrania: If the AD certificate server has the web services installed you go to http://YourCA/certsrv
ReplyDeleteJonathon: Had a typo in the article..fixed that. Thanks! rui.crt is actually the certificate you download from the CA (which I had originally called rui.cer).
ReplyDeleteI figured that out after a while :) Thanks for updating, still a great article.
DeleteDerek,
ReplyDeletei have 2 server 1) for SSO 2) virture center and all in the .cfg file what server DNS name do i point to? please let me know thanks
The SSO configuration files are for the SSO server, so you use the FQDN of your SSO server.
ReplyDeleteI see you added a batch file to generate the CSRs. I'll take you a step further. You can use this command below to actually submit the CSR to your MS CA and get back the cert. Saves some copy and paste time. Obviously you need to change the template attribute to match yours. I didnt spend time to figure out how to specify the specific CA, so I get a pop up to ok for each one, but a few quick enters and you're done.
ReplyDeletecertreq -submit -attrib "CertificateTemplate:vSphereSSL" rui.csr rui.crt
Tim, thanks for the tip! To specify the CA name you can use:
Deletecertreq -submit -config "D001DC01\Contoso-001DC01-CA" -attrib "CertificateTemplate:VMwareSSL" rui.csr rui.crt
Tim,
DeleteI added a new batch file at the end of my post based on your command line, but also adding the CA name. Full certificate process is now scripted. Thanks for the input.
hi i'm getting "cannot load VC certificate" for the VC install (vcregtool.log) "Invalid DER-encoded certificate data"
ReplyDeleteI have the correct BEGIN/END RSA PRIVATE KEY statements.
I have checked my openssl.cnf against your .cfg examples and they are the same (only the names were changed to protect the innocent).
I create my certs on Linux using openssl 0.9.8. These Linux based certs work in all other instances ( even picky progs like Oracle and WebSphere).
I notice in your posts you use 1.0.1c. Any idea how important that is ?
or perhaps have i walked into another trap. I am currently upgrading, in dev, from 4.1 to 5.1. The prod system is 5.0 so my testing may in vain anyway.
H
Hiney, sounds like one of your certificate files (rui.key or rui.crt) is bad. Can you open the rui.crt key in Windows Explorer and view the properties by double clicking on it? If you open rui.crt in NotePad, is it in ASCII text and nicely formatted?
Deletedouble clicking on rui.key presents the windows can't open this file dialog, in notepad though, it appears to be preperly formatted.
Deletethe rui.crt file begins with te following. should that get removed ? no other service has needed it so far.
"Certificate:
Data:
Version: 3 (0x2)
Serial Number:
c2:d7:ca:40:6b:62:e7:98
Signature Algorithm: sha512WithRSAEncryption
"
h
No that's totally the wrong format for a rui.crt file. It should start with "----BEGIN CERTIFICATE----" and have nicely formatted base-64 text. And it should easily open in Windows Explorer.
DeleteDerek,
ReplyDeleteThank you for this walk through!
When I attempt to run the batch file at the end of your post I am getting a Certificate Request Processor error. "The RPC server is unavaliable. 0x800706ba (win32:1722)" I did download open ssl 64 bit, I'm not sure if this stems from that difference?
Brian, the RPC error would have nothing to do with OpenSSL. That sounds like a firewall issue on the CA.
DeleteMay I just confirm that the ca_certificates.crt is just the "root" CA certificate. So if there is a root and an 1 intermediate CA, then the C:\ProgramData\VMware\SSL folder will contain the ca_certificates.crt (a copy of the root) and then two hash.0 certificates, one for Root and one for Intermediate. All three files are the same base64 format. There is no need to include a copy of the actual certificate that was generated. Therefore, the folder will contain three files (in a Root + 1 Intermediary CA). Thanks
ReplyDeleteAnonymous, since VMware doesn't document the use of ca_certificates.crt, how to handle intermediate is not totally clear. Your plan is where I would start...let us know what your experience is.
Deleteon your step 7 how to create the vmwaressl cert template?
ReplyDeleteI have a link to my blog post in the updated section of this post that shows you how to make the VMware template.
DeleteOh, this is fun. The hash of the root CA certificate is different in different versions of openssl? If I generate the hash using the version on the VCSA (version 0.9.8j-fips), I get a different value than when I generate the hash using the Windows version of OpenSSL (version 1.0.1c). Is that strange? I can copy it from one to the other and back again, checking the hash each time, and it's always the same on the VCSA and always the same on the Windows server, but they aren't the same as each other. I did check for DOS line endings, but there aren't any.
ReplyDeleteOh, I figured it out. There are two different hashing mechanisms. In the newer version of openssl, need to use -subject_hash_old to get the same hash as the version of openssl on the VCSA.
ReplyDeleteHi, this walkthrough is very helpfull!
ReplyDeleteI'm unable to automate fully the certificates creation. When I use the certreq command, it doesn't create the rui.crt file. It only submits it to the pending requests.
I'm not sure, but I think it's because I don't have a Template Name (I don't know how to have one)
Ya you need to use a template name. "WebServer" may work, but I wrote an article here how to create a new template:
Deletehttp://derek858.blogspot.com/2012/09/create-vmware-windows-ca-certificate.html
Hi Derek, in step #15 you've said " Repeat the hashing process for any intermediary CAs, such that the full certificate chain has a set of files named with their hash value. "
ReplyDeleteCan you please clarify that for us please ... for example:
1. for all those certificates we created (Inventory, SSO, VCenter) we should copies of certificates with names from hash values?
2. Should we place those "hashvalue.0" in directories like "C:\ProgramData\VMware\SingleSignOn\SSL" or in a SSL root directory "C:\ProgramData\VMware\SSL"
3. In directories like this one ""C:\ProgramData\VMware\SingleSignOn\SSL" should we place both "ruii.crt" and "hashvalue.0" certs or only one if only one which one?
Thank you very much!
Dejan, No you don't need to place hash files for the service certificates. The hashvalue.0 files are only needed in one directory, the one called out in the installation steps. The service SSL directories should have the rui.crt, rui.key and rui.pfx files.
ReplyDeleteApologies if my question may seem dense! In step 15 I see you have two files with the hash value. I understand that one of them is from the root64.cer from step 14. But where did the other one come from? intermediary CAs? Where is that from?
ReplyDeleteMuch thanks Derek.
Hi,
ReplyDeleteThanks for this guide. I'm working through it slowly. A quick question regarding the hash file. I changed the root64.cer to the hash value with .0 at the end. but it still shows as a certificate file, where as your screenshot shows it as a white icon... Is this OK, if not can you please advise how to solve it?
Thank you
H
@H Limbada: Explorer is probably hiding the file extensions. Make sure file extensions are not hidden. You could also open a command prompt and look at the directory listings to ensure it ends in .0.
DeleteHi,
ReplyDeleteThis has been a great help!!! I have found an issue with Step 14. When using OpenSSL 0.98x, the following x509 command option "-subject_hash_old" will display an error. After installing OpenSSL 1.0.1c the command stated in step 14 worked properly.
Thanks, Greg
Hi
ReplyDeleteWhen I type
c:\OpenSSL-Win32\bin\openssl.exe genrsa 2048 > rui.key
I get the following prompt:
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Loading 'screen' into random state - done
Generate RSA private key, 2048 bit long modulus
...................................+++
is 65537 (0x10001)
When I open the rui.key it does start correctly as indicated above. My concern is that it is trying to access some linux directory even though I'm on Server 2012.
I've installed the 2008 C++ Redistributable package & OpenSSL 32-Bit Lib.
Is the rui.key still workable with?
Run the following command:
Deleteset OPENSSL_CONF=c:\OpenSSL-Win32\bin\openssl.cfg
That should fix your error.
Thanks, but unfortunately it does help so much :
DeleteC:\OpenSSL-Win32\Certs\Inventory>c:\OpenSSL-Win32\bin\openssl.exe req -out rui.c
sr -key rui.key -new -config inventory.cfg
error on line -1 of inventory.cfg
2172:error:02001002:system library:fopen:No such file or directory:.\crypto\bio\
bss_file.c:169:fopen('inventory.cfg','rb')
2172:error:2006D080:BIO routines:BIO_new_file:no such file:.\crypto\bio\bss_file
.c:172:
2172:error:0E078072:configuration file routines:DEF_LOAD:no such file:.\crypto\c
onf\conf_def.c:197:
Any other idea ?
Hi
DeleteI suggest you may actually have a config file called "inventory.cfg.txt" (in your example) and not "inventory.cfg".
Check the filename from a command prompt or by configuring Explorer to not "Hide extensions for known file types" and rename it if necessary.
Then delete your existing rui.key files and try again.
Paul B
Derek, we have a certificate chain with a CA and a SubCA. so the cachain.p7b lists 2 root certificates.
ReplyDeleteWhich one do we need to use for the root64.cer ? (and thus for creating .pfx files)
Do we need both for creating two .0 files?
The process isn't very clear when you have a CA and sub CA. I would start by creating two .0 files. If that doesn't work, open a case with VMware.
DeleteHi Derek, Great Article, I'm trying to replace the certificates, had no problem with 4.1 but hell this is a completely different cake..... We also have a root ca with 2 intermediate ca's and after using the new certificates (hash.0 files created), etc.... the SSO server always stops when starting the service. DO you have some settings on how I can increase logging to find out where the certificate is failing. Would be nice to see what kind of error is causing the issue. invalid chain, missing attribute, etcc.. thx for the good work. Pascal
ReplyDeleteGreat article! I do run into some trouble with the web certsrv. In the WIn 2008r2 server I get only two available templates while when I connect from a win 8 machine I see a lot more templates (including vmware) I tried different users on 2008r2 but nothing seems to help! Any ideas what I'm doing wrong?
ReplyDeleteRegards Eugene
@Eugene: Are you using the same account to logon to the CA with? There's no reason why you can't complete the certificate process with your Win8 computer. Just copy the files back to your vCenter server. Sounds like an authentication/permission problem.
DeleteBTW at step 15 you mention repeating the process for intermediary CAs. As far as I know I don't have any. I installed Certificates Service at my AD specially for this. Will it work without?
ReplyDeleteRegards
@Eugene: Yes, I've only deployed the certs with a single online root CA. It works just fine.
DeleteHi Derek,
ReplyDeleteGreat guide, have a question tho (and im kinda new at using certs as u will notice).
We at our company have a *.company.com bought root cert.
Is there a way to use that here ?
Do i still need to generate the files like you have done in this guide ?
I have a xxxx.key file and a xxxx.cer xxxx.pem xxxx.p7b downloaded. Should i generate the .csr file with our .key and the .cfg file you posted ? or do i download .csr file as well. But i guess i wont get the distinct OU names if i dont do it your way.
Regards
@Stefan: No, you cannot use wildcard certificates. vCenter requires SIX unique certificates, each with different "OU" properties.
Deletethat was what i was afraid of... thanks for your reply :)
DeleteHi Derek,
ReplyDeleteI've been reading your SSL steps in parallel to VMwares' KB....
Could you just confirm whether your CA was a single root CA or whether your cachain.p7b ended up displaying several Subordinate CAs?
My current cachain.p7b shows the RootCA and 2 Subordinates (or intermediates).
Your steps were not clear what to do with these subordinates and after some reading around I noticed that VMware's KB (2037432) does actually state the following:
"This assumes there are no intermediate certificates in the Certificate Authority. If there are two or more levels in the Certificate Authorities, before exporting the certificate into Base-64 encoded X.509 (.CER) if you have multiple certificates on the p7b file, you won't be able to export them to Base64 at the same time. Instead you will have to export them one by one. For example, create files C:\certs\Root64-1.cer and C:\certs\Root64-2.cer etc. You can then concatenate the two files into one, which can be done from the Windows command prompt:
C:\certs>more Root64-1.cer > Root64.cer
C:\certs>more Root64-2.cer >> Root64.cer"
I can only guess that this is how VMware deals with subordinate/intermediate CAs......
currently generating the Root64.cer using VMware's method.... guess I'll update you with regards to whether it works or not! =)
It seems this way of concatenating the intermediate certs seems to work..... =)
DeleteHere's a gotcha relating to steps 12 - 14 in a scenario where there are intermediate CAs in a CA chain. Starting with a pkcs7 (.p7b) file containing the certificate chain, the command "openssl pkcs7 -inform DER -in myChain.p7b -print_certs > ca_certificates.crt" will create a file with all the certificates in the chain in PEM format. This appears to be ok until you get to the very end of this long installation process (post #14) and find that the log browser service still doesn't work after fixing up its CA chain. It turns out that the above openssl command puts comments in the output file: lines listing the subject and issuer of each certificate. This causes the log browser to consider the file invalid as indicated in its log. See C:\Program Files\VMware\Infrastructure\vSphereWebClient\logbrowser\log\com.vmware.vide.ws.product-yyyy-mm.i.log. Removing the comments and restarting makes the log browser happy but wipes out any previous configuration done in vCenter. Ouch.
ReplyDeleteIf you also download the individual CA certificates in DER format (Microsoft .cer), the command "openssl x509 -inform DER -in myCACert1.cer -outform PEM -out myCACert1.pem" will create the required PEM file without the comments. The PEM files for all of the certificates in the CA chain can then be concatenated to create a correctly formateed ca_certificates.crt.
Hello Derek,
ReplyDeleteFollowed entire steps mentioned by you. vCenter Installation was successful. However after rebooting the VC VM, VMWare VirtualCenter Management Webservices is not starting. VMWare VirtualCenter Server is however started. Please let me know your thoughts.
Thanks,
Abhi
hello abhi,
Deletehave you got an answer for this problem because i have exactly the same problem
thanks and best regards
Hi Derek,
ReplyDeleteThanks for pulling these information together in this incredible blog.
I am trying to replace the SSL certificates on a vCenter 5.1 virtual appliance with ones signed by my Windows Enterprise CA. I have done everything up to step 12. However I am not sure where to find the equivalent of "C:\ProgramData\VMware\" directory on Linux?
Could you please give me some pointers on that? And do you know if indeed this procedure will work for the virtual appliance?
Thanks in advance.
countryName = YourCountry should contain 2 letter country code not the country name
ReplyDeleteHi Derek
ReplyDeletecouple of notes regarding your article
Cert request should be done under either sysadmin rights or user with Read and Enroll permissions on the certificate template.
Last week I replaced my six vCenter SSL certificates in the course of a tech support case with VMware. I had initially prestaged the certificates based on this series of blog posts. To replace the certificates, I followed VMware's instructions starting at http://kb.vmware.com/kb/2034833. In the first part of the "resolution path" at http://kb.vmware.com/kb/2037432, the OpenSSL configurations for creating the certificate requests are described in steps 3 - 9. Take note in particular of the subjectAltName configurations, where VMware recommends including "DNS:ServerIPAddress". I questioned the support technician about this, since including IP addresses as subject alternative names is both unusual and not recommended. Beyond this, all new certificates would be required with a change in the vCenter server's IP address. Furthermore, the OpenSSL documentation states that the specification should read "IP:ServerIPAddress" rather than "DNS:ServerIPAddress". VMware tech support stuck with the recommendations in their documentation. Although I did not attempt to escalate this question, I believe their thinking around this is fuzzy. They did say that omitting the IP address in the subject alternative name would not break vCenter functionality, but might result in a warning message during installation. I intend when time permits to create another new set of certificates without the IP address in the subject alternative name, but have not yet done so.
ReplyDelete@Jeffry: Thanks for the information on the IP address. I also questioned VMware about that, since it is quite unusual. The information I got back mirrored what you said. Not a hard requirement, but some vCenter components may access servers via IP address and thus may get some certificate warnings. VMware should update the software to only use FQDNs for accessing secure services, IMHO.
ReplyDelete@Jeffry: VMware updated their SSL cert whitepaper, and have "IP" field for the SAN. http://www.vmware.com/files/pdf/techpaper/vsp_51_vcserver_esxi_certificates.pdf
Delete@Derek: I see. I had not looked at the PDF whitepaper previously, and the HTML version at KB 2037432 still shows "DNS: ServerIPAddress" in the SubjectAltName configuration.
DeleteBy the way, and I forgot to mention this earlier, VMware tech support also told me that in an IPv4/IPv6 dual-stack environment, which is our situation, they recommend two IP SANs, one for the IPv4 and one for the IPv6 address of the vCenter server.
My intention is still to try out certificates with no IP SANs to see if this is really an issue of practical significance.
I'm part way through testing new certificates without the IP addresses in their Subject Alternative Names. With regard to creation of the PKCS12 files in step 10 above, the friendly names really have to be "rui", i.e. "-name rui". I had been using mnemonic friendly names for each of the six certificates, and I found that in this case the VMware vSphere Profile-Driven Storage Service won't run after the new vCenter Server certificate is put in place. When started, it stops after about 7 seconds with the completely unhelpful service specific error "Incorrect function" in the Windows System event log. The only symptom of this is the lack of data in the Storage Views tab in the vSphere client. There may be other issues, but rather than proceeding further, I'm going to regenerate all the PKCS12 files using the friendly name "rui" and start over.
ReplyDeleteHi Derek, thank you for this blog.
ReplyDeleteI have no Microsoft Ca, so I had to buy the certificates from an external company (I have used Standard SSL from Go Daddy).
But the certificates which the generate has this subject:
CN = VC.internal.domain.local
OU = Domain Control Validated
O = VC.internal.domain.local
You're writing the OU should display the servicename, without it won't work.
Do you know, what I'm doing wrong?
Premium SSL with EV doesn't work because the FQDN is only internal.
@Simon: The OU property must be unique for each of the certificates. GoDaddy may not support a custom OU property field. I would contact their SSL certificate support staff and ask them.
ReplyDelete@Derek, I have asked them, they say no public CA can do this with a internal FQDN.
DeleteAnswer from GoDaddy Support: "The OU portion of the request gets stripped from the request on our end. The domain control validated is inserted by the server. The OU field should have no bearing on whether the SSL works or not, the server should only be looking at the common name field."
I'm now installing the vCenter anyways with your manual, hopefully it works.
@Simon: Ya clearly GoDaddy doesn't know vCenter depends on the OU field.
Delete@Derek, the installation is failed an I get the error "Failed to connect to VMware Lookup Service https://vcenter.intern.company.local:7444/lookupservice/sdk - SSL certificate verification failed."
DeleteI'm now in contact with VMware - maybe they have a solution. But I think the problem is GoDaddy. I have asked them if it's possible to generate Certs with the OU that we need for vCenter.
I'll keep you up to date.
@Simon,
DeleteDo you have any updates? I'm about to do the same thing by buying 6 different Certificates from GoDaddy but after reading your comment, I'm putting them on hold and wondering if I should deploy Windows AD Certificate Server instead.
@Derek,
Is it necessary to use external CA or I can just use a local AD CA just like your blog instruction above and we should be fine?
I might just get a warning if trying to login to the vSphere Web Client externally?
Thanks all
@IamxCPx: It is recommended to use a trusted INTERNAL CA for the vCenter certificates. There's almost no reason I can think of for vCenter that you would want commercial certs. View Security Server, yes a commercial makes sense, but not for internal vCenter certs. Given the requirements for unique OU fields, I would urge the use of a properly configured and trusted internal CA.
DeleteThanks Derek.
DeleteI'll go deploy an AD CA then.
I wonder if I should go with Windows 2012 cert server instead of 2008?
Nice Blog btw.
Your guide helps me a lot.
Unfortunately I already deployed View 5.1 so will have to track back to install the certs. :)
Hi Derek,
ReplyDeleteThank you for this blog! Question concerning step 12. When I exported the cachain.p7b in step 8E and opened per step 8F, I have a subordinate root cert and a root cert. All our certs are issued by the subordinate. Should I create the Root64.cer from the root cert or from the subordinate cert? When I generate the hash, do I need the one from the root cert, subordinate cert, or both?
Thanks
@Anonymous: I've updated the blog instructions to incorporate the recommendations for a subordinate CA in the VMware KBs.
DeleteDerek and friends,
ReplyDeleteThis probably is a dumb question but for the values in red: "server.domain"
subjectAltName = DNS:ServerShortName, DNS:Server.DomainName
commonName = Server.DomainName
do i specify my vCenter Server for all or my actual DNS server and for the commonName is the vCenter server?
Nothing out there that actually tells you what it should be that's why i'm asking.
@TOMIA: You always use the server hostname of wherever the service (e.g. vCenter) is being installed. If you are installing all components on one server, then the server name is that server's hostname, not a DNS server. You never include DNS servers in a SSL certificate. It is always bound to the server that is hosting the secure service (or a load balancer).
DeleteHi, looks as if there are updates to the following VMware KBs regarding vCenter and Certificates. Hope they fix all my issues :-)
ReplyDelete2037432
2035011
Regards Paul
I followed the steps here and it solved my issue.
ReplyDeleteDerek,
ReplyDeleteQuestion for you.
We created all of these custom .cfg on each folder.
Do we need to point the OpenSSL to those individual cfg prior to do step 4?
Because if we do, we need to do:
set OPENSSL_CONF=c:\Certs\[vCenter Components Folder]\[Custom File name].cfg
or we can just use the default, openssl.cfg located on the bin directory?
Hi Derek,
ReplyDeleteFor some reason I kept getting error when I issued command:
openssl.exe req -out rui.csr -key rui.key -new -config sso.cfg
It stated:
Loading 'screen' into random state - done
problems making Certificate Request
4040:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:.\crypto\asn1\a_object.c:109:
4040:error:0B083077:x509 certificate routines:X509_NAME_ENTRY_create_by_txt:invalid field name:.\crypto\x509\x509name.c:285:name=countryName_default
I have tried using OpenSSL 0.9.8. (32 and 64-bit) and also OpenSSL 1.0 (32 and 64-bit)
Do you by any chance know what's going on there?
I'm stuck right now.
Thanks!!
@iamxCPx: The country name must only be two characters (e.g. US or NZ).
DeleteI did. :)
Delete[ req_distinguished_name ]
countryName = US
countryName_default = AU
countryName_min = 2
countryName_max = 2
stateOrProvinceName = CO
stateOrProvinceName_default = Some-State
etc...
I tried the VMware KB and it was the same thing.
This has driving me insane. Lol.
Been spending time on this for a good 4+ hours trying to make sure I didn't misspelled anything and I didn't.
I ended up opening a case with VMware. Hopefully they know what's up.
Just want to give an update.
DeleteI finally has finished setting up the SSL on vCenter, vCenter SSO, vCenter Inventory Service that lives on a separate VM.
It took about 8 hours with VMware support on the line trying to go through their KB one by one.
The lesson I learned from this that I can share with everyone:
1. FOLLOW Derek recommendation above to "Pre-Staging" your SSL certificates. :)
2. The VMware KB is not designed for SSO and Inventory Service to live in a different servers. There are too many miss-typed or reference too. I have concluded that those instructions are for people that installed those components in one vCenter Server.
3. If you can live with it, install all vCenter components in one VM servers and beef it up. Splitting them up is a nightmare. VMware Engineer that helped me from Europe after the one in India finished their shift, agreed with me. He has helped many customers with the same problem as mine. He said they will fix it on VMware 6.0, it will be easier in regards to SSL.
Hope that helps.
Cheers!
@IamxCPx: I'm in the process of refreshing all of the articles to include my lessons learned, reader feedback, and changes in KB articles. I've added your recommendation for an all-in-one server to Part 1 of my series.
Delete@iamxcpx: No, the steps in the blog are complete. No need to set a variable.
ReplyDeleteHi Derek, if all the certs are used in a single server install can the hostname i.e myserver.mydomain.com be the same for all the certs too?
ReplyDeleteCheers
Paul
@anonymous: Yes the hostname can and must be the same if all services are on the same server. But the OU value must be unique for each certificate, or SSO will not function properly.
DeleteIn an SRM environment would it be OK to use the same certificates for both vCenter instances?
ReplyDeleteAs per your article I didn't add the IP address field when generating the certs.
@Anonymous: I haven't used SRM or know the vCenter requirements, so I don't want to venture a guess.
DeleteNo worries. For the amount of work involved I think i'll take the safe route and generate a fresh set per server.
DeleteGreat series by the way.
Cheers.
oh btw, your pfx script has a typo on the line for the Webclient:
ReplyDeleteC:\openssl-Win32\bin\openssl pkcs12 -export -in rui.crt -inkey rui.key -certfile D:\root64.cer -name rui -passout pass:testpassword -out rui.pfx
The path is incorrect to the root64 certificate.
Should be D:\certs\root64.cer
Cheers,
J
Thanks..fixed it!
DeleteFantastic post thanks Derek, I wouldn't have been able to complete the cert installation without your help, the VMware documentation is lacking to say the least. If anyone's interested I've converted the script to PowerShell, it creates the config files and directory structure then requests the certs from a Microsoft CA.... email me at jonesy5090 at gmail dot com.
ReplyDeleteNicely done. This will help me tremendously. I do have to say that VMware simplicity is gone. This makes me want to rip out VM and use one of their competitors. I honestly don't have the time for this kind of setup. I can only imagine the problems associated with this configuration when things go wrong.
ReplyDeleteDerek: Regarding your note in the install guide of using Open SSL 1.0.1c or later.
ReplyDeleteDon't use 1.0.1e - the hash value it generates for root/intermediary certs is incorrect. It's best to use OpenSSL 0.9.8.
Otherwise - a huge thank you for your guide :)
-Nick Bowie
@Nick: I tried 1.0.1e, and got the same hashes as 0.9.8 and 1.0.1c. But with 1.x you have to use a different hashing command or you will get a different result. I added a note at the beginning of Part 1, and a blurb inline in Part 3 about that. If you get different results using the proper switch, then please let me know. My results show the same hash value.
DeleteAh, I must have missed that. Thank you.
ReplyDeleteI'm not sure if I missed it somewhere, but I tried to follow your guide and I was missing this crucial piece for the pre-staging of certs. The root64.cer file needs to be renamed to ca_certificates.crt and placed here on the vCenter prior to installation.
ReplyDeleteC:\ProgramData\VMware\SSL
If you don't do that, the vCenter install will not complete successfully. I spent a few hours with VMware on the phone and they noticed I had missed that step.
@anonymous: Yes I have that included in part 3 of the series under "update trusted certificate store".
Delete@Unknown: Every service MUST have a unique certificate with the OU property different in each certificate. I have yet to hear of a commercial CA that honors the OU field in the CSR. So your best bet is an internal CA. A single wildcard cert will NOT work since the OU property is key in vSphere 5.1. Very silly requirement, but it is what it is.
ReplyDeleteHi Derek,
ReplyDeleteI have to say Fantastic post. Keep up the good work.
I'm having some issues with the keystore part. I get the following output:
"C:\Program Files\VMware\Infrastructure\jre\bin\keytool.exe" -v -importcert
-keystore D:\Install\certs\testvcc01\sso\root-trust.jks -deststoretype JKS -stor
epass testpassword -keypass testpassword -file D:\Install\certs\testvcc01\Root64
-1.cer -alias root-ca
keytool error: java.security.NoSuchAlgorithmException: 1.2.840.113549.1.1.10 Sig
nature not available
java.security.NoSuchAlgorithmException: 1.2.840.113549.1.1.10 Signature not avai
lable
at java.security.Signature.getInstance(Signature.java:193)
at sun.security.x509.X509CertImpl.verify(X509CertImpl.java:431)
at sun.security.x509.X509CertImpl.verify(X509CertImpl.java:389)
at sun.security.tools.KeyTool.addTrustedCert(KeyTool.java:1919)
at sun.security.tools.KeyTool.doCommands(KeyTool.java:818)
at sun.security.tools.KeyTool.run(KeyTool.java:172)
at sun.security.tools.KeyTool.main(KeyTool.java:166)
Any ideas?
Thanks.
Regards,
Arif
@Anonymous: What algorithm was used by the CA to sign the certificate? SHA1? SHA256? Something else?
DeleteHi Derek,
DeleteWe have a Windows Root CA and an Intermediate CA. I followed your instructions and created the VMwareSSL template on the Intermediate CA.
I'm going to try again and let you know the result.
Best,
Arif
Hi Derek,
DeleteI looked at the rui.crt file and the root64-1.cer file and they are both using RSASSA-PSS as the Signature Algorithm and SHA1 as the Signature hash algorithm.
Best,
Arif
Hi Derek,
DeleteThe strangest thing. If I use the Root64-2 then everything works fine. I'm on step 3 now and I've checked the replaced certificate and it looks fine. On step 3.10 I'm getting the vmomiError when updating the services.
Getting there one step at the time ! :)
Best,
Arif
Hi Derek,
ReplyDeleteI've tried it again and still the same error. Where can I find the algorithm used?
Thanks.
Best,
Arif
Hi Derek, first of all great thanks for your blog, it's amazing!
ReplyDeleteWhen try to install vcenter server i get this error
"Setup Failed to validate vmware vCenter inventory service, error occurred while talking to the vcenter single sign on admin service"
In vminst.log i get
ThumbprintTrustManager] Server certificate chain is not trusted
Maybe i was little beat confused about directory c:\programdata\VMware\SSL
actualy, follow your doc, it contains ca_certificates.crt that is the copy of root64.cer that is certificate from enterprise domain CA without any intermediate ca, and another file tha is hashvalue.0 compute fro root64.cer with openssl last version with command _hash_old like you suggest on your blog
where i get a mistake?
Many thanks
Derek, this question comes from a lack of experience with proper certificates on vCenter, but is there any special guidance on how to re-issue these certs when they are about to expire? Or would one basically just follow the same exact steps to put updated certs on? Of course in two years there may be a better tool than 1.0 Cert Manager that came out, so it might be simpler.
ReplyDelete