Sunday, April 7, 2013

Using the VMware vCenter Certificate Automation Tool: Part 1 (Pre-reqs and Config)

If you have installed vSphere 5.1 and tried to use your own trusted SSL certificates, you have probably found the experience extremely tedious, cumbersome, error prone, and vastly harder than in any product you've used before. My 15-part vSphere 5.1 series goes into all of the gory details, and closely follows the associated VMware KB articles but in a more understandable format that people seem to appreciate. Personally, I think the pre-staging technique I cover in my blog article is probably the easiest method, but many people need to replace certificates post-install.

So what's new on the vSphere 5.1 SSL front? Late last week VMware released their first stab at easing the SSL certificate replacement torture in vSphere 5.1 with a basic command line tool which helps automate the process. I covered the announcement here. Since I'm pretty familiar with the pain and suffering vSphere 5.1 certificates have caused me, I wanted to see if this tool would make life easier.

Since the process is a bit long and only semi-automated, I've broken down the process into a series of posts:

Part 2 (SSO and Inventory)
Part 3 (vCenter and Orchestrator)
Part 4 (Web client and Log Browser)

Before you begin this process, you MUST read through all of the limitations ("Known Issues") of the v1.0 tool. The list is pretty extensive, and there was one biggie that jumped out at me. If during the vCenter VUM installer you elect to use the server FQDN instead of the IP address (which I would argue is a best practice), then you can't use this tool to replace the VUM certificate. Really? Ouch. The tool also doesn't help you generate any of the certificates, nor the newly required certificate chain files for each of the seven services. So you still have a lot of pre-work to get to the point of even trying to use the tool. This is not a fully automated, wizard-driven, end-to-end tool, which is what we desperately need.

Going into this with my eyes wide open, and somewhat tempered expectations of what it will do for me, I decided to give it a whirl. VMware's KB article on the tool guides you through the process, but as usual, I think the process can use a bit more elaboration and screenshots.

In my case I have a Windows Server 2012 CA, and all of the vCenter services are installed on a single Windows Server 2008 R2 VM. My vCenter databases are on an external SQL 2008 R2 VM.

Prerequisites

Since this tool doesn't help you create the certificate request files, generate the certificates, or build the new PEM chain files, we must do all of that prior to using the tool. I've updated my vCenter 5.1 Installation: Part 2 (Create vCenter SSL Certificates) to address the new requirements and the addition of the Orchestrator certificate. So open up that post and follow through the entire certificate generation process, except for creating the JKS keystore. The script at the end of that post has been updated to create the newly required chained PEM files for each service. So if you've used that script before, grab the updated version and run it.

Now that you've run through that long post to create all the certificate files, you should have a directory structure that looks like the screenshot below. I have these folders residing under D:\certs.


Inside each of the seven folders you should have the same set of files, as shown below with the appropriate configuration file.

You will also need the following accounts and passwords handy to complete the process:
  • SSO administrator and password
  • vCenter administrator and password
  • Original vCenter database password

Configuring the Tool

1. Download the SSL Certificate Automation Tool from My VMware.

2. Copy it to your vCenter server and unzip it to a safe place, such as D:\.

3. Open the ssl-environment.bat file and fill in all of the missing paths. In my case I set the following:

set sso_cert_chain=D:\certs\sso\chain.pem
set sso_private_key=D:\certs\sso\rui.key
set sso_node_type=single
set is_cert_chain=D:\certs\inventory\chain.pem
set is_private_key_new=D:\certs\inventory\rui.key
set vc_cert_chain=D:\certs\vCenter\chain.pem
set vc_private_key=D:\certs\vCenter\rui.key
set ngc_cert_chain=D:\certs\WebClient\chain.pem
set ngc_private_key=D:\certs\WebClient\rui.key
set logbrowser_cert_chain=D:\certs\LogBrowser\chain.pem
set logbrowser_private_key=D:\certs\LogBrowser\rui.key
set vco_cert_chain=D:\certs\Orchestrator\chain.pem
set vco_private_key=D:\certs\Orchestrator\rui.key
set vum_cert_chain=D:\certs\UpdateManager\chain.pem
set vum_private_key=D:\certs\UpdateManager\rui.key

4. Open an elevated command prompt and run the ssl-environment.bat script.
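Before running the planner it is worth confirming that every path you typed into ssl-environment.bat actually resolves to a complete certificate file and key, since the tool itself does not check this for you up front. The script below is an added example written for this post; it is not part of VMware's tool or of the certificate-generation script from my earlier post. It parses the `set name=value` lines, pairs each `*_cert_chain` variable with its `*_private_key` (or `*_private_key_new`) partner using the variable names shown in step 3, and checks that each chain.pem holds at least two PEM certificate blocks (the service certificate followed by its CA, which is an assumption about how the chain files were built) and that each rui.key holds a PEM private key block. The sample batch text and the temporary certificate tree it builds for the demo are constructed stand-ins, not real files.

```python
import os
import re
import sys
import tempfile

# Constructed fragment in the shape of the ssl-environment.bat lines shown above
# (three of the seven services; the real file is the one shipped with the tool).
SAMPLE_BAT = """\
set sso_cert_chain=D:\\certs\\sso\\chain.pem
set sso_private_key=D:\\certs\\sso\\rui.key
set sso_node_type=single
set is_cert_chain=D:\\certs\\inventory\\chain.pem
set is_private_key_new=D:\\certs\\inventory\\rui.key
set vc_cert_chain=D:\\certs\\vCenter\\chain.pem
set vc_private_key=D:\\certs\\vCenter\\rui.key
"""

SET_LINE = re.compile(r"^\s*set\s+(\w+)=(.*?)\s*$", re.IGNORECASE)
CERT_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
KEY_BLOCK = re.compile(
    r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----.*?-----END (?:RSA |EC )?PRIVATE KEY-----", re.S)


def parse_ssl_environment(text):
    """Return {variable: value} for every 'set name=value' line (names lower-cased)."""
    env = {}
    for line in text.splitlines():
        m = SET_LINE.match(line)
        if m:
            env[m.group(1).lower()] = m.group(2)
    return env


def service_pairs(env):
    """Map each service prefix to (chain path, key path). The inventory service uses
    *_private_key_new in the tool's file, so both key suffixes are accepted."""
    pairs = {}
    for name, path in env.items():
        if name.endswith("_cert_chain"):
            prefix = name[: -len("_cert_chain")]
            key = env.get(prefix + "_private_key") or env.get(prefix + "_private_key_new")
            pairs[prefix] = (path, key)
    return pairs


def check_pair(chain_path, key_path):
    """Return a list of problems for one service; an empty list means it looks ready."""
    problems = []
    if not chain_path or not os.path.isfile(chain_path):
        problems.append("chain file missing: %s" % chain_path)
    else:
        with open(chain_path) as f:
            n = len(CERT_BLOCK.findall(f.read()))
        # Assumption: chain.pem = service certificate followed by its CA certificate(s),
        # so fewer than two blocks means the chain file was never built.
        if n < 2:
            problems.append("chain has %d certificate block(s); expected leaf plus CA" % n)
    if not key_path or not os.path.isfile(key_path):
        problems.append("private key missing: %s" % key_path)
    else:
        with open(key_path) as f:
            if not KEY_BLOCK.search(f.read()):
                problems.append("no PEM private key block in %s" % key_path)
    return problems


def check_environment(bat_text):
    """Run check_pair over every service referenced in the batch file text."""
    pairs = service_pairs(parse_ssl_environment(bat_text))
    return {svc: check_pair(*paths) for svc, paths in pairs.items()}


def build_demo_tree():
    """Constructed stand-in for D:\\certs: sso and inventory complete, vCenter broken
    (leaf-only chain and no rui.key). The PEM bodies are placeholders, not real keys."""
    root = tempfile.mkdtemp()
    leaf = "-----BEGIN CERTIFICATE-----\nMIIB...constructed-leaf...\n-----END CERTIFICATE-----\n"
    ca = "-----BEGIN CERTIFICATE-----\nMIIB...constructed-ca...\n-----END CERTIFICATE-----\n"
    key = "-----BEGIN RSA PRIVATE KEY-----\nMIIE...constructed-key...\n-----END RSA PRIVATE KEY-----\n"
    layout = (("sso", leaf + ca, True), ("inventory", leaf + ca, True), ("vCenter", leaf, False))
    for folder, chain, with_key in layout:
        os.makedirs(os.path.join(root, folder))
        with open(os.path.join(root, folder, "chain.pem"), "w") as f:
            f.write(chain)
        if with_key:
            with open(os.path.join(root, folder, "rui.key"), "w") as f:
                f.write(key)
    return root


def demo():
    """Point the constructed batch text at the demo tree and return the findings."""
    root = build_demo_tree()
    bat = SAMPLE_BAT.replace("D:\\certs", root).replace("\\", os.sep)
    return check_environment(bat)


if __name__ == "__main__":
    # Usage: python check_ssl_env.py D:\ssl-tool\ssl-environment.bat  (no argument runs the demo)
    findings = check_environment(open(sys.argv[1]).read()) if len(sys.argv) > 1 else demo()
    for svc, problems in sorted(findings.items()):
        print("%-10s %s" % (svc, "OK" if not problems else "; ".join(problems)))
```

Run it against your real ssl-environment.bat from the same elevated prompt you use in step 4; any service that is not reported OK will fail later inside the tool, usually with a far less helpful message.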

Now that we have generated all of the required certificate files and set the environment variables, we can walk through the planner and then actually replace the certificates. Replacing the SSO and Inventory SSL certificates is covered in Part 2.

1 comment:

  1. Hi Derek, from what you know, is it hard to add the step for requesting the certificate if you use an internal CA like Microsoft's? I followed your 15-step SSL integration and everything went well, but with your how-to and the VMware program we can achieve a fully automated replacement procedure using an internal CA.
