Create VMware SSL Certificate Requests


August 14, 2014, by Eric Shanks

I’ve seen quite a few VMware environments where, when you log in, you get that silly error message about the certificate not being trusted.  This is something we can fix, and more importantly, fixing it lets us be sure that the connections are actually trusted and encrypted rather than just clicking past the warning.

[Screenshot: SSLerror]

Prerequisites


I prefer to create my certificate requests right from the VMware vCenter Server, so I install both the SSL Certificate Automation Tool and OpenSSL directly on the vCenter Server.  If you’re using the VMware vCenter Server Appliance, you’ll need to do this somewhere else, and there are additional steps not covered in this post.  Please see this KB article for more info:  vCSA SSL Certs


Running the Certificate Automation Tool

You can run the SSL-Updater tool by double-clicking the batch file in the directory where you unzipped the tools.  Look for ssl-updater.bat.  Note:  if UAC is on, run it as Administrator, since the tool needs to write to the service directories.

[Screenshot: SSLTool1]

When you run the SSL Tool, you’ll get a menu with options.  To begin with you should select option 1.  This option will explain the steps that need to be done and the order in which to do them.

[Screenshot: SSLTool2]

When you select option 1, you’ll be presented with a new menu.  This menu asks what you’re going to update.  If you are going to do all of the services listed, look for option 8.  You can see from the screenshot that the steps will be listed.  Copy that list to a text file so you can refer back to it later.

[Screenshot: SSLTool3]

Assuming you didn’t copy the list, and that the tool isn’t modified too much, you can use the list below.


1. Go to the machine with Single Sign-On installed and – Update the Single Sign-On SSL certificate.

2. Go to the machine with Inventory Service installed and – Update Inventory Service trust to Single Sign-On.

3. Go to the machine with Inventory Service installed and – Update the Inventory Service SSL certificate.

4. Go to the machine with vCenter Server installed and – Update vCenter Server trust to Single Sign-On.

5. Go to the machine with vCenter Server installed and – Update the vCenter Server SSL certificate.

6. Go to the machine with vCenter Server installed and – Update vCenter Server trust to Inventory Service.

7. Go to the machine with Inventory Service installed and – Update the Inventory Service trust to vCenter Server.

8. Go to the machine with vCenter Orchestrator installed and – Update vCenter Orchestrator trust to Single Sign-On.

9. Go to the machine with vCenter Orchestrator installed and – Update vCenter Orchestrator trust to vCenter Server.

10. Go to the machine with vCenter Orchestrator installed and – Update the vCenter Orchestrator SSL certificate.

11. Go to the machine with vSphere Web Client installed and – Update vSphere Web Client trust to Single Sign-On.

12. Go to the machine with vSphere Web Client installed and – Update vSphere Web Client trust to Inventory Service.

13. Go to the machine with vSphere Web Client installed and – Update vSphere Web Client trust to vCenter Server.

14. Go to the machine with vSphere Web Client installed and – Update the vSphere Web Client SSL certificate.

15. Go to the machine with Log Browser installed and – Update the Log Browser trust to Single Sign-On.

16. Go to the machine with Log Browser installed and – Update the Log Browser SSL certificate.

17. Go to the machine with vSphere Update Manager installed and – Update the vSphere Update Manager SSL certificate.

18. Go to the machine with vSphere Update Manager installed and – Update vSphere Update Manager trust to vCenter Server.


Create the Requests

From the Automation Tool, we can now select option 2, which generates the certificate signing requests.  From here, we’ll need to select the service that we are creating a request for.  No, you can’t do them all at once.

Select the service and answer the questions.  You’ll need to know things like the IP addresses and DNS names the service is reached by (these end up in the certificate request), the location details for the subject, and a directory to export the requests and private keys to.

[Screenshot: SSLTool4]

When the process is done, you’ll see three files in the file location you specified.  Next, repeat this process for the rest of the services that you want to sign.

[Screenshot: SSLTool5]

Once these files have been created, you can take the certificate signing requests and upload them to the Certificate Authority to obtain the certificate.  You should be able to do this by going to https://NAMEOFCA/certsrv/default.asp assuming you followed the prior posts about setting up a Certificate Authority for your home lab.

Once here, choose “Request a Certificate”.

[Screenshot: SSLTool6]

Choose “Advanced Certificate Request”.

[Screenshot: SSLTool7]

Choose the base-64-encoded option.

[Screenshot: SSLTool8]

Now you need to take the rui.csr file and copy the entire contents into the web page request box.  Choose the VMware-SSL certificate template (or any other Web Template you have created).

[Screenshot: SSLTool9]

Choose the Base64 encoded option and then click “Download Certificate”.

[Screenshot: SSLTool10]

Save the file as rui.crt in the same directory as where the request came from.  This needs to be the same one that the Automation Tool created them in for the later steps to work correctly.  Once this is done, repeat the process for each of the services you are going to request SSL certificates for.

[Screenshot: SSLTool11]

Once you’ve requested all of the certificates, go back to the default CA page and click the “Download a CA certificate, certificate chain, or CRL” link.

[Screenshot: SSLTool12]

Here we will download the Root CA certificate.  Choose Base64 and select the appropriate CA certificate from the list.  Then click the “Download CA certificate chain” link.

[Screenshot: SSLTool13]

Now, save this file as “cachain.p7b”.  I usually put it in the parent directory of the service folders I’m requesting certificates for; I don’t think the location matters too much.

[Screenshot: SSLTool14]

Once downloaded, open the cachain.p7b file (Windows opens it in the certificate viewer) and export the CA certificate from it.

[Screenshot: SSLTool15]

Export the file.

[Screenshot: SSLTool16]

When prompted, select the Base-64 encoded X.509 (.CER) option.

[Screenshot: SSLTool17]

Save the file as Root64.cer.

[Screenshot: SSLTool18]

Now we need to open the rui.crt file for each of the services that we now have certificates for and paste the contents of the Root64.cer certificate at the end of the file, so the service certificate comes first and the root certificate follows it.  From the screenshot below, you can see my SSO Service rui.crt file has the Root64.cer contents appended to the end.

[Screenshot: SSLTool19]

Save the file as chain.pem in the service folder.  Don’t forget to do this same thing for each of the services you’ve requested.

[Screenshot: SSLTool20]
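The whole flow above, from request to chain.pem, can be rehearsed and checked with OpenSSL, which the prerequisites already put on the vCenter Server.  The script below is an added example and not code from the post or from the SSL Certificate Automation Tool: it stands up a throwaway self-signed OpenSSL CA in place of the lab’s Microsoft CA, uses constructed names (vcenter.lab.local, the TEST-NET address 192.0.2.10, a “Home Lab” organization), and writes rui.key, rui.csr, rui.crt and chain.pem in the layout the tool expects.  It is written for a POSIX shell; the same openssl commands work from a command prompt on the Windows host.  The checks at the end are the ones worth running before the certificates go anywhere near vCenter: chain.pem validates against Root64.cer, rui.key really belongs to rui.crt, and the SAN carries the DNS name you asked for.

```shell
#!/bin/sh
# Added example, not part of the original post or the SSL Automation Tool.
# A throwaway self-signed CA stands in for the lab's Microsoft CA; every
# name, path and address below is constructed for the example.
set -eu

# 1. Stand-in root CA. Its certificate is saved as Root64.cer, the name the post uses.
make_lab_ca() {
    ca_dir=$1
    mkdir -p "$ca_dir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Lab Root CA/O=Home Lab/C=US" \
        -keyout "$ca_dir/ca.key" -out "$ca_dir/Root64.cer" 2>/dev/null
}

# 2. Private key + CSR for one service (what option 2 of the tool produces as
#    rui.key / rui.csr). The SAN list is the "IP addresses and DNS names" the
#    tool asks for; putting them in the request is what makes the cert match
#    the name users type.
make_csr() {
    svc_dir=$1; cn=$2; san=$3
    mkdir -p "$svc_dir"
    cat > "$svc_dir/req.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[ dn ]
CN = $cn
O = Home Lab
C = US
[ v3_req ]
subjectAltName = $san
extendedKeyUsage = serverAuth, clientAuth
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$svc_dir/req.cnf" \
        -keyout "$svc_dir/rui.key" -out "$svc_dir/rui.csr" 2>/dev/null
}

# 3. What the CA does with the pasted CSR: issue rui.crt carrying the requested SAN.
sign_csr() {
    svc_dir=$1; ca_dir=$2
    openssl x509 -req -sha256 -days 365 -in "$svc_dir/rui.csr" \
        -CA "$ca_dir/Root64.cer" -CAkey "$ca_dir/ca.key" -CAcreateserial \
        -extfile "$svc_dir/req.cnf" -extensions v3_req \
        -out "$svc_dir/rui.crt" 2>/dev/null
}

# 4. chain.pem is rui.crt followed by Root64.cer: service cert first, root last.
build_chain() {
    svc_dir=$1; ca_dir=$2
    cat "$svc_dir/rui.crt" "$ca_dir/Root64.cer" > "$svc_dir/chain.pem"
}

# 5. Checks to run before handing the files to the Automation Tool:
#    - the first certificate in chain.pem validates against the root,
#    - rui.key is the private key for rui.crt (same public key),
#    - the SAN contains the DNS name that was requested.
#    Returns 0 when all three hold, 1 otherwise.
verify_service_cert() {
    svc_dir=$1; root=$2; expect_dns=$3
    openssl verify -CAfile "$root" "$svc_dir/chain.pem" >/dev/null 2>&1 || return 1
    key_pub=$(openssl pkey -in "$svc_dir/rui.key" -pubout 2>/dev/null)
    crt_pub=$(openssl x509 -in "$svc_dir/rui.crt" -pubkey -noout 2>/dev/null)
    [ "$key_pub" = "$crt_pub" ] || return 1
    openssl x509 -in "$svc_dir/rui.crt" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' | grep -q "DNS:$expect_dns" || return 1
    return 0
}

# Walk one service (SSO here) through the whole flow and report the result.
run_demo() {
    work=$1
    make_lab_ca "$work/ca"
    make_csr "$work/sso" vcenter.lab.local "DNS:vcenter.lab.local,DNS:vcenter,IP:192.0.2.10"
    sign_csr "$work/sso" "$work/ca"
    build_chain "$work/sso" "$work/ca"
    verify_service_cert "$work/sso" "$work/ca/Root64.cer" vcenter.lab.local \
        && echo "sso: chain.pem verifies, rui.key matches rui.crt, SAN present"
}

[ "${SKIP_DEMO:-0}" = 1 ] || run_demo "$(mktemp -d)"
```

The order in chain.pem is the part people get wrong: the service certificate must come first and the root last, which is exactly what appending Root64.cer to rui.crt gives you.  The Base-64 downloads from the CA are already in the PEM form these openssl commands read, so no conversion is needed.  Repeat verify_service_cert for every service folder, swapping in the DNS name you gave the tool for that service.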


Summary

Whew!  I know there are quite a few steps here, but I assure you that the hard parts are over.  In the next post, we’ll show you how to replace the default certificates in vCenter with the new certificates that you’ve created.  We’re almost there.