In our last post, Certificate Management in vSphere 6, we looked at the architecture of the VMCA and what it does.
In this post I will walk through the steps needed to replace vSphere 6 SSL certificates.
In this post we will be covering the following items:
- Creating certificate templates for vSphere 6
- Replacing Machine SSL certificates.
- Replace VMCA Root certificate
If you have missed the earlier posts of this series, you can read them from the links below:
1: Setup CA Server for vSphere Lab
2: Set Up Automatic Certificate Enrollment
3: Request Internal Certificate from CA Server
4: Everything You Should Know About Certificate Management in vSphere 6
Let the fun begin.
Create certificate templates
As per VMware KB Article 2112009 we need to create 2 certificate templates:
- Machine SSL and Solution User certificates
- Certificate template for VMCA as a Subordinate CA
To create the certificate templates, RDP to your Enterprise CA server, click Start > Run, type certtmpl.msc, and click OK.
Right-click the Certificate Templates directory and select Manage.
From the list of the templates, right-click Web Server and click Duplicate Template.
On the Compatibility tab, select Server 2008 as the Certification Authority and the appropriate OS family version for certificate recipients.
Important Note: If you select Server 2012 as the CA in the window above, the certificate template created will be version 4 and it will not be visible when requesting a certificate.
On the General tab, provide a name for the template and adjust the validity period setting to your needs.
Click the Subject Name tab. Ensure that the Supply in the request option is selected.
Click the Extensions tab. Select Application Policies and click Edit.
Select Server Authentication and click Remove.
Note: If Client Authentication exists, remove this from Application Policies as well.
Now select Key Usage and click Edit. Select the Signature is proof of origin (nonrepudiation) option.
Leave all other options as default.
Finally, click the Security tab and make sure your user has the right to Enroll for certificates.
Hit OK to finish the template creation wizard.
Now we will create the certificate template for VMCA as a subordinate CA.
To do so, select the “Subordinate Certification Authority” template and click Duplicate Template.
Select Server 2008 as the CA and the appropriate OS family for certificate recipients.
Click the General tab. In the Template display name field, enter a name for the new template. Make sure that “Publish certificate in Active Directory” is selected.
Click the Extensions tab. Select Key Usage and click Edit.
Ensure that Digital Signature, Certificate signing and CRL signing are enabled.
On the Security tab, make sure your user has permission to enroll for the certificate.
Hit OK to save the template.
Add newly created templates to Certificate Templates list
Right-click Certificate Templates and click New > Certificate Template to Issue.
Select the newly created template and click OK. The newly created template is then enabled.
Creating Certificate Signing Request
Connect to your vCenter Server via RDP and perform the following steps:
1: Browse to C:\Program Files\VMware\vCenter Server\vmcad\certool.cfg and edit it according to your environment.
2: Run the command C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager.bat to launch the Certificate Manager menu.
3: Select Option 1 (Replace Machine SSL certificate with Custom Certificate)
Provide the administrator@vsphere.local password when prompted.
Select option 1 “Generate Certificate Signing Request(s) and Key(s) for machine SSL certificate”
Enter path to the directory in which you want to save the certificate signing request and the private key
4: Once the command completes, you will see 2 files in the directory you provided above.
Transfer these files onto your CA server.
5: Open the machine_ssl.csr file in Notepad and copy the contents of the file, including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines.
6: Log in to the Microsoft CA certificate authority Web interface. By default, it is http://CA_server_FQDN/CertSrv/
Click the Request a certificate link.
Click advanced certificate request.
7: Paste the contents of the file (including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines) copied in step 5 into the Base-64-encoded box.
From the Certificate Template dropdown, select the template which you created earlier and hit submit.
8: Select Base 64 encoded on the Certificate issued screen and click the Download Certificate link.
Also download the certificate chain from the same screen.
9: Copy the downloaded files to the directory where your CSR and key files (generated in step 4) are stored. Rename the certificate downloaded in step 8 to machine.cer and the chain file to cachain.p7b.
10: Right-click the cachain.p7b file and select Open.
In the newly opened window, select the Certificates folder and, in the right-hand pane, select the CA server certificate > All Tasks > Export.
Click Next to continue through the Certificate Export Wizard.
Select Base-64 encoded X.509 and click Next.
Browse to the directory where the certificate will be exported. Name the exported file root64.cer.
Now copy the machine.cer, machine_ssl.key and root64.cer files to your vCenter Server.
Launch Certificate Manager again and choose option 1.
Now select option 2 (Import Custom Certificate) and:
- Provide the path to the new certificate
- Provide the path to the key
- Provide the path to your Root certificate
Press “Y” when asked to confirm replacing the SSL certs.
Now log in to the vCenter Web Client and you will see your URL appear as green.
If you view the certificate info by clicking the green lock icon, you will see this cert has been issued by your CA server.
Replace VMCA Root certificate
Step 1. Edit the certool.cfg file – template file for CSR
The file is located at: C:\Program Files\VMware\vCenter Server\vmcad\certool.cfg
Modify this file as per your environment. My certool.cfg file looks like this:
#
# Template file for a CSR request
#
# Country is needed and has to be 2 characters
Country = IN
Name = Alex Co.
Organization = Cloud
OrgUnit = Alex CLoud
State = Karnataka
Locality = Bangalore
IPAddress = 192.168.109.2
Email = vcadmin@alex.com
Hostname = vcentersrv01.alex.local
Step 2. Generate CSR files
Select Option 2 to “Replace VMCA Root certificate with Custom Signing Certificate and replace all Certificates”
Enter your SSO Password
Select Option 1 to “Generate Certificate Signing Request(s) and Key(s) for VMCA Root Signing certificate”
Provide the path to store your CSR and Key
Once the script completes you will see the CSR and key files created in the directory you provided.
Transfer these files over to your CA server.
Step 3. Sign your CSR
Log in to your CA server and click Request a certificate > Advanced Certificate Request.
When you sign this certificate, make sure you select the template which you duplicated from “Subordinate Certification Authority”.
Select Base 64 encoded and click “Download certificate”.
Rename the downloaded file to vmca.cer
Also download the CA server root certificate. From the CA server home page click “Download a CA certificate, certificate chain or CRL”.
Click Download CA certificate and save the downloaded file as rootca.cer.
Now open vmca.cer and rootca.cer in Notepad. Create a new text file, first copy the contents of vmca.cer into the new file and then paste the contents of rootca.cer after it. Save the file as chain.cer.
Copy chain.cer file and root_signing_cert.key to your vCenter Server.
Step 4: Import Custom certificate(s) and key(s) for VMCA Root Signing certificate
Launch certificate-manager tool and select option 2 to “Import Custom certificate(s) and key(s) for VMCA Root Signing certificate”
Provide the chain.cer
Provide the root_signing_cert.key
Select ‘Y’
Verify the configuration of the certool.cfg file, then wait for the certificate replacement process to complete.
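Before copying chain.cer and root_signing_cert.key over for the Step 4 import, it is worth checking on the CA side (or any box with the openssl command line tool) that the bundle really is what certificate-manager expects. The script below is an added example, not part of the post or VMware's tooling; it assumes the file names used above (vmca.cer, rootca.cer, root_signing_cert.key, chain.cer) and builds the chain in the same order as Step 3.

```shell
#!/bin/sh
# Added example (not from the post or VMware): sanity-check the VMCA bundle built in
# Step 3 before importing it in Step 4. Assumes the file names used in the post:
# vmca.cer (signed sub-CA cert), rootca.cer (CA root), root_signing_cert.key.
# Requires the openssl command line tool.

# build_chain LEAF ROOT OUT: write chain.cer in the order the post uses, leaf first, then root.
build_chain() {
    cat "$1" "$2" > "$3"
}

# check_vmca_bundle CHAIN ROOT KEY: return 0 only if every check passes.
check_vmca_bundle() {
    chain=$1; root=$2; key=$3

    # 1. The first cert in chain.cer (vmca.cer) must actually be issued by rootca.cer.
    openssl verify -CAfile "$root" "$chain" >/dev/null 2>&1 \
        || { echo "FAIL: $chain does not verify against $root"; return 1; }

    # 2. The issuer of the sub-CA cert must equal the subject of the root we appended,
    #    otherwise the two files were pasted in the wrong order or came from another CA.
    issuer=$(openssl x509 -in "$chain" -noout -issuer)
    subject=$(openssl x509 -in "$root" -noout -subject)
    [ "${issuer#issuer=}" = "${subject#subject=}" ] \
        || { echo "FAIL: issuer/subject mismatch between $chain and $root"; return 1; }

    # 3. The private key generated by certificate-manager must belong to the signed cert.
    cert_pub=$(openssl x509 -in "$chain" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "FAIL: $key does not match the certificate in $chain"; return 1; }

    # 4. The cert must have been issued from the subordinate CA template: CA:TRUE plus
    #    the Certificate Sign and CRL Sign usages the template step enabled.
    text=$(openssl x509 -in "$chain" -noout -text)
    echo "$text" | grep -q 'CA:TRUE' \
        || { echo "FAIL: not a CA certificate (wrong template?)"; return 1; }
    echo "$text" | grep -q 'Certificate Sign' && echo "$text" | grep -q 'CRL Sign' \
        || { echo "FAIL: key usage lacks Certificate Sign / CRL Sign"; return 1; }

    # Print validity so the operator can compare notBefore with the vCenter clock.
    openssl x509 -in "$chain" -noout -dates
    echo "OK: $chain is ready to import"
}
```

Checks 1 to 3 apply equally to the Machine SSL bundle (machine.cer, machine_ssl.key, root64.cer); check 4 is specific to the VMCA signing certificate, since a Web Server template certificate is deliberately not a CA.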
I hope you enjoyed reading this post. Feel free to share this on social media if it is worth sharing. Be sociable
Good write up
You should put a warning that the certificates need to be generated 24hrs before they are imported
This appears to be for both Machine and subca (Just broke my PSC, thank god for snapshots)
Excellent point Troy. I read on several blogs about the 24 hours thing. Luckily in my lab I did not face that issue, but yeah I should have included that warning.
Thanks for the heads up. I will update the blog post soon.