Setup SSL Certificate For vSphere Lab-Part-4-Creating and Replacing vSphere SSL Certificates

You have observed that whenever you connect to vCenter Server using vSphere Client or connect via web-client you receive a warning that the certificate presented is not trusted and bla bla bla.

For lab environments or small environments Self-Signed certificates works just fine, but knowing how to use Signed Certificates is invaluable.

In this post we are going to cover how to create SSL Certificate request and how to replace them. If you have missed earlier posts of this series I would recommend reading them first from below links:

1: Installing and Configuring CA Server

2: Creating Certificate Templates

3: Creating SSL Web Certificates Template for VMware

Prerequisites

There are certain prerequisites that must be met before performing the SSL certs creation and replacement. These are listed as below:

1: Microsoft Enterprise CA server deployed along with IIS installed.
2: Web-Certificate Template created for vSphere components.
3: Download and install the vCenter Certificate Automation Tool from VMware.

I have downloaded and extracted Certificate Automation Tool on the same server where my vCenter Server is installed as all components of vCenter is running in a single VM in my lab. You will see files named ssl-environment and ssl-updater after extracting the zip file as shown below.

This is going to be a long post.Before jumping into action lets see a bit of theoretical background about the whole SSL things.

Running the Certificate Automation Tool

  1. From a command line, navigate to the location where you unzipped the tool and run the command: ssl-updater.bat

When you run the SSL Tool, you’ll get a menu with options.  

To begin with select option 1.  This option will explain the steps that need to be done and the order in which to do them.

On selecting option 1, a new menu will be presented.  This menu asks what you’re going to update.  If you are going to do all of the services listed, select option 8. It will generate an action plan for the upgrade. Copy the steps generated to a text file to recall it later.

Generating Certificate Requests

2.. From the SSL Certificate Automation tool, select Option 2 to Generate Certificate Requests.

3. Select the option for the service you are generating the certificate request for. Enter the information requested for the certificate request.

Note: By default VMware specifies a default value of <service-servername> and uses it to ensure that the DN of the certificate is unique. Do not change this unless there is another field which makes the DN of the certificate unique.

Important: Ensure that the directory in which the SSL Certificate Automation Tool is extracted and the specified CSR directory above do not have spaces in the names or CSR Generation will fail.

In my lab I started with generating certificate request for SSO

Press 2 for Inventory Service

Press 3 for vCenter Server

Repeat steps 2 and 3 for each service which you are generating a certificate for.

After completing this, we have the rui.csr and rui.key files located in each of the respective directories as specified for the different services. The below screenshot shows the csr and key file for SSO service.

To validate that the CSR is created properly navigate to directory “C:Program FilesVMwareInfrastructureInventory Servicebin” and run the command:

# openssl.exe req -in “Path to created certificates”rui.csr -noout -text

Obtaining the Certificate

After the certificate request is created, it must be presented to the certificate authority for generation of the actual certificate. The authority returns a certificate back and a copy of their root certificate.

Log in to the Microsoft CA certificate authority Web interface. By default, it is https://servername/CertSrv/Default.asp

1: Click the Request a certificate link.

2: Click advanced certificate request.

3: Click the Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file

4. Open the rui.csr file in a notepad and paste the text from the Begin to the End request into the Saved Request box. Select the Certificate Template which you created for your lab and supply additional attributes if there are any. Hit Submit button.

Note: Do not copy the actual —–BEGIN CERTIFICATE REQUEST—– to —–END CERTIFICATE REQUEST—–.

Only copy the text in between these lines. You may see = (equal) signs near the Begin and End lines (for example, ==—–END). In this case, you must copy the = (equal) signs.

5. Click Base 64 encoded on the Certificate issued screen and click on Download certificate.

The above steps were for SSO service. Repeat steps 1 to 5 for each service.

6. Navigate back to the home page of the certificate server and click Download a CA certificate, certificate chain or CRL.

7. Select the Base 64 option and Click the Download CA Certificate chain link.

8. Save the certificate chain as file in the folder where SSL tool extracted files are present.

9. Double-click the chain file which you just downloaded  and navigate to Certificates.  Right-click the certificate listed and click All Tasks > Export.

10. An export wizard will be presented to you. Hit Next.

11. Select Base-64 encoded X.509 (.CER) option and hit next.

12. Navigate to directory where you want to save the file by clicking on browse button

13. Save the file as Root64, preferably in same directory where SSL tools were extracted to make sure everything is contained within one folder.

14. Hit finish to complete the certificate export wizard.

A dialog box will appear stating that export was successful. Hit OK.

15.For the certificate chain to be trusted, the root certificate must be installed on the server.

To achieve this double click on the Root64 file which we just exported. Click on Install Certificate.

16. Select Local Machine on Certificate Import Wizard page and hit next.

17. On Certificate Store page select Place all certificates in the following store and hit browse.

18. Install the root certificate into the Trusted Root Certificate Authorities. Hit OK.

19. Hit finish to complete Certificate Import Wizard

A dialog box will appear stating that import was successful. Hit OK.

Creating the PEM files

Once certificates and keys are created, you must create a PEM certificate chain for each certificate. The chain must contain all certificates in the chain, in the order in which they lead to the root certification authority. To create the chain:

  1. Create a file called chain.pem, located in the folder for the service that you are creating the chain for.

2. Open the rui.cer file in Notepad and copy the contents of the file into the chain.pem file for that service.

3. Open the Root64.cer file in Notepad and paste the contents of the file into the chain.pem file right after the certificate section. Be sure that there is no whitespace in the file in between certificates.

Repeat these steps for each service for which you are replacing the certificate.

After completing this procedure, you now have rui.key and chain.pem files for each service you are implementing custom certificates for. Copy these files to the appropriate server for use with the SSL Certificate Automation Tool

Replacing the SSL Certificates

With this we have came to last section of this post. Now we will be replacing the SSL certificates for different vCenter components.

Launch ssl-updater.bat file by right clicking it and selecting run as Administrator.

Select option 3 to start updating the SSO first.

Next is to update Inventory Service. Select option 4.

Now open the text file where you have saved the detailed steps of upgrade which was generated by this tool on selection option 1 on main menu.

In my lab, the first action for updating Inventory Service was “Update Inventory Service trust to Single Sign-On”

So after selecting 4 in main menu, I selected option 1.

The next step in my action plan was “Update the Inventory Service SSL certificate” and I selected option 3 for this.

Now the next action was to “Update vCenter Server trust to Single Sign-On” so first I selected option 5 to return to main menu and the again option 5 to update vCenter Server and then selected option 1.

The same way you have to complete each steps according to steps laid out in the action plan generated by SSL tool. I am not including all the steps as more or less they are same as depicted above.

Now its time to test our certs.

To test the setup I connected to vCenter Server using web-client and checked the certificate information. The certificate seems legit as you can see in below screenshot which says “Identity of this website has been verified by Alex-CA (my CA server)”

The only Issue which I am unable to solve here is instead of red warning it should show the certificate in green.

Any thoughts on this is highly welcomed.

Update: 31/10/2015: Finally the red warning issue for certificates has been resolved. I will write an another blog on the same explaining the cause of issue and the resolution.

I can now see the certificate status as green when I am trying to access the vCenter Server:

The troubleshooting steps were provided by Bjoern and Yvan. I would like to express my sincere thanks to both.

Additional References:

If you are looking for manual steps for certificate generation the please have a look on below blog posts from Rynardt

1: Prepare OpenSSL and Microsoft CS

2: Generate a new SSL Certificate Request

3: Submit the new Certificate Request to a Certificate Authority

4: Create a new PFX-Formatted Certificate

5: Replace vCenter Server SSL Certificates

Also I would highly suggest to have a look on below blog posts

http://open902.com/create-a-windows-enterprise-ca-and-issue-certificates-for-vra-and-other-vmware-products-with-examples/

Home Lab SSL Certificates by Eric Shanks

I hope you enjoyed reading this post. Feel free to share this on social media if it is worth sharing. Be sociable 🙂

9 thoughts on “Setup SSL Certificate For vSphere Lab-Part-4-Creating and Replacing vSphere SSL Certificates

  1. Hi Manish (btw why changing this so beautiful first name with the so common Alex ? but I digress a bit don’t I ?)

    Anyway, I noticed by your screenshots that you are using Chrome. Since a while now, Google decided to degrade sites using certificates ciphered with SHA1. This is why these sites appear with the red crossed-out lock. See the page https://www.globalsign.com/en/blog/google-to-display-warnings-on-sites-that-use-sha-1-certificates/ for further details.

    The MS CA you used to create your certificate probably still use this default ciphering method. You have to change to the SHA256 method and recreate your certificates in order to get rid of this unpleasant warnings.

    See these links for further details
    http://blogs.technet.com/b/pki/archive/2013/09/19/upgrade-certification-authority-to-sha256.aspx
    https://technet.microsoft.com/en-us/library/dn771627.aspx

    Except this minor oversight, your article is simply brilliant, you rock ! Thanks for the work !

    Cheers

    e-Van

  2. Hi Alex,

    first of all great blog post.

    I think your problem with the red certificate warnings in Chrome is based on the fact that you are using ‘SHA1’ as signature algorythm. Look at your certificate update tool, it even warned you that you have used an insecure signature algorythm. Try changing the setup of your CA:

    certutil -setreg cacspCNGHashAlgorithm SHA256
    net stop certsvc
    net start certsvc

    After this generate the certificates again. Now the new algorythm should be used and after implementing the new certs they should show up green in chrome.

    Best regards,
    Bjoern

    • Hi Bjoern,

      Thanks for your valuable comment. I was thinking the same as the certificate itself says that you are using SHA-1 encryption method. I will definitely give a try the steps which you depicted in comments and will update the article as well as here in comments.

      Many Thanks,

      Regards,
      Alex

    • Hi Bjoern,

      Thanks a lot for the steps which you have provided. I followed the steps and re-generated the certificates and it worked like a charm. No red warnings on my sites now. Everything comes in green (which is apparently may fav color 😉 )

      Many Thanks once again

  3. Pingback: Lesson Learnt While Working With SSL Certificates | Go Virtual.

  4. Pingback: Newsletter: October 31, 2015 | Notes from MWhite

  5. Pingback: Everything You Should Know About Certificate Management in vSphere 6 – Virtual Reality

Leave a ReplyCancel reply