Using Custom Certificates in vSphere Replication

In this post we will work on using custom (CA-signed) certificates on the vSphere Replication appliance.

Unlike vCenter Server, there is no automated way of replacing the default certificates on the VR appliance, so it needs a bit of manual effort. VMware has outlined the steps in the official KB-2080395.

Before performing these steps, make sure you have already replaced the default certificates on your vCenter Server.

The vSphere Replication appliance ships with openssl, and you can use it to generate the certificate signing request for the appliance.

Perform the following steps to replace the default certs with CA-signed certs:

1: Create openssl config file

SSH to your VR appliance and create a configuration file for the Replication Appliance. The contents of this file should look like the example below. You need to change the fields marked in bold.

vrs01:~ # vi vrs01.cfg

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS: vrs01, IP: 192.168.109.40, DNS: vrs01.alex.local

[ req_distinguished_name ]
countryName = IN
stateOrProvinceName = Karnataka
localityName = Bangalore
0.organizationName = Alex.Co
organizationalUnitName = Cloud
commonName = 192.168.109.40

2: Generate the certificate signing request:

vrs01:~/certs # openssl req -new -nodes -out vrs.csr -keyout vrs-orig.key -config vrs01.cfg

Generating a 2048 bit RSA private key
……………………………+++
…………………………………………………………………+++
writing new private key to 'vrs-orig.key'
-----

3: Convert the key to the RSA format:

vrs01:~/certs # openssl rsa -in vrs-orig.key -out vrs01.key
writing RSA key

You will now see the following files created in your current directory:

vrs01:~/certs # ll
-rw-r--r-- 1 root root 1675 Jun 24 14:14 vrs-orig.key
-rw-r--r-- 1 root root 1171 Jun 24 14:14 vrs.csr
-rw-r--r-- 1 root root 581 Jun 24 14:09 vrs01.cfg
-rw-r--r-- 1 root root 1675 Jun 24 14:15 vrs01.key

4: Generate a signed certificate

Copy the vrs.csr file to your certificate authority and receive the signed certificate back.

  • Launch certificate authority web interface ( http://<servername>/CertSrv/)
  • Click Request a certificate > Advanced certificate request.
  • Open the certificate request in a plain text editor and copy the contents of this file, from the -----BEGIN CERTIFICATE REQUEST----- line through the -----END CERTIFICATE REQUEST----- line, into the Saved Request box.
  • Click Web Server when selecting the Certificate Template and click Submit to submit the request.
  • Click Base 64 encoded on the Certificate issued screen and click Download Certificate.
  • Save the certificate as vrs-ca.cer

Transfer vrs-ca.cer to your VR appliance using WinSCP, selecting Text mode or ASCII mode to avoid issues with special characters.

5: Convert the .cer file to .crt format

vrs01:~/certs # openssl x509 -in vrs-ca.cer -out vrs_01.crt

6: Convert the signed certificate to PKCS#12 format

vrs01:~/certs # openssl pkcs12 -export -in vrs_01.crt -inkey vrs01.key -name "vrs01" -passout pass:XXXXXX -out vrs01.p12

7: Add your certificate to the HMS trust store

By default vSphere Replication verifies remote server certificates using the thumbprint only. If you select the Accept only SSL certificates signed by a trusted Certificate Authority option in the VAMI, this causes vSphere Replication to verify the validity of the certificate as well as the thumbprint.

This means that the certificate authority that issued the certificates for vSphere Replication and vCenter Server must be trusted by vSphere Replication. By default, vSphere Replication trusts all certificate authorities that the Java Virtual Machine trusts.

To add your CA to the HMS trust store, perform the following steps:

7a: Download the CA server root certificate. From the CA server home page click on “Download a CA certificate, certificate chain or CRL”. Click on Download CA certificate and save the downloaded file as Root64.cer

7b: Copy the Root64.cer file to the VR appliance using WinSCP with the Text or ASCII mode transfer setting

7c: Run the command below to import the certificate into the HMS truststore:

/usr/java/default/bin/keytool -import -trustcacerts -alias root -file /root/certs/Root64.cer -keystore /opt/vmware/hms/security/hms-truststore.jks -storepass Jf4HXhRTLERSgT10

Note: If you get the error “keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect” while running the above command, run the command below to find the truststore password:

/opt/vmware/hms/bin/hms-configtool -cmd list | grep truststore

On successful completion of the import command you will see something like below:

Owner: CN=CASRV-CA, DC=alex, DC=local
Issuer: CN=CASRV-CA, DC=alex, DC=local
Serial number: 52e164a699c8b0a54887123a7f602a14
Valid from: Fri Jun 10 19:15:52 IST 2016 until: Thu Jun 10 19:25:51 IST 2021
Certificate fingerprints:
MD5: D2:4E:87:97:13:DD:E4:C2:2E:B1:93:22:71:A1:8A:B9
SHA1: F7:5B:70:29:C6:8C:8F:F7:25:99:49:03:95:07:44:EF:D6:4D:17:13
SHA256: 2D:CA:2E:65:BF:69:13:36:7E:83:77:01:94:06:C3:5D:84:52:2B:B7:3E:D0:6B:58:29:E0:D2:F0:F8:AA:B7:B7
Signature algorithm name: SHA256withRSA
Version: 3

Extensions:

#1: ObjectId: 1.3.6.1.4.1.311.20.2 Criticality=false
0000: 1E 04 00 43 00 41 …C.A

#2: ObjectId: 1.3.6.1.4.1.311.21.1 Criticality=false
0000: 02 01 00 …

#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]

#4: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]

#5: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 3B 2E D1 3C 87 92 D1 85 78 05 70 49 EE 57 45 30 ;..<….x.pI.WE0
0010: 4D E4 CC 3F M..?
]
]

Trust this certificate? [no]: Yes
Certificate was added to keystore

7d: Run the command below to verify that the certificate is now present in the HMS truststore:

vrs01:~/certs # /usr/java/default/bin/keytool -list -v -keystore /opt/vmware/hms/security/hms-truststore.jks -storepass Jf4HXhRTLERSgT10

You will see the following output:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: root
Creation date: Jun 25, 2016
Entry type: trustedCertEntry

Owner: CN=CASRV-CA, DC=alex, DC=local
Issuer: CN=CASRV-CA, DC=alex, DC=local
Serial number: 52e164a699c8b0a54887123a7f602a14
Valid from: Fri Jun 10 19:15:52 IST 2016 until: Thu Jun 10 19:25:51 IST 2021
Certificate fingerprints:
MD5: D2:4E:87:97:13:DD:E4:C2:2E:B1:93:22:71:A1:8A:B9
SHA1: F7:5B:70:29:C6:8C:8F:F7:25:99:49:03:95:07:44:EF:D6:4D:17:13
SHA256: 2D:CA:2E:65:BF:69:13:36:7E:83:77:01:94:06:C3:5D:84:52:2B:B7:3E:D0:6B:58:29:E0:D2:F0:F8:AA:B7:B7
Signature algorithm name: SHA256withRSA
Version: 3

Extensions:

#1: ObjectId: 1.3.6.1.4.1.311.20.2 Criticality=false
0000: 1E 04 00 43 00 41 …C.A

#2: ObjectId: 1.3.6.1.4.1.311.21.1 Criticality=false
0000: 02 01 00 …

#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]

#4: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]

#5: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 3B 2E D1 3C 87 92 D1 85 78 05 70 49 EE 57 45 30 ;..<….x.pI.WE0
0010: 4D E4 CC 3F M..?
]
]

*******************************************
*******************************************
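
Before uploading the bundle in step 8, it is worth confirming that the signed certificate matches the private key from step 3, carries the SAN entries requested in step 1, and chains to the root imported in step 7. The script below is an added example, not part of the original post or of VMware's KB; the function names, demo.cfg and the throwaway CA built by make_demo_files are constructed for illustration.

```bash
# Added example, not from the original post: checks on the files from
# steps 3-7. Usage: check_vr_cert vrs_01.crt vrs01.key Root64.cer

# True if the certificate and the RSA private key share one modulus.
cert_matches_key() {   # <cert> <key>
    local c k
    c=$(openssl x509 -in "$1" -noout -modulus) || return 1
    k=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# True if the SAN extension holds exactly this entry, written the way
# openssl prints it, e.g. "DNS:vrs01" or "IP Address:192.168.109.40".
cert_has_san() {       # <cert> <entry>
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n1 |
        tr ',' '\n' | sed 's/^ *//' | grep -qxF "$2"
}

# True if the certificate chains to the given root CA certificate.
cert_chains_to() {     # <root-ca> <cert>
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

check_vr_cert() {      # <cert> <key> <root-ca>
    cert_matches_key "$1" "$2" && cert_chains_to "$3" "$1"
}

# Constructed sample data: throwaway CA and leaf in directory $1, named
# like the files in the post, so the checks can be tried offline.
make_demo_files() {
    ( cd "$1" && umask 077 && cat > demo.cfg <<'EOF' &&
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Constructed Demo CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
[ v3_req ]
subjectAltName = DNS:vrs01, IP:192.168.109.40, DNS:vrs01.alex.local
EOF
      openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config demo.cfg \
          -extensions v3_ca -keyout ca.key -out Root64.cer &&
      openssl req -new -newkey rsa:2048 -nodes -config demo.cfg \
          -subj "/CN=192.168.109.40" -keyout vrs01.key -out vrs.csr &&
      openssl x509 -req -in vrs.csr -CA Root64.cer -CAkey ca.key -days 2 \
          -set_serial 1 -extfile demo.cfg -extensions v3_req -out vrs_01.crt
    ) >/dev/null 2>&1
}
```

A failed cert_matches_key usually means the CA signed a CSR generated from a different key; a failed cert_has_san means the template on the CA dropped the requested SAN entries.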

8: Replace certificates on vSphere Replication Appliance

Connect to the VR appliance VAMI console and log in as root: https://<VRM IP>:5480

Navigate to the Configuration tab.

Select Browse next to the Upload PKCS#12 (*.pfx) file and locate the certificate file you created.


Click Upload, Install and enter the certificate password when prompted to install the new certificate.

As soon as the new certificate is installed, VAMI will display a message that it is going to log you out of the console, and you have to log in again to pick up the new certificate. You will see the green lock icon telling you that it’s a trusted certificate.


That's it. The new certificate is now applied.

I hope you enjoyed reading this post. Feel free to share this on social media if it is worth sharing. Be sociable :)
