Refresh/Regenerate/Replace ESXi 6.0 SSL Certificates

To improve security in your virtualized environment, it is advisable to use CA-signed certificates, because a self-signed certificate will not be trusted by default by the other systems it communicates with. There are various ways to deploy signed certificates on your ESXi hosts, and in this post we will look at the available options.

Refreshing ESXi Certificates

If you have updated the certificate information and want to push those changes to the certificate installed on an ESXi host, the simplest method is to refresh the certificate. Let's understand this with an example.

Suppose this is the current configuration of the vCenter certificate, where the country name is US and the Org Unit is “VMware Engineering”:


Now suppose you have updated the various configuration values for your vCenter certificate as shown below:


Now if you select the ESXi host and navigate to Manage > Settings > Certificates, you will see it still contains the old information, i.e. …

Configure and manage VMware Endpoint Certificate Store

VMware Endpoint Certificate Store (VECS) serves as a local repository for certificates, private keys, and other certificate information that can be stored in a keystore. You can decide not to use VMCA as your certificate authority and certificate signer, but you must use VECS to store all vCenter certificates, keys, and so on. ESXi certificates are stored locally on each host and not in VECS.

VECS runs as part of the VMware Authentication Framework Daemon (VMAFD). VECS runs on every embedded deployment, Platform Services Controller node, and management node (vCenter) and holds the keystores that contain the certificates and keys.

VECS polls VMware Directory Service (vmdir) periodically for updates to the TRUSTED_ROOTS store. You can also explicitly manage certificates and keys in VECS using vecs-cli commands.

VECS Default Stores

1: Machine SSL Store (MACHINE_SSL_CERT)

This store is used by the reverse proxy service on every vSphere node. This store is also used by the VMware Directory Service (vmdir) on embedded deployments and on each Platform Services Controller node.…

Replacing vSphere 6.0 certificates using VMCA as a Subordinate CA

vSphere 6.0 brought many enhancements with it, and one of the most significant was the VMware Certificate Authority (VMCA), VMware’s own CA, which eases the pain of certificate management in vSphere 6.

VMCA is itself a fully functional CA and can be used to issue certificates to all vSphere 6 components (vCenter and ESXi hosts) in your environment. Unlike Microsoft CA, VMCA has no graphical interface and is entirely command-line driven.

VMCA is part of the Platform Services Controller, and there are various deployment models available for configuring VMCA, including:

  • VMCA as Root CA
  • VMCA as Subordinate CA to an External Enterprise CA
  • External CA
  • Hybrid mode

Derek Seaman has explained these deployment options in greater detail here.

By default, the VMCA self-signs its own certificate, which is then used by vCenter Server and ESXi hosts. If your organization’s policy does not allow self-signed certs, you can replace the certificates generated by VMCA by sending them to an enterprise CA for signing.…

Using Custom Certificates in vSphere Replication

In this post we will be working on using custom (CA-signed) certificates on the vSphere Replication Appliance.

Unlike vCenter Server, there is no automated way of replacing the default certificates on the VR appliance; it needs a bit of manual effort. VMware has outlined the steps to do so in the official KB-2080395.

Before performing these steps, make sure you have already replaced the default certificates on your vCenter Server.

The vSphere Replication appliance ships with openssl, and you can use it to generate the certificate signing request for the appliance.

Perform the following steps to replace the default certs with CA-signed certs:

1: Create openssl config file

SSH to your VR appliance and create a configuration file for the Replication Appliance. The contents of this file would look like as shown below. You need to change the fields marked in bold.

vrs01:~ # vi vrs01.cfg

[ req ]
default_bits = 2048
default_keyfile = rui.key…

Replacing ESXi 6 SSL Certificates

In our last post, Replacing vSphere 6 SSL Certificates, we learned how to replace the Machine SSL certificates and the VMCA root certificate. In this post we will learn how to replace the ESXi default SSL certificates with certificates signed by a CA server.

If you missed the earlier posts of this series, you can read them from the links below:

1: Setup CA Server for vSphere Lab

2: Set Up Automatic Certificate Enrollment

3: Request Internal Certificate from CA Server

4: Everything You Should Know About Certificate Management in vSphere 6

5: Replacing vSphere 6 SSL Certificates

ESXi hosts use default certificates that are created during installation. These certificates are not verifiable and are not signed by a trusted certificate authority. If using the default certificates does not comply with your organization’s security policy, then you need certificates signed by your CA server.

Note: ESXi hosts that are upgraded from vSphere 5.x to vSphere 6.0 will continue using their Certificate Authority signed certificates if they were replaced in the previous version.…

Replacing vSphere 6 SSL Certificates

In our last post, Certificate Management in vSphere 6, we had a look at the architecture of VMCA and what it does.

In this post I will walk through the steps needed to replace vSphere 6 SSL certificates.

In this post we will be covering the following items:

  • Creating certificate templates for vSphere 6
  • Replacing Machine SSL certificates
  • Replacing the VMCA Root certificate

If you missed the earlier posts of this series, you can read them from the links below:

1: Setup CA Server for vSphere Lab

2: Set Up Automatic Certificate Enrollment

3: Request Internal Certificate from CA Server

4: Everything You Should Know About Certificate Management in vSphere 6

Let the fun begin.

Create certificate templates

As per VMware KB article 2112009, we need to create 2 certificate templates:

  • Machine SSL and Solution User certificates
  • Certificate template for VMCA as a Subordinate CA

To create the certificate templates, RDP to your Enterprise CA server and click Start > Run, type certtmpl.msc, …

Everything You Should Know About Certificate Management in vSphere 6

SSL certificates played an important role in vSphere 5.1, and managing the certificates in the vSphere environment emerged as another challenge for most vSphere admins. Replacing SSL certs in prior versions of vSphere (5.1 and 5.5) was a big headache.

Although vSphere 5.5 simplified certificate replacement via command-line tools, it still required a lot of steps to replace certs on each endpoint (vCenter Server, Single Sign-On, Inventory Service, Web Client).

Derek Seaman did an excellent service for the VMware community and developed a tool (vSphere Toolkit) which further simplified the process of replacing certificates and took much of the pain out of it. You can download the vSphere Toolkit for previous versions of vSphere from here.

In the past I wrote a blog post on how to replace vSphere (vCenter + ESXi) certificates, and you can read it here.

In vSphere 6, VMware addressed SSL certificates in a different manner and made managing them a lot easier than in previous releases.…

Request Internal Certificate from CA Server

In the last post, Set Up Automatic Certificate Enrollment, we walked through the steps for completing automated certificate enrollment.

In this post I will walk through the process of requesting an internal SSL certificate from an IIS web server in the domain, against our internally deployed CA.

Create Web Server Certificate Template for SSL Certs

Connect to the Enterprise CA and open the Certification Authority console.

Expand the certification authority so that you can see Certificate Templates. Right-click Certificate Templates and then click Manage.


In the details pane of the Certificate Templates console, right-click the Web Server template and then click Duplicate Template.


If you are prompted to select a template version, select Windows Server 2008 R2 and then click OK.


In the General tab, under Template display name, type the name that you want to use for the template, for example Lab Certs. Change the validity period as per your configuration.…

Set Up Automatic Certificate Enrollment

In our last post, Setup CA Server, we saw the installation and configuration of a CA server. In this post we will see how to automate the certificate enrollment process.

For a small number of components, as in a small environment, you can generate and sign certificates manually and then replace them one by one. But if you have many servers running in the lab, or you are using a CA in production with hundreds of servers, then replacing the certs manually is a time-consuming and very tedious job.

We can automate certificate enrollment via Active Directory to save time. Using an Active Directory domain with an Enterprise CA, we can deploy certificates automatically to clients that are part of the domain using a process known as autoenrollment. This saves a lot of time and reduces the administrative overhead required to deploy certificates to client systems. For this to work, we need a GPO, linked to our domain or to an OU, configured with the autoenroll policy.…

Setup CA Server for vSphere Lab - Say Goodbye to Self-Signed Certs

A while back I wrote a post on Configuring CA Server on Server 2008 so that one can use signed certificates in a lab or even in production.

Most vSphere appliances and software come with self-signed certs and work just fine in a home lab. But if you are like me and get annoyed by the warning message “Your connection is not secure”, then generate signed certificates to use in your lab and get rid of the ugly browser warning.

As I stated in my earlier post on SSL certs, self-signed certs work just fine, but it’s good to know how to work with signed certificates, because in production environments organizations don’t use self-signed certificates and instead rely on SSL certificates bought from a third party like Thawte or Verisign.

There are 2 types of CA server: Standalone and Enterprise.

Enterprise Root CA: The enterprise root CA is the most trusted CA in an organization and should be installed before any other CA.…