Replacing vSphere 6 SSL Certificates

Manish Jha

In our last post Certificate Management in vSphere 6 we had  a look on architecture of VMCA and what it do.

In this post I will walk through the steps needed to replace vSphere 6 SSL certificates.

In this post we will be covering following items:

  • Creating certificate templates for vSphere 6
  • Replacing Machine SSL certificates.
  • Replace VMCA Root certificate

If you have missed earlier posts of this series, then you can read them from below links

1: Setup CA Server for vSphere Lab

2: Set Up Automatic Certificate Enrollment

3: Request Internal Certificate from CA Server

4: Everything You Should Know About Certificate Management in vSphere 6

Lets the fun begin.

Create certificate templates

As per VMware KB Article 2112009 we need to create 2 certificate templates:

  • Machine SSL and Solution User certificates
  • Certificate template for VMCA as a Subordinate CA

To create the certificate templates, RDP to your Enterprise CA server  and click Start > Run, type certtmpl.msc,… Read More

Everything You Should Know About Certificate Management in vSphere 6

Manish Jha

SSL certificates played an important role in vSphere 5.1, and managing the certificates that the vSphere environment emerged as another challenge for most of the vsphere Admins. Replacing SSL certs in prior versions of vSphere (5.5 and 5.1) was a big headache.

Although vSphere 5.5 simplified the process of certificate replacement easy via the command line tools, but still it required a lot of steps to replace certs on each endpoint (vCenter Server, Single Sign On, Inventory Service, Web Client).

Derek Seaman’s had done an excellent service for VMware community and developed a tool (vSphere Toolkit) which further simplified the process of replacing certificate and took much of the pain out of it. You can download vSphere toolkit for previous version of vSphere from here.

In past I wrote a blogpost on how to replace vSphere (vCenter + Esxi) certificates, and you can read it from Here.

In vSphere 6 VMware tried to address SSL certificates in a different manner and made managing SSL certificates a lot easier than previous releases.… Read More

Request Internal Certificate from CA Server

Manish Jha

In last post Set Up Automatic Certificate Enrollment we walked through the steps for completing automated certificate enrollment.

In this post I will walk through the process on how to request an internal SSL certificate from an IIS web server in the domain, against our internal deployed CA.

Create Web Server Certificate Template for SSL Certs

Connect to the Enterprise CA and open the Certification Authority console.

Expand the certification authority so that you can see Certificate Templates. Right-click Certificate Templates and then click Manage.

caa-1

In the details pane of the Certificate Templates console, right-click the Web Server template and then click Duplicate Template.

caa-2

If you are prompted to select a template version, select Window Server 2008 R2 and then click OK.

caa-3

caa-4

In the General tab, under Template display name, type a name that you want to use for the template. For example, Lab Certs. Change the validity period as per your config.… Read More

Set Up Automatic Certificate Enrollment

Manish Jha

In our last post Setup CA Server we saw installation/configuration of CA server. In this post we will see how to automate certificate enrollment process.

For fewer number of components you can generate and sign certificates manually and then replace it one by one. in a small environment. But if you have many servers running in lab or say you are using CA in production where you have 100’s of servers, then replacing the certs manually is a time consuming and very tedious job.

We can automate the automate the certs enrollment via Active Directory to save time. Using Active Directory domain with an Enterprise CA; we can deploy certificates on clients that are part of domain automatically using a process known as autoenrollment. This saves a lot of time and reduces the amount of administrative overhead required to deploy certificates on to client systems. For this to work, we need GPO linked to our domain or an OU configured with the autoenroll policy.… Read More

Setup CA Server for vSphere Lab- Say Good Bye to Self-Signed Certs

Manish Jha

A while back I wrote a post on Configuring CA Server on Server 2008 so that one can use signed certificate in lab or even in production.

Most vSphere appliances/softwares comes with a self-signed certs and works just fine in home lab. But if you are like me and get annoyed by  the warning message “Your connection is not secure”, then generate signed certificates to use in your lab and get rid of the ugly browser warning message.

As I stated in my earlier post on SSL certs that self-signed certs works just fine but it’s good to know how to work with signed certificates as in production environment organizations don’t use self-signed certificates and rely on SSL certificates bought from 3rd party like Thawte or Verisign.

There are 2 types of CA server: Standalone and Enterprise.

Enterprise Root CA: The enterprise root CA is the most trusted CA in an organization and should be installed before any other CA.… Read More

Install vCloud Director 8 with High Availability

Manish Jha

vCloud Director 8.0 is the latest version available for service providers and can be downloaded from here.

It’s been quite sometime that I am dealing with vCloud Director in our production environment and as well as my test lab. In past I have written a post on how to install vCloud Director 5.5. You can also read the entire vCloud Director post series from Here

Since v8 is out there in market for sometime, I decided to try my hands on it and implement that in my homelab.

There are various posts available on internet about what is vCloud Director and what it does. So I will not talk much about it and jump directly into action.

In this post we will be going to learn how to deploy vCloud Director with high availability.

Pre-requisites before installing vCloud Director:

1: Two server (for 2 vcd cells) with Redhat as guest operating system installed and configured.… Read More

Unable to start vApp-Invalid vApp properties:Invalid property value size

Manish Jha

I recently deployed vSphere replication appliance in vCloud Director and while powering it on I was facing one error

Unable to start vAPP- Invalid vApp properties:Invalid property value size

Due to this power on operation on vApp was failing time and again.

I checked the vCD logs and did not found any error messages for my vApp. All I got was few debug messages:

Read More

vRealize Log Insight: Part-2: Installation/Configuration

Manish Jha

In last post Log Insight Introduction of this series we had a look on what is vRealize Log Insight and where did it came from. What is the advantage of using it and how it fit together with other VMware components.

In this post we are going to see basic installation/configuration of the Log Insight appliance.

vRealize Log Insight is available in the form of OVA file and you can evaluate the product by registering and downloading it from here

You can choose to deploy the downloaded ova file as it is or can convert it to ovf file using ovftool. You can use the command shown in following example to do so:

PS C:UsersAdministrator> ovftool “C:UsersAdministratorDownloadsVMware-softOVA FilesLog-Insight-3.3.1.ova” “C:Us
ersAdministratorDownloadsVMware-softOVA FilesLog-Insight-3.3.1.ovf”

Output:

=======================================================
Opening OVA source: C:UsersAdministratorDownloadsVMware-softOVA FilesLog-Insight-3.3.1.ova
Opening OVF target: C:UsersAdministratorDownloadsVMware-softOVA FilesLog-Insight-3.3.1.ovf
Writing OVF package: C:UsersAdministratorDownloadsVMware-softOVA FilesLog-Insight-3.3.1.ovf
Transfer Completed
Warning:
– ExtraConfig option ‘keyboard.typematicmindelay’ is not allowed, will skip it.… Read More

vRealize Log Insight: Part-1: Introduction

Manish Jha

This week I decided to test my hands on the log management tool from VMware i.e vrealize Log Insight. We have this tool in our production environment and have to jump into analysis of Alerts received from this tool. Due to lack of knowledge troubleshooting sometime becomes very difficult so I decided to deploy this in my lab and play around options.

What is vRealize Log Insight?

vRealize Log Insight is a log management tool that aggregates logs from various systems into one place.The cool aspect of Log Insight is that it supports the collection of logs either from VMware infrastructure (i.e. ESXi hosts) either from physical infrastructure (i.e. physical servers, physical switches, etc.) either from application (i.e. virtual/physical machines guest operating systems).

With the introduction of vCenter Log Insight (Later renamed as vRealize Log Insight) VMware joined the already crowded log analytics market. There are several other products in market such as Splunk, LogRhythm, Sumo Logic and Loggly which are used for data center log consolidation and analysis.… Read More

Unregistering vSphere Replication Plugin from vCenter

Manish Jha

This week I was having some trouble with vSphere Replication appliances in my lab and decided to rip apart my replication setup. I logined to my VR appliance VAMI address and unregistered VRMS from vCenter Server. Deleted my replication appliance in order to deploy it from scratch.

To my surprise vSphere Replication plugin was still present in my vCenter Server, even after I logged out and logged in back to webclient.

mob-0

I tried to reboot my vCenter Server to see if it clears the plugin, but that trick didn’t worked for me.

Now the only option left was to uninstall the plugin was using vSphere MOB. If you are like me and dont know much about MOB then I would recommend reading this blogpost.

I followed following steps to successfully remove replication plugin from my vCenter Server.

1; Open your favourite browser and point it to URL https://vCenter-FQDN/mob and login.… Read More