Hello everyone,
Following the video tutorial I made on implementing CA signed certificates on vSphere, I am writing this tutorial as a quick reference for what you need to do, so you don't have to watch the video again and again. Let's begin!
Prerequisite:
- Download VMware Certificate Toolkit: https://sourceforge.net/projects/vmwarecertificatetoolkit/
- Download SSL Automation Tool, available on the vSphere Installation ISO
- Any kind of certificate authority to create the CA signed certificates; this can be Active Directory Certificate Services, OpenTrust, etc.
- A working vSphere platform; my tool has been tested on vSphere 5.1 and 5.5
Part 1: Creating the certificate requests and RSA keys
1. To begin, you just need to open VCT (I am currently using version 0.1.5) and click on the PKCS10 button:
To implement CA signed certificates on a vSphere platform, you need to update the following services:
- Single Sign On
- Inventory Services
- vCenter Server
- Web Client
- Log Browser
- Update Manager
- Orchestrator
For each of those services you are going to create a certificate request in CSR format and an RSA key. Those files will be created by VCT without the need for OpenSSL.
2. Specify a destination folder: click on the "Options" tab, click on Browse and select a folder:
3. Let's create the SSO certificate request. Back in the Request Customization tab, you now have to enter the information needed for the certificate:
Select the size of the RSA key; it can be 2048 or 4096, depending on your company's security policies.
The SubjectAltName entries are the different names of the server that will be protected by the certificate: you can specify the short name, FQDN and IP address of your SSO server.
Then specify the country code, the name of the country, the city and the name of your company.
Select the service you want to update; in this case it is SSO.
Specify the CommonName, which is the principal name that will identify the certificate. The common name has to be one of the names you specified in the SubjectAltName field.
4. Click on Generate Certificate Request:
You can see that VCT creates a folder called VCTcerts and two files: rui.csr and rui.key
Those two files should look like this:
5. Repeat this process for the other services
If all the services are on the same server, you just need to change the OrganizationalUnitName and click on "Generate Certificate Request". If not, you also need to change the information in SubjectAltName, OrganizationalUnitName and CommonName.
At the end you should have something like this in the VCTcerts folder:
And in each folder a unique rui.key file and a rui.csr with the correct CommonName, SubjectAltName and OrganizationalUnitName.
Part 2: Create CA Signed Certificate
This step is normally done by the security team of your company, but it is interesting to see how it's done.
6. Connect to your certificate authority, in my case this is Microsoft Active Directory Certificate Services:
7. Click on "Request a certificate"
8. Click on “Advanced certificate request”
9. Select the VMware Template
If you don't have the template, you can follow KB2062108: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2062108
10. Go to the SSO folder in the VCTcerts folder and copy the content of rui.csr:
11. Paste the content of the request
12. Click on the “Submit” button
13. Select "Base 64 encoded"
14. Click on “Download certificate”
15. Put the downloaded certificate in the SSO folder in VCTcerts and rename it to rui.crt
The content of the SSO folder should look like this; you can then open the certificate to verify that it is valid.
16. Repeat steps 7 to 15 for the other services. At the end, the VCTcerts folder must have one folder per service, each containing 3 files: rui.key - rui.csr - rui.crt
Part 3: Creating the chain files
To update a service with a new certificate, you need a chain file that will contain the certificate signed by the certificate authority, the intermediate certificate of the authority if you have one, and the root certificate of the authority.
17. Download the intermediate and root certificates of the authority from Microsoft Active Directory Certificate Services: click on "Download a CA certificate, certificate chain, or CRL"
18. In my case, I don't have an intermediate certificate authority. Select Base 64 encoding and click on "Download CA certificate". Place this certificate in the VCTcerts folder and rename it if you want:
19. Open VCT and click on the "Chain .pem" button, then specify the path to the root certificate of the authority and the VCTcerts folder path:
20. Click on the Load button; if everything is OK you should see that VCT loaded all the certificates, as shown in the picture below:
21. Click on the "Generate Chain" button; you will see in the log panel that VCT created a .pem file for each service:
At this point, the folder of one of the services you want to update should look like this:
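What the "Generate Chain" button produces is a plain concatenation of rui.crt, the intermediate certificate (if any) and the root certificate, in that order, and when the updater later complains the chain file is the first thing to check. The script below is an added example (it is not part of this post, of VMware Certificate Toolkit or of the SSL Automation Tool) that rebuilds such a chain .pem from rui.crt plus the downloaded CA certificates and verifies the order by walking the issuer and subject names with a small DER reader, so no OpenSSL is needed. The certificates at the bottom are constructed samples with the real X.509 layout but a dummy key and signature; replace them with the content of your own VCTcerts files. It also catches the two mistakes I see most often: an rui.crt that is still self-signed, and a missing intermediate certificate.

```python
"""Build and check a per-service chain .pem (leaf -> intermediate(s) -> root).
Added example, standard library only; not code from VMware Certificate Toolkit
or the SSL Automation Tool. A minimal DER walker extracts issuer/subject Names."""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_blocks(text):
    """DER bytes of every CERTIFICATE block in a PEM (Base 64 encoded) file."""
    ders = [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(text)]
    if not ders:
        raise ValueError("no CERTIFICATE block found: was the file downloaded as Base 64?")
    return ders

def read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """(tag, value) elements inside a SEQUENCE or SET value."""
    out, pos = [], 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        out.append((tag, inner))
    return out

def issuer_and_subject(der):
    """Raw DER values of the issuer and subject Names of an X.509 certificate."""
    tbs = children(children(read_tlv(der, 0)[1])[0][1])   # fields of TBSCertificate
    if tbs[0][0] == 0xA0:                                 # explicit [0] version (v2/v3)
        tbs = tbs[1:]
    return tbs[2][1], tbs[4][1]      # serial, sigAlg, issuer, validity, subject, ...

def common_name(name_value):
    """commonName (OID 2.5.4.3) string of a Name, or None if absent."""
    for _, rdn in children(name_value):
        for _, atv in children(rdn):
            oid, val = children(atv)
            if oid[1] == b"\x55\x04\x03":
                return val[1].decode()
    return None

def to_pem(ders):
    """Serialize DER certificates as one PEM file, the layout of VCT's chain .pem."""
    lines = []
    for der in ders:
        b64 = base64.b64encode(der).decode()
        lines += ["-----BEGIN CERTIFICATE-----"] + [b64[i:i + 64] for i in range(0, len(b64), 64)]
        lines += ["-----END CERTIFICATE-----"]
    return "\n".join(lines) + "\n"

def build_chain_pem(leaf_pem, ca_pems):
    """Order rui.crt plus the downloaded CA certificates (any order) into chain .pem text,
    following issuer -> subject links until a self-signed root is reached."""
    pool = [d for pem in ca_pems for d in pem_blocks(pem)]
    chain = pem_blocks(leaf_pem)[:1]
    while True:
        issuer, subject = issuer_and_subject(chain[-1])
        if issuer == subject:                              # self-signed: the root
            if len(chain) == 1:
                raise ValueError("rui.crt is self-signed, not a CA signed certificate")
            return to_pem(chain)
        parents = [d for d in pool if issuer_and_subject(d)[1] == issuer]
        if not parents or parents[0] in chain:
            raise ValueError("chain broken after %r: no CA certificate matches its issuer"
                             % common_name(subject))
        chain.append(parents[0])

def chain_subjects(pem_text):
    """Subject CNs of a chain file in order: a quick check of rui.crt + CA certs."""
    return [common_name(issuer_and_subject(d)[1]) for d in pem_blocks(pem_text)]

# --- constructed sample certificates: correct X.509 layout, dummy key and signature ---
def tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

SHA256_RSA = tlv(0x30, bytes.fromhex("06092a864886f70d01010b") + b"\x05\x00")
UTC_TIME = tlv(0x17, b"240101000000Z")

def name(cn):
    return tlv(0x30, tlv(0x31, tlv(0x30, bytes.fromhex("0603550403") + tlv(0x13, cn.encode()))))

def fake_cert_pem(subject_cn, issuer_cn):
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + SHA256_RSA
              + name(issuer_cn) + tlv(0x30, UTC_TIME + UTC_TIME) + name(subject_cn)
              + tlv(0x30, SHA256_RSA + tlv(0x03, b"\x00\x00")))
    return to_pem([tlv(0x30, tbs + SHA256_RSA + tlv(0x03, b"\x00\x00"))])

ROOT_CER = fake_cert_pem("Example Root CA", "Example Root CA")
ISSUING_CER = fake_cert_pem("Example Issuing CA", "Example Root CA")
SSO_RUI_CRT = fake_cert_pem("sso01.example.local", "Example Issuing CA")

if __name__ == "__main__":
    # CA certificates passed root-first on purpose; the builder puts them in order.
    print(chain_subjects(build_chain_pem(SSO_RUI_CRT, [ROOT_CER, ISSUING_CER])))
```

With real files, pass `open(r"C:\VCTcerts\SSO\rui.crt").read()` as the leaf and the content of the downloaded CA certificates as the second argument, then write the returned text to the service folder as its chain .pem. The check only covers structure and order (each certificate is followed by the one that issued it, ending at a self-signed root); it does not verify signatures, validity dates or that the CommonName and SubjectAltName match the server, which is what you look at when opening the certificate in Windows.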
Part 5: Creating the SSL Environment file
- In VCT, click on the "SSL-environment" button, specify the path to the VCTcerts folder and click on Load:
- Scroll down, specify the SSO Admin User, the vCenter Admin User and the destination folder which is going to be the VCTcerts folder:
- Click on "Generate SSL Environment file". A .bat file is created in the VCTcerts folder. This file is used by the SSL Automation Tool and contains all the paths to the certificates and keys, so you don't have to waste time typing them.
The VCTcerts folder should now look like this:
Part 6: Implementing the certificates
- Connect to your vCenter Server using Terminal Services and transfer the VCTcerts folder. I created the VCTcerts folder on the C drive of my laptop with VCT; on the server, place the VCTcerts folder in the same location, the C drive.
- Also transfer the SSL Automation Tool to the vCenter Server, next to the VCTcerts folder:
- From the VCTcerts folder, copy the ssl-environment file to the "SSL automation tool" folder, replacing the original file.
- Open a "cmd" prompt with administrator rights and go to the "SSL automation tool" folder.
- Execute "ssl-environment.bat" to load the environment variables
- Execute "ssl-updater.bat"
- At this point you just need to follow the procedure step by step to update all the services in your infrastructure:
Update Procedure Step By Step
1. Go to the machine with Single Sign-On installed and update the Single Sign-On SSL certificate.
2. Go to the machine with Inventory Service installed and update Inventory Service trust to Single Sign-On.
3. Go to the machine with Inventory Service installed and update the Inventory Service SSL certificate.
4. Go to the machine with vCenter Server installed and update vCenter Server trust to Single Sign-On.
5. Go to the machine with vCenter Server installed and update the vCenter Server SSL certificate.
6. Go to the machine with vCenter Server installed and update vCenter Server trust to Inventory Service.
7. Go to the machine with Inventory Service installed and update the Inventory Service trust to vCenter Server.
8. Go to the machine with vCenter Orchestrator installed and update vCenter Orchestrator trust to Single Sign-On.
9. Go to the machine with vCenter Orchestrator installed and update vCenter Orchestrator trust to vCenter Server.
10. Go to the machine with vCenter Orchestrator installed and update the vCenter Orchestrator SSL certificate.
11. Go to the machine with vSphere Web Client installed and update vSphere Web Client trust to Single Sign-On.
12. Go to the machine with vSphere Web Client installed and update vSphere Web Client trust to Inventory Service.
13. Go to the machine with vSphere Web Client installed and update vSphere Web Client trust to vCenter Server.
14. Go to the machine with vSphere Web Client installed and update the vSphere Web Client SSL certificate.
15. Go to the machine with Log Browser installed and update the Log Browser trust to Single Sign-On.
16. Go to the machine with Log Browser installed and update the Log Browser SSL certificate.
17. Go to the machine with vSphere Update Manager installed and update the vSphere Update Manager SSL certificate.
18. Go to the machine with vSphere Update Manager installed and update vSphere Update Manager trust to vCenter Server.
- I am going to show you the Single Sign-On update: type 3 "Update Single Sign-On"
- Type 1 “Update the Single Sign-On SSL Certificate”
- You can see that all the paths to the certificates are already loaded, so just press "Enter" for the chain and the private key, type the SSO password and type "no" for the load balancer.
- Then you just have to follow the Update Procedure. It can take a while to update the services because you have to restart them multiple times. When you arrive at step 18 of the Update Procedure, the whole infrastructure is updated with CA signed certificates.
- If you have any errors, it might be a certificate problem: check the CRT file and the chain file of each service one by one.
- I hope it will help you to update your infrastructure; you can still watch the video if you feel something is wrong during this process. Feel free to leave me comments and share this tutorial or VMware Certificate Toolkit.