HP OneView SSL Replacement with Signed Certificate

 

RHP Logoecently for a secure client I have had to do a full end to end SSL replacement, VMware and ESXi was easy once you followed the guide

OneView for vCenter was a bit more tricky, so here is how I got it to work!

HP OneView SSL Replacement with Signed Certifcates from a Microsoft CA

 

  1. Create CSR in IIS, and submit it to your CA, in my case a Microsoft CA
  2. Once you have the OVC.cer back, go back to IIS and “complete certificate signing request
  3. Start the CertMgr MMC console, for Local Computer and under Personal\Certificates the complete requested will seen. The certificate will be icon with a small key to indicate the private key is attached.
  4. Export the Certificate,
    1. choose to export the private key
    2. As a PFX file, include all certs in the chain and DO NOT delete the private key, and DO NOT export extended properties
    3. Give it a password you will remember, I normally use just “testpassword”
    4. Export to a known location, I normally using a Certs working folder i.e. c:\certs\hostname\export-with-privatekey.pfx
  5. Now you need to split the certificate into a private key and server certificate
    1. Use Openssl

      Run the following command to extract the private key:

      openssl pkcs12 -in c:\certs\hostname\export-with-privatekey.pfx -nocerts -nodes -out c:\certs\hostname\privatekey.key

      Run the following command to remove the encryption:

      openssl rsa -in c:\certs\hostname\privatekey.key -out c:\certs\hostname\privatekey-nopassword.key

      Run the following command to extract the public key:

      openssl pkcs12 -in certificate.pfx -clcerts -nokeys -out certificate.pem

  6. Now rename
    1. Certificate.pem to server.pem
    2. Privatekey-nopassword.key to server.key

     

Now we have the certificates we need to install the Public Certificates from your CA into the CACERTS on your OVV server. At this point if you are running it as virtual windows vm, TAKE A SNAPSHOT

  1. Obtain the root ca certificate any intermediate certificates from the ca
  2. You require the keytool app so cd to c:\progam files (x86)\hp\hp oneview for vcenter\java\bin
  3. Then run the following in this work through I have a root and a intermediate certificate
    1. Keytool -import “c:\progam files (x86)\hp\hp oneview for vcenter\java\lib\security\cacerts” -alias root -file c:\certs\ca-root.cer
      1. Default password should be changeit
      2. Confirm yes to import
    2. Keytool -import “c:\progam files (x86)\hp\hp oneview for vcenter\java\lib\security\cacerts” -alias intermediate -file c:\certs\ca-root.cer
      1. Again default password changeit
      2. And confirm yes it required

     

Now we must replace the server certificate and private key created earlier (recommend backing up existing pem and key files before continuing)

  1. Browse to c:\progam files (x86)\hp\hp oneview for vcenter\uim
  2. Copy and replace the server.key and server.pem files created earlier over the existing files

Now I found it best to just restart the server then just restart the services

  1. After the reboot confirm all HP Oneview Services start as expected
  2. If you start the HP OneView for Storage Admin Portal you can confirm it is using the trusted certificate (to stop errors worth installing the intermediate and root certificates obatined earlier into the local computer store on the oneView box)
  3. Also check that you can still access the vSphere Web Client, I have had issues with the cert replacement and though I backed out the Oneview server by rolling the snapshot I had to restart the vCenter Appliance to get a login, as it just hung at the login page authorizing my login.

     

     

 


Leave a Reply

Your email address will not be published. Required fields are marked *