vCenter 6 SSL Certificate Replacement, external Platform Services Controller

Intermediate SSL Signed Certs with an External Platform Services Controller

I am not going to talk about the ins and outs of each setup; I am just going to run through the configuration of this one setup, based on using an internal Microsoft CA. This uses the appliance-based deployments of both the PSC and vCenter.

CREATE SSL SIGNING TEMPLATE

  • First step is to create the Certificate Signing Template
  • Open up the Certificate Templates MMC “certtmpl.msc” and locate the “Subordinate Certification Authority” template

  • Right-click and “Duplicate Template”
  • Under General ensure “Publish certificate in Active Directory” is selected and update the name to vSphere6VMCA. Validity/renewal periods are amended as per local policy
  • Under the Compatibility tab, change both compatibility settings to Windows Server 2008
  • Under the Extensions tab, select Key Usage and ensure it is set as shown below (the subordinate CA template's signing usage must be kept, since this certificate will sign everything VMCA issues)
  • Start the Certification Authority plugin, under “Certificate Templates” right-click, choose “New”, “Certificate Template to Issue” and select the vSphere6VMCA template just created.

    Create SSL Signing Request

    This will create a signing request to be signed by the MS CA

    BEFORE STARTING THIS SECTION ENSURE YOU HAVE A SNAPSHOT OF THE PSC AND VCENTER APPLIANCES

  • Access the external PSC via PuTTY; if the shell is not enabled at login, run
    • shell.set --enabled true
    • shell
    • To transfer files via WinSCP, change root's login shell to bash:
      • chsh -s /bin/bash root

    Thanks VirtualGhetto for this info

  • Create a directory to store requests and returned files for SSL signing; normally I just go for one in root
    • First ensure you are in the root directory
    • Then use mkdir to create the ssl directory, i.e. mkdir /ssl
  • Then cd to the Certificate Manager tool
  • Then start the Certificate Manager program (don’t forget the ./ at the beginning to launch the program)
  • Choose Option number two
    • Provide the SSO admin password
    • Select option 1 “Generate Certificate Signing Request and key for VMCA Root Signing Certificate”
    • Provide the path to the SSL folder create earlier, i.e. /ssl
  • Create a local directory on your working server to store the requests and responses; normally I create c:\ssl. Leave PuTTY open but now use WinSCP and obtain the Root_Signing_CERT.cer and Root_Signing_cert.key files to be submitted to the MS CA
    • Before downloading in WinSCP ensure the transfer method is set to “text” rather than binary. Download the files from /ssl to c:\ssl
  • Now submit the files for signing
  • Log into the MS CA https://hostname/certsrv
  • Click the Request a certificate link.
  • Click advanced certificate request.
  • Click the Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file link.
  • Open the file c:\ssl\certificate_signing_request_cert.csr (I normally recommend Notepad++ for this) and copy everything
  • Paste the content into the CA signing request form, select the Certificate Template “vSphere6VMCA” created earlier and submit the request
  • Select Base64, click Download Certificate and save it as c:\ssl\certificate_signing_request.cer
  • Navigate back to the home page of the certificate server and click Download a CA certificate, certificate chain or CRL.
  • Select the Base 64 option.
  • Click the Download CA Certificate chain link.
  • Save the certificate chain as cachain.p7b in the c:\ssl folder.
  • Double-click the cachain.p7b file to open it in the Certificate Manager.
  • Navigate to C:\ssl\cachain.p7b > Certificates.
  • Right-click the certificate listed and click All Actions > Export.
    • Click Next.
    • Select Base-64 encoded X.509 (.CER), and then click Next.
  • Save as c:\ssl\cachain.cer
  • Using WinSCP upload the two .cer files created to the /ssl folder on the external PSC (don’t forget to copy in text mode, not binary). In PuTTY, if it is still open from earlier, press 2 to return to the command line, then cd to the ssl directory, i.e.
    • cd /ssl
  • Then create one file from the two files
    • cat certificate_signing_request.cer cachain.cer > psc.cer
    • This creates a single file combining the signed certificate returned by the CA and the chain file.
  • Then cd to the Certificate Manager tool and start it again (don’t forget the ./ at the beginning to launch the program)
  • Choose Option number two
    • Provide the SSO admin password
  • (Have you taken a VM snapshot before starting this bit?) Then choose option 2 “Import custom certificates and keys to replace existing VMCA root signing certificate”
  • Enter the path to each file
  • Confirm to replace the root certificate
  • Then complete the configuration of certtool.cfg
    • Ensure the hostname is the name of the PSC, the other options are decided by your environment
  • The system will then replace the certificates on your PSC, and will return back successful
  • Now, as the tool's output above shows, you need to stop and start the vCenter services
  • SSH onto the vCenter box; as earlier, you may need to enable the shell
    • shell.set --enabled true
    • shell
    • To transfer files via WinSCP, change root's login shell to bash:
      • chsh -s /bin/bash root
  • And run the stop and start commands from above.
  • Next step is to update the certificates from the PSC onto the vCenter appliance.
  • On the vCenter Appliance cd to the Certificate Manager tool, in the same place as on the PSC (so see above)
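As an added example (not code from the original post), the following POSIX shell checks run on the PSC against the two .cer files before the bundle is imported with option 2: the structural check covers the cat step and the text-versus-binary transfer pitfall, and the openssl check confirms the signed certificate chains to the MS CA and carries the CA and Certificate Sign attributes the duplicated subordinate CA template is meant to produce. Function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the psc.cer bundle
# built with "cat certificate_signing_request.cer cachain.cer > psc.cer"
# before handing it to certificate-manager option 2. File names follow the
# post; the checks themselves are this example's own.

# Number of PEM certificate blocks in a file.
pem_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# 0 if the file has no CRLF line endings. A WinSCP transfer in "text" mode
# strips them; a binary transfer from Windows leaves them in and the tool
# then rejects or mis-parses the PEM.
pem_no_crlf() {
    ! grep -q "$(printf '\r')" "$1"
}

# 0 if every BEGIN marker has a matching END marker.
pem_balanced() {
    b=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1")
    e=$(grep -c '^-----END CERTIFICATE-----' "$1")
    [ "$b" -gt 0 ] && [ "$b" -eq "$e" ]
}

# Build the bundle exactly as the post does (signed cert first, then chain)
# and check it structurally. Prints "ok" on success, a reason on failure.
check_bundle_structure() {
    leaf=$1; chain=$2; out=$3
    [ "$(pem_count "$leaf")" -eq 1 ] || { echo "$leaf should hold exactly one certificate"; return 1; }
    cat "$leaf" "$chain" > "$out" || return 1
    pem_no_crlf "$out"  || { echo "CRLF line endings in $out: re-transfer in text mode"; return 1; }
    pem_balanced "$out" || { echo "unbalanced BEGIN/END markers in $out"; return 1; }
    [ "$(pem_count "$out")" -ge 2 ] || { echo "expected signed cert + chain, found $(pem_count "$out") block(s)"; return 1; }
    echo ok
}

# Cryptographic checks (needs openssl on the PSC): the signed cert must chain
# to the CA bundle and, because it will sign every cert VMCA issues, it must
# carry CA:TRUE and the Certificate Sign key usage from the template.
verify_subordinate_ca() {
    leaf=$1; chain=$2
    openssl verify -CAfile "$chain" "$leaf" >/dev/null 2>&1 || { echo "does not chain to $chain"; return 1; }
    txt=$(openssl x509 -in "$leaf" -noout -text)
    echo "$txt" | grep -q 'CA:TRUE'          || { echo "basicConstraints is not CA:TRUE"; return 1; }
    echo "$txt" | grep -q 'Certificate Sign' || { echo "keyUsage lacks Certificate Sign"; return 1; }
    echo ok
}
```

Run `check_bundle_structure certificate_signing_request.cer cachain.cer psc.cer` from /ssl, then `verify_subordinate_ca certificate_signing_request.cer cachain.cer`; both print ok only when the bundle is safe to import.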

    Replacing the vSphere 6.0 Machine SSL certificate with a VMware Certificate Authority issued certificate

  • Then choose option 3 “Replace machine SSL Certificate with VMCA Certificates”
    • Enter SSO Admin password
    • Then FQDN of PSC server
    • Then complete the certtool.cfg file as earlier in step 32 (except for the last option: set the hostname to the FQDN of the vCenter appliance rather than the PSC appliance)
    • Then confirm to regenerate the Machine SSL Cert using VMCA

    Replacing the vSphere 6.0 Solution User certificates with VMware Certificate Authority issued certificates

  • Restart the certificate Manager tool. Then choose option 6 “Replace solution user certificates with VMCA Certificates”
    • Enter SSO Admin password
    • Then FQDN of PSC server
    • The certtool.cfg settings will be taken from the earlier run, so you will not be prompted this time.
    • Then confirm to regenerate the solution user certificates using VMCA
