Intermediate SSL Signed Certs with an External Platform Service Controller
I am not going to talk about the ins and outs of each setup; I am just going to run through the configuration of this one setup, based on using an internal Microsoft CA. This uses the appliance-based deployments of both the PSC and vCenter.
CREATE SSL SIGNING TEMPLATE
- First step is to create the Certificate Signing Template.
- Open the Certificate Templates MMC (“certtmpl.msc”) and locate the “Subordinate Certification Authority” template.
- Right-click it and choose “Duplicate Template”.
- Under General, ensure “Publish certificate in Active Directory” is selected and update the name to vSphere6VMCA. Amend validity/renewal as per local policy.
- Under the Compatibility tab, change both compatibility settings to Windows Server 2008.
- Under the Extensions tab, select Key Usage and ensure it is set as below.
- Start the Certificate Authority plugin, and under “Certificate Templates” right-click and choose “New” > “Certificate Template to Issue”, then select the vSphere6VMCA template just created.
Create SSL Signing Request
This will create a signing request to be signed by the MS CA
BEFORE STARTING THIS SECTION ENSURE YOU HAVE A SNAPSHOT OF THE PSC AND VCENTER APPLIANCES
- Access the external PSC via PuTTY. If the shell is not enabled at login, run:
- shell.set --enabled true
- shell
- To transfer files via WinSCP, run:
- chsh -s /bin/bash root
- Thanks VirtualGhetto for this info.
- Create a directory to store requests and returned files for SSL signing; normally I just go for one in root.
- First ensure you are in the root directory (cd /).
- Then use mkdir to create the ssl directory as below (mkdir /ssl).
- Then cd to the Certificate Manager tool's directory.
- Then start the Certificate Manager program (don't forget the ./ at the beginning to launch the program).
- Choose option number two.
- Provide the SSO admin password.
- Select option 1 “Generate Certificate Signing Request and key for VMCA Root Signing Certificate”.
- Provide the path to the SSL folder created earlier, i.e. /ssl.
- Create a local directory on your working server to store the requests and responses; normally I create c:\ssl. Leave PuTTY open but now use WinSCP to obtain the Root_Signing_CERT.cer and Root_Signing_cert.key files; the request is what gets submitted to the MS CA.
- Before downloading in WinSCP, ensure the transfer method is set to “text” rather than binary. Download the files from /ssl to c:\ssl.
- Now submit the files for signing
- Log into the MS CA https://hostname/certsrv
- Click the Request a certificate link.
- Click advanced certificate request.
- Click the Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file link.
- Open the file c:\ssl\certificate_signing_request_cert.csr (I normally recommend Notepad++ for this) and copy everything.
- Paste the content into the CA signing request form, select the Certificate Template “vSphere6VMCA” created earlier and submit the request.
- Select Base 64 and Download Certificate, and save it as c:\ssl\certificate_signing_request.cer.
- Navigate back to the home page of the certificate server and click Download a CA certificate, certificate chain or CRL.
- Select the Base 64 option.
- Click the Download CA Certificate chain link.
- Save the certificate chain as cachain.p7b in the c:\ssl folder.
- Double-click the cachain.p7b file to open it in the Certificate Manager.
- Navigate to C:\ssl\cachain.p7b > Certificates.
- Right-click the certificate listed and click All Actions > Export.
- Click Next.
- Select Base-64 encoded X.509 (.CER), and then click Next.
- Save as c:\ssl\cachain.cer
- Using WinSCP, upload the two .cer files created to the /ssl folder on the external PSC (don't forget to copy in text mode, not binary). In PuTTY, if it is still open from earlier, press 2 to return to the command line, then cd to the ssl directory, i.e.
- cd /ssl
- Then create one file from the two files:
- cat certificate_signing_request.cer cachain.cer > psc.cer
- This creates a single file combining the signed certificate and the CA chain.
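A check for the combination step above, added here as an example and not part of the original post: it builds psc.cer the way the cat command does but strips the CRLF line endings a binary-mode WinSCP copy leaves behind, makes sure the two certificates do not fuse on a missing final newline, and, where openssl is available, confirms the first cert chains to the rest and is a CA cert. The /ssl file names are the post's; the function names are mine.

```shell
#!/bin/sh
# Added check for the "cat ... > psc.cer" step (not from the original post).
# Assumes the post's layout: /ssl/certificate_signing_request.cer is the cert
# the MS CA returned and /ssl/cachain.cer is the exported CA chain.

# normalise FILE: drop CRs and make sure every line, including the last, ends in LF.
# A file copied by WinSCP in binary mode keeps Windows CRLF endings, and a missing
# final newline would fuse "-----END" of one cert with "-----BEGIN" of the next.
normalise() { awk '{ sub(/\r$/, ""); print }' "$1"; }

# cert_count FILE: number of PEM CERTIFICATE blocks in FILE (0 if none)
cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true; }

# build_bundle SIGNED CHAIN OUT: the post's
#   cat certificate_signing_request.cer cachain.cer > psc.cer
# with the fixes above; prints the number of certs written, returns 1 on bad input.
build_bundle() {
  signed=$1; chain=$2; out=$3
  for f in "$signed" "$chain"; do
    [ "$(cert_count "$f")" -ge 1 ] || { echo "no PEM certificate in $f" >&2; return 1; }
  done
  # exactly one cert in the signed file: a chain here means the wrong file was uploaded
  [ "$(cert_count "$signed")" -eq 1 ] || { echo "$signed must hold one cert" >&2; return 1; }
  { normalise "$signed"; normalise "$chain"; } > "$out"
  cert_count "$out"
}

# verify_bundle OUT: with openssl present, confirm the first cert (the new VMCA
# signing cert) chains to the CAs after it and carries CA:TRUE, which the
# subordinate-CA template must give it. The chain file needs to include the root.
verify_bundle() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipped" >&2; return 0; }
  awk '/BEGIN CERTIFICATE/ { n++ } n == 1' "$1" > "$1.leaf"
  awk '/BEGIN CERTIFICATE/ { n++ } n >= 2' "$1" > "$1.cas"
  openssl verify -CAfile "$1.cas" "$1.leaf" >/dev/null &&
    openssl x509 -in "$1.leaf" -noout -text | grep -q 'CA:TRUE'
}
```

Run it on the PSC as `build_bundle /ssl/certificate_signing_request.cer /ssl/cachain.cer /ssl/psc.cer && verify_bundle /ssl/psc.cer` before starting the import in the Certificate Manager tool.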
- Start the Certificate Manager tool again: cd to the Certificate Manager tool's directory and start the program (don't forget the ./ at the beginning to launch it).
- Choose option number two.
- Provide the SSO admin password.
- (Have you taken a VM snapshot before starting this bit?) Then choose option 2 “Import custom certificates and keys to replace existing VMCA root signing certificate”.
- Enter the path to each file.
- Confirm to replace the root certificate.
- Then complete the configuration of certool.cfg.
- Ensure the hostname is the name of the PSC; the other options are decided by your environment.
- The system will then replace the certificates on your PSC and report success.
- Now, as you can see above, you need to stop and start the vCenter services.
- SSH onto the vCenter appliance; as earlier, you may need to enable the shell:
- shell.set --enabled true
- shell
- To transfer files via WinSCP:
- chsh -s /bin/bash root
- Then run the stop and start commands from above.
- Next step is to update the certificates from the PSC onto the vCenter appliance.
- On the vCenter appliance, cd to the Certificate Manager tool, in the same place as on the PSC (see above).
- Then choose option 3 “Replace machine SSL Certificate with VMCA Certificates”.
- Enter the SSO admin password.
- Then the FQDN of the PSC server.
- Then complete the certool.cfg file as earlier on the PSC (except in the last option, set the hostname to the FQDN of the vCenter appliance rather than the PSC appliance).
- Then confirm to regenerate the Machine SSL Cert using VMCA.
- Restart the Certificate Manager tool. Then choose option 6 “Replace solution user certificates with VMCA Certificates”.
- Enter the SSO admin password.
- Then the FQDN of the PSC server.
- The certool.cfg settings will be taken from when it was run above, so you will not be prompted this time.
- Then confirm to regenerate the Machine SSL Cert using VMCA.