
Guides for Replacing the VirtualCenter Certificate

In my post 730 Days Later – Replace The VirtualCenter Default SSL Certificate I pointed out that the SSL certificate installed by VirtualCenter expires after 2 years. I did not document how to replace the default cert, but instead linked to VMware’s guide for readers to explore. Thank goodness Leo Raikhman has picked up where I left off on his Leo’s Ramblings Blog! Leo has created 2 great “how to” posts for replacing certificates using OpenSSL that are much easier to follow than VMware’s guide.

In the post VirtualCenter CA Configuration Leo covers replacing the default certificate with a stand-alone OpenSSL version that expires after 10 years. In his follow-up post More nonsense with VirtualCenter certificates – part 2 he instead provides instructions for using a domain-enforced Windows Certificate Authority.

Read Leo’s posts in their entirety at the links above, but I am copying his instructions here for my personal knowledgebase. As a matter of fact, I recommend adding Leo’s RSS feed to your reader and bookmarking his site. He consistently writes posts that are relevant and helpful to virtualization administrators.

The rest of this post is taken entirely from the posts on Leo’s Ramblings Blog.

Replace stand alone certificate

So, you’ll need several things to get started:

All of the above need to be installed on the same server using default options.

These are the assumptions used below; change them to match your infrastructure. The resulting certificate will be valid for 10 years (3650 days):

  • Company name: Contoso Pty. Ltd.
  • Country Code: AU
  • State: NSW
  • Suburb: Woodsmith
  • Department: Information Technology
  • Admin email: bob@contoso.com.au
  • VirtualCenter Server name: auconvc01.contoso.com.au

Now to make all this stuff work, edit C:\OpenSSL\bin\openssl.cfg:

#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#

# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

####################################################################
[ ca ]
default_ca = CA_default # The default ca section

####################################################################
[ CA_default ]

dir = ./demoCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.

certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file

x509_extensions = usr_cert # The extensions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext

default_days = 3650 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha1 # which md to use.
preserve = no # keep passed DN ordering

# A few different ways of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match

# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

####################################################################
[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert

# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
string_mask = nombstr

# req_extensions = v3_req # The extensions to add to a certificate request

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2

stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = NSW

localityName = Suburb Name (full name)
localityName_default = Woodsmith

0.organizationName = Organization Name (eg, company)
0.organizationName_default = Contoso Pty. Ltd.

# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd

organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Information Technology

commonName = Common Name (eg, YOUR name)
commonName_max = 64

emailAddress = Email Address
emailAddress_default = bob@contoso.com.au
emailAddress_max = 64

# SET-ex3 = SET extension number 3

[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20

unstructuredName = An optional company name

[ usr_cert ]

# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType = server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
# issuerAltName=issuer:copy

#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

[ v3_req ]

# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]

# Extensions for a typical CA

# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always

# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true

# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as a test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign

# Some might want this also
# nsCertType = sslCA, emailCA

# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy

# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF

[ crl_ext ]

# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always

[ proxy_cert_ext ]

# These extensions should be added when creating a proxy certificate

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType = server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
# issuerAltName=issuer:copy

#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

# This really needs to be in place for it to be a proxy certificate.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

In the file above, the values you must change for your site are the ones corresponding to the assumptions listed earlier: the 3650-day validity in default_days and the country, state, suburb, organization, department and e-mail defaults under [ req_distinguished_name ]. Leo’s original post shows those edits in bold and shows lines added to the stock file in bold red; that highlighting is not preserved here.

  • Now, open up C:\OpenSSL\bin and rename the PEM directory to PEM.old.
  • Open up a command prompt and run c:\perl\bin\perl c:\openssl\bin\ca.pl -newca. As you are doing this, fill in the site details as above; for the common name, just put in “server”.
  • In the same command prompt, change directory to C:\OpenSSL\bin and run openssl genrsa 1024 > rui.key
  • Run openssl req -new -key rui.key > rui.csr -config openssl.cfg. When it asks for the common name, type in the FQDN of the VirtualCenter server (auconvc01.contoso.com.au).
  • Run openssl ca -out rui.crt -config openssl.cfg -infiles rui.csr
  • Run openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui -passout pass:vmware -out rui.pfx

At this point, you’ve created 3 files: rui.key, rui.crt and rui.pfx.

Go into C:\Documents and Settings\All Users\Application Data\VMware\Infrastructure\VMware VirtualCenter Server\ and rename the SSL directory to SSL.old. Then create a directory called SSL. Copy the created files into this directory.

Next, open up the Microsoft Management Console (Start -> Run -> MMC) and open up the snap-in for Computer Account Certificates. Import the rui.crt certificate file into the Trusted Publishers container. Then restart the VirtualCenter service.

Replace with Windows Certificate Authority

Instructions:

  1. First download OpenSSL from here
  2. Install OpenSSL
  3. Download the openssl.cfg file from here
  4. Copy the above file into the bin\ directory of the above install, next to the openssl.exe binary

Open up a command prompt:

  1. CD to the directory openssl.cfg was copied to
  2. Run: openssl genrsa 1024 > rui.key
  3. Run: openssl req -new -key rui.key > rui.csr -config openssl.cfg and, when asked for the common name, fill in the hostname or the FQDN of the VirtualCenter server
  4. Go to Microsoft Certificate Services Web Enrollment, usually on your domain controller (eg: http://domaincontroller/certsrv)
  5. “Request a certificate” and “submit an advanced certificate request”
  6. “Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file”
  7. Paste the contents of the rui.csr file into the field “Saved Request:”, and choose “Web Server” under “Certificate Template:”
  8. Select “Base 64 encoded” and download the certificate (rename it to rui.crt) to the bin directory in which you were working in the command prompt
  9. Back in the command prompt, run: openssl pkcs12 -export -in rui.crt -inkey rui.key -name FQDNofVirtualCenterServer -out rui.pfx
  10. Copy the files rui.key, rui.crt and rui.pfx to C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL\

In the command prompt, CD to the VMware VirtualCenter Server install directory and run vpxd -p. This re-initializes the database on your SQL server with the new certificate; when asked for the DB password, enter it.

Restart the VirtualCenter Service.

After the restart the ESX hosts no longer have the right certificate and cannot communicate with VirtualCenter. Just disconnect them and reconnect them to re-enable HA/DRS/VMotion functionality.
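Whichever of the two procedures above you followed, it is worth confirming what actually landed in rui.crt before restarting the service. The script below is an added example, not code from Leo’s posts or from VMware: it runs openssl (assumed to be on PATH) against rui.crt in the current directory, parses the text openssl prints, and reports days until expiry, whether the CN matches the VirtualCenter FQDN (the example name from the post), and whether the certificate still carries the 1024-bit key and SHA-1 signature the stock openssl.cfg produces.

```python
"""Sanity-check a replacement rui.crt: expiry, CN, key size and signature hash."""
import re
import subprocess
from datetime import datetime, timezone

OPENSSL_DATE = "%b %d %H:%M:%S %Y %Z"   # e.g. "May 12 09:30:00 2018 GMT"

def parse_openssl_date(value):
    """Parse the date text openssl prints after 'notAfter=' into an aware datetime."""
    return datetime.strptime(value.strip(), OPENSSL_DATE).replace(tzinfo=timezone.utc)

def parse_subject_cn(line):
    """CN from a '-subject' line, in legacy '/C=AU/CN=host' or 'C = AU, CN = host' form."""
    m = re.search(r"(?:^|[/,=]\s*)CN\s*=\s*([^/,]+)", line)
    return m.group(1).strip() if m else None

def assess(text, expected_fqdn, now, warn_days=60):
    """Evaluate `openssl x509 -noout -enddate -subject -text` output; `now` is an
    aware datetime or a date string in the same format openssl prints."""
    if isinstance(now, str):
        now = parse_openssl_date(now)
    lines = text.splitlines()
    enddate = next(l[len("notAfter="):] for l in lines if l.startswith("notAfter="))
    subject = next(l for l in lines if l.startswith("subject="))
    days = (parse_openssl_date(enddate) - now).days
    cn = parse_subject_cn(subject)
    bits = re.search(r"Public-Key:\s*\((\d+) bit\)", text)
    sig = re.search(r"Signature Algorithm:\s*(\S+)", text)
    return {
        "days_remaining": days,
        "expired": days < 0,
        "expiring_soon": 0 <= days < warn_days,
        "cn_matches": cn is not None and cn.lower() == expected_fqdn.lower(),
        "key_bits": int(bits.group(1)) if bits else None,
        # the stock cfg above produces 1024-bit RSA keys signed with SHA-1;
        # modern TLS clients reject both, so flag them
        "weak_key": bits is not None and int(bits.group(1)) < 2048,
        "weak_hash": sig is not None and "sha1" in sig.group(1).lower(),
    }

def check_certificate(path, expected_fqdn):
    """Run openssl (assumed on PATH) on a PEM certificate and return the findings."""
    out = subprocess.run(
        ["openssl", "x509", "-in", path, "-noout", "-enddate", "-subject", "-text"],
        capture_output=True, text=True, check=True).stdout
    return assess(out, expected_fqdn, datetime.now(timezone.utc))

if __name__ == "__main__":
    # run from the SSL directory holding the new rui.crt
    print(check_certificate("rui.crt", "auconvc01.contoso.com.au"))
```

If weak_key or weak_hash comes back True, raise default_bits and default_md in openssl.cfg (or pick a stronger template on the Windows CA) and regenerate before copying the files into the SSL directory.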
