In this article I want to share some do's and don'ts of implementing CA-signed certificates in VMware vCenter 5.5. Although some tooling is available to automate the entire process, implementing certificates in a vSphere environment can be quite challenging. Depending on your exact configuration, you can end up updating the certificates in more than seven different places, all of which trust each other via the old certificates and therefore have to be updated as a set.
I hope you will find my tips & tricks useful. Here we go:
- First of all: take a snapshot of all components involved in the update process, and take them at the same moment, so that a roll-back leaves the linked services consistent with each other. You can always roll back in case of problems.
- You need access to the VMs running the different VMware vCenter services (if applicable).
- You need the passwords of the administrator@vsphere.local account and of a vCenter administrator account. You will also need the original vCenter database password.
- Note that the password of the administrator@vsphere.local account cannot contain special characters such as &, ^, %, or <, because the configuration of the Inventory Service will otherwise fail. Read this VMware KB for more info.
- If you’re using a Windows Certificate Authority for the certificate signing, create a new VMware SSL certificate template. Instructions are available in this VMware KB.
- Use the SSL Certificate Automation Tool, download available here. Important: only version 5.5 of this tool supports vSphere 5.5; version 1.x does not. The SSL Certificate Automation Tool only supports Windows 2008 and Windows 2012 based vCenter Server installations.
- For your convenience: edit and update the ssl-environment.bat (part of the SSL Certificate Automation Tool) with values that are applicable to your environment.
- Use the SSL Certificate Automation Tool both for creating the Certificate Signing Requests (CSRs) and for replacing the current certificates.
- Open a command prompt with "Run as administrator" and use option 1 in the SSL Certificate Automation Tool to plan the steps of the update process. Open a second, equally elevated command prompt to execute the actual steps using ssl-update.bat.
- When submitting the CSRs (generated by the SSL Certificate Automation Tool) to a Windows CA, make sure you use the VMware SSL certificate template created earlier, and download each certificate (not the chain) as a Base-64 encoded .cer file.
- You will also need the root certificate of your CA. Download this certificate (not the chain) in .p7b format, open it and export the certificate as a Base-64 encoded X.509 .cer file.
- You have to combine the individual certificate for each server with the root CA certificate into a new .pem file, server certificate first and root CA certificate last. More information on this step and the previous two steps is in this VMware KB article. Use a plain-text editor, like Notepad++ or UltraEdit, for this task, so that no hidden characters end up in the file.
- When updating your certificates, follow the exact steps as displayed by the "Plan your steps" option in the SSL Certificate Automation Tool.
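The chain-building step above is where most hand-made .pem files go wrong: a binary DER .cer instead of Base-64, a .p7b bundle instead of a single certificate, or the certificates glued together in the wrong order. As an added example (not from the original post or from VMware's tooling) the following standard-library Python script assembles the chain for you and checks those things: it accepts Base-64 or DER .cer files, refuses .p7b bundles and multi-certificate files, orders the output server certificate -> intermediates (if any) -> root, and verifies every link by comparing issuer and subject byte-for-byte. It goes slightly beyond the post by allowing intermediate CAs. The sample certificates it builds are constructed, unsigned dummies with hypothetical names (Lab Root CA, vcenter.lab.local); the script does not validate signatures, so still let the SSL Certificate Automation Tool do the real validation.

```python
"""Assemble and sanity-check a vCenter chain .pem from the .cer files a Windows CA hands out.

Standard library only. Added example with constructed sample certificates, not VMware code.
"""
import base64
import re
import ssl

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)
PKCS7_SIGNED_DATA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"   # OID 1.2.840.113549.1.7.2


def _tlv(buf: bytes, off: int):
    """Read one DER tag/length/value at buf[off]; return (tag, value, offset after it)."""
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:                                   # long-form length
        k = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + k], "big"), off + k
    return tag, buf[off:off + ln], off + ln


def subject_issuer(cert_der: bytes):
    """Return (subject, issuer) of a DER certificate as raw Name DER by walking TBSCertificate."""
    _, cert, _ = _tlv(cert_der, 0)                 # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                      # tbsCertificate
    tag, _, nxt = _tlv(tbs, 0)
    off = nxt if tag == 0xA0 else 0                # optional [0] EXPLICIT version
    _, _, off = _tlv(tbs, off)                     # serialNumber
    _, _, off = _tlv(tbs, off)                     # signature AlgorithmIdentifier
    start = off
    _, _, off = _tlv(tbs, off)                     # issuer Name
    issuer = tbs[start:off]
    _, _, off = _tlv(tbs, off)                     # validity
    start = off
    _, _, off = _tlv(tbs, off)                     # subject Name
    return tbs[start:off], issuer


def load_cert(data: bytes) -> bytes:
    """Normalise one .cer file (Base-64 PEM or binary DER) to DER; refuse .p7b bundles and chains."""
    text = data.decode("ascii", "ignore")
    if "-----BEGIN PKCS7-----" in text:
        raise ValueError("PKCS#7 bundle (.p7b): export the single certificate as Base-64 X.509")
    blocks = PEM_RE.findall(text)
    if len(blocks) > 1:
        raise ValueError("file contains a chain; the tool expects one certificate per file")
    if blocks:
        der_bytes = base64.b64decode(blocks[0])
    elif data[:1] == b"\x30":                      # binary DER starts with a SEQUENCE tag
        der_bytes = data
    else:
        raise ValueError("neither a Base-64 (PEM) nor a DER certificate")
    _, outer, _ = _tlv(der_bytes, 0)
    first, _, _ = _tlv(outer, 0)
    if first == 0x06 and PKCS7_SIGNED_DATA in outer[:16]:
        raise ValueError("DER PKCS#7 bundle (.p7b), not a certificate")
    if first != 0x30:
        raise ValueError("not an X.509 certificate")
    return der_bytes


def to_pem(cert_der: bytes) -> str:
    """Base-64 PEM block with a trailing newline, ready for concatenation."""
    return ssl.DER_cert_to_PEM_cert(cert_der)


def build_chain(server_cer: bytes, ca_cers) -> str:
    """Return chain .pem text: server cert, then each CA cert, ending with the self-signed root."""
    certs = [load_cert(server_cer)] + [load_cert(c) for c in ca_cers]
    if len(certs) < 2:
        raise ValueError("no CA certificate supplied")
    names = [subject_issuer(c) for c in certs]
    for (_, issuer), (next_subject, _) in zip(names, names[1:]):
        if issuer != next_subject:
            raise ValueError("chain break: a certificate was not issued by the next one in the file")
    last_subject, last_issuer = names[-1]
    if last_subject != last_issuer:
        raise ValueError("last certificate is not a self-signed root CA")
    if len(set(names)) != len(names):
        raise ValueError("duplicate certificate in chain")
    return "".join(to_pem(c) for c in certs)


# --- constructed sample certificates: structurally valid DER with a dummy key and signature ---
def der(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _name(cn: str) -> bytes:      # Name ::= SEQUENCE OF SET OF (OID commonName, PrintableString)
    return der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x13, cn.encode()))))


def make_cert(subject_cn: str, issuer_cn: str) -> bytes:
    """Unsigned X.509 v3 DER for demonstration only (hypothetical names, no real key)."""
    rsa_sha256 = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + der(0x05, b""))
    rsa_key = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + der(0x05, b""))
    tbs = der(0x30,
              der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + rsa_sha256
              + _name(issuer_cn)
              + der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
              + _name(subject_cn)
              + der(0x30, rsa_key + der(0x03, b"\x00\x00")))
    return der(0x30, tbs + rsa_sha256 + der(0x03, b"\x00" * 5))


if __name__ == "__main__":
    root = make_cert("Lab Root CA", "Lab Root CA")                         # DER, as certsrv may deliver it
    vcenter = to_pem(make_cert("vcenter.lab.local", "Lab Root CA")).encode()  # Base-64 .cer
    print(build_chain(vcenter, [root]))
```

With real files, call `build_chain(open("vcenter.cer", "rb").read(), [open("root.cer", "rb").read()])` (an intermediate CA goes into the list before the root) and write the returned string to the chain .pem file the tool asks for. Names are compared as raw DER, which is the strict binary comparison RFC 5280 allows, so a root exported with a different string encoding than the one the issuing CA used will be reported as a chain break; that is worth investigating rather than silencing.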
For the rest: drink some beer, and cross your fingers. Good luck!
2 Comments
Fabian Lenz
Great collection of important things to consider.
Probably some things to add that I have experienced while dealing with vCenter certificates (and I spent far too much time on those things 😉 )
-> Make yourself familiar with SSL and its components (private/public key, chain files, CSR)
-> Store all relevant components persistently, securely and reliably, and be aware of the validity period of SSL certificates
-> Create/test a JAVA_HOME environment variable pointing to the JRE of your vCenter installation.
-> Make sure each certificate has a unique DN
-> Make sure no multiple ServiceIDs are stored in vpxd.cfg (%ProgramData%\VMware\VMware VirtualCenter\)
viktorious
Great addition Fabian, thanks for sharing!