CA (say Microsoft AD) cert and key to have VMCA sign it’s own certs with and make them trusted.First thing, we need to set up an
AD cert template for vSphere 6.0, that’s in my article here.Next, log in to your vCenter Server Appliance as root and enter:
shell.set --enabled True
shellVCSA underlying OS CLICreate a directory to store our
csr and key:mkdir /root/SSLCerts/usr/lib/vmware-vmca/bin/certificate-manager _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
| |
| *** Welcome to the vSphere 6.0 Certificate Manager *** |
| |
| -- Select Operation -- |
| |
| 1. Replace Machine SSL certificate with Custom Certificate |
| |
| 2. Replace VMCA Root certificate with Custom Signing |
| Certificate and replace all Certificates |
| |
| 3. Replace Machine SSL certificate with VMCA Certificate |
| |
| 4. Regenerate a new VMCA Root Certificate and |
| replace all certificates |
| |
| 5. Replace Solution user certificates with |
| Custom Certificate |
| |
| 6. Replace Solution user certificates with VMCA certificates |
| |
| 7. Revert last performed operation by re-publishing old |
| certificates |
| |
| 8. Reset all Certificates |
|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|option 1 to replace the machine_ssl cert an AD signed one.You will now be prompted for your
SSO user password (usually administrator@vsphere.local unless you’ve changed it during setup like me), so enter it.No you’re going to be asked:
1. Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate
2. Import custom certificate(s) and key(s) to replace existing Machine SSL certificate
Option [1 or 2]: 1option 1 to generate the csr for signing by AD.Choose an output directory (
/root/SSLCerts created earlier).Please provide a directory location to write the CSR(s) and PrivateKey(s) to:
Output directory path: /root/SSLCerts
2015-07-19T18:48:25.878Z Running command: ['/usr/lib/vmware-vmca/bin/certool', '--genkey', '--privkey', '/root/SSLCerts/machine_ssl.key', '--pubkey', '/tmp/pubkey.pub']
2015-07-19T18:48:26.144Z Done running command
2015-07-19T18:48:26.145Z Running command: ['/usr/lib/vmware-vmca/bin/certool', '--gencsrfromcert', '--privkey', '/root/SSLCerts/machine_ssl.key', '--cert', '/tmp/vecs_crt.crt', '--csrfile', '/root/SSLCerts/machine_ssl.csr']
2015-07-19T18:48:26.245Z Done running command
CSR generated at: /root/SSLCerts/machine_ssl.csr.csr was generated at: /root/SSLCerts/machine_ssl.csr so we will cat the output file (open another ssh session to the vc) to get the csr:cd /root/SSLCerts/
cat machine_ssl.csrcsr format:vc1:~/SSLCerts # cat machine_ssl.csr
-----BEGIN CERTIFICATE REQUEST-----
{CSR HERE}
-----END CERTIFICATE REQUEST-----AD CertSvc (usually at: https://{DCnameorIP}/CertSrv/en-US/) and follow this procedure:- Request Certificate
- Advanced Certificate Request
- Certificate Template: vSphere 6.0
- Paste the
csrin and clicksubmit.
Next, download the certificate as
Base 64 encoded (not the chain!).Open the cert with notepad/sublime text or such and paste the content into a new file on the
vcsa:vi /root/SSLCerts/machine_ssl.cervi into insert mode:icer file, then hit Esc, write and quit the file::wqCA root certificate in Base 64 also and add it to another file, as above, called ca.cer.You should now have 4 files in
/root/SSLCerts/:- ca.cer
- machine_ssl.cer
- machine_ssl.csr
- machine_ssl.key
ssh session where certificate manager is running enter option 1 and enter the requested signed cert file paths: 1. Continue to importing Custom certificate(s) and key(s) for Machine SSL certificate
2. Exit certificate-manager
Option [1 or 2]: 1
Please provide valid custom certificate for Machine SSL.
File : /root/SSLCerts/machine_ssl.cer
Please provide valid custom key for Machine SSL.
File : /root/SSLCerts/machine_ssl.key
Please provide the signing certificate of the Machine SSL certificate
File : /root/SSLCerts/ca.cer
You are going to replace Machine SSL cert using custom cert
Continue operation : Option[Y/N] ? : y
Status : 100% Completed [All tasks completed successfully] 
References:
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2111571&src=vmw_so_vex_mgray_1080
http://blogs.vmware.com/vsphere/2015/07/custom-certificate-on-the-outside-vmware-ca-vmca-on-the-inside-replacing-vcenter-6-0s-ssl-certificate.html?src=vmw_so_vex_mgray_1080
http://kb.vmware.com/selfservice/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=2097936&src=vmw_so_vex_mgray_1080
credit:https://blah.cloud/security/using-ad-signed-certificates-with-vcenter-server-appliance-6/
AWS Training in Bangalore - Live Online & Classroom
ReplyDeletemyTectra Amazon Web Services (AWS) certification training helps you to gain real time hands on experience on AWS. myTectra offers AWS training in Bangalore using classroom and AWS Online Training globally. AWS Training at myTectra delivered by the experienced professional who has atleast 4 years of relavent AWS experince and overall 8-15 years of IT experience. myTectra Offers AWS Training since 2013 and retained the positions of Top AWS Training Company in Bangalore and India.
IOT Training in Bangalore - Live Online & Classroom
IOT Training course observes iot as the platform for networking of different devices on the internet and their inter related communication. Reading data through the sensors and processing it with applications sitting in the cloud and thereafter passing the processed data to generate different kind of output is the motive of the complete curricula. Students are made to understand the type of input devices and communications among the devices in a wireless media.
Thank you a lot for providing individuals with a very spectacular possibility to read critical reviews from this site.Block Chain Training in chennai
ReplyDeleteWow it is really wonderful and awesome thus it is very much useful for me to understand many concepts and helped me a lot. it is really explainable very well and i got more information from your blog.
ReplyDeleterpa training in Chennai | rpa training in pune
rpa online training | rpa training in bangalore
Wow it is really wonderful and awesome thus it is very much useful for me to understand many concepts and helped me a lot. it is really explainable very well and i got more information from your blog.
ReplyDeleterpa training in Chennai | rpa training in pune
rpa online training | rpa training in bangalore