Thursday, 11 May 2017

Using AD signed certificates with vCenter Server Appliance 6

Creating signed certs for vCenter has never been easy. With the release of 6.0, though, this has changed somewhat: there is a built-in certificate manager that lets you import a CA (say, Microsoft AD) certificate and key so that VMCA can sign its own certs with it and have them trusted.
First, we need to set up an AD cert template for vSphere 6.0; that's in my article here.
Next, log in to your vCenter Server Appliance as root and enter:
shell.set --enabled True
shell
This will get us access to the underlying OS CLI of the VCSA.
Create a directory to store our CSR and key:
mkdir /root/SSLCerts
Next we need to launch the certificate manager; execute:
/usr/lib/vmware-vmca/bin/certificate-manager
You will see a display like so:
 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
|                                                                     |
|      *** Welcome to the vSphere 6.0 Certificate Manager  ***        |
|                                                                     |
|                   -- Select Operation --                            |
|                                                                     |
|      1. Replace Machine SSL certificate with Custom Certificate     |
|                                                                     |
|      2. Replace VMCA Root certificate with Custom Signing           |
|         Certificate and replace all Certificates                    |
|                                                                     |
|      3. Replace Machine SSL certificate with VMCA Certificate       |
|                                                                     |
|      4. Regenerate a new VMCA Root Certificate and                  |
|         replace all certificates                                    |
|                                                                     |
|      5. Replace Solution user certificates with                     |
|         Custom Certificate                                          |
|                                                                     |
|      6. Replace Solution user certificates with VMCA certificates   |
|                                                                     |
|      7. Revert last performed operation by re-publishing old        |
|         certificates                                                |
|                                                                     |
|      8. Reset all Certificates                                      |
|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|
We are going to use option 1 to replace the machine_ssl cert with an AD-signed one.
You will now be prompted for your SSO user password (usually administrator@vsphere.local, unless you changed it during setup like I did), so enter it.
Now you're going to be asked:
     1. Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate

     2. Import custom certificate(s) and key(s) to replace existing Machine SSL certificate

Option [1 or 2]: 1
We want to choose option 1 to generate the CSR for signing by AD.
Choose an output directory (/root/SSLCerts, created earlier).
Please provide a directory location to write the CSR(s) and PrivateKey(s) to: 
Output directory path: /root/SSLCerts
2015-07-19T18:48:25.878Z   Running command: ['/usr/lib/vmware-vmca/bin/certool', '--genkey', '--privkey', '/root/SSLCerts/machine_ssl.key', '--pubkey', '/tmp/pubkey.pub']
2015-07-19T18:48:26.144Z   Done running command
2015-07-19T18:48:26.145Z   Running command: ['/usr/lib/vmware-vmca/bin/certool', '--gencsrfromcert', '--privkey', '/root/SSLCerts/machine_ssl.key', '--cert', '/tmp/vecs_crt.crt', '--csrfile', '/root/SSLCerts/machine_ssl.csr']
2015-07-19T18:48:26.245Z   Done running command

CSR generated at: /root/SSLCerts/machine_ssl.csr
As you can see, the .csr was generated at /root/SSLCerts/machine_ssl.csr, so we will cat the output file (open another SSH session to the vCenter) to get the CSR:
cd /root/SSLCerts/
cat machine_ssl.csr
The output will be in standard CSR format:
vc1:~/SSLCerts # cat machine_ssl.csr 
-----BEGIN CERTIFICATE REQUEST-----
{CSR HERE}
-----END CERTIFICATE REQUEST-----
Load up the AD Certificate Services web enrollment page (usually at https://{DCnameorIP}/CertSrv/en-US/) and follow this procedure:
  • Request Certificate
  • Advanced Certificate Request
  • Certificate Template: vSphere 6.0
  • Paste the CSR in and click Submit.
[Screenshot: CSR Request]
Next, download the certificate as Base 64 encoded (not the chain!).
Open the cert with Notepad, Sublime Text or similar and paste the content into a new file on the VCSA:
vi /root/SSLCerts/machine_ssl.cer
Put vi into insert mode:
i
Paste in the contents of the .cer file, then hit Esc and write and quit the file:
:wq
Download the CA root certificate in Base 64 as well and add it to another file, as above, called ca.cer.
You should now have 4 files in /root/SSLCerts/:
  • ca.cer
  • machine_ssl.cer
  • machine_ssl.csr
  • machine_ssl.key
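Before handing these four files to certificate-manager, it is worth confirming that they belong together: a cert that does not match its key, a DER download instead of Base 64, or a ca.cer that is not actually the issuer all surface only after the import has started. The script below is an added example, not part of the original post or of VMware's tooling; it assumes an openssl binary in the PATH on the VCSA, the file names listed above, and a hypothetical host name vc1.example.local. The first function also covers the CSR step earlier in the post, checking that the CSR you pasted into AD was built from the key certool wrote beside it.

```shell
#!/bin/sh
# Pre-import checks for the files certificate-manager option 1 will ask for.
# Added example: assumes the file names used in this post and an openssl
# binary in PATH. FQDN is the name clients use to reach vCenter.

# csr_matches_key DIR: the CSR submitted to AD must have been generated from
# machine_ssl.key, otherwise the certificate AD returns cannot match the key.
csr_matches_key() {
    dir="$1"
    csr_pub=$(openssl req -in "$dir/machine_ssl.csr" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$dir/machine_ssl.key" -pubout) || return 1
    [ "$csr_pub" = "$key_pub" ]
}

# check_bundle DIR FQDN: returns 0 only if cert, key and CA are consistent.
check_bundle() {
    dir="$1"; fqdn="$2"
    cert="$dir/machine_ssl.cer"; key="$dir/machine_ssl.key"; ca="$dir/ca.cer"

    for f in "$cert" "$key" "$ca"; do
        [ -r "$f" ] || { echo "missing file: $f" >&2; return 1; }
    done

    # Base 64 (PEM) downloads carry this header; a DER download does not.
    for f in "$cert" "$ca"; do
        grep -q -e '-----BEGIN CERTIFICATE-----' "$f" \
            || { echo "not a Base 64 encoded certificate: $f" >&2; return 1; }
    done

    # The certificate AD returned must carry the public half of machine_ssl.key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "machine_ssl.key does not match machine_ssl.cer" >&2; return 1; }

    # ca.cer must be the issuer of the machine SSL cert. With a two-tier AD
    # PKI, ca.cer has to contain the whole chain (root included) to pass this.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "machine_ssl.cer does not chain to ca.cer" >&2; return 1; }

    # Refuse a cert that is expired or expires within the next day.
    openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null \
        || { echo "machine_ssl.cer is expired or about to expire" >&2; return 1; }

    # Browsers match the subjectAltName, not the CN, so the FQDN must be there.
    openssl x509 -in "$cert" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | grep -qE "DNS:${fqdn}([, ]|\$)" \
        || { echo "subjectAltName lacks DNS:$fqdn" >&2; return 1; }

    echo "bundle in $dir is consistent and valid for $fqdn"
}

# Usage on the appliance (hypothetical host name):
#   csr_matches_key /root/SSLCerts && check_bundle /root/SSLCerts vc1.example.local
```

Run it from the second SSH session after ca.cer has been written; only when both functions return 0 is it worth going back to certificate-manager and answering its three file prompts.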
Back in the first SSH session, where certificate manager is still running, enter option 1 and provide the requested file paths for the signed cert, key and CA cert:
     1. Continue to importing Custom certificate(s) and key(s) for Machine SSL certificate

     2. Exit certificate-manager 

Option [1 or 2]: 1

Please provide valid custom certificate for Machine SSL.
File : /root/SSLCerts/machine_ssl.cer

Please provide valid custom key for Machine SSL.
File : /root/SSLCerts/machine_ssl.key

Please provide the signing certificate of the Machine SSL certificate
File : /root/SSLCerts/ca.cer

You are going to replace Machine SSL cert using custom cert
Continue operation : Option[Y/N] ? : y
Status : 100% Completed [All tasks completed successfully] 
And we’re done!
[Screenshot: Valid cert on vCenter 6.0 Web Client]
References:
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2111571&src=vmw_so_vex_mgray_1080
http://blogs.vmware.com/vsphere/2015/07/custom-certificate-on-the-outside-vmware-ca-vmca-on-the-inside-replacing-vcenter-6-0s-ssl-certificate.html?src=vmw_so_vex_mgray_1080
http://kb.vmware.com/selfservice/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=2097936&src=vmw_so_vex_mgray_1080
credit:https://blah.cloud/security/using-ad-signed-certificates-with-vcenter-server-appliance-6/