Thursday 11 May 2017

Using AD signed certificates with vCenter Server Appliance 6

Creating signed certs for vCenter has never been easy. With the release of 6.0 this has changed somewhat: there is a built-in certificate manager that allows you to import a CA (say Microsoft AD) cert and key so that VMCA signs its own certs with it and they become trusted.
First, we need to set up an AD cert template for vSphere 6.0; that's covered in my article here.
Next, log in to your vCenter Server Appliance as root and enter:
shell.set --enabled True
shell
This gives us access to the VCSA's underlying OS CLI.
Create a directory to store our csr and key:
mkdir /root/SSLCerts
Next we will need to launch the certificate manager, execute:
/usr/lib/vmware-vmca/bin/certificate-manager
You will see a display like so:
 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
|                                                                     |
|      *** Welcome to the vSphere 6.0 Certificate Manager  ***        |
|                                                                     |
|                   -- Select Operation --                            |
|                                                                     |
|      1. Replace Machine SSL certificate with Custom Certificate     |
|                                                                     |
|      2. Replace VMCA Root certificate with Custom Signing           |
|         Certificate and replace all Certificates                    |
|                                                                     |
|      3. Replace Machine SSL certificate with VMCA Certificate       |
|                                                                     |
|      4. Regenerate a new VMCA Root Certificate and                  |
|         replace all certificates                                    |
|                                                                     |
|      5. Replace Solution user certificates with                     |
|         Custom Certificate                                          |
|                                                                     |
|      6. Replace Solution user certificates with VMCA certificates   |
|                                                                     |
|      7. Revert last performed operation by re-publishing old        |
|         certificates                                                |
|                                                                     |
|      8. Reset all Certificates                                      |
|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|
We are going to use option 1 to replace the machine_ssl cert with an AD signed one.
You will now be prompted for your SSO user password (usually [email protected] unless you’ve changed it during setup like me), so enter it.
Now you’re going to be asked:
     1. Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate

     2. Import custom certificate(s) and key(s) to replace existing Machine SSL certificate

Option [1 or 2]: 1
We want to choose option 1 to generate the csr for signing by AD.
Choose an output directory (/root/SSLCerts created earlier).
Please provide a directory location to write the CSR(s) and PrivateKey(s) to: 
Output directory path: /root/SSLCerts
2015-07-19T18:48:25.878Z   Running command: ['/usr/lib/vmware-vmca/bin/certool', '--genkey', '--privkey', '/root/SSLCerts/machine_ssl.key', '--pubkey', '/tmp/pubkey.pub']
2015-07-19T18:48:26.144Z   Done running command
2015-07-19T18:48:26.145Z   Running command: ['/usr/lib/vmware-vmca/bin/certool', '--gencsrfromcert', '--privkey', '/root/SSLCerts/machine_ssl.key', '--cert', '/tmp/vecs_crt.crt', '--csrfile', '/root/SSLCerts/machine_ssl.csr']
2015-07-19T18:48:26.245Z   Done running command

CSR generated at: /root/SSLCerts/machine_ssl.csr
As you can see, the .csr was generated at /root/SSLCerts/machine_ssl.csr, so we will cat the output file (open another ssh session to the vCenter) to get the csr:
cd /root/SSLCerts/
cat machine_ssl.csr
Output will be in standard csr format:
vc1:~/SSLCerts # cat machine_ssl.csr 
-----BEGIN CERTIFICATE REQUEST-----
{CSR HERE}
-----END CERTIFICATE REQUEST-----
Load up AD CertSvc (usually at: https://{DCnameorIP}/CertSrv/en-US/) and follow this procedure:
  • Request Certificate
  • Advanced Certificate Request
  • Certificate Template: vSphere 6.0
  • Paste the csr in and click submit.
CSR Request
Next, download the certificate as Base 64 encoded (not the chain!).
Open the cert with Notepad, Sublime Text or similar and paste the content into a new file on the VCSA:
vi /root/SSLCerts/machine_ssl.cer
Put vi into insert mode:
i
Paste in the contents of the cer file, then hit Esc, write and quit the file:
:wq
Download the CA root certificate in Base 64 also and add it to another file, as above, called ca.cer.
You should now have 4 files in /root/SSLCerts/:
  • ca.cer
  • machine_ssl.cer
  • machine_ssl.csr
  • machine_ssl.key
Back in the first ssh session, where certificate manager is still running, enter option 1 and then enter the file paths it asks for:
     1. Continue to importing Custom certificate(s) and key(s) for Machine SSL certificate

     2. Exit certificate-manager 

Option [1 or 2]: 1

Please provide valid custom certificate for Machine SSL.
File : /root/SSLCerts/machine_ssl.cer

Please provide valid custom key for Machine SSL.
File : /root/SSLCerts/machine_ssl.key

Please provide the signing certificate of the Machine SSL certificate
File : /root/SSLCerts/ca.cer

You are going to replace Machine SSL cert using custom cert
Continue operation : Option[Y/N] ? : y
Status : 100% Completed [All tasks completed successfully] 


Valid cert on vCenter 6.0 Web Client
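Before answering the import prompts, it is worth confirming that the four files in /root/SSLCerts actually belong together. The script below is an added example, not part of the original post or of VMware's tooling; the function names are made up for illustration, and it assumes openssl 1.0.0 or later is on the PATH.

```shell
#!/bin/sh
# Added example: pre-import sanity checks for the files the walkthrough
# collects in /root/SSLCerts. Function names are hypothetical.

# Print the PEM public key carried by a certificate, CSR or private key.
pubkey_of() {   # $1 = x509 | req | pkey, $2 = file
    case "$1" in
        x509) openssl x509 -in "$2" -noout -pubkey ;;
        req)  openssl req  -in "$2" -noout -pubkey ;;
        pkey) openssl pkey -in "$2" -pubout ;;
    esac 2>/dev/null
}

# check_machine_ssl DIR: returns 0 only if every check passes.
check_machine_ssl() {
    dir=$1; rc=0
    cert=$dir/machine_ssl.cer; key=$dir/machine_ssl.key
    csr=$dir/machine_ssl.csr;  ca=$dir/ca.cer

    for f in "$cert" "$key" "$csr" "$ca"; do
        [ -s "$f" ] || { echo "FAIL: missing or empty: $f"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return 1

    # The post says to download the certificate, not the chain.
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$cert" || true)
    [ "$n" -eq 1 ] || { echo "FAIL: $cert holds $n certificates, expected 1"; rc=1; }

    # The issued certificate must carry the public key of machine_ssl.key,
    # and it must be the key that was submitted in machine_ssl.csr.
    cert_pub=$(pubkey_of x509 "$cert" || true)
    key_pub=$(pubkey_of pkey "$key" || true)
    csr_pub=$(pubkey_of req "$csr" || true)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: certificate does not match machine_ssl.key"; rc=1
    fi
    if [ -z "$csr_pub" ] || [ "$csr_pub" != "$cert_pub" ]; then
        echo "FAIL: certificate was not issued from machine_ssl.csr"; rc=1
    fi

    # ca.cer must be the issuer. Older openssl builds can exit 0 on a failed
    # verify, so the output is checked as well as the exit status.
    if ! out=$(openssl verify -CAfile "$ca" "$cert" 2>&1) \
        || ! printf '%s\n' "$out" | grep -q ': OK$' \
        || printf '%s\n' "$out" | grep -q '^error '; then
        echo "FAIL: $cert does not verify against $ca"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: files in $dir are consistent"
    return "$rc"
}

# Usage on the appliance: check_machine_ssl /root/SSLCerts
```

A mismatch here usually means the wrong file was pasted into vi or the CSR was regenerated after submission, and it is easier to fix before certificate-manager starts replacing certificates.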

credit:https://blah.cloud/security/using-ad-signed-certificates-with-vcenter-server-appliance-6/
