Using the vSphere Certificate Manager Utility

The vSphere Certificate Manager Utility is a command-line utility that allows for most certificate management tasks to be performed interactively by the administrator. The utility prompts for which task to perform, for any additional information, and then automatically stops and starts services, ultimately replacing the certificates.

Regenerating a new VMCA root certificate and replacing all certificates

Regenerating a new VMCA root certificate and replacing all certificates is useful when the certificates have expired or been compromised and new certificates need to be issued to the different vSphere components. Because the root itself changes, every certificate the VMCA previously issued is reissued under the new root.

To begin:

  1. Console to the PSC virtual machine (in this case, it is an embedded deployment, meaning that the vCenter Server virtual machine is also the PSC virtual machine).
  2. Enable and launch BASH. To launch the Certificate Manager Utility enter /usr/lib/vmware-vmca/bin/certificate-manager (for a Windows vCenter Server, this is located at C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager) and press Enter.
  3. Now that the Certificate Manager Utility has launched, select 4. Regenerate a new VMCA Root Certificate and replace all certificates by pressing 4 and then Enter. (Optionally, option 8. Reset all Certificates may also be chosen.)

  4. Enter the SSO administrator (administrator@vsphere.local) password (this is defined during installation).
  5. Press Y to reconfigure the certool.cfg file.
  6. Enter the values as prompted:
    • Enter proper value for 'Country' [Previous value: US]:
    • Enter proper value for 'Name' [Previous value: Acme]:
    • Enter proper value for 'Organization' [Previous value: AcmeOrg]:
    • Enter proper value for 'OrgUnit' [Previous value: AcmeOrg Engineering]:
    • Enter proper value for 'State' [Previous value: California]:
    • Enter proper value for 'Locality' [Previous value: Palo Alto]:
    • Enter proper value for 'IPAddress' [optional]:
    • Enter proper value for 'Email' [Previous value: [email protected]]:
    • Enter proper value for 'Hostname' [Enter valid Fully Qualified Domain Name (FQDN), For Example : example.domain.com]:


  7. As shown in the following screenshot, type Y to confirm the request in order to proceed.

  8. This will take several minutes to complete, as the utility stops and restarts the affected services.

The completion of this task replaces the VMCA root certificate with a newly generated one and reissues, under that new root, the machine SSL certificate and a certificate for each of the solution users. Anything that trusted the old VMCA root (browser trust stores, scripts, integrated products) must be given the new root, since nothing issued under the old one remains valid.

Configuring VMCA as a subordinate CA

This section covers configuring the VMCA as a subordinate certificate authority. The procedure has the VMCA generate a private key and a certificate signing request, has a trusted enterprise root CA issue a CA certificate against that request, and then imports the issued certificate (together with its chain) as the VMCA's signing certificate, making the VMCA a subordinate CA of the enterprise root. Certificates the VMCA issues afterwards chain up to the enterprise root, so anything that already trusts the enterprise root trusts them without any further distribution of the VMCA certificate.

To begin this process:

  1. Console to the PSC virtual machine (in this case, it is an embedded deployment, meaning that the vCenter Server virtual machine is also the PSC virtual machine).
  2. Enable and launch BASH. To launch the Certificate Manager Utility enter /usr/lib/vmware-vmca/bin/certificate-manager (for a Windows vCenter Server, this is located at C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager) and press Enter.
  3. Now that the Certificate Manager Utility has launched, select 2. Replace VMCA Root certificate with Custom Signing Certificate and replace all Certificates by pressing 2 and then Enter.

  4. Enter the password for the SSO administrator account (administrator@vsphere.local).


  5. Press 1 to select 1. Generate Certificate Signing Request(s) and Key(s) for VMCA Root Signing certificate. This generates the private key (the .key file) and the certificate signing request (the .csr file). Only the .csr file needs to be given to the certificate authority in order for it to issue a certificate; the private key should never leave the PSC.


  6. You will be prompted to enter an Output directory path. The example uses /cert/ (a custom-made directory for this specific purpose).


  7. Once finished, it will say Done running command, as demonstrated in the previous screenshot. Minimize, but do not close, this session as it will be used again later.
  8. Open a file-transfer tool such as WinSCP, connect to the PSC (in this case, the embedded vCenter Server appliance), and navigate to the directory that was used for the output of the .csr and .key files. Copy the .csr file to a directory on your desktop. Leave the .key file in place on the PSC: it is needed again in step 17 and, being the private key of the new signing certificate, should not be copied off the appliance.

  9. Next, open up a web browser. Go to https://<CA FQDN>/certsrv and click on the Request a certificate link.

  10. Select Or, submit an advanced certificate request.

  11. This brings up the Submit a Certificate Request or Renewal Request form. The next few steps will describe filling this form out.

  12. To start, open up the .csr file using Notepad or a similar application. Copy the contents of the .csr file. The contents of a .csr file are demonstrated in the following screenshot:

  13. Paste the contents of the .csr file into the Base-64-encoded certificate request (CMC or PKCS #10 or PKCS #7) section. Under the Certificate Template section, select the dropdown and choose the Subordinate Certification Authority option. No attributes should be added. Click on the Submit button when finished.

  14. The certificate authority will issue a certificate that is available for download. Ensure that you select Base 64 encoded and click on Download certificate.

  15. The next part is a little bit tricky; you need to concatenate the certificate that was just generated and downloaded with the certificate authority's root CA certificate into a single .cer file, in leaf-first order. First, copy the contents of the certificate that was just downloaded, then append the certificate of each intermediate CA (if the issuing CA is not itself the root), and finally the root CA certificate. Save this file as root_signing_chain.cer or something similar; just ensure that .cer is the file extension and that every certificate in it is Base-64 (PEM) encoded. An example of this is demonstrated in the following screenshot:

  16. Switch back to the Certificate Manager Utility window where we left off in step 7. Press 1 to choose the 1. Continue to importing Custom certification(s) and key(s) for VMCA Root Signing certificate option and hit Enter.
  17. Enter the path for the .cer (chain) file and for the .key file generated in step 5. Enter Y to replace the certificates.

  18. The following screenshot demonstrates the required values for the certool.cfg file:

  19. It will take several minutes for the services to restart.
  20. To validate that the SSL certificate installation has completed, open a web browser and go to https://<PSC FQDN>/websso/. From here, open the certificate properties for the site by clicking on the lock icon at the top of the navigation bar.
  21. Once the Certificate dialog pops up, select the Certificate Path tab. Verify that the path runs from the machine SSL certificate through the VMCA subordinate CA up to the enterprise root, with every enterprise CA listed. If only a single entry is on the list, the browser could not build that path, which means the VMCA subordinate CA certificate (or the chain imported in step 17) is not trusted. The following screenshot shows the certificate chain:


Replacing all certificates with custom certificates

It may be required by security policy to use certificates signed by a CA other than the VMCA for the vSphere components. The Certificate Manager Utility can replace the solution user certificates with such certificates, which is what this section covers; the machine SSL certificate is replaced separately with option 1. Replace Machine SSL certificate with Custom Certificate.

To get started:

  1. Console to the PSC virtual machine (in this case, it is an embedded deployment, meaning that the vCenter Server virtual machine is also the PSC virtual machine).
  2. Enable and launch BASH. To launch the Certificate Manager Utility enter /usr/lib/vmware-vmca/bin/certificate-manager (for a Windows vCenter Server, this is located at C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager) and press Enter.
  3. Now that the Certificate Manager Utility has launched, select 5. Replace Solution user certificates with Custom Certificate by pressing 5 and then Enter.
  4. Enter the SSO administrator (administrator@vsphere.local) password. Select 1. Generate Certificate Signing Request(s) and Key(s) for Solution User Certificates by pressing 1 and pressing Enter.
  5. Provide an output directory to place the certificate signing requests and keys. The example uses a custom-made directory /cert/.
  6. Once the certificate signing requests and keys have been copied to the output directory, the tool should specify Done running command.

  7. Once the keys are exported, minimize (but don't close) the Certificate Manager Utility as it will be used again later.
  8. Use a utility similar to WinSCP to copy the certificate signing requests (the .csr files only) to a desktop that can access the certificate authority. The .key files stay on the PSC; they are needed in step 19 and should not leave the appliance.
  9. The certificate signing requests should be used to request a certificate. In this example, Microsoft Active Directory Certificate Services is used to generate certificates (open up a web browser and go to https://<CA FQDN>/certsrv). To begin, select Or, submit an advanced certificate request.

  10. Next, select Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

  11. At this point, open the first .csr file. In the following example, machine.csr was opened in Notepad. Select all and copy the contents of this file as it will be used in the certificate request.

  12. Paste the contents of the .csr file into the section labeled Base-64-encoded certificate request (CMC or PKCS #10 or PKCS #7). Leave all attributes as default.
  13. Click on the Submit button.

  14. Select Base 64 encoded and then the Download certificate hyperlink. You will be prompted to save the certificate; save it as the solution username using the .cer extension.

  15. Repeat steps 9-14 for all solution users (machine, vpxd, vpxd-extension, and vsphere-webclient).
  16. Once this process is completely finished, use a tool similar to WinSCP to copy these .cer files into a directory accessible by the PSC.
  17. Return to the minimized Certificate Manager Utility.
  18. Picking up, select 1. Continue to importing Custom certificate(s) and key(s) for Solution User Certificates by pressing 1 and then Enter.
  19. Provide the path to each solution user certificate and key. The transcript below uses /tmp/ssl/; substitute the directory you actually used. The utility will prompt for:
    • Please provide valid custom certificate for solution user store: machine
    • File: /tmp/ssl/machine.cer
    • Please provide valid custom key for solution user store: machine
    • File: /tmp/ssl/machine.key
    • Please provide valid custom certificate for solution user store: vpxd
    • File: /tmp/ssl/vpxd.cer
    • Please provide valid custom key for solution user store: vpxd
    • File: /tmp/ssl/vpxd.key
    • Please provide valid custom certificate for solution user store: vpxd-extension
    • File: /tmp/ssl/vpxd-extension.cer
    • Please provide valid custom key for solution user store: vpxd-extension
    • File: /tmp/ssl/vpxd-extension.key
    • Please provide valid custom certificate for solution user store: vsphere-webclient
    • File: /tmp/ssl/vsphere-webclient.cer
    • Please provide valid custom key for solution user store: vsphere-webclient
    • File: /tmp/ssl/vsphere-webclient.key
    • Please provide the signing certificate of the Solution User Certificates
    • File: /tmp/ssl/Root64.cer
  20. The signing certificate requested in the last prompt (Root64.cer in the example) is the certificate of the CA that issued the solution user certificates. If that CA is itself a subordinate, the file must contain its whole chain, issuing CA first, up to the enterprise root. This process will take several minutes to finish once all of the paths have been entered.


Once this has finished, the ESX Agent Manager (EAM) extension's certificate must also be updated, because EAM authenticates to vCenter Server with the vpxd-extension solution user certificate that was just replaced.

Note

For more information see VMware KB 2112577 at http://bit.ly/2cN8SXS.
