SSL certificate replacement for vCenter Server 5.0 and its components


General Info:

SSL files used in the process:
  1. .CRT - The actual certificate
  2. .CSR - Certificate Signing Request; this is required to generate the actual certificate
  3. .PFX - Personal Information Exchange; bundles the certificate and its private key in a single file
  4. .KEY - A PEM formatted file containing just the private key of a specific certificate

Download and install OpenSSL - http://slproweb.com/products/Win32OpenSSL.html
Download and install the Microsoft Visual C++ 2008 redistributable (required by the OpenSSL installer) - http://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=15336


Certificates can be obtained using two methods:
  • Default certificates using OpenSSL - self-signed
  • Custom certificates using a signing authority such as VeriSign or a Microsoft CA


Generating the KEY and CSR using OpenSSL
Open the command prompt as administrator and browse to C:\openssl\bin
Edit the openssl.cfg file:
under [ CA_Default ]: dir = .
under [ req ] change: default_bits = 2048
under [ req ] change: default_keyfile = rui.key

Open a command prompt in administrator mode
cd C:\openssl\bin

Run the two commands below:
openssl genrsa 2048 > rui.key
openssl req -new -nodes -out rui.csr -keyout rui.key -config openssl.cfg

The two files rui.csr and rui.key are generated in the same C:\openssl\bin folder; copy them (copy, don't 'cut') to a new folder, C:\certs


To generate a self-signed certificate
Open a command prompt in administrator mode
cd C:\openssl\bin

Run the command:
openssl req -x509 -sha256 -newkey rsa:2048 -keyout rui.key -config openssl.cfg -out rui.crt -days 3650 -nodes

rui.crt is generated in the same C:\openssl\bin folder; copy it to C:\certs



To generate a custom CA signed certificate
Send the rui.csr file to a third-party certificate authority, which will issue a certificate for you.
Some of the vendors who issue certificates are:

  • Symantec (VeriSign)
  • Comodo SSL
  • GlobalSign
  • Go Daddy
  • DigiCert


To generate a Microsoft CA signed certificate
Note: Make sure the Microsoft CA is configured with a template that can issue vCenter Server certificates - http://sslvc101.blogspot.in/p/blog-page.html
Log in to http://localhost/certsrv on the server where the Microsoft CA is installed.
Click the Request a certificate link.
Click advanced certificate request.
Click the Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file link.
Open the certificate request file created earlier and placed in C:\certs (rui.csr) in a plain text editor and paste the text between the Begin and End lines into the Saved Request box.
Note: Do not copy the actual -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines; copy only the text between them. You may see = (equal) signs next to the Begin and End lines (for example, ==-----END). In that case the = (equal) signs are part of the request and must be copied.
Select 'VMware SSL' as the Certificate Template.
Click Submit to submit the request.
Click Base 64 encoded on the Certificate Issued screen.
Click the Download Certificate link.
Choose 'Save As' and save the file as rui.crt


Creating the rui.pfx file
Copy the rui.crt file into the C:\openssl\bin folder (rui.key must also be present there)

Run the command:
openssl.exe pkcs12 -export -in rui.crt -inkey rui.key -name rui -passout pass:testpassword -out rui.pfx

Note: Do not change anything in the above command, especially the export password 'testpassword'; vCenter Server 5.0 expects that exact password when it reads rui.pfx.
rui.pfx is generated in the same C:\openssl\bin folder; copy it to C:\certs
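As an added worked example (not code from the original post or from VMware), the script below runs the same OpenSSL steps described in the KEY/CSR section and the rui.pfx section above, then checks that rui.key, rui.csr, rui.crt and rui.pfx actually belong together before anything is copied to C:\certs. It assumes an openssl binary on the PATH (the commands are identical on Windows with openssl.exe), a placeholder vCenter FQDN vcenter.example.local, and the export password 'testpassword' that the post says must not be changed. One caveat the check is built around: openssl req -new generates a fresh private key whenever no existing key is passed in, so a key produced by an earlier genrsa is silently overwritten, and a self-signed run with -newkey produces yet another key; a certificate whose key no longer matches is the most common reason vCenter refuses to start after the files are replaced.

```shell
#!/bin/sh
# Added example: build rui.key / rui.csr / rui.crt / rui.pfx with the same
# OpenSSL options the post uses, then verify the four files belong together.
# Assumptions: 'openssl' on PATH; VC_FQDN below is a constructed placeholder;
# EXPORT_PASS is the 'testpassword' value the post says vCenter 5.0 expects.
set -eu

VC_FQDN="${VC_FQDN:-vcenter.example.local}"   # placeholder, use the real FQDN
WORKDIR="${WORKDIR:-$(mktemp -d)}"
EXPORT_PASS="testpassword"

# Minimal equivalent of the openssl.cfg edits in the post (2048-bit key,
# key written to rui.key). CN must be the name clients use to reach vCenter.
write_config() {
  cat > "$WORKDIR/rui.cfg" <<EOF
[ req ]
default_bits       = 2048
default_keyfile    = rui.key
distinguished_name = req_dn
prompt             = no
[ req_dn ]
CN = $VC_FQDN
O  = Example Org
EOF
}

# Key and CSR in one step: 'req -new' generates the key itself when no
# existing key is supplied, which is why a preceding genrsa gets overwritten.
make_key_and_csr() {
  openssl req -new -nodes -config "$WORKDIR/rui.cfg" \
    -keyout "$WORKDIR/rui.key" -out "$WORKDIR/rui.csr" 2>/dev/null
}

# Self-signed certificate from the EXISTING key and CSR (the post's -newkey
# variant would mint another key and orphan the CSR just created).
make_self_signed() {
  openssl x509 -req -sha256 -days 3650 -in "$WORKDIR/rui.csr" \
    -signkey "$WORKDIR/rui.key" -out "$WORKDIR/rui.crt" 2>/dev/null
}

# Same pkcs12 export as the post, with the fixed 'testpassword' password.
make_pfx() {
  openssl pkcs12 -export -in "$WORKDIR/rui.crt" -inkey "$WORKDIR/rui.key" \
    -name rui -passout "pass:$EXPORT_PASS" -out "$WORKDIR/rui.pfx"
}

# SHA-256 of the public key held in a key, CSR or certificate; all three must
# agree or the private key does not belong to the certificate.
pubkey_hash() {   # $1 = key|req|x509, $2 = file
  case "$1" in
    key)  openssl rsa  -in "$2" -pubout 2>/dev/null ;;
    req)  openssl req  -in "$2" -pubkey -noout ;;
    x509) openssl x509 -in "$2" -pubkey -noout ;;
  esac | openssl sha256 | awk '{print $NF}'
}

# Returns 0 when key, CSR and certificate share one public key, rui.pfx opens
# with the expected password, and the certificate CN is the vCenter FQDN.
verify_bundle() {
  k=$(pubkey_hash key  "$WORKDIR/rui.key")
  r=$(pubkey_hash req  "$WORKDIR/rui.csr")
  c=$(pubkey_hash x509 "$WORKDIR/rui.crt")
  [ "$k" = "$r" ] && [ "$k" = "$c" ] || { echo "key/CSR/cert mismatch"; return 1; }
  openssl pkcs12 -in "$WORKDIR/rui.pfx" -passin "pass:$EXPORT_PASS" -noout 2>/dev/null \
    || { echo "rui.pfx does not open with the expected password"; return 1; }
  openssl x509 -in "$WORKDIR/rui.crt" -noout -subject | grep -q "CN *= *$VC_FQDN" \
    || { echo "certificate CN is not $VC_FQDN"; return 1; }
  return 0
}

build_all() {
  write_config && make_key_and_csr && make_self_signed && make_pfx && verify_bundle
}

build_all && echo "rui.key, rui.csr, rui.crt and rui.pfx verified in $WORKDIR"
```

Run it once and copy the four files it reports from the working directory to C:\certs. If verify_bundle reports a mismatch, regenerate rui.crt and rui.pfx from the rui.key that is actually in the folder rather than mixing files from different runs; for a CA-issued certificate, run only the verification functions against the returned rui.crt.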


Applying the certificate
Note: Take a snapshot or backup of the vCenter Server machine first.
Note: Set DRS to Manual so that VMs do not migrate during the process.
Back up the existing certificates of the VMware VirtualCenter Server service and the Inventory Service. By default, the certificates are located at:
Windows 2008 - C:\ProgramData\VMware\VMware VirtualCenter\SSL
Windows 2003 - C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL
Windows 2008 and 2003 (both):
C:\Program Files\VMware\Infrastructure\Inventory Service\ssl
C:\Program Files\VMware\Infrastructure\vSphereWebClient\DMServer\config\ssl
Replace the rui.crt, rui.key and rui.pfx files in each of the folders above.
Go to https://localhost/mob/?moid=vpxd-securitymanager&vmodl=1 on the vCenter Server and load the certificates into the configuration using the Managed Object Browser.
Click reloadSslCertificate.
Click Invoke Method. If successful, the window shows the message Method Invocation Result: void.
In an administrator command prompt, change to C:\Program Files\VMware\Infrastructure\VirtualCenter Server\
Run: vpxd.exe -p
Start the VMware VirtualCenter Server service.
ESXi hosts will need to be reconnected manually because the vCenter Server certificate has changed.
VMware technical paper on the procedure: http://www.vmware.com/files/pdf/techpaper/replacing-vCenter-Server-5-ESXi-Certificates.pdf
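As an added example (not part of the original post or of VMware's documentation), the script below checks, once the VirtualCenter Server service is back up, that the certificate the vCenter HTTPS endpoint actually presents is the rui.crt that was copied into the SSL folders. That is the condition under which the ESXi hosts need to be reconnected, and it catches a service that is still serving the old certificate from a folder that was missed. It assumes openssl on the PATH and takes the certificate path, host name and port as arguments; the host name vcenter.example.local in the comments is a placeholder.

```shell
#!/bin/sh
# Added example: compare the certificate served on the vCenter HTTPS port with
# the rui.crt file that was installed. Assumes 'openssl' on PATH.
# Usage (constructed placeholder host): sh check.sh rui.crt vcenter.example.local 443
set -eu

# SHA-256 fingerprint of a PEM certificate file, e.g. C:\certs\rui.crt.
file_fingerprint() {   # $1 = certificate file
  openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# SHA-256 fingerprint of the certificate a TLS endpoint presents; empty when
# the connection fails or no certificate comes back.
served_fingerprint() {   # $1 = host, $2 = port
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# Returns 0 when the endpoint serves exactly the certificate in the file,
# 1 when it serves something else or could not be reached.
cert_is_live() {   # $1 = certificate file, $2 = host, $3 = port
  expected=$(file_fingerprint "$1")
  actual=$(served_fingerprint "$2" "$3")
  [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

if [ "$#" -eq 3 ]; then
  if cert_is_live "$1" "$2" "$3"; then
    echo "$2:$3 presents the certificate in $1; hosts can be reconnected"
  else
    echo "$2:$3 does NOT present the certificate in $1 (or is unreachable)"
    exit 1
  fi
fi
```

A mismatch after the service restart usually means the Inventory Service or Web Client folders still hold the old files, or that the service was started before rui.pfx was replaced; a second, different fingerprint is the thing to investigate before touching the hosts.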
2 comments:

  1. The place to look for cheap SSL is IDwebhost.com. Only here can you find the best package for your web hosting.

  2. Shobhit, each one of your articles is worth reading. Very helpful. For the basic workflow of SSL certificates, people can follow the website mysslonline.