SSL certificate replacement of vCenter Server 4.0 & components.


General Info:

SSL files which will be used in the process:
  1. .CRT - The actual certificate
  2. .CSR - Certificate Signing Request, this is required to generate the actual certificate
  3. .PFX - Personal Format Exchange. It is used to exchange the public and private key in a single file
  4. .KEY - This is a PEM formatted file containing just the private-key of a specific certificate

Download & install the latest OpenSSL - http://www.openssl.org/source/
Download and install Microsoft Visual C++ 2008 - http://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=15336


Edit the openssl.cfg file in c:\openssl\bin:
under [ CA_Default ]: dir = .
under [ req ] change: default_bits = 1024
under [ req ] change: default_keyfile = rui.key

Certificates can be obtained using two methods:
  1. Default certificates using OpenSSL - self-signed
  2. Custom certificates using a signing authority like VeriSign or a Microsoft CA

Generating a default (self-signed) certificate using OpenSSL
Open the command prompt as administrator
cd c:\openssl\bin
openssl genrsa 1024 > rui.key
openssl.exe req -new -x509 -days 3650 -sha1 -nodes -key rui.key -out rui.crt -config openssl.cfg


To generate a Microsoft CA signed certificate
Open the command prompt as administrator
cd c:\openssl\bin
openssl genrsa 1024 > rui.key
openssl req -new -nodes -out rui.csr -config openssl.cfg
You can now provide this RUI.CSR file to a third-party certificate authority, who will create a certificate for you.
Otherwise you can use an in-house Microsoft CA like this:
Note: Make sure the Microsoft CA is configured to issue vCenter Server certificates
Log in to http://localhost/certsrv on the server where the Microsoft CA is installed
Click the Request a certificate link.
Click advanced certificate request.
Click the Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file link.
Open the certificate request in a plain text editor and paste the text from the Begin to the End request into the Saved Request box:
Note: Do not copy the actual -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST-----. Only copy the text in between these lines. You may see = (equal) signs near the Begin and End lines (for example, ==-----END). In this case, you must copy the = (equal) signs.
Select 'VMware SSL' as the Certificate Template.
Click Submit to submit the request.
Click Base 64 encoded on the Certificate issued screen.
Click the Download Certificate link.
Select 'Save As' and save the file as rui.crt

Creating the rui.pfx file
Copy the rui.crt file into the c:\openssl\bin folder and run:
openssl.exe pkcs12 -export -in rui.crt -inkey rui.key -name rui -passout pass:testpassword -out rui.pfx
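The steps above (key, CSR, certificate, PFX), run end to end in a POSIX shell as an added example that is not from the original post, followed by the check a practitioner wants before copying the files into the vCenter SSL folder: that rui.key, rui.crt and rui.pfx all carry the same RSA key and that the certificate is not expired. It assumes the openssl binary is on PATH and, as an assumption for current OpenSSL builds, uses 2048-bit RSA and SHA-256 where the post uses 1024 and SHA-1; the subject and password values are constructed placeholders.

```shell
#!/bin/sh
# Added example: mirrors the post's OpenSSL procedure and verifies the bundle.
# Assumption: openssl on PATH; 2048-bit RSA / SHA-256 instead of 1024 / SHA-1.
set -eu

# make_rui_bundle DIR CN PASSWORD
# Writes rui.key, rui.csr, rui.crt (self-signed) and rui.pfx into DIR.
make_rui_bundle() {
    dir=$1; cn=$2; pass=$3
    mkdir -p "$dir"
    # Same as the post's "openssl genrsa 1024 > rui.key", with 2048 bits
    openssl genrsa -out "$dir/rui.key" 2048 2>/dev/null
    # CSR: this is the file you would hand to a third-party or Microsoft CA
    openssl req -new -key "$dir/rui.key" -out "$dir/rui.csr" \
        -subj "/C=US/O=Example/CN=$cn" 2>/dev/null
    # Self-signed path, like the post's "req -new -x509 -days 3650" step
    openssl req -new -x509 -days 3650 -sha256 -nodes -key "$dir/rui.key" \
        -out "$dir/rui.crt" -subj "/C=US/O=Example/CN=$cn" 2>/dev/null
    # PKCS#12 bundle with the same flags as the post's pkcs12 -export command
    openssl pkcs12 -export -in "$dir/rui.crt" -inkey "$dir/rui.key" \
        -name rui -passout "pass:$pass" -out "$dir/rui.pfx"
}

# verify_rui_bundle DIR PASSWORD
# Returns 0 only if key, certificate and PFX share one RSA modulus and the
# certificate is currently valid. A mismatched set is what leaves vpxd
# unable to start after the files are replaced, so check before copying.
verify_rui_bundle() {
    dir=$1; pass=$2
    key_mod=$(openssl rsa -in "$dir/rui.key" -noout -modulus 2>/dev/null)
    crt_mod=$(openssl x509 -in "$dir/rui.crt" -noout -modulus 2>/dev/null)
    pfx_mod=$(openssl pkcs12 -in "$dir/rui.pfx" -nodes -nocerts \
        -passin "pass:$pass" 2>/dev/null | openssl rsa -noout -modulus 2>/dev/null)
    [ -n "$key_mod" ] || return 1
    [ "$key_mod" = "$crt_mod" ] && [ "$crt_mod" = "$pfx_mod" ] || return 1
    # -checkend 0 fails if the certificate has already expired
    openssl x509 -in "$dir/rui.crt" -noout -checkend 0 >/dev/null 2>&1
}
```

Run `make_rui_bundle ./out vcenter.example.internal testpassword && verify_rui_bundle ./out testpassword` and only copy the three files into the SSL folder when the second command succeeds.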


Applying the certificate
Stop the VMware VirtualCenter Server service.
Note: Set DRS to Manual so that VMs do not migrate during the process
Create a backup of this folder:
2003 - C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL
2008 - C:\Programdata\VMware\VMware VirtualCenter\SSL
Replace rui.crt, rui.key, rui.pfx files in this folder with the new files.
In CMD, change to c:\Program Files\VMware\Infrastructure\VirtualCenter Server\
Run: vpxd.exe -p and re-enter the database password when prompted (the stored password is encrypted with the certificate, so it must be re-encrypted with the new one)
Start the VMware VirtualCenter Server service
ESXi hosts will need to be reconnected manually because the vCenter certificate has changed

