PreStaging SSL Certificates in vSphere 5.x. The quickest and easiest way to implement Custom certificates.

 

PreStaging SSL Certificates

 
After endless troubleshooting sessions and implementing of CA certificates in customer environments I have decided to share what I feel is the easiest and most efficient way to implement custom certificates in vSphere 5.x.

The method I am writing about is called Pre-Staging, where you essentially take your CA certificates, place them in the correct service folder, and then install/reinstall the component. During installation, the installer recognizes the pre-existing certificates, and the CA certificate that you staged will be used to install, register, and trust the service(s) appropriately.

This will work for Inventory Service, vCenter Server Service, Web Client, and the Log Browser service. This does not work with SSO certificates, as they are overridden during install; you will have to use the automation tool to install SSO certificates first, which I will go over in this post as well.

If you already have your certificates ready, please skip to step 4.

 
Step 1. Install the SSL automation tool using the link below (For reference see kb.vmware.com/kb/2057340).

 
Step 2. Generate Certificates for use with the automation tool (For reference see kb.vmware.com/kb/2044696).

  • Right click on the Environment.bat file and select “Edit” to open it in Notepad.
  • Fill out the following section of the environment.bat file, changing the values (FQDN, IP address, short name, location and organization) to match your environment.

rem ############################################################################
rem The following parameters will be used to generate a CSR.
rem Information about the server for which the CSR will be created:
rem Fully Qualified Domain Name (FQDN)
set gen_cert_server_fqdn=vc1.vcloud.local
rem IP Address
set gen_cert_server_ip=192.168.1.10
rem short name
set gen_cert_server_short_name=vc

rem Country, State, City
set gen_cert_country=US
set gen_cert_state=Colorado
set gen_cert_locality_name=Broomfield
rem Name of the organization, Company Name
set gen_cert_organization_name=VMware
rem OU – this will be the DN of the certificate which should be unique.
set gen_cert_organizational_unit_name=LEAVE BLANK
rem variable key length. This property will not be online modifiable(through interactive mode). If you
rem need key length(more than 2K) it can be configured only from this property here.
rem Values smaller than 2048 are not supported.
set gen_cert_key_length=2048
rem end of CSR variables #############################################################################

  • Save the environment.bat file.
  • Run the “ssl-updater.bat” file from the automation tool directory with an Elevated command prompt, select 2 to “Generate Certificate Signing Requests”

(Screenshot: Generate Requests menu)

  • Select the service for which you would like to generate a certificate request and rui.key. I will show Single Sign-On as an example.

(Screenshot: Generate Requests, service selection)

  • Generate certificate requests for the remaining services; you will then have a csr_openssl.cfg, rui.csr, and rui.key for each service.

(Screenshot: requests generated for all services)

 
Step 3. Sign your SSO Certificate request (.csr)
You will then need to have your CSR signed, either with your internal Microsoft CA, or with a third party CA. For more information, please see the following KBs.

Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 5.x – http://kb.vmware.com/kb/2062108
Creating certificate requests and certificates for vCenter Server 5.5 components (see the section titled “Obtaining the certificate”) – http://kb.vmware.com/kb/2061934

 
Step 4. Implement SSO certificate with the SSL Automation tool
First, you will need to create the chain.pem file for the SSO certificate. The chain.pem file is a combination of the rui.crt, intermediate certs (if you have them), and the root certificate. If you don’t already have your root64 or intermediate certificates, please see http://kb.vmware.com/kb/2061934 and go through steps 14 through 21 under the section “Obtaining the certificate.” Otherwise you can proceed below.

  • Create a new file called chain.pem (ensure it has a .pem extension and not .txt) for the SSO service.
  • Open the SSO rui.crt file in Notepad and copy the contents of the file into the chain.pem file for that service.
  • Open any intermediates you have and copy and paste them under the rui.crt section of the chain.pem file.
  • Open your root64.cer file and copy and paste the contents at the bottom of the chain.pem file.

An example of the chain.pem contents is below. Note these are not actual certificates; they are truncated. Ensure there is no whitespace at the beginning, at the end, or between the certificates.

(Screenshot: example chain.pem contents)

  • Save the chain.pem file in C:\ssl-certificate-updater-tool-1308332\requests\vCenterSSO-vc1

You are now ready to implement the SSO certificate with the SSL Automation tool.

  • Run the ssl-updater.bat file as Administrator and Select option 3, then 1.
  • Input the necessary values as shown below.

(Screenshot: SSO certificate values entered in the automation tool)

Note: I did not run the tool in my lab, but a successful run should show an exit status of 0.

 
Step 5. Create the rui.pfx file for the Inventory Service, vCenter Server Service, Web Client Service, and Log Browser.

Note: Do not change the password from “testpassword”.

Note: If intermediate certificates are used, you will need to substitute Root64.cer with a chain.cer file, which can be created by running the following command:

copy interm64.cer+Root64.cer chain.cer
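Both the chain.pem built by hand in step 4 and the chain.cer produced by the copy command above are the same thing: PEM certificates concatenated leaf first, intermediates next, root last, with nothing but a line break between them. The following script is an added example, not part of the original post or of VMware's tool; it builds such a file, normalises the PEM text so that no stray whitespace survives, and rejects a chain whose certificates are out of order (each certificate must have been issued by the one after it, and the last one must be self-signed). It uses only the Python standard library. The stub_cert() function and the "Lab Root CA" / "Lab Issuing CA" names are constructed stand-ins for the demo; the stubs have the certificate layout the check reads but are not real certificates. The FQDN vc1.vcloud.local is the one from the post's environment.bat.

```python
"""Build chain.pem / chain.cer in the order the post gives (leaf, intermediates,
root), normalise the PEM text, and check the order before the file is used.
Standard library only; stub_cert() builds constructed stand-ins, not real certificates."""
import base64
import re

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"
PEM_BLOCK = re.compile(re.escape(PEM_HEADER) + r"(.*?)" + re.escape(PEM_FOOTER), re.S)


def der_children(data):
    """Split the content of a DER SEQUENCE into (tag, content) pairs."""
    out, i = [], 0
    while i < len(data):
        tag, length, i = data[i], data[i + 1], i + 2
        if length & 0x80:                      # long-form length
            n = length & 0x7F
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        out.append((tag, data[i:i + length]))
        i += length
    return out


def issuer_and_subject(der_cert):
    """Return the raw DER Issuer and Subject names from tbsCertificate."""
    cert_body = der_children(der_cert)[0][1]                # Certificate ::= SEQUENCE {...}
    fields = der_children(der_children(cert_body)[0][1])    # fields of tbsCertificate
    if fields[0][0] == 0xA0:                                # optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[2][1], fields[4][1]                       # serial, sigAlg, issuer, validity, subject


def extract_certs(text):
    """Return the DER bytes of every certificate in text. Whitespace between blocks is
    tolerated (it is dropped on output); any other bytes outside a BEGIN/END block,
    e.g. Notepad's BOM or a trailing Ctrl-Z, and any truncated/non-base64 body, are errors."""
    certs, pos = [], 0
    for m in PEM_BLOCK.finditer(text):
        if text[pos:m.start()].strip():
            raise ValueError("unexpected data before a certificate block")
        der = base64.b64decode(re.sub(r"\s+", "", m.group(1)), validate=True)
        if not der.startswith(b"\x30"):
            raise ValueError("certificate body is not a DER SEQUENCE")
        certs.append(der)
        pos = m.end()
    if text[pos:].strip():
        raise ValueError("unexpected data after the last certificate block")
    if not certs:
        raise ValueError("no certificate found")
    return certs


def to_pem(der):
    """Re-encode DER as a PEM block with 64-column base64 and LF line endings."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"{PEM_HEADER}\n{body}\n{PEM_FOOTER}"


def build_chain(leaf_pem, intermediate_pems, root_pem):
    """Return the chain text: leaf first, intermediates in order, root last, exactly one
    newline between blocks and none before the first or after the last. Each certificate
    must have been issued by the next one and the root must be self-signed."""
    certs = extract_certs(leaf_pem)
    for pem in intermediate_pems:
        certs += extract_certs(pem)
    certs += extract_certs(root_pem)
    names = [issuer_and_subject(c) for c in certs]
    for i in range(len(names) - 1):
        if names[i][0] != names[i + 1][1]:
            raise ValueError(f"certificate {i} was not issued by certificate {i + 1}")
    if names[-1][0] != names[-1][1]:
        raise ValueError("last certificate is not a self-signed root")
    return "\n".join(to_pem(c) for c in certs)


def der(tag, content):
    """Minimal DER TLV encoder (lengths below 65536) used only for the constructed stubs."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + length + content


def stub_cert(subject_cn, issuer_cn):
    """Constructed stand-in: a DER blob with the tbsCertificate layout the chain check
    reads (version, serial, sigAlg, issuer, validity, subject); no key, no real signature."""
    def name(cn):  # Name ::= SEQUENCE OF SET OF { OID commonName, UTF8String }
        return der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")
              + name(issuer_cn) + der(0x30, b"") + name(subject_cn))
    return to_pem(der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))) + "\n"


def demo():
    """Build a chain for the post's example host from constructed stub certificates."""
    root = stub_cert("Lab Root CA", "Lab Root CA")              # constructed
    issuing = stub_cert("Lab Issuing CA", "Lab Root CA")        # constructed
    leaf = stub_cert("vc1.vcloud.local", "Lab Issuing CA")      # FQDN from the post
    return build_chain(leaf, [issuing], root)
```

On a real system, pass the contents of rui.crt, the intermediate files and root64.cer to build_chain() and write the result to chain.pem (or chain.cer). The trailing-data check is there for a reason: the Windows copy command concatenates in text mode by default and can append an end-of-file byte (Ctrl-Z) to the destination, which the certificate parser then chokes on; copy /b avoids that, and this check reports it if it happened.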
  • Launch a command prompt and navigate to the OpenSSL directory. By default, this is C:\OpenSSL-Win32\bin. If Inventory Service is already installed, you can use the OpenSSL at C:\Program Files\VMware\Infrastructure\Inventory Service\bin\openssl.exe.

Note: you may need to change the directory paths in the commands below to match where your certificate files are.

  • Inventory service:
    openssl pkcs12 -export -in c:\certs\InventoryService\rui.crt -inkey c:\certs\InventoryService\rui.key -certfile c:\certs\Root64.cer -name "rui" -passout pass:testpassword -out c:\certs\InventoryService\rui.pfx
  • vCenter Server:
    openssl pkcs12 -export -in c:\certs\vcenter\rui.crt -inkey c:\certs\vcenter\rui-orig.key -certfile c:\certs\Root64.cer -name "rui" -passout pass:testpassword -out c:\certs\vcenter\rui.pfx
  • vSphere Web Client:
    openssl pkcs12 -export -in c:\certs\webclient\rui.crt -inkey c:\certs\webclient\rui.key -certfile c:\certs\Root64.cer -name "rui" -passout pass:testpassword -out c:\certs\webclient\rui.pfx
  • Log Browser:
    openssl pkcs12 -export -in c:\certs\LogBrowser\rui.crt -inkey c:\certs\LogBrowser\rui.key -certfile c:\certs\Root64.cer -name "rui" -passout pass:testpassword -out c:\certs\LogBrowser\rui.pfx

 
You should now have a rui.crt, rui.key, and rui.pfx for Inventory Service, vCenter Server, vSphere Web Client and the Log Browser.

I am only showing the Inventory Service below, but each service should have its own rui.crt, rui.key, and rui.pfx.

(Screenshot: rui.crt, rui.key and rui.pfx files for Inventory Service)

 
Step 6. Create the following directories. (If Inventory Service, vCenter, and Web Client are already installed, uninstall them, then create the following directories if they don’t already exist.)

Note: If you have other files in these directories from prior installations, you can back them up and delete the contents.

  • C:\ProgramData\VMware\VMware VirtualCenter\SSL
  • C:\ProgramData\VMware\Infrastructure\Inventory Service\ssl
  • C:\ProgramData\VMware\vSphere Web Client\ssl
  • C:\Program Files\VMware\Infrastructure\vSphereWebClient\logbrowser\conf

 
Step 7. Place the rui.crt, rui.key, and rui.pfx files for each service in the corresponding folder listed above.
I have done vCenter as an example below.

(Screenshot: vCenter Server certificate files staged in the SSL folder)
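Before running the installers in step 8, it helps to confirm that every folder from step 6 holds exactly the three files from step 7 and nothing left over, since the installer silently picks up whatever it finds there. The pre-flight check below is an added example and not part of the original post: the four folder paths are the post's own, while the file checks, the STAGING_DIRS/check_staging names and the constructed stand-in files written by demo() are the example's. It needs only the Python standard library.

```python
"""Pre-flight check of the pre-staged certificate folders (steps 6 and 7) before the
installers run. Standard library only; demo() writes constructed stand-in files."""
import os
import tempfile

# Folder per service, as listed in step 6 of the post. Adjust the drive letter here
# if Program Files lives elsewhere; ProgramData stays on C: per the author's comment.
STAGING_DIRS = {
    "vCenter Server": r"C:\ProgramData\VMware\VMware VirtualCenter\SSL",
    "Inventory Service": r"C:\ProgramData\VMware\Infrastructure\Inventory Service\ssl",
    "vSphere Web Client": r"C:\ProgramData\VMware\vSphere Web Client\ssl",
    "Log Browser": r"C:\Program Files\VMware\Infrastructure\vSphereWebClient\logbrowser\conf",
}
REQUIRED = ("rui.crt", "rui.key", "rui.pfx")


def check_file(path):
    """Return a problem description for one staged file, or None if it looks right."""
    name = os.path.basename(path)
    with open(path, "rb") as f:
        data = f.read()
    if not data.strip():
        return f"{name} is empty"
    if name == "rui.crt" and b"-----BEGIN CERTIFICATE-----" not in data:
        return "rui.crt is not a PEM certificate"
    if name == "rui.key" and b"PRIVATE KEY-----" not in data:
        return "rui.key is not a PEM private key"
    if name == "rui.pfx" and data[0] != 0x30:        # PKCS#12 is DER, so it starts with SEQUENCE
        return "rui.pfx is not a DER PKCS#12 file (was it saved as text?)"
    return None


def check_staging(dirs=STAGING_DIRS):
    """Check every service folder. Returns {service: [problems]} containing only the
    services that have problems; an empty dict means the staging looks complete."""
    problems, seen_crts = {}, {}
    for service, path in dirs.items():
        if not os.path.isdir(path):
            problems[service] = [f"folder missing: {path}"]
            continue
        present = set(os.listdir(path))
        issues = []
        for fn in REQUIRED:
            if fn not in present:
                issues.append(f"{fn} missing")
            else:
                msg = check_file(os.path.join(path, fn))
                if msg:
                    issues.append(msg)
        extras = sorted(present - set(REQUIRED))
        if extras:   # the post says to back up and clear leftovers from prior installs
            issues.append("other files present (leftovers from a prior install?): " + ", ".join(extras))
        if "rui.crt" in present:   # each service must have its own certificate (unique OU)
            with open(os.path.join(path, "rui.crt"), "rb") as f:
                crt = f.read()
            if crt in seen_crts:
                issues.append(f"rui.crt is identical to the one staged for {seen_crts[crt]}")
            seen_crts.setdefault(crt, service)
        if issues:
            problems[service] = issues
    return problems


def demo():
    """Stage constructed stand-in files in a temporary tree, run the check, then delete
    one rui.pfx and run it again. Returns (clean_result, broken_result)."""
    with tempfile.TemporaryDirectory() as base:
        dirs = {svc: os.path.join(base, svc.replace(" ", "_")) for svc in STAGING_DIRS}
        for svc, path in dirs.items():
            os.makedirs(path)
            stand_ins = {   # constructed contents, not real key material
                "rui.crt": f"-----BEGIN CERTIFICATE-----\nstub for {svc}\n-----END CERTIFICATE-----\n",
                "rui.key": "-----BEGIN RSA PRIVATE KEY-----\nstub\n-----END RSA PRIVATE KEY-----\n",
            }
            for fn, text in stand_ins.items():
                with open(os.path.join(path, fn), "w") as f:
                    f.write(text)
            with open(os.path.join(path, "rui.pfx"), "wb") as f:
                f.write(b"\x30\x82\x00\x00")     # DER SEQUENCE header, stand-in for a PKCS#12 blob
        clean = check_staging(dirs)
        os.remove(os.path.join(dirs["Log Browser"], "rui.pfx"))
        broken = check_staging(dirs)
    return clean, broken
```

Run check_staging() with no arguments on the vCenter host after step 7; anything it returns is something the installer in step 8 will either miss or pick up by mistake. The identical-certificate check exists because the automation tool expects a distinct certificate (unique OU) per service, so staging one rui.crt in several folders is a common copy-paste slip.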

 
Step 8. Install (or reinstall) Inventory Service, vCenter Server, and then the Web Client.
(Screenshot: installation finished)
 
That’s it! The installer will recognize the certificates already in the folders and use them during install to register and trust the services appropriately! This is also a great technique if you were working through the automation tool and were getting errors during the certificate replacement!

Posted by:

Sean Whitney

4 Comments

  1. Kurt Renner - June 5, 2015 - 10:57 am

    Nice post.
    Under step 6 where you give the locations for the certificate information, is the path always on the C: drive, or would the path change to the drive letter where the software is going to be installed (ie: D:\ProgramData and D:\Program Files)?

    • Sean Whitney - June 5, 2015 - 11:05 am

      Hi Kurt,

      Thanks! The path will change for the Program Files if you install on different drives. The C:\ProgramData path should remain the same.

      Thanks,
      Sean

  2. Brad - October 29, 2015 - 10:29 am

    Maybe this is obvious but I’m guessing that SSO needs to be installed normally before running ssl-updater.bat in step 4?

    • Sean Whitney - October 29, 2015 - 12:32 pm

      Hi Brad,

      Yes, that is correct.

      Thanks,
      Sean
