[How to] Replace self-signed certificates on VCSA 5.5

Introduction

When you think you know it all when it comes to vSphere, you meet Mr. SSL… For many he may be seen as a tough opponent, but once you get to know him better he’s not that terrifying.

Here’s the default Mr. SSL, the one we don’t particularly like but many of us got used to him 🙁

Ingredients

  • 1 piece of VCSA 5.5, I deployed mine using OVA:

VMware-vCenter-Server-Appliance-5.5.0.30500-4180648_OVF10.ova

  • trusted PKI

Preparations

Typically, we need to replace 4 services’ certificates:

  • vCenter SSO
  • Inventory Service
  • Log Browser (if you’re using vCenter Server Appliance 5.5 Update 3e, this feature is not supported)
  • Auto Deploy

Let’s create a folder structure where each name corresponds to given service:

  • /certs/
    • vCenterSSO
    • InventoryService
    • LogBrowser
    • AutoDeploy

Then let’s use the following request file as a template and slightly modify the content per service:


[ req ]
default_md = sha512
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
input_password = testpassword
output_password = testpassword

[ v3_req ]
basicConstraints = CA:false
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vcva55, IP: 10.0.0.10, IP:ServerIPv6Address, DNS: vcva55.vmware.com

[ req_distinguished_name ]
countryName = US
stateOrProvinceName = NY
localityName = New York
0.organizationName = VMware
organizationalUnitName = vCenterApplianceUniqueServer
commonName = vcva55.vmware.com

  • vCenter SSO

Let’s adjust the template a bit to reference our environment (and save it as openssl_vpxd.cfg in /certs/vCenterSSO):

[ req ]
default_md = sha512
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
input_password = testpassword
output_password = testpassword

[ v3_req ]
basicConstraints = CA:false
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vcsa55, DNS:vcsa55.home.basista.pro

[ req_distinguished_name ]
countryName = DE
stateOrProvinceName = Hessen
localityName = Frankfurt
0.organizationName = home BASISTA.PRO
organizationalUnitName = VMware vCenter Service Certificate
commonName = vcsa55.home.basista.pro

  • vCenter Inventory Service

Let’s adjust the template a bit to reference our environment (and save it as openssl_inventoryservice.cfg in /certs/InventoryService):

[ req ]
default_md = sha512
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
input_password = testpassword
output_password = testpassword

[ v3_req ]
basicConstraints = CA:false
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vcsa55, DNS:vcsa55.home.basista.pro

[ req_distinguished_name ]
countryName = DE
stateOrProvinceName = Hessen
localityName = Frankfurt
0.organizationName = home BASISTA.PRO
organizationalUnitName = VMware Inventory Service Certificate
commonName = vcsa55.home.basista.pro

  • vCenter Log Browser

Let’s adjust the template a bit to reference our environment (and save it as openssl_logbrowser.cfg in /certs/LogBrowser):

[ req ]
default_md = sha512
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
input_password = testpassword
output_password = testpassword

[ v3_req ]
basicConstraints = CA:false
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vcsa55, DNS:vcsa55.home.basista.pro

[ req_distinguished_name ]
countryName = DE
stateOrProvinceName = Hessen
localityName = Frankfurt
0.organizationName = home BASISTA.PRO
organizationalUnitName = VMware LogBrowser Service Certificate
commonName = vcsa55.home.basista.pro

  • vCenter Auto Deploy

Let’s adjust the template a bit to reference our environment (and save it as openssl_autodeploy.cfg in /certs/AutoDeploy):

[ req ]
default_md = sha512
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
input_password = testpassword
output_password = testpassword

[ v3_req ]
basicConstraints = CA:false
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vcsa55, DNS:vcsa55.home.basista.pro

[ req_distinguished_name ]
countryName = DE
stateOrProvinceName = Hessen
localityName = Frankfurt
0.organizationName = home BASISTA.PRO
organizationalUnitName = VMware vSphere Autodeploy Service Certificate
commonName = vcsa55.home.basista.pro

openSSL

Now you need to download and install OpenSSL; I’ll be using openssl-1.0.2k-x64_86-win64. Let’s double-check the folder structure and execute the commands to prepare the CSRs:

C:\CERTS
├───AutoDeploy
├───InventoryService
├───LogBrowser
└───vCenterSSO

  • vCenterSSO

C:\openssl-1.0.2k-x64_86-win64\openssl req -new -nodes -out c:\certs\vCenterSSO\rui_vpxd.csr -keyout c:\certs\vCenterSSO\rui_vpxd.key -config c:\certs\vCenterSSO\openssl_vpxd.cfg
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Generating a 2048 bit RSA private key
....................................................+++
................................................................................
..............+++
writing new private key to 'c:\certs\vCenterSSO\rui_vpxd.key'
-----

  • InventoryService

C:\openssl-1.0.2k-x64_86-win64\openssl req -new -nodes -out c:\certs\InventoryService\rui_inventoryservice.csr -keyout c:\certs\InventoryService\rui_inventoryservice.key -config c:\certs\InventoryService\openssl_inventoryservice.cfg
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Generating a 2048 bit RSA private key
.......................+++
................................................................................
................................+++
writing new private key to 'c:\certs\InventoryService\rui_inventoryservice.key'
-----

  • LogBrowser

C:\openssl-1.0.2k-x64_86-win64\openssl req -new -nodes -out c:\certs\LogBrowser\rui_logbrowser.csr -keyout c:\certs\LogBrowser\rui_logbrowser.key -config c:\certs\LogBrowser\openssl_logbrowser.cfg
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Generating a 2048 bit RSA private key
......................................................+++
........................................+++
writing new private key to 'c:\certs\LogBrowser\rui_logbrowser.key'
-----

  • AutoDeploy

C:\openssl-1.0.2k-x64_86-win64\openssl req -new -sha256 -nodes -out c:\certs\AutoDeploy\rui_autodeploy.csr -keyout c:\certs\AutoDeploy\rui_autodeploy.key -config c:\certs\AutoDeploy\openssl_autodeploy.cfg
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Generating a 2048 bit RSA private key
............+++
...........................+++
writing new private key to 'c:\certs\AutoDeploy\rui_autodeploy.key'
-----

So now you’ve generated the CSRs and keys, and it’s time to submit them for signing to your CA of choice.

Preparations

You should now have 4 certificates signed by your trusted CA. Make sure all files are in PEM format, meaning each file begins with:

-----BEGIN CERTIFICATE-----

and ends with:

-----END CERTIFICATE-----

Nothing else besides these blocks should be present. Also, each certificate should have the following Key Usages:

  • Digital Signature
  • Key Encipherment
  • Data Encipherment

Each certificate should be copied to its respective folder and named rui_service.crt, where service is the name of the service, e.g. rui_vpxd.crt.

Additionally, please create a cachain.pem file and save it under /certs/; it should include the entire CA chain, as in the sample below:

-----BEGIN CERTIFICATE-----
Thumbprint Intermediate(n) CA Server
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Thumbprint Intermediate(2) CA Server
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Thumbprint Intermediate(1) CA Server
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Thumbprint Root CA Server
-----END CERTIFICATE-----
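
Before moving on, here is a pre-flight check for the four signed certificates and cachain.pem, as an added example that is not part of the original post: it assumes an openssl binary on PATH and the rui_<service>.crt / rui_<service>.key naming used above, and goes a little beyond the text by also confirming that each certificate matches its key and that cachain.pem completes the chain.

```shell
#!/bin/sh
# Pre-flight check for the signed certificates before anything is copied to the
# appliance. Added example, not from the original post; assumes openssl on PATH
# and the layout above: <dir>/rui_<service>.crt, <dir>/rui_<service>.key and a
# cachain.pem one level up (e.g. /certs/vCenterSSO and /certs/cachain.pem).

# 1. The .crt must begin with a BEGIN marker, end with an END marker and hold
#    nothing but certificate blocks (no "Bag Attributes" or CA-added text).
#    CRLF line endings from a Windows editor are tolerated.
pem_is_clean() {
    tr -d '\r' < "$1" | awk '
        NR == 1 && $0 != "-----BEGIN CERTIFICATE-----" { bad = 1 }
        !/^(-----(BEGIN|END) CERTIFICATE-----|[A-Za-z0-9+\/=]+)$/ { bad = 1 }
        { last = $0 }
        END { if (last != "-----END CERTIFICATE-----") bad = 1; exit bad }'
}

# 2. The CA must have kept all three key usages that the CSR asked for.
has_required_key_usages() {
    _ku=$(openssl x509 -in "$1" -noout -text | awk '/X509v3 Key Usage/ { getline; print }')
    for _u in "Digital Signature" "Key Encipherment" "Data Encipherment"; do
        case "$_ku" in *"$_u"*) ;; *) return 1 ;; esac
    done
}

# 3. The certificate must belong to the key generated with its CSR; with four
#    near-identical folders a mix-up is easy to make and is better caught here
#    than on the appliance.
key_matches_cert() {
    _c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    _k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$_c" ] && [ "$_c" = "$_k" ]
}

# 4. cachain.pem must actually complete the chain from the leaf up to the root.
chain_verifies() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# check_service <dir> <service>, e.g. check_service /certs/vCenterSSO vpxd
check_service() {
    _crt="$1/rui_$2.crt"; _key="$1/rui_$2.key"; _chain="$1/../cachain.pem"
    pem_is_clean "$_crt"             || { echo "$_crt: not a clean PEM file"; return 1; }
    has_required_key_usages "$_crt"  || { echo "$_crt: required key usage missing"; return 1; }
    key_matches_cert "$_crt" "$_key" || { echo "$_crt: does not match $_key"; return 1; }
    chain_verifies "$_chain" "$_crt" || { echo "$_crt: does not chain to cachain.pem"; return 1; }
    echo "$2: OK"
}
```

Run check_service once per folder (vpxd, inventoryservice, logbrowser, autodeploy) and only proceed when all four report OK.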

Installation – SSO

  • SSH over to the VCSA (you may need to allow SSH on VCSA if not enabled)
  • stop the VMware vCenter Server and Single Sign-On services:
service vmware-stsd stop
service vmware-vpxd stop
  • let’s create the corresponding folder structure on the VCSA (relative to /root) by running:

mkdir ssl
mkdir ssl/vpxd
mkdir ssl/inventoryservice
mkdir ssl/logbrowser
mkdir ssl/autodeploy

  • let’s copy the rui_vpxd.crt and rui_vpxd.key files from c:\certs\vCenterSSO to the ssl/vpxd directory on the vCenter Server Appliance (also copy cachain.pem there); use WinSCP or any other tool to make it happen
  • rename rui_vpxd.crt to rui.crt by running the command:
cp ssl/vpxd/rui_vpxd.crt ssl/vpxd/rui.crt
  • rename rui_vpxd.key to rui.key by running the command:
cp ssl/vpxd/rui_vpxd.key ssl/vpxd/rui.key
  • create the chain.pem file for vCenter Server service by running the commands:
cd ssl/vpxd/
cat rui.crt cachain.pem > chain.pem
  • replace the SSL certs by running the command:
/usr/sbin/vpxd_servicecfg certificate change chain.pem rui.key
  • wait until you receive the response VC_CFG_RESULT = 0; if you see any other code you may need to troubleshoot
  • navigate to /opt/vmware/etc/lighttpd/ with:
cd /opt/vmware/etc/lighttpd/
  • backup contents of the folder using:
mkdir BAK
cp * BAK/
  • copy the certificate chain to the file ca.crt with:
cp /root/ssl/vpxd/cachain.pem /opt/vmware/etc/lighttpd/ca.crt
  • open the /opt/vmware/etc/lighttpd/lighttpd.conf file using a text editor:
vi /opt/vmware/etc/lighttpd/lighttpd.conf
  • add the line ssl.ca-file = "/opt/vmware/etc/lighttpd/ca.crt" to the lighttpd.conf file (after the line ssl.pemfile = "/opt/vmware/etc/lighttpd/server.pem")
  • save changes to the file and exit
  • ensure the vCenter Single Sign-On service is started before continuing by running the command:
service vmware-stsd start

Installation – Inventory Service

  • unregister the vCenter Inventory Service from vCenter Single Sign-On by running the commands (adjust FQDN as per your environment):
cd /etc/vmware-sso/register-hooks.d
./02-inventoryservice --mode uninstall --ls-server https://vcsa55.home.basista.pro:7444/lookupservice/sdk
  • copy rui_inventoryservice.crt and rui_inventoryservice.key from c:\certs\InventoryService to the /ssl/inventoryservice directory on the vCenter Server Appliance
  • copy cachain.pem from /ssl/vpxd to /ssl/inventoryservice
cp /root/ssl/vpxd/cachain.pem /root/ssl/inventoryservice/
  • rename rui_inventoryservice.crt to rui.crt by running the command:
cp /root/ssl/inventoryservice/rui_inventoryservice.crt /root/ssl/inventoryservice/rui.crt
  • rename rui_inventoryservice.key to rui.key by running the command:
cp /root/ssl/inventoryservice/rui_inventoryservice.key /root/ssl/inventoryservice/rui.key
  • create the chain.pem file for vCenter Inventory Service by running the commands:
cd /root/ssl/inventoryservice
cat rui.crt cachain.pem > chain.pem
  • create the *.pfx file by running the command:
openssl pkcs12 -export -out rui.pfx -in chain.pem -inkey rui.key -name rui -passout pass:testpassword
  • copy the rui.key, rui.crt, and rui.pfx files to the /usr/lib/vmware-vpx/inventoryservice/ssl directory:
cp rui.key /usr/lib/vmware-vpx/inventoryservice/ssl
cp rui.crt /usr/lib/vmware-vpx/inventoryservice/ssl
cp rui.pfx /usr/lib/vmware-vpx/inventoryservice/ssl
  • change the permissions on these files by running these commands:
cd /usr/lib/vmware-vpx/inventoryservice/ssl/
chmod 400 rui.key rui.pfx
chmod 644 rui.crt
  • run these commands to register the vCenter Inventory Service back to vCenter Single Sign-On (adjust the credentials and FQDN to your environment):
cd /etc/vmware-sso/register-hooks.d
./02-inventoryservice --mode install --ls-server https://vcsa55.home.basista.pro:7444/lookupservice/sdk --user [email protected] --password vmware
  • to re-register the vCenter Inventory Service to vCenter Server the next time the service starts, run this command:
rm /var/vmware/vpxd/inventoryservice_registered
  • run these commands to restart and register the service:
service vmware-inventoryservice stop
service vmware-vpxd stop
service vmware-inventoryservice start
service vmware-vpxd start

Installation – Log Browser

Since I’m using vCenter Server Appliance 5.5 Update 3e, this paragraph will be revisited once I upgrade to a newer version. I’m skipping it for the moment.

Installation – Auto deploy

  • copy the rui_autodeploy.crt and rui_autodeploy.key from c:\certs\AutoDeploy to the /root/ssl/autodeploy directory on the vCenter Server Appliance
  • copy the rui_autodeploy.crt and rui_autodeploy.key to the /etc/vmware-rbd/ssl/ directory:
cp /root/ssl/autodeploy/rui_autodeploy.crt /etc/vmware-rbd/ssl/waiter.crt
cp /root/ssl/autodeploy/rui_autodeploy.key /etc/vmware-rbd/ssl/waiter.key
  • change the permissions and ownership on the waiter files by running these commands:
cd /etc/vmware-rbd/ssl/
chmod 644 waiter.crt
chmod 400 waiter.key
chown deploy:deploy waiter.crt waiter.key
  • re-register the service to the vCenter Server with the commands (the autodeploy_registered file may not exist):
service vmware-rbd-watchdog stop
rm /var/vmware/vpxd/autodeploy_registered
service vmware-vpxd restart

Finalization

  • reboot vCenter Server Appliance
  • review the new certificate, note the green padlock
2018-05-24T22:29:10+02:00