Installing signed SSL/TLS certificates for vCenter Server Appliance 5.5 (VCSA)

I recently upgraded to VMware vCenter v5.5 U2 and switched from Windows to the vCenter Server Appliance 5.5 (VCSA). Here are the best resources for replacing the self-signed VCSA certificates with ones signed by an internal Microsoft Certificate Authority server.

Assumptions

  • You installed the Linux vCenter Server Appliance 5.5 (VCSA)
  • All services except vCenter Update Manager are installed on your VCSA
  • You have an internal domain (example.local, but could be anotherexample.com)
  • You have a Windows Server 2008 R2 server (or greater) with the Active Directory Certificate Services role installed and configured

Official Documentation

For Windows-based VMware vCenter 5.5 installations, VMware offers the SSL Certificate Automation Tool 5.5. Unfortunately, “The SSL Certificate Automation Tool is available only to machines running Windows operating systems.”

Those who chose to use the vCenter Server Appliance 5.5 (VCSA) must follow KB “Configuring Certificate Authority (CA) signed certificates for vCenter Server Appliance 5.5 (2057223)” to install CA-signed certificates.

Notice that there are more than 75 steps in that KB article. If you leverage scripts written by Derek Seaman and Paul Grevink, you’ll be able to simplify this process.

Step 1: Follow Seaman’s instructions on creating a Certificate Template

Visit “vSphere 5.5 Install Pt. 6: Certificate Template” to create a VMware-specific certificate template on your Microsoft Active Directory Certificate Services server. I named my Certificate Template VMware-55U2-SSL and configured it exactly as Seaman documented.

Step 2: Follow Seaman’s vSphere 5.5 Install Pt. 8: Online SSL Minting

Visit “vSphere 5.5 Install Pt. 8: Online SSL Minting” to download Seaman’s Toolkit Script (Toolkit-55.ps1). You’ll use this script and OpenSSL to create all of your signed certificates. I performed all of this work on my Windows 8.1 laptop while connected to the domain.

These are the values that I used in the script that Seaman provided. Modify to meet your environment.

  • $Cert_Dir = "C:\Scripts\SSL-Toolkit\certs"
  • $openssldir = "C:\OpenSSL-Win32"
  • $Country = "US"
  • $State = "IN"
  • $City = "Noblesville"
  • $org = "My Company Name"
  • $rootCA = "mycertserver.example.local"
  • $CADownload = "http"
  • $ISSUING_CA = "mycertserver.example.local\CERT01"
  • $Template = "CertificateTemplate:VMware-55U2-SSL"

Run the script and select Option “8: Mint VCSA SSL certs with an online Microsoft CA.” In my case all vCenter services are running on the VCSA (myvcsa.example.local) except for vCenter Update Manager (myvcum.example.local). I answer the script’s questions like so and get the following results.

PS C:\Scripts\SSL-Toolkit> .\Toolkit-55.ps1
 
Welcome to the vCenter 5.5 Toolkit
Derek Seaman, VCDX #125, derekseaman.com
vSphere 5.5 how-to series: vexpert.me\Derek55
Use at your own risk; no warranty implied or stated
 
Windows vCenter only:
 
1. Mint vCenter SSL certs with an online Microsoft CA
2. Create vCenter CSRs for an offline or non-Microsoft CA
3. Process manually downloaded certificates or resume a pending online request
4. Create vCenter Certificate Automation Batch file
5. Create vCenter and VUM SQL database file
6. Create vCenter DSN
7. Create VUM DSN
 
Linux vCenter Server Appliance (VCSA) only:
 
8. Mint VCSA SSL certs with an online Microsoft CA
9. Resume a pending online Microsoft CA request
10. Create VCSA CSRs for an offline or non-Microsoft CA
 
ESXi Hosts
 
11. Mint ESXi SSL certificate with an online Microsoft CA
12. Create ESXi CSRs for an offline or non-Microsoft CA
13. Install manually downloaded certificates or resume a pending online request
 
14. Quit
Please enter an option 1 to 14: 8
 
Is the vCenter FQDN mylaptop.example.local ?
Press ENTER to accept or input a new vCenter FQDN: myvcsa.example.local
Enter vCenter IP or press ENTER to leave it out of the SSL cert:
 
Is the vCenter Inventory service FQDN mylaptop.example.local ?
Press ENTER to accept or input a new vCenter Inventory service FQDN: myvcsa.example.local
 
Is the vCenter SSO FQDN mylaptop.example.local ?
Press ENTER to accept or input a new vCenter SSO FQDN: myvcsa.example.local
 
Is the vCenter Update Manager FQDN mylaptop.example.local ?
Press ENTER to accept or input a new vCenter Update Manager FQDN: myvcum.example.local
 
Is the vCenter Web Client FQDN mylaptop.example.local ?
Press ENTER to accept or input a new vCenter Web Client FQDN: myvcsa.example.local
 
Is the vCenter Log Browser FQDN mylaptop.example.local ?
Press ENTER to accept or input a new vCenter Log Browser FQDN: myvcsa.example.local
 
Is the vCenter Orchestrator FQDN mylaptop.example.local ?
Press ENTER to accept or input a new vCenter Orchestator FQDN: myvcsa.example.local
 
Is the AutoDeploy FQDN mylaptop.example.local ?
Press ENTER to accept or input a new AutoDeploy FQDN: myvcsa.example.local
 
Is the Dump Collector FQDN mylaptop.example.local ?
Press ENTER to accept or input a new Dump Collector FQDN: myvcsa.example.local
 
Is the Syslog FQDN mylaptop.example.local ?
Press ENTER to accept or input a new Syslog FQDN: myvcsa.example.local
 
Is the Authentication Proxy FQDN mylaptop.example.local ?
Press ENTER to accept or input a new Authentication Proxy FQDN: myvcsa.example.local
Downloading root certificate from mycertserver.example.local ...
Root CA download successful.
 
    Directory: C:\Scripts\SSL-Toolkit\certs
 
Mode                LastWriteTime     Length Name
----                -------------     ------ ----
d----          6/2/2015  10:34 AM            VMware vCenter Service Certificate
Loading 'screen' into random state - done
Generating a 2048 bit RSA private key
...........+++
..................+++
writing new private key to 'C:\Scripts\SSL-Toolkit\certs\VMware vCenter Service Certificate\rui-orig.key'
-----
writing RSA key
d----          6/2/2015  10:34 AM            VMware Inventory Service Certificate
Loading 'screen' into random state - done
Generating a 2048 bit RSA private key
....................................................................................................................................+++
..............................+++
writing new private key to 'C:\Scripts\SSL-Toolkit\certs\VMware Inventory Service Certificate\rui-orig.key'
-----
writing RSA key
d----          6/2/2015  10:34 AM            VMware LDAP Service Certificate
Loading 'screen' into random state - done
Generating a 2048 bit RSA private key
.............................................................................+++
.................................................................+++
writing new private key to 'C:\Scripts\SSL-Toolkit\certs\VMware LDAP Service Certificate\rui-orig.key'
-----
writing RSA key
d----          6/2/2015  10:34 AM            VMware vCenter VAMI Certificate
Loading 'screen' into random state - done
Generating a 2048 bit RSA private key
......+++
........................................+++
writing new private key to 'C:\Scripts\SSL-Toolkit\certs\VMware vCenter VAMI Certificate\rui-orig.key'
-----
writing RSA key
d----          6/2/2015  10:34 AM            vCenter Web Client Service Certificate
Loading 'screen' into random state - done
Generating a 2048 bit RSA private key
........+++
..........................................................................................................................................................................................................+++
writing new private key to 'C:\Scripts\SSL-Toolkit\certs\vCenter Web Client Service Certificate\rui-orig.key'
-----
writing RSA key
d----          6/2/2015  10:34 AM            VMware Logbrowser Service Certificate
Loading 'screen' into random state - done
Generating a 2048 bit RSA private key
..................................................................................................................................+++
............+++
writing new private key to 'C:\Scripts\SSL-Toolkit\certs\VMware Logbrowser Service Certificate\rui-orig.key'
-----
writing RSA key
d----          6/2/2015  10:34 AM            VMware vSphere Autodeploy Service Certificate
Loading 'screen' into random state - done
Generating a 2048 bit RSA private key
..................................................+++
.................+++
writing new private key to 'C:\Scripts\SSL-Toolkit\certs\VMware vSphere Autodeploy Service Certificate\rui-orig.key'
-----
writing RSA key
Submitting certificate request for VMware vCenter Service Certificate
Submitting certificate request for VMware Inventory Service Certificate
Submitting certificate request for VMware LDAP Service Certificate
Submitting certificate request for VMware vCenter VAMI Certificate
Submitting certificate request for vCenter Web Client Service Certificate
Submitting certificate request for VMware Logbrowser Service Certificate
Submitting certificate request for VMware vSphere Autodeploy Service Certificate

After running the script, the following folders and files were created for me. Awesome!

PS C:\Scripts\SSL-Toolkit\certs> Get-ChildItem -Recurse
 
    Directory: C:\Scripts\SSL-Toolkit\certs
 
Mode                LastWriteTime     Length Name
----                -------------     ------ ----
d----          6/2/2015  10:34 AM            vCenter Web Client Service Certificate
d----          6/2/2015  10:34 AM            VMware Inventory Service Certificate
d----          6/2/2015  10:34 AM            VMware LDAP Service Certificate
d----          6/2/2015  10:34 AM            VMware Logbrowser Service Certificate
d----          6/2/2015  10:34 AM            VMware vCenter Service Certificate
d----          6/2/2015  10:34 AM            VMware vCenter VAMI Certificate
d----          6/2/2015  10:34 AM            VMware vSphere Autodeploy Service Certificate
-a---          6/2/2015  10:34 AM       1996 root64.cer
 
    Directory: C:\Scripts\SSL-Toolkit\certs\vCenter Web Client Service Certificate
 
Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---          6/2/2015  10:34 AM       2544 rui.crt
-a---          6/2/2015  10:34 AM       1679 rui.key
-a---          6/2/2015  10:34 AM       5774 rui.rsp
-a---          6/2/2015  10:34 AM        665 vCenter Web Client Service Certificate.cfg
-a---          6/2/2015  10:34 AM       1245 vCenter Web Client Service Certificate.csr
 
    Directory: C:\Scripts\SSL-Toolkit\certs\VMware Inventory Service Certificate
 
Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---          6/2/2015  10:34 AM       2544 rui.crt
-a---          6/2/2015  10:34 AM       1675 rui.key
-a---          6/2/2015  10:34 AM       5770 rui.rsp
-a---          6/2/2015  10:34 AM        663 VMware Inventory Service Certificate.cfg
-a---          6/2/2015  10:34 AM       1245 VMware Inventory Service Certificate.csr
 
    Directory: C:\Scripts\SSL-Toolkit\certs\VMware LDAP Service Certificate
 
Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---          6/2/2015  10:34 AM       2536 rui.crt
-a---          6/2/2015  10:34 AM       1679 rui.key
-a---          6/2/2015  10:34 AM       5766 rui.rsp
-a---          6/2/2015  10:34 AM        658 VMware LDAP Service Certificate.cfg
-a---          6/2/2015  10:34 AM       1236 VMware LDAP Service Certificate.csr
 
    Directory: C:\Scripts\SSL-Toolkit\certs\VMware Logbrowser Service Certificate
 
Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---          6/2/2015  10:34 AM       2544 rui.crt
-a---          6/2/2015  10:34 AM       1675 rui.key
-a---          6/2/2015  10:34 AM       5774 rui.rsp
-a---          6/2/2015  10:34 AM        664 VMware Logbrowser Service Certificate.cfg
-a---          6/2/2015  10:34 AM       1245 VMware Logbrowser Service Certificate.csr
 
    Directory: C:\Scripts\SSL-Toolkit\certs\VMware vCenter Service Certificate
 
Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---          6/2/2015  10:34 AM       2540 rui.crt
-a---          6/2/2015  10:34 AM       1679 rui.key
-a---          6/2/2015  10:34 AM       5770 rui.rsp
-a---          6/2/2015  10:34 AM        661 VMware vCenter Service Certificate.cfg
-a---          6/2/2015  10:34 AM       1240 VMware vCenter Service Certificate.csr
 
    Directory: C:\Scripts\SSL-Toolkit\certs\VMware vCenter VAMI Certificate
 
Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---          6/2/2015  10:34 AM       2556 rui.crt
-a---          6/2/2015  10:34 AM       1675 rui.key
-a---          6/2/2015  10:34 AM       5786 rui.rsp
-a---          6/2/2015  10:34 AM        673 VMware vCenter VAMI Certificate.cfg
-a---          6/2/2015  10:34 AM       1261 VMware vCenter VAMI Certificate.csr
 
    Directory: C:\Scripts\SSL-Toolkit\certs\VMware vSphere Autodeploy Service Certificate
 
Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---          6/2/2015  10:34 AM       2556 rui.crt
-a---          6/2/2015  10:34 AM       1675 rui.key
-a---          6/2/2015  10:34 AM       5782 rui.rsp
-a---          6/2/2015  10:34 AM        672 VMware vSphere Autodeploy Service Certificate.cfg
-a---          6/2/2015  10:34 AM       1257 VMware vSphere Autodeploy Service Certificate.csr

Step 3: Prepare to install these certs to your VCSA

Snapshot

Shut down and back up (or snapshot) your VCSA. This is an error-prone process, so make it easy on yourself to revert and try again.

Rename Folders

To simplify things in Linux, I used these PowerShell commands to rename my folders to be lowercase and without spaces.

Rename-Item -path "C:\Scripts\SSL-Toolkit\certs\vCenter Web Client Service Certificate" -newName "C:\Scripts\SSL-Toolkit\certs\webclient"
Rename-Item -path "C:\Scripts\SSL-Toolkit\certs\VMware Inventory Service Certificate" -newName "C:\Scripts\SSL-Toolkit\certs\inventoryservice"
Rename-Item -path "C:\Scripts\SSL-Toolkit\certs\VMware LDAP Service Certificate" -newName "C:\Scripts\SSL-Toolkit\certs\ldap"
Rename-Item -path "C:\Scripts\SSL-Toolkit\certs\VMware Logbrowser Service Certificate" -newName "C:\Scripts\SSL-Toolkit\certs\logbrowser"
Rename-Item -path "C:\Scripts\SSL-Toolkit\certs\VMware vCenter Service Certificate" -newName "C:\Scripts\SSL-Toolkit\certs\vpxd"
Rename-Item -path "C:\Scripts\SSL-Toolkit\certs\VMware vCenter VAMI Certificate" -newName "C:\Scripts\SSL-Toolkit\certs\vami"
Rename-Item -path "C:\Scripts\SSL-Toolkit\certs\VMware vSphere Autodeploy Service Certificate" -newName "C:\Scripts\SSL-Toolkit\certs\autodeploy"

Retrieve your Certificate Server’s certificate chain

  • Navigate to the home page of the certificate server (e.g. http://mycertserver.example.local/certsrv/) and click Download a CA certificate, certificate chain or CRL.
  • Click the Base 64 option.
  • Click the Download CA Certificate chain link.
  • Save the certificate chain as cachain.p7b in the “C:\Scripts\SSL-Toolkit\certs\” directory.

Copy certs folder to VCSA

Use WinSCP to copy the C:\Scripts\SSL-Toolkit\certs (including subfolders) to the vCenter Server appliance. I placed /certs on the root.

Convert P7B to PEM

Use Putty to log into the vCenter Server Appliance as root. Following KB 2057223, from the vCenter Server Appliance, run these commands to convert the cachain.p7b file to PEM (cachain.pem):

  • cd ssl/vpxd/
  • openssl pkcs7 -print_certs -in cachain.p7b -out cachain.pem

Open the cachain.pem file with the vi editor and remove any text before the first -----BEGIN CERTIFICATE----- and after the last -----END CERTIFICATE-----.

For me, I had to delete these two lines at the top (subject=/DC=local/DC=example/CN=mycertserver AND issuer=/DC=local/DC=example/CN=mycertserver), and a few empty lines at the bottom.
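The clean-up above can be done without hand-editing in vi, and it is worth checking the minted certificates before handing them to the install script. The following POSIX shell helpers are an added example, not code from the original post, from KB 2057223 or from Grevink’s script. They assume the layout used in this post: cachain.p7b copied to /certs, and a rui.crt plus rui.key in each renamed service directory (vpxd, inventoryservice, and so on). The strip function goes slightly beyond the manual step: it also drops the subject=/issuer= lines that openssl writes between certificates when the chain holds more than one (root plus issuing CA), and strips any CR left over from editing the file on Windows.

```shell
#!/bin/sh
# Added example (not from the original post, KB 2057223 or vcsa_certs.sh).
# Assumed layout, as in the post: /certs/cachain.p7b from the Microsoft CA,
# and /certs/<service>/rui.crt + rui.key for each minted service cert.

# Keep only the certificate blocks of a PEM file: drops the
# "subject=/issuer=" lines that 'openssl pkcs7 -print_certs' writes
# before each certificate, the blank lines after them, and any CR
# left behind by a Windows editor.
strip_to_certs() {
    awk '{ sub(/\r$/, "") }
         /^-----BEGIN CERTIFICATE-----$/ { keep = 1 }
         keep { print }
         /^-----END CERTIFICATE-----$/ { keep = 0 }' "$1"
}

# Number of certificates in a PEM file (root + issuing CA gives 2).
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Convert the downloaded PKCS#7 chain to a clean PEM chain. This replaces
# the manual vi clean-up; it needs openssl, which the appliance ships.
convert_chain() {
    p7b=$1; pem=$2
    openssl pkcs7 -print_certs -in "$p7b" -out "$pem.raw" || return 1
    strip_to_certs "$pem.raw" > "$pem"
    rm -f "$pem.raw"
    echo "$(count_certs "$pem") certificate(s) written to $pem"
}

# Pre-flight check for one service directory before running the install
# script: rui.crt must chain to the CA and must match rui.key. A mismatch
# here is the usual reason a service fails to start after the reboot.
check_service_cert() {
    dir=$1; chain=$2
    openssl verify -CAfile "$chain" "$dir/rui.crt" || return 1
    crt_mod=$(openssl x509 -noout -modulus -in "$dir/rui.crt" | openssl md5)
    key_mod=$(openssl rsa  -noout -modulus -in "$dir/rui.key" | openssl md5)
    if [ "$crt_mod" != "$key_mod" ]; then
        echo "$dir: rui.key does not match rui.crt" >&2
        return 1
    fi
    echo "$dir: OK"
}

# Usage on the appliance, after copying /certs with WinSCP:
#   cd /certs && convert_chain cachain.p7b cachain.pem
#   for d in vpxd inventoryservice ldap vami webclient logbrowser autodeploy; do
#       check_service_cert "$d" cachain.pem || exit 1
#   done
```

Source the file (`. ./certcheck.sh`, any name you like) and run the two usage lines from /certs. If `openssl verify` reports an error for a service, fix that certificate before running vcsa_certs.sh; reverting to the snapshot after a half-applied install is far more work than re-minting one certificate.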

Step 4: Modify Grevink’s certificate installation script

  • Open NotePad++
  • Navigate to NotePad++ > Settings > Preferences > New Document > Format
  • Change the New Document format to “Unix/OSX”, then Close preferences
  • Open a new blank document in NotePad++
  • Using a browser, visit “Implementing CA signed SSL certificates with vSphere 5.x – Part 3 – vCenter Server Appliance”
  • Copy and paste Grevink’s vcsa_certs.sh script to your new, blank, and Unix formatted document
  • Provide values for the script’s variables and save as “C:\Scripts\SSL-Toolkit\certs\vcsa_certs.sh”

I used these values:

  • SOURCE="/certs"
  • SERVER_DOMAIN="myvcsa.example.local"
  • SSO="vpxd"
  • InventoryService="inventoryservice"
  • Logbrowser="logbrowser"
  • AutoDeploy="autodeploy"

Step 5: Execute Grevink’s certificate installation script

  • Use WinSCP to copy the script from Windows > C:\Scripts\SSL-Toolkit\certs\vcsa_certs.sh to VCSA > /certs/vcsa_certs.sh
  • Use Putty on the VCSA to adjust the file permission so that you can run the script: chmod 744 vcsa_certs.sh
  • Use Putty to run the script: ./vcsa_certs.sh

When the script is done it will prompt you to reboot your vCenter Server Appliance. After reboot, your VCSA will have CA-signed certs.

Thank you Seaman and Grevink for making this process much easier.

2 Comments


  1. I found this to be very helpful. Thank you!

    Here are the only suggestions I can offer. 1) The values in Modify Grevink’s certificate for the variables SOURCE and SERVER_DOMAIN are not to be enclosed in quotes.

    2) The instructions to “Convert P7B to PEM” did not work for me. I found that I could not change into the ssl/vpxd directory. Rather, I ran the command in the /certs directory on the appliance. Additionally, I needed to open up the permissions to make it readable for execution.

    3) This line: Rename-Item -path “C:\Scripts\SSL-Toolkit\certs\VMware Inventory Service Certificate” -newName “C:\Scripts\SSL-Toolkit\certs\inventoryservice”

    creates an all lowercase name for InventoryService, but the Grevink script expects CamelCase style directory name (InventoryService). Same was true for LogBrowser/logbrowser.

    Other than that, perfect!

    Many thanks!
