Author: Craig

We have received a number of requests to replace the Default Certificates on vCenter 5/VUM/vCOPS to prevent ‘man in the middle attacks’.  Due to this I thought it would be a good idea to go through the process myself manually (not using the vCenter SSL Automation Tool) so that I understood the gotchas and caveats.

I wanted to document the process as a number of articles, whitepapers and blog posts helped me to replace the default certificates for vCenter 5, VUM, vCOPS & Horizon View.

Resources Used

• Replacing Default vCenter Server 5.0 and ESXi Certificates – VMware Whitepaper
• vSphere 5 Certificates – Julian Wood Blog WoodItWork.com
• The Trouble with CA SSL Certificates in vCenter 5 – Michael Webster Blog LongWhiteClouds.com

I started with the official VMware Guide and quickly found this lacking especially when it comes to OpenSSL, this is when both Julian’s and Michael’s blog posts where invaluable in my road to replacing the default certificates.

Prerequisite

To start on the path of replacing your Default Certificates, you will need the following in place:

Internal Certificate Authority

This should have the Certification Authority and Certificate Authority Web Enrollment services installed, mine is Active Directory integrated so that the my Internal Certificate Authority is automatically trusted by any domain members.

Load your Internal CA and go to Certificate Templates > Manage and create a copy of the Web Server Certificate with the following details:

• Windows Server 2008 Enterprise Certificate
• Minimum Key Size 2048
• Allow Private Key To Be Exported

• Create an Active Directory Security Group for your vCenter Servers and add these to the Security Tab and give them Read, Write and Enroll Permissions

Close the Certificate Template Console and Right Click > Certificate Templates > New > Certificate Template to Issue > Select your Certificate and it should appear in the Certificate Templates.

Mines called Horizon View

Web Enrollment

From any server which is on your domain, but NOT your Internal Certificate Authority go to http://CANAME/certsrv

Perform a ‘Request A Certificate’ > Advanced Certificate Request > Create and s ubmit a request to this CA if you receive the error message ‘In order to complete the certificate enrollment, the Web site for the CA must be configured to use HTTPS authentication’.

Then go to Internet Options > Security > Trusted Sites > Sites and add deselect ‘Require server verification (https:) for all sites in this zone) and add your Internal CA

Next click on Custom Level and Enable ‘Initialize and script ActiveX controls not marked as safe for scripting’

Double check that your Web Enrollment now works correctly.

OpenSSL

I’m a Windows guy and therefore I needed to use a version of OpenSSL that worked in my Windows environment.

Download and install Win32 OpenSSL v1.0.1.e select the appropriate version if you on a x86 or x64 system.  During the installation select ‘The Windows System Directory’

Drop into CMD and CD into C:OpenSSL-Win32bin and run the following command:

set OPENSSL_CONF=C:OpenSSL-Win32binopenssl.cfg

Backups

Perhaps the most important thing is to have  a backup of your vCenter server and any related servers before you do any more work.  I can’t state how critical this is, as the chances are something is going to go wrong!

Step 1 – vCenter 5

Use Windows Explorer and navigate to C:OpenSSL-Win32bin and make a backup of openssl.cfg

Now openssl.cfg using Wordpad and find [ req ] and insert these two lines directly underneath

req_extensions = v3_req
subjectAltName = DNS:VMF-VC01.vmfocus.com, DNS:VMF-VC01

Next change the default_bits to 2048

default_bits = 2048

After this change the input_password and output_password to ‘testpassword’

# input_password = testpassword
# output_password = testpassword

It should look like this

[ req ]
req_extensions = v3_req
subjectAltName = DNS:VMF-VC01.vmfocus.com, DNS:10.3.2.203
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert

# Passwords for private keys if not present they will be prompted for
# input_password = testpassword
# output_password = testpassword

Drop into CMD and CD into C:OpenSSL-Win32bin and run the following command:

openssl req -new -nodes -out rui.csr -keyout rui.key

Complete the details presented

In the C:OpenSSL-Win32bin folder you will now have a rui.csr file

Open rui.csr using Notepad > Select All > Copy

Fire up Internet Explorer and got to http://InternalCA/certsrv and Select > Request Certificate > Advanced Certificate Request > Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a bae-64-encoded PKCS #file

In the space Base-64 encoded paste the contents of the rui.crt then change the Certificate Template to the one you published earlier

Hit Submit and then Select ‘Base 64 encoded’ and Download certificate

Rename the certificate to rui.crt and drop it into the C:OpenSSL-Win32bin folder.  You should now have three files called:

1. rui.crt
2. rui.csr
3. rui.key

Before going any further check your certificate by double clicking rui.crt and make sure it has the correct Subject Alternative Names

Back into CMD and CD into C:OpenSSL-Win32bin and launch the following command:

openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui -passout pass:testpassword -out rui.pfx

In the C:OpenSSL-Win32bin folder we now have four files:

1. rui.crt
2. rui.csr
3. rui.key
4. rui.pfx

Select rui.crt, rui.key and rui.pfx and copy these to your vCenter 5 Server

Jump onto your vCenter 5 Server and go to C:ProgramDataVMwareVMware VirtualCenter make a copy of the SSL folder

Paste the rui.crt, rui.key and rui.pfx into the SSL folder and overwrite the existing certificates.

Fire up Internet Explorer and go to http://localhost/mob/?moid=vpxd-securitymanager&vmodl=1 (you might need to enable Compatibility Mode on Internet Explorer)

Enter credentials that have Administrator rights on vCenter

Select ‘reloadSlCertificate’ then Invoke Method

If all goes well, you should see the item displayed ‘Method Invocation Result: void’

Restart VMware VirtualCenter Management Webservices and browse to https://vCenter and you should see a trusted Certificate installed!

Step 2 – vCenter 5 Inventory Service

Navigate to C:Program FilesVMwareInfrastructureInventory Service and make a copy of the SSL folder

Paste the rui.crt, rui.key and rui.pfx into the SSL folder and overwrite the existing certificates.

Restart the vCenter Inventory Service

Step 3 – vSphere Update Manager

Navigate to C:Program Files (x86)VMwareInfrastructureUpdate Manager and make a copy of the SSL folder

Paste the rui.crt, rui.key and rui.pfx into the SSL folder and overwrite the existing certificates.

Go to C:Program Files (x86)VMwareInfrastructureUpdate Manager and launch VMwareUpdateManagerUtility.exe

Enter your vCenter Server credentials then Select SSL Certificate > Tick ‘Followed and verified the steps’ > Apply

Restart the vSphere Update Manager Service

I recommend restarting your vCenter Server now, after this we get to the acid test which is does it work?

I’m sure it does!

Step 4 – Horizon View

Because we replaced the vCenter 5 certificates, we need to restart our Horizon View services.  Once done log into Horizon View Administrator and check your system health, fingers crossed we get Green Boxes.

Step 5 – vCenter Operations Manager

Because we replaced the vCenter 5 certificates, vCOPS will have lost connectivity.  To address, login to vCenter Operations Manager Administration > Registration > vCenter Server Registration > Update > Enter Credentials & Accept Certificate

Once done you should see the the Connection Status as Connected