Implementing CA signed SSL certificates with vSphere 5.x – Part 3 – vCenter Server Appliance

In the previous post, we highlighted the certificate template needed in case of an organizational CA, and ended with the creation of the certificates needed for the vCenter Server components.

According to our compass KB “Implementing CA signed SSL certificates with vSphere 5.x (2034833)”, the next step is to replace the vCenter Single Sign-On certificate and it points us to KB “Configuring CA signed SSL certificates for vCenter Single Sign-On in vSphere 5.5 (2058519)”.

Unfortunately, we are in trouble now, as KB 2034833 refers to the Windows vCenter Server components, with no reference to the vCenter Server Appliance. We will return to this KB later, for the vSphere Update Manager.

Luckily, KB “Configuring Certificate Authority (CA) signed certificates for vCenter Server Appliance 5.5 (2057223)” is available for the vCenter Server Appliance. In fact this KB contains all steps for setting up OpenSSL, generating certificate requests, getting and implementing certificates.

The Script

In fact, we have reached the section “Installation and configuration of the certificates for all the components”. This 40 step long section contains a lot of commands. To bridge these differences and make the installation process easier, I have created a script, which can be found at the end of this post. Copy and paste the content into Notepad and save it as vcsa_certs.sh.

Before proceeding, take precautions, like backing up the existing rui.crt, rui.key and rui.pfx files, creating a snapshot and so on.

The script has the following features:

  • You can adjust the names of the folders, in case you need to.
    [Figure 1]
  • After replacing the SSL certs for the vCenter Server (step 11), the script checks the result and stops if VC_CFG_RESULT does not equal 0.

Running the script

Now proceed as follows.

  • On the system where you created the certificate requests, place the script vcsa_certs.sh in the C:\Certs folder.
  • Assuming you have permission to access the vCenter Server Appliance, copy the entire C:\Certs folder (including subfolders) to the vCenter Server Appliance. You are free to choose a suitable location, like /tmp or /root. You can use WinSCP for this task.
    [Figure 2]
  • Connect to the vCenter Server Appliance through SSH (PuTTY) as user root.
  • Assuming we copied C:\Certs to /root/Certs, we first need to convert the p7b file to cachain.pem, followed by some housekeeping:
    # cd /root/Certs
    # openssl pkcs7 -print_certs -in cachain.p7b -out cachain.pem
  • We need to remove any text before the first “-----BEGIN CERTIFICATE-----” and after “-----END CERTIFICATE-----”.
    If you are not familiar with the notorious vi editor, head over to “Editing files on an ESX host using vi or nano (1020302)”.
    To open the file:
    # vi cachain.pem
    In this example:
    [Figure 3]
  • To delete the first two lines, save the file and exit vi: move to the first line, then type:
    2dd
    :wq
  • We need to adjust the file permissions to run the script:
    # chmod 744 vcsa_certs.sh
  • To run the script:
    # ./vcsa_certs.sh
  • The script will ask for the password of the account administrator@vsphere.local.
    [Figure 4]
  • The script will display its progress (lines starting with #) and its output on the screen.
  • If everything goes well, the script will end, asking for a reboot.
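The vi step above removes the subject/issuer lines that openssl pkcs7 -print_certs writes in front of each certificate. As an added helper, not part of the original post, the KB or vcsa_certs.sh, the following functions do that cleanup automatically, also dropping the header lines between certificates of a multi-level chain, and refuse to overwrite the file when no certificate block is left:

```shell
#!/bin/bash
# Added example, not from the original post or KB 2057223:
# keep only the PEM certificate blocks of cachain.pem.

# Print only the lines from "-----BEGIN CERTIFICATE-----" through
# "-----END CERTIFICATE-----"; everything else (openssl's subject=/issuer=
# headers, blank lines) is dropped. $1 is the input file.
strip_pem_noise() {
    awk '/^-----BEGIN CERTIFICATE-----$/ { inside = 1 }
         inside { print }
         /^-----END CERTIFICATE-----$/ { inside = 0 }' "$1"
}

# Number of certificate blocks in a PEM file (prints 0 when there are none).
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1"
}

# Clean the file in place. Returns 1 (and leaves the file untouched) when
# the cleaned result contains no certificate, e.g. after a failed p7b
# conversion, so the script is never fed an empty chain.
clean_cachain() {
    local src="$1" tmp
    tmp="$(mktemp)" || return 1
    strip_pem_noise "$src" > "$tmp"
    if [ "$(count_certs "$tmp")" -lt 1 ]; then
        echo "No certificate block found in $src, file left unchanged" >&2
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$src"
    echo "$src now contains $(count_certs "$src") certificate(s)"
}
```

Run it as `clean_cachain /root/Certs/cachain.pem` before starting vcsa_certs.sh; the file keeps the certificate order produced by openssl.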

After a reboot of the vCenter Server Appliance, go to the login page of the Web Client and check for the new certificate.

[Figure 5 – Old certificate]

[Figure 6 – New certificate]

As always, I thank you for reading. After a short break, we will continue with the remaining components.

This is the third post in a series about implementing CA signed SSL certificates in a vSphere 5.x environment.

Part 1 – Introduction.

Part 2 – Obtaining Certificates.

#!/bin/bash

# vcsa_certs.sh
#
# Script based on VMware KB "Configuring Certificate Authority (CA) signed
# certificates for vCenter Server Appliance 5.5 (2057223)"

# Version       : 1.0
# Date          : 22-02-2015
# Author        : Paul Grevink
# Changed       : First version

### UID Check ###

if [ "$UID" -ne 0 ]; then
      echo "To run this script, you need to be root!"
      exit 1
fi

### Declaration of Variables ###

SOURCE=$(pwd)
SERVER_DOMAIN=$(hostname)

# Variables for subfolders
SSO="SSO"
InventoryService="InventoryService"
Logbrowser="Logbrowser"
AutoDeploy="AutoDeploy"

SETGRE="echo -en \\033[1;32m"
SETRED="echo -en \\033[1;31m"
SETYEL="echo -en \\033[1;33m"
SETNOR="echo -en \\033[1;39m" 

### START ####

# cachain.pem available?

FILE="cachain.pem"
if ! [ -s "$SOURCE/$FILE" ]
then
    echo "File $FILE is not available."
    exit 1
fi

# The script needs the password of the SSO administrator account

# Assume we use administrator@vsphere.local
SSO_ADMINISTRATOR="administrator@vsphere.local"

# -s keeps the password off the terminal, -r keeps backslashes literal
echo "Enter Password for account $SSO_ADMINISTRATOR : "
read -r -s SSO_ADMINISTRATOR_PASSWORD
echo

# Start with vCenter Server and SSO
echo "# Start with vCenter Server and SSO"

service vmware-stsd stop
service vmware-vpxd stop

cp $SOURCE/cachain.pem $SOURCE/$SSO
cd $SOURCE/$SSO

# Create the chain.pem file for vCenter Server service by running the commands:
echo "# Create the chain.pem file for vCenter Server service."
cat rui.crt cachain.pem > chain.pem

# Replace the SSL certs by running the command:
echo "# Replace the SSL certs."
/usr/sbin/vpxd_servicecfg certificate change chain.pem rui.key

if [ "$?" -ne 0 ]; then
      $SETRED
      echo "VC_CFG_RESULT <> 0."
      echo "Investigate, see KB 2057248"
      $SETNOR
      exit 1
fi

# Ensure the vCenter Single Sign-On service is started before continuing by running the command:
echo "# Ensure the vCenter Single Sign-On service is started before continuing."
service vmware-stsd start

#Unregister the vCenter Inventory Service from vCenter Single Sign-On by running the commands:
echo "#Unregister the vCenter Inventory Service from vCenter Single Sign-On."
cd /etc/vmware-sso/register-hooks.d/

./02-inventoryservice --mode uninstall --ls-server https://$SERVER_DOMAIN:7444/lookupservice/sdk

cp $SOURCE/cachain.pem $SOURCE/$InventoryService

cd $SOURCE/$InventoryService

cat rui.crt cachain.pem > chain.pem

# Create the *.pfx file by running the command:
echo "# Create the *.pfx file."
openssl pkcs12 -export -out rui.pfx -in chain.pem -inkey rui.key -name rui -passout pass:testpassword

#Copy the rui.key, rui.crt, and rui.pfx files to the /usr/lib/vmware-vpx/inventoryservice/ssl directory:
echo "#Copy the rui.key, rui.crt, and rui.pfx files to the /usr/lib/vmware-vpx/inventoryservice/ssl directory:"
cp rui.key /usr/lib/vmware-vpx/inventoryservice/ssl/
cp rui.crt /usr/lib/vmware-vpx/inventoryservice/ssl/
cp rui.pfx /usr/lib/vmware-vpx/inventoryservice/ssl/

# change permissions
cd /usr/lib/vmware-vpx/inventoryservice/ssl/
chmod 400 rui.key rui.pfx
chmod 644 rui.crt

# Run these commands to register the vCenter Inventory Service back to vCenter Single Sign-On:
echo "# Run these commands to register the vCenter Inventory Service back to vCenter Single Sign-On."
cd /etc/vmware-sso/register-hooks.d/

./02-inventoryservice --mode install --ls-server https://$SERVER_DOMAIN:7444/lookupservice/sdk --user $SSO_ADMINISTRATOR --password $SSO_ADMINISTRATOR_PASSWORD

# To re-register the vCenter Inventory Service to vCenter Server the next time the service starts, run this command:
echo "# To re-register the vCenter Inventory Service to vCenter Server the next time the service starts."
rm /var/vmware/vpxd/inventoryservice_registered 

service vmware-inventoryservice stop
service vmware-vpxd stop
service vmware-inventoryservice start
service vmware-vpxd start

# Unregister the VMware Log Browser service from vCenter Single Sign-On by running the commands:
echo "# Unregister the VMware Log Browser service from vCenter Single Sign-On."
cd /etc/vmware-sso/register-hooks.d/

./09-vmware-logbrowser --mode uninstall --ls-server https://$SERVER_DOMAIN:7444/lookupservice/sdk

cp $SOURCE/cachain.pem $SOURCE/$Logbrowser
cd $SOURCE/$Logbrowser

cat rui.crt cachain.pem > chain.pem

# Create the *.pfx file by running this command:
echo "# Create the *.pfx file."
openssl pkcs12 -export -in chain.pem -inkey rui.key -name rui -passout pass:testpassword -out rui.pfx

# Copy rui.key, rui.crt, and rui.pfx files to the /usr/lib/vmware-logbrowser/conf directory:
echo  "# Copy rui.key, rui.crt, and rui.pfx files to the /usr/lib/vmware-logbrowser/conf directory:"
cp rui.key /usr/lib/vmware-logbrowser/conf
cp rui.crt /usr/lib/vmware-logbrowser/conf
cp rui.pfx /usr/lib/vmware-logbrowser/conf

# Change the permissions on the files by running these commands:
echo "# Change the permissions on the files by running these commands:"
cd /usr/lib/vmware-logbrowser/conf
chmod 400 rui.key rui.pfx
chmod 644 rui.crt

# Run these commands to re-register the VMware Log Browser service to vCenter Single Sign-On:
echo "# Run these commands to re-register the VMware Log Browser service to vCenter Single Sign-On:"
cd /etc/vmware-sso/register-hooks.d/

./09-vmware-logbrowser --mode install --ls-server https://$SERVER_DOMAIN:7444/lookupservice/sdk --user $SSO_ADMINISTRATOR --password $SSO_ADMINISTRATOR_PASSWORD

# When complete, restart the Log Browser service by running the commands:
echo  "# When complete, restart the Log Browser service."
service vmware-logbrowser stop
service vmware-logbrowser start

# AutoDeploy
# Copy the AutoDeploy rui.crt and rui.key to the /etc/vmware-rbd/ssl/ directory as waiter.crt and waiter.key:
echo "# AutoDeploy"
echo "# Copy the AutoDeploy rui.crt and rui.key to the /etc/vmware-rbd/ssl/ directory as waiter.crt and waiter.key."

cp $SOURCE/$AutoDeploy/rui.crt /etc/vmware-rbd/ssl/waiter.crt
cp $SOURCE/$AutoDeploy/rui.key /etc/vmware-rbd/ssl/waiter.key

#Change the permissions and ownership on the waiter files by running these commands:
echo  "#Change the permissions and ownership on the waiter files."
cd /etc/vmware-rbd/ssl/

chmod 644 waiter.crt
chmod 400 waiter.key
chown deploy:deploy waiter.crt waiter.key 

# Re-register the service to the vCenter Server with the commands:
echo "# Re-register the service to the vCenter Server."
service vmware-rbd-watchdog stop
rm /var/vmware/vpxd/autodeploy_registered
service vmware-rbd-watchdog start

echo ""
echo ""
$SETYEL
echo "Finished, it's now time to reboot the appliance"
echo "Enter the command # reboot "
$SETNOR

# EOF