VMware SSL automation tool
VMware has released a tool to make it easier to handle the installation of the certificates for the vCenter components. Before this tool it was a lot of work to install and configure certificates for vCenter SSO, Inventory, UpdateManager, Logbrowers and many more.
This blog will guide you through the process of setting up the requirements to install the certificates with the new tool.
This blog will describe the steps to use the automation tool only with use of knowledge found in the blog mentioned above for creation of the files you need. So the credits for the process up to the tool are for Derek Seaman.
Setup the files
First step is to set up all the files you will need to request the certificate.
I’ve created a Cert folder in C:OpenSSL and created a folder for each service that needs a certificate.
Next I created a .CFG file in each folder with the following contents. The highlighted text is the one you need to customize according to your needs.
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS: ServerShortName, IP: ServerIPAddress, DNS: server.domain.com
[ req_distinguished_name ]
countryName = Country
stateOrProvinceName = State
localityName = City
0.organizationName = Company Name
organizationalUnitName = Service
commonName = server.domain.com
So for every service you are creating a certificate for you need to create a file like this in it’s own folder.
The service name is the name of the service you are assigning a certificate for, fill in the name like its listed below;
- SSO = vCenterSSO
- Inventory Service = vCenterInventoryService
- vCenter = vCenterServer
- Web Client = vCenterWebClient
- Log Browser = vCenterLogBrowser
- Update Manager = VMwareUpdateManager
So now we have the files created, now we need to download the root certificate for your internal CA.
Lucky I just setup the internal CA yesterday so let’s make use of it.
Make sure you select the Base 64 format and click on the “Download CA Certificate chain”.
This will download a P7B file, double click this file to enter the next window.
Right click on the certificate chain and choose export.
The following wizard appears, follow it.
Make sure you select Base-64 encoded.
Save the file in the root of the Cert folder you created earlier
Now we have the cert file and the config files, the next files needed are the KEY file and the CSR file.
The key file is created to run an openssl command from every folder in the cert folder.
C:OpenSSLbinopenssl.exe genrsa 2048 > rui.key
Next is the CSR file, run the following command from every service directory in the CERT folder.
C:OpenSSLbinopenssl.exe req -out rui.csr -key rui.key -new -config inventory.cfg
The result will be like this;
Next is the CRT file, more files, more work.
There are two road to Rome with this, I picked the Online one and not the command line one.
- Open the RUI.CSR in each folder and copy the contents to the clipboard;
- Browse to http://<YourCA>/CertSRV
- Click on “Request a Certificate”
- Click on “Advanced Certificate request”
- Click on “Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
- Paste the contents of the clipboard in the first field and choose the correct VMware template.
- Click on “Submit”
- Choose Base-64 Encoded
- Click on “Download Certificate”
- Choose “Save-as” and browse to the correct cert folder.
- Save the file as CRT file.
Next is the PEM file, the PEM file is a combination of the Root certificate and the CRT file.
Use the following command to combine them into a PEM file.
copy /B rui.crt + C:OpenSSLcertsroot64.cer chain.pem
I have only one CA and no subordinates so the command is simple, if you have another setup please make sure you include all root certificates.
Run the command in every folder, the end result is that each folder has a PEM file.
Next is the PFX file, the last one before we can run the automation tool.. as you see it very automated ???
C:opensslbinopenssl pkcs12 -export -in rui.crt -inkey rui.key -certfile C:OpenSSLcertsroot64.cer -name rui -passout pass:testpassword -out rui.pfx
SSL Automation tool
Now we can start using the Automation tool, finally.
First you have to edit the SSL-Environment.bat to set the parameters. Edit the highlighted parameters.
rem # Parameters for updating the vCenter Orchestrator SSL Certificate
rem # vco_cert_chain
rem # REQUIRED. Specifies a file containing the new SSL certificate chain for
rem # vCenter Orchestrator Server and Configuration Service. See the
rem # comment at the beginning of this file for details about the chain
rem # file format.
rem # Example:
rem # vco_cert_chain=C:OpenSSLcertsorchestratorchain.pem
rem # vco_private_key
rem # REQUIRED. Specifies a file containing the new SSL private key for
rem # vCenter Orchestrator Server and Configuration Service.
rem # See the comment at the beginning of this file
rem # for details about the private key file format.
rem # Example:
rem # vco_private_key=C:OpenSSLcertsorchestratorrui.key
Some other paramaters have to be set
rem # * HA_Failover : indicates a secondary (failover) node of a HA cluster. Only
rem # select this option if you have configured a load-balancer with SSL
rem # termination. If you have installed in HA mode but still haven’t configured
rem # a load balancer, or if you are using load-balancer without SSL termination,
rem # then answer Single.
rem # The following parameters are optional and only have effect if sso_node_type is HA_<any>.
rem # sso_admin_is_behind_lb
rem # OPTIONAL. Specifies whether the Single Sign-On Administration Service is also
rem # served from the load-balancers. Answer yes or no. If no answer is provided,
rem # the default value is “no”.
rem # N.B. that the Single Sign-On Security Token Service and Single Sign-On Group
rem # Check Service are always presumed to be served by the load-balancer in HA mode.
rem # sso_lb_certificate
rem # OPTIONAL. Specifies a file containing the authority (self-signed) certificate
rem # of the load-balancer. This parameter lets you fix the Lookup Service
rem # records in cases where the load-balancer SSL configuration had been updated.
rem # If no value is provided, the Lookup Service records for the load-balanced
rem # Single Sign-On services are left untouched.
rem # sso_lb_hostname
rem # OPTIONAL. Specifies the load-balancer address (IP or fully-qualified host name).
rem # This parameter lets you fix the Lookup Service records in cases where
rem # the load-balancer address had changed. If no value is provided, the Lookup
rem # Service records for the load-balanced Single Sign-On services are left untouched.
The last parameters are the user accounts. Fill in the sso admin user account and the account to access vCenter.
rem vc_username in the common section should be filled in
rem Common parameters
rem # vc_username
rem # REQUIRED (when specified by a section). Specifies the account
rem # name to use to log in to vCenter Server.
rem # Example:
rem # vc_username=administrator
set vc_username=<DomainDomain admin>
When all of the parameters are set you can run ssl-environment.bat to set the parameters.
There will be no output for this file, it will be finished directly.
Next you need to run ssl-updater.bat.
When you have all files in place (make sure you do) and you have your SSO admin password close by together with a domain admin account you can start updating. If one of those is not close by find them for you will need them too often.
I first clicked “2” to update SSO. After clicking “2” I got the next menu offering me two options. when you go through the whole proces the secondary screen range from 2 to 8 options you need to execute. Follow them one by one.
So here I chose “1” to update the SSO certificate
It will ask you for the locations of the chain and the key, details that are set already so no worry here, just hit enter. It will also ask you for the SSO Admin password so keep it close.
After a while an lengthy output is shown, the last lines say it’s positive. So we go on to the next one.
After the action is completed you return to the main menu and click the next option.
Inventory and so on…
The next one was the inventory service, as you can see there are more tasks to complete.
First a trust needs to be updated and some services are restarted.
After all tasks are done continue to the next, until all tasks are completed.
At the end of this lengthy job your certificates are updated… it’s a hell of a job, take your time and follow the steps. Hope this blog will help you understand the new SSL Automation tool from VMware.
Credits go to www.derekseaman.com
(Sam Geown) for great posts about this subject. I used info from their blogs for completing my task at that customer.
All screenshots however in this blog are original ones, as are the steps taken I used their blogs for a reference partly because when I had to do this task the VMware knowledge base was down the whole morning.