vCenter and SSL is always a pain. Simple thing as replacing default self-signed SSL certificates with CA signed has in official VMWare KB2057223 40(!!!) steps.
There are many blog posts and automation scripts about this procedure and often they contains much more steps. They, like official VMware KB, are generating and signing certificate for each individual vcenter component. From vmware KB:
This means that four different certificates are required for each vCenter Server Appliance:
•vCenter Server / vCenter Single Sign-On (SSO)
•vCenter Inventory Service
•VMware Log Browser
Hell why? They ARE NOT required! You don’t need seperate ssl certificate for each compoment and vCenter is happy and working with one – common ssl certicate.
To generare ssl certificate for vcenter follow this simple steps on vcenter appliance:
1. We will be working in root home directory, so
2. Generate certificate request (csr) with customized openssl.conf, create it:
[ req ] default_md = sha512 default_bits = 2048 default_keyfile = rui.key distinguished_name = req_distinguished_name encrypt_key = no prompt = no string_mask = nombstr req_extensions = v3_req input_password = testpassword output_password = testpassword [ v3_req ] basicConstraints = CA:false keyUsage = digitalSignature, keyEncipherment, dataEncipherment extendedKeyUsage = serverAuth, clientAuth subjectAltName = DNS:vcenter01, IP:10.0.0.1, DNS:vcenter01.company.local (change this) [ req_distinguished_name ] countryName = SK (change this) stateOrProvinceName = Slovakia (change this) localityName = Bratislava (change this) 0.organizationName = Example, spol. s r.o. (change this) organizationalUnitName = VMware vCenter Service Certificate commonName = vcenter01.company.local (change this)
3. Now generate certificate request (csr) file:
openssl req -new -nodes -out rui_service.csr -keyout rui_service.key -config openssl.conf
Now you need to sign this request.
4. If you are using Microsoft Active Directory based CA, sign certificate and download it in base64 encoded format with full chain. Save it as rui_service.p7b. If you are using different CA, use it to sign you csr. Next command is for conversion p7b file, obtained from MS AD CA.
openssl pkcs7 -print_certs -in rui_service.p7b -out rui_service.crt
This seems to be stupid, but using file editor delete junk between first —–BEGIN CERTIFICATE—– and after —–END CERTIFICATE—– in rui_service.crt. Now you rui_service.crt contains certificate with full trush path.
5. Check – In this step your file rui_service.crt should contain multiple certificates (full trust path). This means vcenter server certificate is first, intermediate certificate(s) if any, and CA certificate at the end. If your CA provides you just certificate in crt file, intermediate certificate and CA certificates in seperate files, just copy&pate them in corret order to the end of rui_service.crt. It should look like this example.
6. Generate pfx file (yes, password must be testpassword)
openssl pkcs12 -export -out rui.pfx -in rui_service.crt -inkey rui_service.key -name rui -passout pass:testpassword
Now you have all required certificates!
7. Replace certifices with new one. You need to know vcenter Single Sign On (SSO) Admin password.
This script will replace certificates and restart services. It is good idea to take snapshot before running it:
SSO_PASSWORD="password here" service vmware-stsd stop service vmware-vpxd stop /usr/sbin/vpxd_servicecfg certificate change rui_service.crt rui_service.key service vmware-stsd start service vmware-vpxd start cd /usr/lib/vmware-vpx/inventoryservice/ssl cp /root/rui_service.crt rui.crt cp /root/rui_service.key rui.key cp /root/rui.pfx rui.pfx chmod 400 rui.key rui.pfx chmod 644 rui.crt cd /etc/vmware-sso/register-hooks.d ./02-inventoryservice --mode uninstall --ls-server https://$(hostname):7444/lookupservice/sdk ./02-inventoryservice --mode install --ls-server https://$(hostname):7444/lookupservice/sdk --user "email@example.com" --password "$SSO_PASSWORD" rm /var/vmware/vpxd/inventoryservice_registered service vmware-inventoryservice stop service vmware-vpxd stop service vmware-inventoryservice start service vmware-vpxd start service vsphere-client restart cd /usr/lib/vmware-logbrowser/conf cp /root/rui_service.crt rui.crt cp /root/rui_service.key rui.key cp /root/rui.pfx rui.pfx cd /etc/vmware-sso/register-hooks.d ./09-vmware-logbrowser --mode uninstall --ls-server https://$(hostname):7444/lookupservice/sdk ./09-vmware-logbrowser --mode install --ls-server https://$(hostname):7444/lookupservice/sdk --user "firstname.lastname@example.org" --password "$SSO_PASSWORD"
8. Done in 8 steps and 15 minutes!