Implementing Microsoft CA-issued SSL for vCOps
After deploying the vCSA with SSL certs, I decided it was time to finally fix up all the other services that are running on self-signed certs. Next up, vRealize Operations Manager AKA vCenter Operations (vCOps). Although there is a KB Article for this, it is pretty limited.
For this guide I assume that OpenSSL is installed in C:\OpenSSL_Win64 - update to the relevant path for your environment. I have followed the folder structure from Configuring Certificate Authority (CA) signed certificates for vCenter Server Appliance 5.5 (2057223), using c:\certs as the base.
Required: Configuring OpenSSL for installation and configuration of CA signed certificates in the vSphere environment (2015387). Recommended: Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 5.x (2062108). This will allow you to specify multiple alternate names (e.g. IP, shortname, and FQDN)
Generate the certificate request:
We start off by generating the Certificate signing request (CSR).
- Create a directory C:\Certs\vCOps
- Change to the openSSL directory and generate the CSR:
cd C:\OpenSSL-Win64\bin openssl req -new -nodes -out c:\certs\vCOps\rui_vcops.csr -keyout c:\certs\vCOps\rui_vcops.key -config c:\certs\vCOps\openssl_vcops.cfg
Submit the request to the CA
- Log in to the Microsoft CA certificate authority web interface. By default, it is: http://servername/CertSrv/
- Click the Request a certificate link.
- Click advanced certificate request.
- Click the “Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file” link.
- Open the certificate request (rui_vcops.csr, as generated above ) in a plain text editor and copy and paste everything from
-----BEGIN CERTIFICATE REQUEST-----to
-----END CERTIFICATE REQUEST-----
- Select the Certificate Template as your VMware SSL Cert template
- Click Submit to submit the request.
- Click Base 64 encoded on the Certificate issued screen.
- Click the Download Certificate link.
- Save the certificate as rui_vcops.crt, in the c:\certs\vCOps folder. Note: By default, Microsoft CA certificates are generated with the .cer format. Either use Save As or change it to .crt before continuing with this procedure.
- Navigate back to the home page of the certificate server and click Download a CA certificate, certificate chain or CRL.
- Click the Base 64 option.
- Click the Download CA Certificate chain link.
- Save the certificate chain as cachain.p7b in the c:\certs\ directory.
Generate the certificate file
We should now have all the parts required to generate the certificate, run the following to complete:
c:\OpenSSL-Win64\bin\openssl.exe pkcs12 -export -in certnew.crt -inkey rui_vcops.key -out vcops.p12
c:\OpenSSL-Win64\bin\openssl.exe pkcs12 -in vcops.p12 -nodes -out vcops.pem
There is one final step since we are using a Microsoft CA- we must add the root certificates (and any intermediate certs) to the .pem file before we upload to vCops.
- Convert the file from a p7b to pem:
c:\OpenSSL-Win64\bin\openssl pkcs7 -print_certs -in cachain.p7b -out cachain.pem
- A text editor, remove any text before the first
-----BEGIN CERTIFICATE-----and after
-----END CERTIFICATE-----. Note: This assumes there are no intermediate certificates in the Certificate Authority. If you are using two or more levels in the Certificate Authorities, remove any text in between the
-----END CERTIFICATE-----of the intermediate thumbprint and
-----BEGIN CERTIFICATE-----of the Root CA thumbprint. Before editing, review the chain.pem file to ensure all intermediates and the Root CA server thumbprints are present. If the file does not contain the authority certificate, obtain it from the Certification Authority and append it manually.This should result in a concatenated file similar to the model below:
-----BEGIN CERTIFICATE----- <<Thumbprint Intermediate(n) CA Server>> -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- <<Thumbprint Intermediate(2) CA Server>> -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- <<Thumbprint Intermediate(1) CA Server>> -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- <<Thumbprint Root CA Server -----END CERTIFICATE-----
- Copy the result of above into the vcops.pem file. You should have multiple certificate sections, and one Pirvate key section.
Upload the Certificate
Login to vCOps and upload the final .pem file in the SSL tab. If all goes well, you should get a nice green message saying the process was successful.
Update vCOps to use hostname rather than IP
By default, vCOps registers with the IP of the UI VM with vCenter. This will cause a certificate warning, despite the cert we generated having the IP listed as an alternate name. The fix is to make vCOps register with the DNS name, and then update all vCenter registrations.