
Replacing Default vCenter 5.1 and ESXi Certificates


vCenter Server 5.1.0 ESXi 5.1.0

This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.

EN-000980-04


You can find the most up-to-date technical documentation on the VMware Web site at: http://www.vmware.com/support/ The VMware Web site also provides the latest product updates. If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com

Copyright 2009-2013 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.

VMware, Inc. 3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com


Contents

About vCenter and ESXi Certificates
- vCenter and ESXi SSL Certificate Requirements
- Managing ESXi and vCenter Server SSL Certificates
- Obtain and Configure Certificate Authorities Signed SSL Certificates
- Update the Certificate Trust Store for vCenter Server Components
- Troubleshooting vCenter Server Certificates


About vCenter and ESXi Certificates

vSphere encrypts session information using standard digital certificates. Using the default certificates that vSphere creates might not comply with the security policy of your organization. If you require a certificate from a trusted certificate authority, you can replace the default certificate. Certificate checking is enabled by default and SSL certificates are used to encrypt network traffic. However, ESXi and vCenter Server use automatically generated certificates that are created as part of the installation process and stored on the server system. These certificates are unique and make it possible to begin using the server, but they are not verifiable and are not signed by a trusted, well-known certificate authority (CA). These default certificates are vulnerable to possible man-in-the-middle attacks. To receive the full benefit of certificate checking, especially if you intend to use encrypted remote connections externally, install new certificates that are signed by a valid internal certificate authority or public key infrastructure (PKI) service. Alternatively, purchase a certificate from a trusted commercial security authority. For information about encryption and securing your vSphere environment, see the vSphere Security documentation.

Intended Audience
This information is for anyone who wants to manage SSL certificates for vCenter components. The information is written for experienced Windows or Linux system administrators who are familiar with virtual machine technology and datacenter operations.

This chapter includes the following topics:
- vCenter and ESXi SSL Certificate Requirements
- Managing ESXi and vCenter Server SSL Certificates
- Obtain and Configure Certificate Authorities Signed SSL Certificates
- Update the Certificate Trust Store for vCenter Server Components
- Troubleshooting vCenter Server Certificates

vCenter and ESXi SSL Certificate Requirements


VMware products use standard X.509 version 3 (X.509v3) certificates to encrypt session information sent over Secure Sockets Layer (SSL) protocol connections between components. For example, communications between a vCenter Server system and each ESXi host that it manages are encrypted. Some features, such as vSphere Fault Tolerance, require the certificate verification provided by SSL. The client verifies the authenticity of the certificate presented during the SSL handshake phase, before encryption, which protects against man-in-the-middle attacks.


Each vCenter Server system component, shown in the following list, must have a unique certificate.
- vCenter Inventory Service
- vCenter Single Sign-On
- vCenter Update Manager
- vCenter Server
- vSphere Web Client
- vCenter Log Browser

When you replace default vCenter and ESXi certificates, the certificates you obtain for your servers must be signed and conform to the Privacy Enhanced Mail (PEM) key format. PEM is a key format that stores data in a Base-64 encoded Distinguished Encoding Rules (DER) format. The key used to sign certificates must be a standard RSA key with a length from 1024 to 2048 bits (2048 bits is the recommended length).

Certificates signed by a commercial certificate authority, such as Entrust or VeriSign, are pre-trusted on the Windows operating system. However, if you replace a certificate with one signed by your own local root CA, or if you plan to continue using a default certificate, you must pre-trust the certificate by importing it into the local certificate store for each vSphere Client instance. You must pre-trust all certificates that are signed by your own local root CA, unless you pre-trust the parent certificate, the root CA's own certificate. You must also pre-trust any valid default certificates that you will continue to use on vCenter Server.

Managing ESXi and vCenter Server SSL Certificates


Certificate Authority (CA) assigned SSL certificates for vSphere are required within many organizations to maintain proper security for regulatory requirements.

Prerequisites
Each vCenter Server component requires a unique certificate. Before you begin creating, installing, and replacing SSL certificates, be sure that your vSphere environment meets the following criteria.
- vSphere 5.1.0a or later
- All components for which you are managing certificates are installed
- OpenSSL 0.9.8 (required)

The tasks in this document assume that you installed OpenSSL in the default directory (C:\OpenSSL-Win32). If you installed OpenSSL in a different directory, adjust the paths as needed.

Obtain and Configure Certificate Authorities Signed SSL Certificates


Obtain and configure SSL certificates and certificate requests needed to get CA-signed SSL certificates.

NOTE For better security, private keys should not leave the system for which they are created.

Because a private key should not leave the system for which it was created, the following are best practices when creating and obtaining certificates and generating requests.
- When you create OpenSSL configuration files, create them on the same system as the component whose certificate you are changing. This should be the same system on which the current certificate is located.
- When you generate certificate requests, generate them on the same system on which the corresponding component is located.
- When you get an SSL certificate, download the returned certificate from a CA (and its root) directly to the system on which the corresponding component resides (certificate + private key).

Procedure
1 Create the OpenSSL Configuration Files
  Each of the six vCenter components requires a unique certificate. On the component for which you generate the certificates, create a folder in which you can store the certificates.
2 Get the SSL Certificate
  After the certificate request is created, send the request to the certificate authority to generate the actual certificate. The authority returns a certificate and, if appropriate, a copy of the authority's root certificate.
3 Create the PFX Files
  The rui.pfx file is a concatenation of the system's certificate (rui.crt) and private key (rui.key), exported in the PFX format. The file is copied to the subdirectory on the vCenter Server system.
4 Create the JKS File
  After the PFX files are created you can create the Java Keystore file (JKS) for use with the configuration.
5 Replacing Default vCenter and ESXi Certificates
  Replacing default SSL certificates for vCenter Server and ESXi with CA-signed SSL certificates helps ensure security.

Create the OpenSSL Configuration Files


Each of the six vCenter components requires a unique certificate. On the component for which you generate the certificates, create a folder in which you can store the certificates.

NOTE Each SSL certificate needs a unique Distinguished Name (DN). The following examples use the OrganizationalUnitName (OU) field to achieve this uniqueness, based on a configuration where all components are installed on the same server. If the services are on separate servers, they have a unique DN by default. For improved security, create the configuration files and generate the keys on the machine running the service.

Prerequisites
- You have a vSphere 5.1 environment.
- The environment has been pre-installed for all components for which you will be installing certificates.
- OpenSSL 0.9.8 has been installed in the default directory (C:\OpenSSL-Win32). If it has been installed elsewhere, substitute the alternate location appropriately.

Procedure
1 Create the OpenSSL Configuration File for the Inventory Service
2 Create the OpenSSL Configuration File for vCenter Single Sign-On
3 Create the OpenSSL Configuration File for vCenter Server
4 Create the OpenSSL Configuration File for the vSphere Web Client
5 Create the OpenSSL Configuration File for the VMware Log Browser
6 Create the OpenSSL Configuration File for vSphere Update Manager


Create the OpenSSL Configuration File for the Inventory Service


Procedure
1 On the machine running the Inventory Service, create a file in C:\certs named inventoryservice.cfg.
2 Add the required information to the configuration file. Change the placeholder values (server.domain.com, ServerShortName, ServerIPAddress, Country, State, City, Company Name) to match your environment.

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS: server.domain.com, DNS: ServerShortName, IP: ServerIPAddress

[ req_distinguished_name ]
countryName = Country
stateOrProvinceName = State
localityName = City
0.organizationName = Company Name
organizationalUnitName = vCenterInventoryService
commonName = server.domain.com

What to do next
Generate the certificate request.

Generate Certificate Request for Inventory Service

After you have configured OpenSSL, generate a certificate request.

Procedure
1 Open a command prompt on the machine running the Inventory Service and navigate to the OpenSSL directory. By default, this directory is C:\OpenSSL-Win32\bin.
2 Run the following command to create the Inventory Service certificate request and export the private key.
openssl req -new -nodes -out c:\certs\rui.csr -keyout c:\certs\rui-orig.key -config c:\certs\inventoryservice.cfg
3 Convert the key to the proper RSA format for the Inventory Service.
openssl rsa -in c:\certs\rui-orig.key -out c:\certs\rui.key

The c:\certs directory now contains rui.csr and rui.key.

Create the OpenSSL Configuration File for vCenter Single Sign-On


Procedure
1 On the machine running Single Sign-On, create a file in C:\certs named sso.cfg.
2 Add the required information to the configuration file. Change the placeholder values (server.domain.com, ServerShortName, ServerIPAddress, Country, State, City, Company Name) to match your environment.

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS: server.domain.com, DNS: ServerShortName, IP: ServerIPAddress

[ req_distinguished_name ]
countryName = Country
stateOrProvinceName = State
localityName = City
0.organizationName = Company Name
organizationalUnitName = vCenterSSO
commonName = server.domain.com

What to do next
Generate the certificate request.

Generate Certificate Requests for Single Sign-On

After you have configured OpenSSL, generate a certificate request for Single Sign-On.

Procedure
1 On the machine running Single Sign-On, open a command prompt and navigate to the OpenSSL directory. By default, this directory is C:\OpenSSL-Win32\bin.
2 Run the following command to create the Single Sign-On certificate request and export the private key.
openssl req -new -nodes -out c:\certs\rui.csr -keyout c:\certs\rui-orig.key -config c:\certs\sso.cfg
3 Convert the key to the proper RSA format for Single Sign-On.
openssl rsa -in c:\certs\rui-orig.key -out c:\certs\rui.key

The c:\certs directory for Single Sign-On now contains rui.csr and rui.key.

Create the OpenSSL Configuration File for vCenter Server


Procedure
1 On the machine running vCenter Server, create a file in C:\certs named vcenter.cfg.
2 Add the required information to the configuration file. Change the placeholder values (server.domain.com, ServerShortName, ServerIPAddress, Country, State, City, Company Name) to match your environment.

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS: server.domain.com, DNS: ServerShortName, IP: ServerIPAddress

[ req_distinguished_name ]
countryName = Country
stateOrProvinceName = State
localityName = City
0.organizationName = Company Name
organizationalUnitName = vCenterServer
commonName = server.domain.com

What to do next
Generate the certificate request.

Generate Certificate Requests for vCenter Server

After you have configured OpenSSL, generate a certificate request for vCenter Server.

Procedure
1 On the machine running vCenter Server, open a command prompt and navigate to the OpenSSL directory. By default, this directory is C:\OpenSSL-Win32\bin.
2 Run the following command to create the vCenter Server certificate request and export the private key.
openssl req -new -nodes -out c:\certs\rui.csr -keyout c:\certs\rui-orig.key -config c:\certs\vcenter.cfg
3 Convert the key to the proper RSA format for vCenter Server.
openssl rsa -in c:\certs\rui-orig.key -out c:\certs\rui.key

The vCenter Server certificate directory now contains rui.csr and rui.key.

Create the OpenSSL Configuration File for the vSphere Web Client
Procedure
1 On the machine running the vSphere Web Client, create a file in C:\certs called webclient.cfg.
2 Add the required information to the configuration file. Change the placeholder values (server.domain.com, ServerShortName, ServerIPAddress, Country, State, City, Company Name) to match your environment.

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS: server.domain.com, DNS: ServerShortName, IP: ServerIPAddress

[ req_distinguished_name ]
countryName = Country
stateOrProvinceName = State
localityName = City
0.organizationName = Company Name
organizationalUnitName = vCenterWebClient
commonName = server.domain.com

What to do next
Create the certificate request.

Generate Certificate Requests for the vSphere Web Client

After you have configured OpenSSL, generate a certificate request for the vSphere Web Client.

Procedure
1 On the machine running the vSphere Web Client, open a command prompt and navigate to the OpenSSL directory. By default, this directory is C:\OpenSSL-Win32\bin.
2 Run the following command to create the vSphere Web Client certificate request and export the private key.
openssl req -new -nodes -out c:\certs\rui.csr -keyout c:\certs\rui-orig.key -config c:\certs\webclient.cfg
3 Convert the key to the proper RSA format for the vSphere Web Client.
openssl rsa -in c:\certs\rui-orig.key -out c:\certs\rui.key

The certs directory for the vSphere Web Client now contains rui.csr and rui.key.

Create the OpenSSL Configuration File for the VMware Log Browser
Procedure
1 On the machine running the VMware Log Browser, create a file in C:\certs named LogBrowser.cfg.
2 Add the required information to the configuration file. Change the placeholder values (server.domain.com, ServerShortName, ServerIPAddress, Country, State, City, Company Name) to match your environment.

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS: server.domain.com, DNS: ServerShortName, IP: ServerIPAddress

[ req_distinguished_name ]
countryName = Country
stateOrProvinceName = State
localityName = City
0.organizationName = Company Name
organizationalUnitName = vCenterLogBrowser
commonName = server.domain.com

What to do next
Generate the certificate request.

Generate Certificate Requests for the Log Browser

After you have configured OpenSSL, generate a certificate request for the Log Browser.

Procedure
1 On the machine running the Log Browser, open a command prompt and navigate to the OpenSSL directory. By default, this directory is C:\OpenSSL-Win32\bin.
2 Run the following command to create the Log Browser certificate request and export the private key.
openssl req -new -nodes -out c:\certs\rui.csr -keyout c:\certs\rui-orig.key -config c:\certs\LogBrowser.cfg
3 Convert the key to the proper RSA format for the Log Browser.
openssl rsa -in c:\certs\rui-orig.key -out c:\certs\rui.key

The Log Browser certs directory now contains rui.csr and rui.key.

Create the OpenSSL Configuration File for vSphere Update Manager


Procedure
1 On the machine running vSphere Update Manager, create a file in C:\certs named UpdateManager.cfg.
2 Add the required information to the configuration file. Change the placeholder values (server.domain.com, ServerShortName, ServerIPAddress, Country, State, City, Company Name) to match your environment.

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS: server.domain.com, DNS: ServerShortName, IP: ServerIPAddress

[ req_distinguished_name ]
countryName = Country
stateOrProvinceName = State
localityName = City
0.organizationName = Company Name
organizationalUnitName = VMwareUpdateManager
commonName = server.domain.com

What to do next
Generate the certificate requests.

Generate Certificate Requests

After you have configured OpenSSL, generate a certificate request for each component.

Prerequisites
- Verify that you created and configured the required OpenSSL configuration files.
- You have a vSphere 5.1 environment.
- The environment has been pre-installed for all components for which you will be installing certificates.
- The OpenSSL v1.0.1c (or later) package has been installed in the default directory (C:\OpenSSL-Win32). If it has been installed elsewhere, substitute the alternate location appropriately.

Procedure
1 Open a command prompt and navigate to the OpenSSL directory. By default, this directory is C:\OpenSSL-Win32\bin.
2 Run the following command to create the Inventory Service certificate request and export the private key.
openssl req -new -nodes -out c:\certs\InventoryService\rui.csr -keyout c:\certs\InventoryService\rui-orig.key -config c:\certs\InventoryService\inventoryservice.cfg
3 Convert the key to the proper RSA format for the Inventory Service.
openssl rsa -in c:\certs\InventoryService\rui-orig.key -out c:\certs\InventoryService\rui.key
4 Run the following commands to create the vCenter Single Sign-On certificate request, export the private key, and convert the key to RSA format.
openssl req -new -nodes -out c:\certs\sso\rui.csr -keyout c:\certs\sso\rui-orig.key -config c:\certs\sso\sso.cfg
openssl rsa -in c:\certs\sso\rui-orig.key -out c:\certs\sso\rui.key
5 Run the following commands to create the vCenter Server certificate request, export the private key, and convert the key to RSA format.
openssl req -new -nodes -out c:\certs\vCenter\rui.csr -keyout c:\certs\vCenter\rui-orig.key -config c:\certs\vCenter\vcenter.cfg
openssl rsa -in c:\certs\vCenter\rui-orig.key -out c:\certs\vCenter\rui.key
6 Run the following commands to create the vSphere Web Client certificate request, export the private key, and convert the key to RSA format.
openssl req -new -nodes -out c:\certs\WebClient\rui.csr -keyout c:\certs\WebClient\rui-orig.key -config c:\certs\WebClient\webclient.cfg
openssl rsa -in c:\certs\WebClient\rui-orig.key -out c:\certs\WebClient\rui.key
7 Run the following commands to create the vSphere Log Browser certificate request, export the private key, and convert the key to RSA format.
openssl req -new -nodes -out c:\certs\LogBrowser\rui.csr -keyout c:\certs\LogBrowser\rui-orig.key -config c:\certs\LogBrowser\logbrowser.cfg
openssl rsa -in c:\certs\LogBrowser\rui-orig.key -out c:\certs\LogBrowser\rui.key
8 Run the following commands to create the vSphere Update Manager certificate request, export the private key, and convert the key to RSA format.
openssl req -new -nodes -out c:\certs\UpdateManager\rui.csr -keyout c:\certs\UpdateManager\rui-orig.key -config c:\certs\UpdateManager\updatemanager.cfg
openssl rsa -in c:\certs\UpdateManager\rui-orig.key -out c:\certs\UpdateManager\rui.key

Each configuration subdirectory now contains rui.csr and rui.key.

What to do next
Get the certificate from the signing Certificate Authority.

Get the SSL Certificate


After the certificate request is created, send the request to the certificate authority to generate the actual certificate. The authority returns a certificate and, if appropriate, a copy of the authority's root certificate.

Prerequisites
You must have a certificate request on each system where a component resides, and each request must be on the system of the component it is for. For example, in a system that contains both vCenter Single Sign-On and a vCenter Server, you should have a certificate request for vCenter Single Sign-On on the machine where Single Sign-On is located, and a separate certificate request for the vCenter Server on the machine on which vCenter Server resides.

Procedure
- If you use a commercial Certificate Authority, generate the request to send to the Certificate Authority.
  a Send the rui.csr file to the appropriate certificate authority.
  b After the authority sends your generated certificate, install the root certificate onto the vCenter Server.
  c Repeat these steps for each certificate request that you generated.
- If you use a Microsoft CA (2003 or later), create the request.
  NOTE Based on the requirements of the key, ensure that the WebServer Template has been copied to allow for encryption of user data. Select Certificate Manager > Extensions > Key Usage > Allow encryption of user data to generate the request.
  a Browse to your Microsoft Certificate Authority Web site, and select Request a Certificate.
  b Select Advanced Certificate Request and select Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
  c Open the rui.csr file with a text editor, copy the contents of the file (including the beginning and ending tags), and paste the contents into the Saved Request area.
  d Select the Certificate Template as the Web Server template and click Submit. The Web Server template includes Subject Alternative Names (required for vCenter Server, optional for ESXi). You might have to modify the template to include this parameter.
  e Select Download Certificate and save the certificate as rui.crt in the appropriate c:\certs\service folder.
  f Repeat steps a through e for each certificate request that you generated.
  g Navigate back to the home page of the certificate server and click Download a CA certificate, certificate chain or CRL.
  h Select the Base 64 option, and select Download CA Certificate chain.
  i Save the certificate chain as cachain.p7b in the c:\certs folder on the system where it will be used to change from the existing SSL certificate.
  j Double-click the cachain.p7b file, and navigate to C:\certs\cachain.p7b\Certificates.
  k Right-click the certificate listed, select All Actions > Export, and click Next.
  l Select Base-64 encoded X.509 (.CER), and click Next.
  m Save the export at C:\certs\Root64.cer and click Next.
  n Click Finish.
  o Double-click the rui.crt file and validate that the proper alternative names and subjects are in each certificate.

When complete, the certificates are generated and you have the rui.key and rui.crt for each service and the Root64.cer root certificate.

What to do next
Create the PFX for each component.

Create the PFX Files


The rui.pfx file is a concatenation of the system's certificate (rui.crt) and private key (rui.key), exported in the PFX format. The file is copied to the subdirectory on the vCenter Server system.

Personal Information Exchange Format (PFX) enables transfer of certificates and their private keys from one computer to another or to removable media. The Microsoft Windows CryptoAPI uses the PFX format, also known as PKCS #12.

Procedure
1 On the system where you generated the certificate-signing request (by default this is C:\OpenSSL-Win32\bin), type the following command to create the rui.pfx file for the Inventory Service.
openssl pkcs12 -export -in c:\certs\InventoryService\rui.crt -inkey c:\certs\InventoryService\rui.key -certfile c:\certs\Root64.cer -name "rui" -passout pass:testpassword -out c:\certs\InventoryService\rui.pfx
IMPORTANT You must use the password testpassword.
2 On the machine running Single Sign-On, type the following command to create the rui.pfx file.
openssl pkcs12 -export -in c:\certs\rui.crt -inkey c:\certs\rui.key -certfile c:\certs\Root64.cer -name "rui" -passout pass:testpassword -out c:\certs\rui.pfx
3 On the machine running vCenter Server, type the following command to create the rui.pfx file.
openssl pkcs12 -export -in c:\certs\rui.crt -inkey c:\certs\rui.key -certfile c:\certs\Root64.cer -name "rui" -passout pass:testpassword -out c:\certs\rui.pfx
4 On the machine running the vSphere Web Client, type the following command to create the rui.pfx file.
openssl pkcs12 -export -in c:\certs\rui.crt -inkey c:\certs\rui.key -certfile c:\certs\Root64.cer -name "rui" -passout pass:testpassword -out c:\certs\rui.pfx
5 On the machine running the Log Browser, type the following command to create the rui.pfx file.
openssl pkcs12 -export -in c:\certs\rui.crt -inkey c:\certs\rui.key -certfile c:\certs\Root64.cer -name "rui" -passout pass:testpassword -out c:\certs\rui.pfx
6 On the machine running vSphere Update Manager, type the following command to create the rui.pfx file.
openssl pkcs12 -export -in c:\certs\rui.crt -inkey c:\certs\rui.key -certfile c:\certs\Root64.cer -name "rui" -passout pass:testpassword -out c:\certs\rui.pfx
7 Verify that a Base 64-encoded string of characters is displayed together with information about the PFX file. To test the encoding, type openssl pkcs12 -in c:\certs\service\rui.pfx -info.
NOTE When prompted, use testpassword for both the password and the passphrase.

If the PFX file is not valid, you cannot proceed with the certificate replacement process. A valid PFX file is required.

What to do next Create the JKS files.
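The request, signing and PFX steps above can be rehearsed and checked end to end before anything is copied to a vCenter system. The following POSIX shell script is an added example written for this page, not VMware's code. It writes one component configuration with the same structure as the .cfg files above, runs the same openssl req, openssl rsa and openssl pkcs12 -export commands, and then performs the checks an administrator should make before proceeding: that the request and the signed certificate carry the expected subjectAltName entries and the per-component OU, that the returned certificate matches the locally generated key, and that rui.pfx opens with testpassword, carries the friendly name rui (the -srcalias the keytool import expects) and chains to Root64.cer. Because no CA is reachable offline, a throw-away self-signed lab CA stands in for the organization's CA and signs the request. The host name vc01.example.test, the short name vc01, the address 192.0.2.10, the work directory and all function names are constructed for this example; two components are issued for the same host so that only the OU distinguishes their DNs, the situation the NOTE on unique DNs describes. The openssl commands are identical on Windows; only the shell syntax and paths differ.

```shell
# Added example, not VMware's code: rehearse the document's per-component
# certificate workflow against a throw-away lab CA, then verify the results.
# Host names, addresses, the lab CA and the work directory are constructed.
set -eu
WORK="${WORK:-$(mktemp -d)}"   # stands in for C:\certs on the Windows host

# write_component_cfg OU FQDN SHORTNAME IP: same structure as the document's
# .cfg files; the OU makes each DN unique, the SAN lists FQDN, short name, IP.
write_component_cfg() {
    cat <<EOF
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:$2, DNS:$3, IP:$4
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = California
localityName = Palo Alto
0.organizationName = Example Lab
organizationalUnitName = $1
commonName = $2
EOF
}

# make_lab_ca: self-signed root standing in for the signing CA; saved as Root64.cer.
make_lab_ca() {
    printf '%s\n' '[ req ]' 'distinguished_name = dn' 'prompt = no' \
        'x509_extensions = v3_ca' '[ dn ]' 'CN = Example Lab Root CA' '[ v3_ca ]' \
        'basicConstraints = critical, CA:TRUE' 'keyUsage = critical, keyCertSign, cRLSign' \
        > "$WORK/ca.cfg"
    openssl req -x509 -new -nodes -newkey rsa:2048 -days 30 -config "$WORK/ca.cfg" \
        -keyout "$WORK/ca.key" -out "$WORK/Root64.cer" 2>/dev/null
}

# issue_component DIR OU FQDN SHORTNAME IP: the document's request steps
# (config, CSR plus key, RSA conversion); the lab CA then signs the CSR in
# place of the real CA's reply, copying v3_req so the SAN is kept.
issue_component() {
    mkdir -p "$1"
    write_component_cfg "$2" "$3" "$4" "$5" > "$1/component.cfg"
    openssl req -new -nodes -out "$1/rui.csr" -keyout "$1/rui-orig.key" \
        -config "$1/component.cfg" 2>/dev/null
    openssl rsa -in "$1/rui-orig.key" -out "$1/rui.key" 2>/dev/null
    openssl x509 -req -in "$1/rui.csr" -CA "$WORK/Root64.cer" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 30 -extfile "$1/component.cfg" -extensions v3_req \
        -out "$1/rui.crt" 2>/dev/null
}

# san_of FILE KIND: subjectAltName values of a CSR (req) or certificate (x509).
san_of() {
    openssl "$2" -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^[[:space:]]*//'
}

# ou_of FILE KIND: subject OU, the field the document varies per component.
ou_of() {
    openssl "$2" -in "$1" -noout -subject | sed -n 's/.*OU *= *\([^,/]*\).*/\1/p'
}

# cert_matches_key CRT KEY: "ok" when the returned certificate carries the
# public key of the locally generated private key; otherwise prints nothing.
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ] && echo ok
}

# build_pfx DIR: the document's export, alias "rui", the mandated password.
build_pfx() {
    openssl pkcs12 -export -in "$1/rui.crt" -inkey "$1/rui.key" -certfile "$WORK/Root64.cer" \
        -name "rui" -passout pass:testpassword -out "$1/rui.pfx"
}

# check_pfx PFX: "ok" when the file opens with testpassword, carries friendly
# name "rui" (keytool's -srcalias) and its certificate chains to Root64.cer.
check_pfx() {
    openssl pkcs12 -in "$1" -info -nokeys -passin pass:testpassword 2>&1 \
        | grep -q 'friendlyName: rui' || return 1
    openssl pkcs12 -in "$1" -clcerts -nokeys -passin pass:testpassword 2>/dev/null \
        | openssl verify -CAfile "$WORK/Root64.cer" >/dev/null 2>&1 && echo ok
}

main() {
    make_lab_ca
    issue_component "$WORK/InventoryService" vCenterInventoryService vc01.example.test vc01 192.0.2.10
    issue_component "$WORK/sso" vCenterSSO vc01.example.test vc01 192.0.2.10
    build_pfx "$WORK/InventoryService"
    echo "SAN: $(san_of "$WORK/InventoryService/rui.crt" x509)"
    echo "OU:  $(ou_of "$WORK/InventoryService/rui.csr" req) / $(ou_of "$WORK/sso/rui.csr" req)"
    echo "key: $(cert_matches_key "$WORK/InventoryService/rui.crt" "$WORK/InventoryService/rui.key")"
    echo "pfx: $(check_pfx "$WORK/InventoryService/rui.pfx")"
}
main
```

Run it with sh; it prints the SAN of the signed certificate, the two OUs, and ok for the key match and the PFX check. The san_of, ou_of and cert_matches_key functions can be pointed at a rui.crt returned by a real CA before the PFX is built; a CA template that drops the Subject Alternative Name, which the page notes is required for vCenter Server, shows up as an empty SAN line at that point rather than after the certificate has been installed.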

Create the JKS File


After the PFX files are created you can create the Java Keystore file (JKS) for use with the configuration.

Procedure
1 Open a command prompt on the system with Single Sign-On installed.
2 Navigate to the C:\Program Files\VMware\Infrastructure\jre\bin\ directory.
3 Run the following command to create root-trust.jks.
keytool -v -importkeystore -srckeystore C:\certs\rui.pfx -srcstoretype pkcs12 -srcstorepass testpassword -srcalias rui -destkeystore C:\certs\root-trust.jks -deststoretype JKS -deststorepass testpassword -destkeypass testpassword
4 After it has been created, the JKS file needs to have the root certificate added to it with the alias root-ca. To add the root certificate, type the following command.
keytool -v -importcert -keystore C:\certs\root-trust.jks -deststoretype JKS -storepass testpassword -keypass testpassword -file c:\certs\Root64.cer -alias root-ca
5 When prompted to trust this certificate, type yes. You should now see the message Certificate was added to the keystore.
6 Any intermediate certificates in the certificate chain must be added to the JKS file by typing the following command for each intermediate CA certificate.
keytool -v -importcert -noprompt -trustcacerts -keystore C:\certs\root-trust.jks -deststoretype JKS -storepass testpassword -keypass testpassword -file C:\certs\intercacert.cer -alias intermediate-hash.0
where intercacert is the certificate for the intermediate CA and hash is the hash generated by the openssl command openssl x509 -subject_hash -noout -in c:\certs\intercacert.cer.
7 Verify that the certificates have been imported successfully by typing the following command.
keytool -list -v -keystore c:\certs\root-trust.jks
8 Copy c:\certs\root-trust.jks to c:\certs\server-identity.jks.

You now have all of the files required to implement custom SSL certificates. Copy the c:\certs folder to the vCenter Server if all services are running on a single server. Otherwise, copy the respective certificates to the appropriate servers.

What to do next
- On the system where you generated the certificate-signing request, back up the existing default certificates.
- In a safe location, back up the newly created certificate files.

Replacing Default vCenter and ESXi Certificates


Replacing default SSL certificates for vCenter Server and ESXi with CA signed SSL certificates helps ensure security. To help you protect your vCenter Server and ESXi installation, you can replace default certificates with certificates signed by a certificate authority.

Replace Default vCenter Server SSL Certificates


When you install vCenter components such as vCenter Single Sign-On and the vSphere Web Client, the installer generates SSL certificates for each service by default. vCenter Single Sign-On uses the certificates for SSL handshakes and to authenticate solution users. The default certificates are not signed by a commercial certificate authority (CA). vCenter services that interact with vCenter Single Sign-On and the Lookup Service include the Inventory Service, vCenter Server, and the vSphere Web Client. Each of these services has an identity which is used to create x509 certificates. Procedure 1 2 Replace vCenter Single Sign-On Certificates on page 19 You can replace the SSL certificates for vCenter Single Sign-On and the Lookup Service. Replace Inventory Service SSL Certificates on page 22 The Inventory Service is installed with vCenter Single Sign-On and stores vCenter Server application and inventory data. The Inventory Service lets you search and access inventory objects across the vCenter Server systems that are registered with the Lookup Service. You can replace the SSL certificate for the Inventory Service. 3 Replace vCenter Server SSL Certificates on page 23 Replace default certificates with those signed by an internal certificate authority or public key infrastructure (PKI) service. Alternatively, purchase a certificate from a trusted commercial security authority.


4 Replace the vSphere Web Client and Log Browser SSL Certificate on page 25
You can replace or update the vSphere Web Client and Log Browser SSL certificates. Replace both certificates at the same time.
5 Update SSL Certificates for vCenter Single Sign On Server Behind a Load Balancer on page 26
When a deployment of vCenter Single Sign-On server systems is located behind a load balancer, it is not necessary to update the Lookup Service entries for the Security Token Service (STS), SSO Admin, and Group Check services. You need only to update the SSL certificate of a vCenter Single Sign-On system behind that load balancer.
6 Replacing SSL Certificates on vCenter Server Appliance on page 27
So far, this task describes replacing CA signed SSL certificates on a vCenter Server. The task is quite different for replacing SSL certificates on a vCenter Server Appliance.
7 Replace VMware vSphere Update Manager Certificates on page 27
You can replace vSphere Update Manager certificates.

Replace vCenter Single Sign-On Certificates

You can replace the SSL certificates for vCenter Single Sign-On and the Lookup Service.

The vCenter Single Sign-On installer also deploys the VMware Lookup Service on the host. The Lookup Service enables different components of vSphere to find one another in a secure way. When you install vSphere components after vCenter Single Sign-On, you must provide the Lookup Service URL. The Inventory Service and the vCenter Server installers ask for the Lookup Service URL and then contact the Lookup Service to find vCenter Single Sign-On. After installation, the Inventory Service and vCenter Server are registered in the Lookup Service so that other vSphere components, like the vSphere Web Client, can find them.

Prerequisites
- Verify that you have administrator privileges on the vCenter Single Sign-On system.
- Verify that the Windows environment variable JAVA_HOME is set to JAVA_HOME=C:\Program Files\VMware\Infrastructure\jre
- If you have not already done so, obtain the certificate files (including the certificate, private key, and keystore). See the following procedures:
  - Edit the OpenSSL Configuration File
  - Create and Submit Certificate-Signing Requests
  - Create the PFX Files, on page 16
  - Create the JKS File, on page 17
- The root certificate (root64.cer) has been imported into the local computer trust store.

Procedure
1 If necessary, copy the certificate files (rui.crt, rui.key, rui.pfx, root-trust.jks and server-identity.jks) to the system where vCenter Single Sign-On is installed.
2 Open a terminal window on the system where Single Sign-On is installed, and run the following command to list all service entries from the Lookup Service.
SSO install directory\ssolscli\ssolscli.cmd listServices Lookup Service URL
where Lookup Service URL is https://SSOserver.domain.com:7444/lookupservice/sdk.
3 Locate the following services: Group Check, SSO Admin, and Security Token Service (STS). You can identify the service by looking at the type field.


Service                       Type
Group Check                   urn:sso:groupcheck
SSO Admin                     urn:sso:admin
Security Token Service (STS)  urn:sso:sts

4 Use a text editor to create a properties file for each service. The following examples show what each file should look like.

sts.properties file
[service]
friendlyName=STS for Single Sign-On
version=1.0
ownerId=
type=urn:sso:sts
description=The Security Token Service of the Single Sign-On server.
[endpoint0]
uri=https://SSOserver.domain.com:7444/ims/STSService
ssl=C:\ProgramData\VMware\SSOCERTS\Root64.cer
protocol=wsTrust

gc.properties file
[service]
friendlyName=The group check interface of the Single Sign-On server
version=1.0
ownerId=
type=urn:sso:groupcheck
description=The group check interface of the Single Sign-On server
[endpoint0]
uri=https://SSOserver.domain.com:7444/sso-adminserver/sdk
ssl=C:\ProgramData\VMware\SSOCERTS\Root64.cer
protocol=vmomi

admin.properties file
[service]
friendlyName=The administrative interface of the Single Sign-On server
version=1.0
ownerId=
type=urn:sso:admin
description=The administrative interface of the Single Sign-On server
[endpoint0]
uri=https://SSOServer.domain.com:7444/sso-adminserver/sdk
ssl=C:\ProgramData\VMware\SSOCERTS\Root64.cer
protocol=vmomi

5 Locate the serviceId for each service, and use a text editor to create a separate service ID file for each service. The service ID is located in the serviceId field of the service listing. For example, the service ID file (serviceid_sts) takes the following form.
{D46D4BFD-CC5B-4AE7-87DC-5CD63A97B194}:7


The file cannot contain any other data.
6 Stop the Single Sign-On server.
7 Update Single Sign-On with the new keystore using the following command, where --keystore-file is the path to the JKS file:
SSO install directory\utils\ssocli configure-riat -a configure-ssl --keystore-file C:\ProgramData\VMware\SSOCERTS\root-trust.jks --keystore-password testpassword

NOTE Ensure that the JAVA_HOME variable is still set to JAVA_HOME=C:\Program Files\VMware\Infrastructure\jre
8 When you are prompted, type the master password that was configured during the installation of vCenter Single Sign-On.
9 Start the Single Sign-On server service from the Services applet. To validate that the certificate is correct, open a browser and navigate to https://ssoserver.domain.com:7444/sso-admin-server/sdk.
10 For each service, run the following command.
SSO install directory\utils\ssolscli updateService -d Lookup Service URL -u sso administrator -p sso administrator password -si serviceid_file -ip service.properties
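The -si and -ip files that updateService consumes in step 10 are hand-written, and a small slip (a stray line in the service ID file, a protocol that does not match the service type, an http endpoint) only shows up when the Lookup Service rejects the update. The following Python script is an added example, not part of this VMware document or of the ssolscli tool; it checks a properties file and a service ID file against the shapes shown in steps 4 and 5 before you run updateService, using only the standard library. The type-to-protocol mapping and the GUID:number pattern are taken from the examples above; treating a single trailing newline in the service ID file as acceptable is an assumption made here.

```python
import configparser
import re

# Service types from the Lookup Service listing, mapped to the endpoint
# protocol that the corresponding properties file above uses.
EXPECTED_PROTOCOL = {
    "urn:sso:sts": "wsTrust",
    "urn:sso:groupcheck": "vmomi",
    "urn:sso:admin": "vmomi",
}

# Shape of a service ID file as shown in step 5: one "{GUID}:n" token.
# Allowing a single trailing newline is an assumption made in this example.
SERVICE_ID_RE = re.compile(
    r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}:\d+$")

REQUIRED_KEYS = {
    "service": ("friendlyName", "version", "type", "description"),
    "endpoint0": ("uri", "ssl", "protocol"),
}


def check_properties(text):
    """Return a list of problems in a service .properties file; [] means it looks correct."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str          # keep camelCase keys such as friendlyName
    try:
        parser.read_string(text)
    except configparser.Error as exc:
        return [f"not parseable: {exc}"]
    problems = []
    for section, keys in REQUIRED_KEYS.items():
        if not parser.has_section(section):
            problems.append(f"missing [{section}] section")
            continue
        for key in keys:
            if not parser.get(section, key, fallback=""):
                problems.append(f"[{section}] {key} is missing or empty")
    if problems:
        return problems
    stype = parser.get("service", "type")
    proto = parser.get("endpoint0", "protocol")
    if stype not in EXPECTED_PROTOCOL:
        problems.append(f"unknown service type {stype}")
    elif proto != EXPECTED_PROTOCOL[stype]:
        problems.append(
            f"{stype} endpoint should use protocol {EXPECTED_PROTOCOL[stype]}, not {proto}")
    if not parser.get("endpoint0", "uri").lower().startswith("https://"):
        problems.append("endpoint uri must use https")
    if not parser.get("endpoint0", "ssl").lower().endswith(".cer"):
        problems.append("ssl should point at the CA certificate (.cer) file")
    return problems


def check_service_id(text):
    """Return a list of problems in a service ID file; the file may hold nothing but the ID."""
    lines = text.splitlines()
    if len(lines) != 1 or not SERVICE_ID_RE.match(lines[0]):
        return ["service ID file must contain exactly one {GUID}:n token and nothing else"]
    return []


# Constructed samples: the sts.properties content from step 4, a copy with the
# wrong protocol, and service ID files with and without trailing text.
STS_PROPERTIES = r"""[service]
friendlyName=STS for Single Sign-On
version=1.0
ownerId=
type=urn:sso:sts
description=The Security Token Service of the Single Sign-On server.
[endpoint0]
uri=https://SSOserver.domain.com:7444/ims/STSService
ssl=C:\ProgramData\VMware\SSOCERTS\Root64.cer
protocol=wsTrust
"""
BAD_STS_PROPERTIES = STS_PROPERTIES.replace("protocol=wsTrust", "protocol=vmomi")
GOOD_SERVICE_ID = "{D46D4BFD-CC5B-4AE7-87DC-5CD63A97B194}:7\n"
BAD_SERVICE_ID = GOOD_SERVICE_ID + "# copied from listServices output\n"

if __name__ == "__main__":
    print(check_properties(STS_PROPERTIES))        # []
    print(check_properties(BAD_STS_PROPERTIES))
    print(check_service_id(GOOD_SERVICE_ID))       # []
    print(check_service_id(BAD_SERVICE_ID))
```

To check real files, pass the file contents (for example `check_properties(open("sts.properties").read())`) and run updateService only when both functions return an empty list.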

11 Log in to the vCenter Single Sign-On Server. In this example, the files are located in C:\certs.
12 Copy the root certificate from the certification authority to the VMware SSL directory. For example, copy the C:\certs\Root64.cer file to C:\ProgramData\VMware\SSL\. This certificate is the root certificate for the certification authority that is being used.
13 Rename the current ca_certificates.crt to ca_certificates.bak, and then rename Root64.cer to ca_certificates.crt.
14 Type the following command to compute the hash.
openssl x509 -subject_hash -noout -in c:\certs\Root64.cer
The valid hash is returned.
15 Create a file named hash.0 using the hash returned in the previous step. The content of the file is the certificate whose hash is used for the name of the file.
IMPORTANT The hash must be created with OpenSSL v0.9.8, because that is the version that vCenter uses. If it is created with another version, the hash might not be correct.
16 Repeat this task for other intermediate certificate authorities. If there are intermediate certificate authorities, there is a file for each intermediate authority with the content of the intermediate certificate in the file. If you are using intermediate certificate authorities, you also need to append each certificate authority to the ca_certificates.crt file. To do this, run the following command:
more intermediateCA.cer >> ca_certificates.crt
where intermediateCA.cer is the certificate for the intermediate CA. Repeat this step for each intermediate CA that is in the certificate chain.
17 Navigate to the SSO Install directory\security.
18 Back up root-trust.jks and server-identity.jks.
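The IMPORTANT note in step 15 exists because OpenSSL 0.9.8 computes -subject_hash as the first four bytes of an MD5 digest of the DER-encoded subject name (read as a little-endian integer), while OpenSSL 1.0.0 and later switched -subject_hash to a SHA-1 based hash over a canonicalized name and expose the 0.9.8 value as -subject_hash_old. The following Python script is an added example, not part of this VMware document; it re-implements the 0.9.8 hash with only the standard library so that the hash.0 file name can be checked on any OpenSSL version. The embedded certificate is a constructed, unsigned skeleton (labelled as such), not a CA certificate; the DER walk assumes a well-formed X.509 certificate, and for real use you would pass the bytes of Root64.cer.

```python
import base64
import hashlib
import re
import struct


def pem_to_der(data):
    """Accept a PEM (Base-64) or DER certificate as bytes and return the DER bytes."""
    match = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    if match:
        return base64.b64decode(b"".join(match.group(1).split()))
    return data


def _tlv(data, pos):
    """Decode one DER tag-length header at pos; return (tag, value_start, value_end)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        length = int.from_bytes(data[pos:pos + count], "big")
        pos += count
    return tag, pos, pos + length


def extract_subject_der(cert_der):
    """Return the DER encoding of the subject Name (header included) of an X.509 certificate."""
    _, tbs_start, _ = _tlv(cert_der, 0)            # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, pos, tbs_end = _tlv(cert_der, tbs_start)    # TBSCertificate ::= SEQUENCE { ... }
    fields = []                                    # (tag, start_of_tlv, end_of_tlv)
    while pos < tbs_end and len(fields) < 6:
        tag, _, end = _tlv(cert_der, pos)
        fields.append((tag, pos, end))
        pos = end
    if fields and fields[0][0] == 0xA0:            # optional [0] EXPLICIT version comes first
        fields.pop(0)
    # What remains starts: serialNumber, signature, issuer, validity, subject
    tag, start, end = fields[4]
    if tag != 0x30:
        raise ValueError("subject is not a SEQUENCE; not a well-formed certificate")
    return cert_der[start:end]


def name_hash_old(name_der):
    """OpenSSL 0.9.8 X509_NAME_hash: first four MD5 bytes of the DER Name as a little-endian int."""
    digest = hashlib.md5(name_der).digest()
    return "%08x" % struct.unpack("<I", digest[:4])[0]


def subject_hash_old(cert):
    """The file name stem (the hash in hash.0) that OpenSSL 0.9.8 'x509 -subject_hash' prints."""
    return name_hash_old(extract_subject_der(pem_to_der(cert)))


# --- constructed sample: an unsigned certificate skeleton, NOT a real CA certificate ---
def _der(tag, body):
    """Minimal DER encoder, used only to build the sample below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    if n < 0x100:
        return bytes([tag, 0x81, n]) + body
    return bytes([tag, 0x82, n >> 8, n & 0xFF]) + body


def _name(common_name):
    """Name ::= SEQUENCE { SET { SEQUENCE { OID commonName (2.5.4.3), PrintableString } } }."""
    attr = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x13, common_name.encode("ascii")))
    return _der(0x30, _der(0x31, attr))


SAMPLE_SUBJECT_DER = _name("Example Root CA")
_TBS = _der(0x30,
            _der(0xA0, _der(0x02, b"\x02"))                                     # version v3
            + _der(0x02, b"\x01")                                               # serialNumber
            + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
            + SAMPLE_SUBJECT_DER                                                # issuer (self-issued)
            + _der(0x30, _der(0x17, b"130101000000Z") + _der(0x17, b"230101000000Z"))  # validity
            + SAMPLE_SUBJECT_DER                                                # subject
            + _der(0x30, b""))                                                  # subjectPublicKeyInfo placeholder
SAMPLE_CERT_DER = _der(0x30, _TBS + _der(0x30, b"") + _der(0x03, b"\x00"))
SAMPLE_CERT_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_CERT_DER)
                   + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    # For a real file: subject_hash_old(open(r"c:\certs\Root64.cer", "rb").read())
    print(subject_hash_old(SAMPLE_CERT_PEM))
```

On an OpenSSL 1.0.0 or later system the equivalent check is openssl x509 -subject_hash_old -noout -in Root64.cer; if that value differs from what -subject_hash prints, the hash.0 file must be named after the -subject_hash_old value, because that is what the 0.9.8 library bundled with vCenter looks up.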


19 Copy the new root-trust.jks and server-identity.jks. If you have been following the example in this document, these are located in C:\ProgramData\VMware\SSOCERTS.
20 Log in to the vSphere Web Client as admin@system-domain.
21 Navigate to Administration > Sign-On and Discovery > Configuration, and click the STS Certificate tab.
22 Click Edit.
23 Click Browse and navigate to the SSO Security Directory. Select root-trust.jks.
24 When prompted, enter testpassword as the password and click OK. The rui key chain appears in the interface.
25 Select rui and click OK.
26 When prompted for the password, enter testpassword. Another chain is added, and the certificate is available in the GUI.
NOTE If you encounter the error message An error occurred while updating server configuration, this may indicate that the certificate chain was not fully exported. For more information, see step 20 in the Getting the certificate section in Creating certificate requests and certificates for vCenter Server 5.1 components (KB 2037432), which outlines steps to export and concatenate multiple certificates.
Alternatively, to add it to the GUI, you can add the JKS file by running the following command.
ssocli.cmd configure-riat -a configure-sts --keystore-file C:\Program Files\VMware\Infrastructure\SSOServer\Security\root-trust.jks --keystore-type JKS --keystore-password testpassword -u admin -p master password

27 Restart the vCenter Single Sign-On server.

The SSL certificate for vCenter Single Sign-On (including the Security Token Service, the SSO Admin service, Group Check, and the Lookup Service) is updated.

NOTE If you replace the signing certificates of your Single Sign-On server and the signing chain is signed by a different root certificate than the signing chain that you replaced, you must update the trust to this Single Sign-On server in all vCenter Servers that point to it and restart them.

What to do next
Install the custom SSL certificates for the Inventory Service.

Replace Inventory Service SSL Certificates

The Inventory Service is installed with vCenter Single Sign-On and stores vCenter Server application and inventory data. The Inventory Service lets you search and access inventory objects across the vCenter Server systems that are registered with the Lookup Service. You can replace the SSL certificate for the Inventory Service.

Prerequisites
Obtain certificate files (including the certificate, private key, and keystore) as described in the following procedures:
- Edit the OpenSSL Configuration File
- Create and Submit Certificate-Signing Requests for vCenter Server
- Create the PFX file
- Create the JKS file


Procedure
1 Log in to the Inventory Service server as an administrator.
2 If you have not imported it, double-click the c:\certs\Root64.cer file, and import the certificate into the Trusted Root Certificate Authorities > Local Computer Windows certificate store. This action ensures that the certificate server is trusted.
3 From a command prompt located at the Inventory Service\scripts directory (by default, C:\Program Files\VMware\Infrastructure\Inventory Service\scripts), unregister the Inventory Service from vCenter Single Sign-On. Type
unregister-sso.bat Lookup_Service_URL SSO_administrator_user SSO_administrator_password
where the Lookup Service URL is https://ssoserver.domain.com:7444/lookupservice/sdk/. Change the port if needed.
4 Stop the vCenter Inventory Service.
5 Copy the new certificate files to the system where the Inventory Service is installed. Previous examples used c:\certs to store the new certificates. The certificates directory is typically
C:\ProgramData\VMware\Infrastructure\Inventory Service\ssl
6 Start the vCenter Inventory Service.
7 Validate the register-sso.bat file.
a Change to the Inventory Service scripts directory.
b Open the register-sso.bat file and validate that the following line in the file is correct.
set COMMAND="%PATH_ROOT%/sso/regTool.cmd" registerSolution --ls-url %1 --username "%2" --password "%3" --install-props "%PATH_ROOT%/conf/sso.ini"
This line should be
set COMMAND="%PATH_ROOT%/sso/regTool.cmd" registerSolution --ls-url %1 --username "%2" --password "%3" --install-props "%PATH_ROOT%/conf/sso.ini" --role read
In the vCenter 5.1 GA release, the --role read parameter was not included, and its absence causes the command to fail.
8 Register the vSphere Inventory Service to vCenter Single Sign-On by running the following command.
register-sso.bat Lookup_Service_URL SSO_administrator_user SSO_administrator_password

Replace vCenter Server SSL Certificates

Replace default certificates with those signed by an internal certificate authority or public key infrastructure (PKI) service. Alternatively, purchase a certificate from a trusted commercial security authority.

When you replace default server certificates in a production environment, deploy new certificates in stages, rather than all at the same time. Make sure that you understand the process as it applies to your environment before you replace certificates.

Prerequisites
- You requested and received the CA signed certificates from the signing authority.
- You stored the new CA signed certificates in c:\certs.

Procedure
1 Log in to vCenter Server as an administrator.


2 If you have not already imported the root certificate, double-click the c:\certs\Root64.cer file. Select Trusted Root Certificate Authorities > Local Computer > Windows certificate store, and import the certificate from the list of certificates. This action ensures that the certificate server is trusted.
3 Back up the existing certificates and copy the new certificate, private key, and keystore files (for example, rui.crt, rui.key, and rui.pfx) to the system where vCenter Server is installed. The certificates typically are located in the following directory.

Operating System      Directory
Windows Server 2008   C:\ProgramData\VMware\VMware VirtualCenter\ssl
Windows Server 2003   C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\ssl

If you follow the example, the newly created certificate is in c:\certs\vCenter.
5 Open rui.crt in a text editor, and validate that the first line of the file begins with -----BEGIN CERTIFICATE-----. Remove any text that is in front of this marker. Extra text causes validation failure.
6 Use the Managed Object Browser to load the certificates.
a Go to https://localhost/mob/?moid=vpxd-securitymanager&vmodl=1 on the vCenter Server. If you are prompted with a certificate warning, click Continue.
b Enter a vCenter Server administrator user name and password, and click reloadSslCertificate.
c Click Invoke Method. You see the message Method Invocation Result: void.
d Close both windows.
7 From a command prompt on vCenter Server, navigate to the isregtool directory (by default, C:\Program Files\VMware\Infrastructure\VirtualCenter Server\isregtool).
8 Register the vCenter Server to the Inventory Service by typing the following command.
register-is.bat vCenter Server URL Inventory Service URL SSO Lookup Service URL
A return code of 0 0 indicates that the vCenter Server was registered.
9 Navigate to the vCenter Server directory (by default, C:\Program Files\VMware\Infrastructure\VirtualCenter Server\), and type the following command.
vpxd -p
To encrypt the password with the new certificate, type the password of the vCenter Server database user when prompted.
10 Restart the following services.
- From the service control manager (services.msc), restart the VMware VirtualCenter Server service.
- Restart the VMware vSphere Profile Driven Storage Service.
After the initial restart of the services, wait for five minutes. If the VMware vSphere Profile Driven Storage service stops during this time, restart it.

vCenter Server replaces the certificate.


What to do next
Replace the vSphere Web Client and Log Browser SSL certificates.

Replace the vSphere Web Client and Log Browser SSL Certificate

You can replace or update the vSphere Web Client and Log Browser SSL certificates. Replace both certificates at the same time.

Prerequisites
- You have a vSphere 5.1 environment.
- All certificates and corresponding files are generated.

Procedure
1 Log in to the vSphere Web Client server as an administrator.
NOTE If you are using a self-signed certificate from OpenSSL, you import the certificate when logging in to vCenter Server for the first time.
2 If you have not imported it, double-click the Root64.cer file (located in c:\certs\ in these examples) and import the certificate into the Trusted Root Certificate Authorities > Local Computer Windows certificate store.
3 Log in to the vSphere Web Client server as an administrator.
4 From the service control manager (services.msc), stop the following services.
- VMware vSphere Web Client service
- VMware Log Browser service
5 Open a command prompt, and go to the Web Client\scripts directory. The default directory is C:\Program Files\VMware\Infrastructure\vSphere Web Client\scripts.
6 Back up the existing certificates and copy the new certificate, private key, and keystore files (for example, rui.crt, rui.key, and rui.pfx) to the system where the vSphere Web Client and Log Browser are installed.
a Back up and replace the current certificates for the vSphere Web Client.

Operating System      Directory
Windows Server 2008   C:\ProgramData\VMware\vSphere Web Client\ssl
Windows Server 2003   C:\Documents and Settings\All Users\Application Data\VMware\vSphere Web Client\ssl

b Back up and replace the current certificates for the Log Browser. By default, the certificates are located in C:\Program Files\VMware\Infrastructure\vSphereWebClient\logbrowser\conf. In the example, the new certificates are located in c:\certs\logbrowser.
7 If you have not done so, set the JAVA_HOME environment variable by opening a command prompt and typing the following.
set JAVA_HOME=c:\Program Files\VMware\Infrastructure\JRE
8 From the SsoRegTool directory (by default C:\Program Files\VMware\Infrastructure\vSphere Web Client\SsoRegTool\), unregister the vSphere Web Client from Single Sign-On by running the following command.
regTool.cmd unregisterService -si "Installation Directory\vSphereWebClient\serviceId" -d https://SSOServer.domain.com:7444/lookupservice/sdk -u admin@System-Domain -p password


9 Register the vSphere Web Client back to vCenter Single Sign-On by typing the command for your operating system.

Windows 2008:
regTool.cmd registerService --cert "C:\ProgramData\VMware\vSphere Web Client\ssl" --ls-url https://SSOServer.domain.com:7444/lookupservice/sdk --username admin@System-Domain --password password --dir "Installation Directory\vSphereWebClient\SsoRegTool\sso_conf" --ip "*.*" --serviceId-file "Installation Directory\vSphereWebClient\serviceId"

Windows 2003:
regTool.cmd registerService --cert "C:\Documents and Settings\All Users\Application Data\VMware\vSphere Web Client\ssl" --ls-url https://SSOServer.domain.com:7444/lookupservice/sdk --username admin@System-Domain --password password --dir "Installation Directory\vSphereWebClient\SsoRegTool\sso_conf" --ip "*.*" --serviceId-file "Installation Directory\vSphereWebClient\serviceId"

10 From Installation Directory\vSphereWebClient\, open the serviceId file, and remove the two service ID lines from the now-replaced certificate. The file should contain only the two new service IDs.
11 From the service control manager, start the VMware Web Client service and the vSphere Log Browser service. This can take up to five minutes. To verify the success of this task, log in to the vSphere Web Client and check that the inventory is accessible and that the certificate is properly installed.
12 Stop and restart the services.
- Stop the VMware Log Browser Service.
- Stop the VMware vSphere Web Client Service.
- Stop the VMware vCenter Server Service.
- Stop the VMware vCenter Inventory Service.
- Stop the vCenter Single Sign On Service.
- Start the vCenter Single Sign On Service.
- Start the VMware vCenter Inventory Service.
- Start the VMware vCenter Server Service and the VMware vCenter Management WebServices service.
- Start the VMware vSphere Web Client Service.
- Start the VMware Log Browser Service.

What to do next
Replace the certificates on the vSphere Update Manager.

Update SSL Certificates for vCenter Single Sign On Server Behind a Load Balancer

When a deployment of vCenter Single Sign-On server systems is located behind a load balancer, it is not necessary to update the Lookup Service entries for the Security Token Service (STS), SSO Admin, and Group Check services. You need only to update the SSL certificate of a vCenter Single Sign-On system behind that load balancer.

NOTE You must include the full certificate chain.


Prerequisites
Obtain certificate files (including the certificate, private key, and keystore) as described in the following procedures:
- Edit the OpenSSL Configuration File
- Create and Submit Certificate-Signing Requests for vCenter Server
- Create the PFX file
- Create the JKS file

Procedure
1 If they are not already there, copy the certificate files (for example, rui.crt, rui.key, and rui.pfx) to the system where vCenter Single Sign-On is installed.
2 Stop the Single Sign-On server.
3 Update Single Sign-On with the new keystore using the following command.
SSO installation directory\utils\ssocli configure-riat -a configure-ssl --keystore-file file --keystore-password password
4 Start the Single Sign-On Server.

What to do next
Depending on how your load balancing software is configured, you might also be required to update the load balancer's certificate trust store to contain the new certificate. This enables trusted SSL connections between the load balancer and Single Sign-On servers.

Replacing SSL Certificates on vCenter Server Appliance

So far, this task describes replacing CA signed SSL certificates on a vCenter Server. The task is quite different for replacing SSL certificates on a vCenter Server Appliance. If you replace CA signed SSL certificates on a vCenter Server Appliance, see the KB article Configuring certificates signed by a Certificate Authority (CA) for vCenter Server Appliance 5.1 (2036744).

For all services that contact vCenter Single Sign-On and that are not on the same machine, update the trust stores with the new SSL certificate. These services include the vSphere Web Client and the Inventory Service. See Update the Certificate Trust Store for vCenter Server Components, on page 33.

Replace VMware vSphere Update Manager Certificates

You can replace vSphere Update Manager certificates.

Prerequisites
- You have a vSphere 5.1 environment.
- The certificates have been requested and received.
- You have administrator privileges on the Update Manager system.

Procedure
1 Log in to the vSphere Update Manager server as an administrator.
2 If you have not imported it, double-click the Root64.cer file. If you follow the example, this file is located in c:\certs.
3 Select Trusted Root Certificate Authorities > Local Computer, and import the certificate into the Windows certificate store.


4 Back up the existing Update Manager certificates. If you follow the example, the certificate files are located in c:\certs\Update Manager. By default, vSphere Update Manager stores its certificates in the C:\Program Files (x86)\VMware\Infrastructure\Update Manager\SSL directory.
5 Copy the new certificate files (rui.crt, rui.key, and rui.pfx) into the Update Manager SSL directory.
6 From the service control manager (services.msc), stop the vSphere Update Manager service.
7 Start the VMwareUpdateManagerUtility.exe application and log in. By default, it is located in C:\Program Files (x86)\VMware\Infrastructure\Update Manager.
NOTE If the system becomes unresponsive and fails, and if vCenter Server is on the same system as vSphere Update Manager, use 127.0.0.1:80 as the address for vCenter Server.
8 In the Options pane, click SSL Certificate.
9 In the Configuration pane, select Followed and verified the steps and click Apply.
10 When the message Restart the VMware vSphere Update Manager service to apply the setting appears, click OK.
11 After the operation finishes, start the VMware vSphere Update Manager service.

What to do next
Verify that you can access Update Manager without receiving certificate-related warnings.

Replacing Default SSL Certificates on ESXi


VMware recommends that you replace default certificates with those signed by an internal certificate authority or public key infrastructure (PKI) service. Alternatively, purchase a certificate from a trusted commercial security authority.

NOTE Use commercially signed certificates for systems that are exposed to the Internet.

When you replace default server certificates in a production environment, deploy new certificates in stages, rather than all at the same time. Make sure that you understand the process as it applies to your environment before you replace certificates.

ESXi Certificates: Before You Begin

Ensure that your environment has the required software installed before you begin replacing default ESXi certificates.
- Microsoft CA (2000 or higher), with Web Server template
- Microsoft Visual C++ 2008 Redistributable Package (x86) installed on the system where you will generate the certificate-signing request
- OpenSSL 0.98r or higher installed on the system where you will generate the certificate-signing request
- PuTTY or other SSH client
- WinSCP or other SFTP/SCP client
- vCenter Server 5.1
- ESXi 5.1


Edit the OpenSSL Configuration File

VMware products implement the OpenSSL libraries and toolkits to generate the default certificates that are created during the installation process. You can use OpenSSL to create certificate-signing requests (CSRs). The default OpenSSL installation includes a configuration file, openssl.cfg, located in the OpenSSL\bin directory. Edit the configuration file with values specific to your organization.

Prerequisites
Download OpenSSL x86 version 0.98r or higher from http://www.openssl.org. Install OpenSSL on the system where you will generate the certificate signing request.

Procedure
1 Navigate to the OpenSSL directory.
2 Edit the OpenSSL configuration file (openssl.cfg) to include details appropriate for your environment.

Parameter                                    Value
encrypt_key                                  no
keyUsage                                     Must include digitalSignature and keyEncipherment. Versions prior to 5.1 must also include nonRepudiation and dataEncipherment.
extendedKeyUsage                             serverAuth, clientAuth
common name (in req_distinguished_name)      Name of the server that will use the certificate. Required. Fully qualified domain name or host name of the vCenter Server or ESXi system.
subjectAltName (Subject Alternative Name)    Required for vCenter Server. Optional for ESXi. You can include multiple DNS names in the Subject Alternative Name section to include the short name of the host.

3 Save and close the configuration file.

Example: openssl.cfg

IMPORTANT The openssl.cfg file is made up of several sections. This example lists the three relevant key sections of the file. It does not reflect the entire file. You must include the entire file for use, not the example sections only.

NOTE The values shown are samples only, with the exception of the input_password and output_password. It is unnecessary and not recommended for you to change the input and output password from the default (testpassword). If your organization requires that you change the default password, see Unexpected Behavior Occurs When You Change the rui.pfx Password, on page 35.

[ req ]
default_bits       = 2048
default_keyfile    = privkey.pem
distinguished_name = req_distinguished_name
attributes         = req_attributes
x509_extensions    = v3_ca
input_password     = testpassword
output_password    = testpassword
encrypt_key        = no
prompt             = no
string_mask        = nombstr
req_extensions     = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vc.homedns.org, DNS:vc50.homedns.org, DNS:vc50

[ req_distinguished_name ]
countryName = US
stateOrProvinceName = California
localityName = Palo Alto
0.organizationName = VMware Inc
organizationalUnitName = IT
commonName = vc.homedns.org
emailAddress = admin@yourdomain.com

Create and Submit Certificate-Signing Requests

You must generate a certificate-signing request (CSR) for each system that requires a replacement certificate. You submit the certificate-signing request to your certificate authority to obtain a base-64 encoded certificate. See the OpenSSL documentation at http://www.openssl.org for information about OpenSSL commands and options.

Prerequisites
OpenSSL x86 version 0.98r or higher is installed on the system where you will create the request. The OpenSSL configuration file (openssl.cfg) has been edited to suit your environment as described in Edit the OpenSSL Configuration File.

Procedure
1 At a command prompt, navigate into the OpenSSL directory. By default this is C:\OpenSSL-Win32\bin.
2 Generate the certificate signing request by running the following command on the system where you installed OpenSSL.
openssl req -new -nodes -out rui.csr -keyout rui.key -config openssl.cfg
3 Use the contents of the newly created rui.csr file to create a certificate request to submit to your certificate authority.
If you are using a commercial certificate authority, perform the following steps to generate the request.
a Send the rui.csr file to the appropriate certificate authority.
b After the authority sends your generated certificate, install the root certificate onto the vCenter Server before continuing.
If you are using Microsoft CA (2003 or higher), perform the following steps to create the request.
a Browse to your Microsoft Certificate Authority web site (typically http://servername/CertSrv/) and select Request a Certificate.
b Select Advanced Certificate Request and select Submit a certificate request using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.


c Open the certificate request file (rui.csr) with a text editor and copy the contents of the file (including the beginning and ending tags).
d Paste the contents of the rui.csr file into the Saved Request area.
e Select the Web Server certificate template and click Submit. The Web Server template should include Subject Alternative Names (required for vCenter Server, optional for ESXi). You might have to modify the template to include this parameter.
If you are using an OpenSSL self-signed certificate, perform the following steps.
a Create the certificate using the following command.
openssl req -x509 -sha256 -newkey rsa:2048 -keyout rui.key -config openssl.cfg -out rui.crt -days 3650
b Disregard steps 4 and 5 of this task.
4 Click Base-64 encoded and then download the certificate. Save the certificate on the desktop of the server as rui.crt.
5 If necessary, rename the certificate files to rui.crt and rui.key.

Install SSL Certificate Files to ESXi

Copy the new certificate files onto the host to replace default SSL certificates.

Procedure
1 Log in to vCenter Server and put the host in Maintenance Mode.
2 Navigate to the console of the server.
3 Press F2 to log in to the Direct Console User Interface (DCUI) as root.
4 Select Troubleshooting Options, then select Enable SSH.
5 Use WinSCP or other SFTP/SCP client to connect to the target host and change to the following directory.
/etc/vmware/ssl
6 Back up the existing default certificate files (rui.crt and rui.key).
7 Delete the existing default certificate files (rui.crt and rui.key).
8 Copy the newly generated certificate files (rui.crt and rui.key) to the target host SSL directory /etc/vmware/ssl. To avoid special characters (^M) appearing in the certificate file, you must use Text Mode or ASCII Mode to transfer the files.
9 Type less rui.crt to validate that there are no extra characters such as ^M at the end of each line.
10 Log in to the target host Direct Console User Interface (DCUI) as root.
11 Select Troubleshooting Options > Restart Management Agents, and, when prompted, press F11.
12 After the management agents are restarted, log out of the Direct Console User Interface and take the host out of maintenance mode.

Newly generated SSL certificates are loaded onto the ESXi host and default certificates have been replaced.
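Steps 8 and 9 above guard against one specific transfer mistake: a binary-mode copy from Windows leaves carriage returns (shown by less as ^M) in rui.crt and rui.key, and the host then cannot parse them. The following Python script is an added example and is not part of VMware's documentation or tools. It performs that inspection programmatically on the raw bytes of a PEM file and adds the related sanity checks a practitioner would want before restarting the management agents: matching BEGIN/END labels, a body that is valid base64, and a decoded payload that starts as a DER SEQUENCE (true for both a certificate and a private key). The sample PEM it carries is constructed for the demonstration and is not a real certificate; the function names are this example's own.

```python
import base64
import re

# One PEM block; the body may arrive with LF or CRLF line endings.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END ([A-Z ]+)-----", re.S)


def check_pem_bytes(data):
    """Return a list of problems found in the raw bytes of a transferred PEM file.

    Mirrors what step 9 asks you to eyeball with `less`: stray carriage returns
    (^M), BEGIN/END labels that do not match, and a body that is not valid base64
    or does not decode to a DER SEQUENCE (a truncated or corrupted transfer).
    An empty list means the file is clean.
    """
    problems = []
    if b"\r" in data:
        problems.append("carriage returns (^M) present: file was transferred in binary mode")
    blocks = PEM_BLOCK.findall(data)
    if not blocks:
        problems.append("no PEM block found")
    for begin, body, end in blocks:
        label = begin.decode()
        if begin != end:
            problems.append(f"BEGIN {label} does not match END {end.decode()}")
        try:
            der = base64.b64decode(re.sub(rb"\s", b"", body), validate=True)
        except ValueError:  # binascii.Error is a subclass of ValueError
            problems.append(f"{label} body is not valid base64 (truncated?)")
            continue
        # An X.509 certificate and a PKCS#1/PKCS#8 private key are both DER SEQUENCEs.
        if der[:1] != b"\x30":
            problems.append(f"{label} body does not decode to a DER SEQUENCE")
    return problems


def normalize_line_endings(data):
    """Rewrite CRLF (and lone CR) to LF, which is what an ASCII-mode transfer would have done."""
    return data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")


# Constructed sample: a PEM file as it arrives after a binary-mode copy from Windows.
# The body is NOT a real certificate, only the DER SEQUENCE 30 03 02 01 01 in base64.
CONSTRUCTED_CRLF_PEM = (
    b"-----BEGIN CERTIFICATE-----\r\n"
    b"MAMCAQE=\r\n"
    b"-----END CERTIFICATE-----\r\n"
)


if __name__ == "__main__":
    import sys
    # Pass a path (e.g. rui.crt) to check a real file; otherwise the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else CONSTRUCTED_CRLF_PEM
    for line in check_pem_bytes(data) or ["clean"]:
        print(line)
```

Run it against the copied rui.crt and rui.key before step 10; if it reports carriage returns, re-transfer in text mode (or write back the output of normalize_line_endings) rather than editing the file by hand on the host.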


Replace vCenter Server Heartbeat Certificates


If you have a problem with the current certificate, or if your corporate security policy requires doing so, you can replace default vCenter Server Heartbeat certificates.

Prerequisites
• Install OpenSSL on the system where you will replace the certificate.
• Obtain the certificate files rui.crt, rui.key, and rui.pfx. See the following topics:
  • Edit the OpenSSL Configuration File
  • Create and Submit Certificate-Signing Requests
  • Create the PFX Files, on page 16

Procedure
1 Download the SSLImport.jar utility from the VMware Knowledge Base article Replacing SSL Certificates for vCenter Server Heartbeat 6.x (KB 2013041).
2 On the system where you will replace the Heartbeat certificate, copy the certificate (rui.crt), private key (rui.key), and the SSLImport.jar file to the JRE bin directory, which is typically in the following location.
C:\Program Files\VMware\VMware vCenter Server Heartbeat\R2\jre\bin
3 Convert the private key (rui.key) and the certificate (rui.crt) from PEM format to DER format using OpenSSL.
a To convert the private key, run the following command.
openssl pkcs8 -topk8 -nocrypt -in rui.key -inform PEM -out key.der -outform DER
b To convert the certificate, run the following command.
openssl x509 -in rui.crt -inform PEM -out cert.der -outform DER
4 Use the following command to run the SSLImport utility.
java -jar SSLImport.jar key.der cert.der
A new keystore is created (NFKeyStore.jks) and the keystore alias (keyAlias) appears with the keystore password (keyPassword), as shown in the following example.
> New keystore created: NFKeyStore.jks
> Keystore-alias: keyAlias
> Keystore-password: keyPassword
5 Set the password for the keystore file (NFKeyStore.jks).
keytool -keyclone -alias "keyAlias" -dest "nfhb_private_certificate" -keypass keyPassword -new new password -keystore NFKeyStore.jks -storepass keyPassword
keytool -storepasswd -new new password -keystore NFKeyStore.jks -storepass keyPassword
keytool -delete -alias keyAlias -keystore NFKeyStore.jks -storepass new password
6 Run the following command to stop the Heartbeat Web service.
net stop nfwebsvc


7 Back up the Heartbeat SSL directory, which is typically in the following location.
C:\Program Files\VMware\VMware vCenter Server Heartbeat\tomcat\ssl
8 Move the NFKeyStore.jks file, key.der, and cert.der into the Heartbeat SSL directory.
C:\Program Files\VMware\VMware vCenter Server Heartbeat\SSL
9 Open the following file in a text editor.
C:\Program Files\VMware\VMware vCenter Server Heartbeat\tomcat\apache-tomcat-6.0.32\conf\server.xml
10 Locate the following section and enter the keystore password as the value of the keystorePass parameter.
<Connector port="9561" protocol="HTTP/1.1" SSLEnabled="true" ... keystoreFile="../ssl/NFKeyStore.jks" keystorePass="new password" keyAlias="nfhb_private_certificate"/>
11 Run the following command to start the Heartbeat web service.
net start nfwebsvc

The service starts and the system begins sending heartbeats.

Update the Certificate Trust Store for vCenter Server Components


Before you can install the certificate for vCenter Server components, you must have a trust store for the CA signed certificates, including the root and intermediary certification authorities. A trust store is a directory of trusted X.509 certificates.

NOTE If you are running vCenter Server in a virtual machine, take a snapshot before starting this process to ensure that you can revert to it if necessary. Delete the snapshot after the process is complete.

Prerequisites
• Verify that trusted certificates are kept in separate files, with one certificate for each file.
• Verify that certificates are in X.509 PEM format.
• Verify that certificates have names in the form hash.0 or have symbolic links to the files using that form. hash is the hashed certificate subject name. See the OpenSSL documentation for the x509 utility.

Certificates are either self-signed CA root certificates or intermediate certificates whose chain is included in the root certificate.

Procedure
1 Log in to the vCenter Single Sign-On Server. In this example, the files are located in C:\certs.
2 Copy the root certificate from the certification authority to the VMware SSL directory. For example, copy the C:\certs\Root64.cer file to C:\ProgramData\VMware\SSL\. This certificate is the root certificate for the certification authority which is being used.
3 Rename the current ca_certificates.crt to ca_certificates.bak, and then rename Root64.cer to ca_certificates.crt.


4 Type the following command to compute the hash.
openssl x509 -subject_hash -noout -in c:\certs\Root64.cer
The valid hash is returned.
5 Create a file named hash.0 using the hash returned in the previous step. The file must contain the certificate whose subject hash is used as the file name.
IMPORTANT The hash must be created with OpenSSL v0.9.8, as this is the version which vCenter uses. If created with another version the hash might not be correct.
6 Repeat this task for other intermediary Certificate Authorities. If there are intermediate certificate authorities, there will be a file for each intermediate authority with the content of the intermediate certificate in the file. If you are using intermediate certificate authorities, you also need to append each certificate authority to the ca_certificates.crt file. To do this run the following command:
more intermediateCA.cer >> ca_certificates.crt
where intermediateCA is the certificate for the intermediate CA. Repeat this step for each intermediate CA that is in the certificate chain.

The certificates are updated in the trust store.
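Steps 4 and 5 above hinge on the subject hash that names the hash.0 file, and the IMPORTANT note reflects that OpenSSL changed the hash algorithm after 0.9.8. The Python below is an added example, not code from VMware; it computes the 0.9.8-style value (MD5 over the DER-encoded subject Name, low four bytes read little-endian) directly from a certificate and builds the file name, so you can confirm what the trust store expects regardless of which OpenSSL is installed. It uses only the Python standard library. The sample certificate is constructed inline by the example's own minimal DER encoder and is not a real certificate; the function names are this example's own.

```python
import base64
import hashlib
import re

# Attribute types used by make_name() below (C, O, OU, CN).
OIDS = {"C": "2.5.4.6", "O": "2.5.4.10", "OU": "2.5.4.11", "CN": "2.5.4.3"}

def der_elements(buf):
    """Split DER bytes into top-level (tag, raw_tlv, value) triples; handles long-form lengths."""
    pos, out = 0, []
    while pos < len(buf):
        tag, length, hdr = buf[pos], buf[pos + 1], 2
        if length & 0x80:                      # long form: 0x8n, then n length bytes
            n = length & 0x7F
            length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
            hdr += n
        end = pos + hdr + length
        out.append((tag, buf[pos:end], buf[pos + hdr:end]))
        pos = end
    return out

def pem_to_der(pem_text):
    """Base64-decode the first PEM block (for example the content of Root64.cer)."""
    body = re.search(r"-----BEGIN [^-]+-----(.*?)-----END", pem_text, re.S).group(1)
    return base64.b64decode(re.sub(r"\s", "", body))

def extract_subject_der(cert_der):
    """Return the raw DER Name of the certificate subject.
    Walks Certificate -> tbsCertificate -> [version] serial signature issuer validity subject."""
    _t, _r, cert_body = der_elements(cert_der)[0]
    _t, _r, tbs = der_elements(cert_body)[0]
    fields = der_elements(tbs)
    if fields[0][0] == 0xA0:                   # optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[4][1]

def subject_hash_old(name_der):
    """OpenSSL 0.9.8 subject hash: low 4 bytes of MD5 over the DER Name, read little-endian."""
    digest = hashlib.md5(name_der).digest()
    return "%08x" % int.from_bytes(digest[:4], "little")

def trust_store_filename(cert_der):
    """File name the procedure requires for this certificate in the trust store: <hash>.0."""
    return subject_hash_old(extract_subject_der(cert_der)) + ".0"

# --- Minimal DER encoder, used only to build the constructed sample certificate ---

def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def _encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    body = bytearray([parts[0] * 40 + parts[1]])
    for p in parts[2:]:
        enc = bytearray([p & 0x7F])
        p >>= 7
        while p:
            enc.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        body += enc
    return _der(0x06, bytes(body))

def make_name(**rdns):
    """Build a DER Name from keyword RDNs, e.g. make_name(C="US", CN="Example Root CA")."""
    sets = b""
    for short, value in rdns.items():
        atv = _der(0x30, _encode_oid(OIDS[short]) + _der(0x13, value.encode("ascii")))
        sets += _der(0x31, atv)                # each RDN: SET of one AttributeTypeAndValue
    return _der(0x30, sets)

def sample_certificate():
    """Constructed, unsigned stand-in for a root CA certificate (NOT a real certificate)."""
    name = make_name(C="US", O="Example Corp", CN="Example Root CA")
    tbs = (_der(0xA0, _der(0x02, b"\x02"))                     # [0] version v3
           + _der(0x02, b"\x01")                               # serialNumber
           + _der(0x30, _encode_oid("1.2.840.113549.1.1.11"))  # signature alg (sha256WithRSA)
           + name                                              # issuer (self-signed)
           + _der(0x30, b"")                                   # validity (empty in stand-in)
           + name)                                             # subject
    return _der(0x30, _der(0x30, tbs))

def sample_certificate_pem():
    """The constructed sample wrapped as PEM, the way Root64.cer would be stored."""
    b64 = base64.b64encode(sample_certificate()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    cert = pem_to_der(sample_certificate_pem())
    print("trust store file name for the sample root CA:", trust_store_filename(cert))
```

To check a real root or intermediate certificate, read the PEM file and pass it through pem_to_der and trust_store_filename. With OpenSSL 1.0 or later installed, openssl x509 -subject_hash_old -noout -in Root64.cer prints the same value this function returns, whereas the plain -subject_hash on those versions prints the newer SHA-1-based hash that a 0.9.8-based lookup will not find; compare the two before naming the file.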

Troubleshooting vCenter Server Certificates


These topics describe some of the issues you might encounter when you work with vCenter and ESXi certificates.

New vCenter Server Certificate Does Not Appear to Load


After you replace default vCenter Server certificates, the new certificates might not appear to load.

Problem
When you install new vCenter Server certificates, you might not see the new certificate.

Cause
Existing open connections to vCenter Server are not forcibly closed and might still use the old certificate.

Solution
To force all connections to use the new certificate, use one of the following methods.
• Restart the network stack or network interfaces on the server.
• Restart the vCenter Server service.

vCenter Server Cannot Connect to Managed Hosts


After you replace default vCenter Server certificates and restart the system, vCenter Server might not be able to connect to managed hosts.

Problem
vCenter Server cannot connect to managed hosts after server certificates are replaced and the system is restarted.

Solution
Log into the host as the root user and reconnect the host to vCenter Server.


vCenter Server Cannot Connect to the Database


After you replace default vCenter Server certificates, you might be unable to connect to the vCenter Server database.

Problem
vCenter Server is unable to connect to the vCenter Server database after you replace default vCenter Server certificates, and management web services do not start.

Cause
The database password must be updated in its encrypted form.

Solution
Update the database password by running the following command:
vpxd -P pwd

Cannot Configure vSphere HA When Using Custom SSL Certificates


After you install custom SSL certificates, attempts to enable vSphere High Availability (HA) fail.

Problem
When you attempt to enable vSphere HA on a host with custom SSL certificates installed, the following error message appears:
vSphere HA cannot be configured on this host because its SSL thumbprint has not been verified.

Cause
When you add a host to vCenter Server, and vCenter Server already trusts the host's SSL certificate, VPX_HOST.EXPECTED_SSL_THUMBPRINT is not populated in the vCenter Server database. vSphere HA obtains the host's SSL thumbprint from this field in the database. Without the thumbprint, you cannot enable vSphere HA.

Solution
1 In the vSphere Client, disconnect the host that has custom SSL certificates installed.
2 Reconnect the host to vCenter Server.
3 Accept the host's SSL certificate.
4 Enable vSphere HA on the host.

Unexpected Behavior Occurs When You Change the rui.pfx Password


The default password for the PFX file rui.pfx is testpassword. If you change this password, you must also change the default keystorePass parameter in the Tomcat configuration file.

Problem
Unexpected behavior might occur if the rui.pfx password does not match the keystorePass parameter. For example, you receive the error message Unable to connect to the remote server when you attempt to enable the vCenter Server Service Status plug-in, or Tomcat is not listening on TCP port 8443 as expected.

Cause
The default password for PFX files is testpassword. It is not necessary or recommended to change this password. However, if your organization requires that you change the default password, you must update the corresponding Tomcat configuration file.


Solution
1 Stop all vCenter Server services.
2 Browse to the Tomcat configuration files and open server.xml in a text editor. The default location is Program Files\VMware\Infrastructure\tomcat\conf\server.xml.
3 Locate the line containing the following text: Connector port="8443"
4 Update the keystorePass parameter to match the rui.pfx certificate password. You cannot leave this parameter empty. The default is testpassword.
5 Restart all vCenter Server services.

SSL Certificate Update Errors with Single Sign-On


When you are updating an SSL certificate for vSphere components, the update might fail.

Problem
During an SSL certificate update, vCenter Server fails to start or you are unable to log in to vCenter Server.

Cause
After changing the vCenter Single Sign-On SSL certificate, the new system did not add the certificate to the vCenter trust store. The certificate is not valid for this update.

Solution
• If you are unable to log in to vCenter Server after the SSL certificate update, restart vCenter Server.
• Verify that you are not attempting to update with the same SSL certificate that resides on another vCenter Server system pointing to the same vCenter Single Sign-On server. SSL certificates must be unique. Generate a new certificate with a unique distinguished name (DN) and repeat the update process.
• Verify that the X.509 SSL certificate is valid and not corrupt or expired. Provide a valid SSL certificate if needed. If vCenter Server cannot read the certificate, it might be corrupt.
• Verify that the SSL certificate key/certificate pair match. If they do not match, provide a valid key/certificate pair.
• If the error SSL Exception: Verification parameters (certificate signature failure) appears in the vCenter Server logs, add the certificate to the trust store. See Update the Certificate Trust Store for vCenter Server Components, on page 33.
