2013-10-10




In the last installment of the vSphere 5.5 series we installed the SSO service. Now that the Java JRE is installed (via the SSO installer), we have the tools ready to create our vCenter SSL certificates via an online Microsoft CA. If you don’t have an online Microsoft CA that can issue your VMware SSL certificates, skip this section and go to Part 9 (coming soon), where we go through the manual process.

I’m recommending you create the SSL certificates now, so that you have a variety of methods at your disposal to use these certificates. VMware’s stance is that you fully install vCenter 5.5 with self-signed certificates then use their free certificate automation tool to replace all of the certificates as the last step. That is certainly a good route to go, and I would not dissuade you from that method. Or, you could also replace certificates as you install components so each layer is trusted as you go. Either way, I recommend the VMware certificate tool even if it is a bit primitive. It is flexible enough to let you incrementally replace certificates.

In order to make life easier for installers I’ve written a “toolkit” PowerShell script to help with the SSL process. More details are below, but I would like to give credit to Chrissy LeMaire for some of the (modified) building blocks of this script. She wrote a vCenter 5.1 PowerShell SSL replacement script that was more automated than VMware’s batch script. My script does not replace VMware’s automation tool, but helps you prepare the files it needs.

Download Toolkit Here

Blog Series

SQL 2012 AlwaysOn Failover Cluster for vCenter

vSphere 5.5 Install Pt. 1: Introduction 

vSphere 5.5 Install Pt. 2: SSO 5.5 Reborn 

vSphere 5.5 Install Pt. 3: vCenter Upgrade Best Practices and Tips

vSphere 5.5 Install Pt. 4: ESXi 5.5 Upgrade Best Practices and Tips

vSphere 5.5 Install Pt. 5: SSL Deep Dive

vSphere 5.5 Install Pt. 6: SSL Certificate Template

vSphere 5.5 Install Pt. 7: Install SSO

vSphere 5.5 Install Pt. 8: Online SSL Minting

vSphere 5.5 Install Pt. 9: Offline SSL Minting (Coming soon)

Permalink to this series: vexpert.me/Derek55

Permalink to the Toolkit script: vexpert.me/toolkit55

…and many more to come…

Derek’s Toolkit Script

The PowerShell script performs several tasks and is menu driven. It is an all-in-one script, meaning it handles online and offline CAs, and it will also do other install tasks such as creating your ODBC connectors. That functionality is not in there yet, but will be added in the coming weeks. The full feature list will change and so will the menus, but I’ll try to keep this updated as often as I can.

The CSRs are in strict accordance with VMware KB articles regarding certificate requirements, minus the IP address in the SAN field. I want to strictly color within the KB articles, so if you do use this script and then have to call up VMware support they won’t roll their eyes and have you re-do your certs because some blogger got it wrong.

The script has the following features:

Downloads and installs the proper version of OpenSSL (0.9.8.Y) if it’s not already installed

Creates 2048 bit RSA private keys in the proper format

Creates a directory for each service bundle of SSL certificates

Generates seven OpenSSL configuration files, one for each certificate, in the appropriate directory

Downloads both root and subordinate root public certificates

Submits the CSRs to the online CA and downloads the certificates

Creates the needed service PEM files for the vCenter certificate automation tool

Creates the required root/subordinate PEM files

Handles the special SSO 5.5 certificate requirements

Does NOT require PowerCLI

Assumes all vCenter components are on one server

Automatically uses the hostname of the server you run the script on for all certificates

Creates a pre-filled vCenter Certificate Automation environment script – Just run!

Works with offline CAs

Creates SSO 5.5 certificate replacement files – Only used if manual replacing certs

Download Toolkit Here

How To Use the Script

1. The PowerShell script requires a few variable modifications before you run it. In the first block of variables you need to set up the directory where you want all of the certificates to go. If OpenSSL is already installed, change the path so the script knows where its root directory is. If that directory does not exist, OpenSSL will be downloaded and installed for you. Next up are the certificate properties. Change those to suit your environment.



2. The script is semi-intelligent about using only a root, or one subordinate and root. Simply comment out $SubCA with a # if you only have an online Microsoft root CA. If you have two or more subordinates, then you will need to follow VMware SSL KBs or modify my script. Sorry!

3. The next section contains the details for your issuing CA and the template. The issuing CA is your online CA that will actually mint your certificates. If you only have one CA, then clearly that is what you should use. The $ISSUING_CA field can be a little tricky. The first field is the shortname (or FQDN) of your CA (e.g. d001dc01). Next up is your CA name. This can be anything, so you must open the Certification Authority MMC on your CA to find out what it’s called. As you can see from my screenshot below, my CA name is contoso-D001DC01-CA.

4. Next up is the template name. This can also be any value, but if you followed my guide then it will be called VMware-SSL. This is the Template Name not the Template display name.

5. Download my vCenter 5.5 toolkit script from the links above. Copy it to your vCenter server and run it in an elevated PowerShell window. Your account must have the required CA permissions to enroll for the VMware-SSL template. If it does not, then find a CA administrator, have them log on to the vCenter server and run the script.

As you can see from the screenshot below, my VM didn’t have OpenSSL installed. So it was downloaded and installed into C:\OpenSSL silently. If OpenSSL is already installed, it will detect that fact and skip the download.

6. Since you have properly configured the script variables and have one or more online Microsoft CAs, you should select option 1. This is fully automated, and should produce no errors. If you do get errors, then you either goofed up the variables, have insufficient permissions, or my script is broken and needs fixing. If it’s broken, now is an excellent time to learn PowerShell. The script is provided as-is, and bugs/issues may or may not be fixed.

Below is a screenshot with a sample of the script output as it runs. A lot more has scrolled off the screen, but you get the idea. There is limited error checking, but subtle issues could fly by on the screen. Review the output for any issues.
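The steps above, boiled down to what happens for one service bundle, as an added example (this is not the toolkit script itself). It assumes OpenSSL 0.9.8 under C:\OpenSSL, a working directory of C:\Certs, the CA and template names from my screenshots, and that the root and subordinate CA certificates have already been exported in Base64 form as Root64.cer and Sub64.cer (the Sub64.cer name is an assumption); subject fields such as country and organization are placeholders.

```powershell
$OpenSSL   = 'C:\OpenSSL\bin\openssl.exe'     # assumed install path
$IssuingCA = 'd001dc01\contoso-D001DC01-CA'   # host\CA-name, the form certreq expects
$Template  = 'VMware-SSL'                     # Template Name, not the display name
$CertRoot  = 'C:\Certs'                       # assumed working directory
$Short     = $env:COMPUTERNAME
$Fqdn      = [System.Net.Dns]::GetHostEntry($Short).HostName
function New-ServiceCertBundle {
    param([string]$Service, [string]$OU)
    $dir = Join-Path $CertRoot $Service
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    $cfg = Join-Path $dir "$Service.cfg"; $csr = Join-Path $dir "$Service.csr"
    # OpenSSL request config laid out like the VMware KB example: 2048-bit RSA, serverAuth and
    # clientAuth, SAN = short name + FQDN with the IP address left out (as the toolkit does).
    @"
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:$Short, DNS:$Fqdn
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = NY
localityName = New York
0.organizationName = Contoso
organizationalUnitName = $OU
commonName = $Fqdn
"@ | Set-Content -Path $cfg -Encoding ASCII
    # Private key plus CSR, then rewrite the key as a plain RSA key (rui.key).
    & $OpenSSL req -new -nodes -out $csr -keyout "$dir\rui-orig.key" -config $cfg
    & $OpenSSL rsa -in "$dir\rui-orig.key" -out "$dir\rui.key"
    # Submit the CSR to the online CA against the VMware-SSL template; certreq
    # writes the issued certificate back Base64-encoded as rui.crt.
    certreq -submit -config $IssuingCA -attrib "CertificateTemplate:$Template" $csr "$dir\rui.crt"
    # chain.pem for the automation tool: leaf certificate, subordinate, then root.
    Get-Content "$dir\rui.crt", "$CertRoot\Sub64.cer", "$CertRoot\Root64.cer" |
        Set-Content -Path "$dir\chain.pem" -Encoding ASCII
}
New-ServiceCertBundle -Service 'vCenterInventoryService' -OU 'vCenterInventoryService'
```

If you only have a root CA, drop Sub64.cer from the Get-Content list so chain.pem holds the leaf and root only.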

Output Validation

1. When the script completes you should have seven directories, and either one or three certificate (.cer) files in the root of your working directory. If you have a subordinate CA then you will have three files. If you have a single CA you will only have a Root64.cer file. The two files with funny names are hash files of the root and intermediate CAs. If you only have a root CA you will see a single hash file.

2. If you take a peek inside one of the folders you will see a series of files. Each service, except SSO, will have the same set of files (except the .csr and .cfg, which are uniquely named). The

chain.pem: Used for the VMware vCenter certificate automation tool

rui.crt: Public half of your SSL certificate

rui.key: Private half of your SSL certificate

rui.pfx: Combined private and public SSL keys

*.cfg: OpenSSL configuration file used to generate the certificate signing request

*.csr: Certificate signing request

3. In the vCenterSSO directory you will see a plethora of files. Depending on how you replace your SSL certificates, you may only use some of these files. But to help you out as much as possible, all the SSO files that are tedious to create manually are created for you. If you are missing files, then something went wrong. Please match up all filenames to validate that the toolkit script worked. Some files are copies of each other, but they are needed to avoid confusion and to more easily follow the KBs.

*.properties: Use for manual SSO SSL replacement

*_id: Use for manual SSO SSL replacement

ca_certificates.crt: Use for manual SSO SSL replacement

root-trust.jks: Used for SSO/STS certificate validation

server-identity.jks: Same file as above with a different name (per VMware KBs)

ssoserver.p12: Same functionality as rui.pfx, but VMware changed the name and format for SSO 5.5

ssoserver.crt: Copy of chain.pem

ssoserver.key: Copy of rui.key
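Because subtle issues can scroll past on screen, here is an added validation script (not part of the toolkit) that checks each service directory for the file set listed above and, using OpenSSL, confirms that rui.crt is the public half of rui.key, that the key is 2048 bit, and that rui.crt verifies against the CA certificates bundled after it in chain.pem. It assumes OpenSSL under C:\OpenSSL and the working directory C:\Certs.

```powershell
$OpenSSL  = 'C:\OpenSSL\bin\openssl.exe'   # assumed install path
$CertRoot = 'C:\Certs'                     # assumed working directory
function Test-CertBundle {
    param([string]$Dir)
    $problems = @()
    foreach ($f in 'chain.pem', 'rui.crt', 'rui.key', 'rui.pfx') {
        if (-not (Test-Path (Join-Path $Dir $f))) { $problems += "missing $f" }
    }
    foreach ($ext in '*.csr', '*.cfg') {
        if (-not (Get-ChildItem -Path $Dir -Filter $ext)) { $problems += "missing $ext" }
    }
    if ($problems) { return $problems }   # nothing more to test without the files
    # rui.crt must be the public half of rui.key: the RSA moduli have to match.
    $crtMod = & $OpenSSL x509 -noout -modulus -in "$Dir\rui.crt"
    $keyMod = & $OpenSSL rsa  -noout -modulus -in "$Dir\rui.key"
    if ($crtMod -ne $keyMod) { $problems += 'rui.crt does not match rui.key' }
    # The KBs call for a 2048-bit RSA key.
    $keyText = & $OpenSSL rsa -noout -text -in "$Dir\rui.key"
    if ("$keyText" -notmatch 'Private-Key: \(2048 bit\)') { $problems += 'key is not 2048 bit' }
    # rui.crt must chain to the CA certificates that follow it in chain.pem:
    # split the PEM bundle, use everything after the leaf as the trust file.
    $pem   = [IO.File]::ReadAllText("$Dir\chain.pem")
    $certs = @([regex]::Matches($pem, '-----BEGIN CERTIFICATE-----[\s\S]*?-----END CERTIFICATE-----') |
               ForEach-Object { $_.Value })
    if ($certs.Count -lt 2) { $problems += 'chain.pem holds no CA certificates'; return $problems }
    $caFile = Join-Path $env:TEMP 'ca-bundle.pem'
    ($certs | Select-Object -Skip 1) -join "`n" | Set-Content -Path $caFile -Encoding ASCII
    $verify = & $OpenSSL verify -CAfile $caFile "$Dir\rui.crt" 2>&1
    if ("$verify" -notmatch ': OK') { $problems += "chain does not verify: $verify" }
    return $problems
}
# Run the checks over every service directory the toolkit created.
Get-ChildItem -Path $CertRoot | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $result = Test-CertBundle -Dir $_.FullName
    if ($result) { "$($_.Name): " + ($result -join '; ') } else { "$($_.Name): OK" }
}
```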

Summary

Assuming you have an online Microsoft CA and you were successful in running the script, you now have all of the files needed to use the VMware certificate automation tool, or go through the manual certificate replacement process. Next up is an article on how to use an offline or non-Microsoft CA. At the end of that article you will have exactly the same files as you do from this installment. Starting in Part 10 we will resume our configuration and installation of vCenter components.

The post vSphere 5.5 Install Pt. 8: Online SSL Minting appeared first on Derek Seaman's Blog.

          
Related Stories

vSphere 5.5 Install Pt. 5: SSL Deep Dive

vSphere 5.5 Install Pt. 6: Certificate Template

vSphere 5.5 Install Pt. 7: Install SSO

 

Show more