
How can I replace or regenerate an SSL certificate for the management interface after I change the signature digest algorithm (the default_md setting) that SSL uses (for example, to SHA1)?
Note: This article describes how to perform the procedure on ESX Server. To find the steps for GSX Server, see www.vmware.com/support/gsx25/doc/manage_secure_remote_gsx.html.
Log on to the service console as root to perform the following steps.
root@esxserver ssl # /etc/init.d/httpd.vmware stop
root@esxserver ssl # cd /etc/vmware-mui/ssl
root@esxserver ssl # touch index.txt
root@esxserver ssl # echo $(date '+%Y%m%d%H%M') > serial
Note: The initial serial number can be any unique value.
root@esxserver ssl # vi openssl.cnf
[ ca ]
default_ca = VMware_Inc
[ VMware_Inc ]
dir = /etc/vmware-mui/ssl
certificate = $dir/cacert.crt
new_certs_dir = $dir/certs
private_key = $dir/cacert.key
database = $dir/index.txt
serial = $dir/serial
default_bits = 1024
default_crl_days = 30
default_days = 365
default_md = sha1
encrypt_key = no
prompt = no
x509_extensions = ca_extensions
policy = VMware_Inc_policy
[ ca_extensions ]
basicConstraints = CA:false
[ VMware_Inc_policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = supplied
emailAddress = supplied
organizationName = supplied
organizationalUnitName = optional
[ req ]
default_bits = 1024
private_key = /etc/vmware-mui/ssl/mui.key
default_md = sha1
distinguished_name = VMware
x509_extensions = v3_ca
string_mask = nombstr
encrypt_key = no
prompt = no
[ VMware ]
countryName = US
stateOrProvinceName = California
localityName = Palo Alto
organizationName = VMware
organizationalUnitName = VMware Management Interface
commonName = esxserver
emailAddress = ssl-certificates@vmware.com
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:true
Note: Modify all entries so they are specific to your environment. Because both sections set encrypt_key = no, the private keys written in the following steps (cacert.key and mui.key) are stored unencrypted on disk, so keep them readable only by root.
root@esxserver ssl # export OPENSSL_CONF=/etc/vmware-mui/ssl/openssl.cnf
root@esxserver ssl # openssl req -x509 -newkey rsa -out cacert.crt -keyout cacert.key
Using configuration from /etc/vmware-mui/ssl/openssl.cnf
Generating a 1024 bit RSA private key
..++++++
.++++++
writing new private key to 'cacert.key'
-----
root@esxserver ssl # openssl x509 -in cacert.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: sha1WithRSAEncryption
...
root@esxserver ssl # openssl req -newkey rsa:1024 -keyout mui.key -out request.crt
Using configuration from /etc/vmware-mui/ssl/openssl.cnf
Generating a 1024 bit RSA private key
.............++++++
......++++++
writing new private key to 'mui.key'
-----
root@esxserver ssl # openssl req -in request.crt -text -noout
Using configuration from /etc/vmware-mui/ssl/openssl.cnf
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=US, ST=California, L=Palo Alto, O=VMware, OU=VMware
Management Interface, CN=esxserver/Email=ssl-certificates@vmware.com
...
root@esxserver ssl # openssl ca -in request.crt -out mui.crt -notext
Using configuration from /etc/vmware-mui/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'California'
localityName :PRINTABLE:'Palo Alto'
organizationName :PRINTABLE:'VMware'
organizationalUnitName:PRINTABLE:'VMware Management Interface'
commonName :PRINTABLE:'esxserver'
emailAddress :IA5STRING:'ssl-certificates@vmware.com'
Certificate is to be certified until Aug 30 22:13:14 2006 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
root@esxserver # /etc/init.d/httpd.vmware start