Knowledge Base

The VMware Knowledge Base provides support solutions, error messages and troubleshooting guides
 
Search the VMware Knowledge Base (KB)   View by Article ID
 

Configuring certificates signed by a Certificate Authority (CA) for vCenter Server Appliance 5.1 (2036744)

Purpose

This article guides you through the configuration of certificates signed by a Certificate Authority (CA) for the vCenter Server Appliance 5.1. This process addresses common issues during certificate implementation, including configuration steps and pointers to avoid misconfiguration.

Resolution

Managing CA signed certificates for the vCenter Server appliance is a complex task. In many organizations it is required to maintain proper security for regulatory requirements.
These workflows are required for successful implementation:

These steps must be followed to ensure successful implementation of a custom certificate for vCenter Server Appliance.
Before attempting these steps, ensure that:

These are the requirements for the certificates that the vCenter Server Appliance uses:

  • Key Length – The key length currently must be a maximum of 2048 bytes from key file (PEM encoded).
  • Key File Format – Only PKCS1 is supported by all components. Make sure the base64 encoded key is in PKCS1 format. You may get RSA private keys in PKCS8 format when using some OpenSSL commands, the signal of PKCS8 key is:

    ----- BEGIN PRIVATE KEY

    For PKCS1, it is:

    ----- BEGIN RSA PRIVATE KEY

    Open the key file to correct it. If it is in PKCS8 format, run this command to convert it to PKCS1:

    openssl rsa -in pk8.key -out pk1.key

  • Cert File Format – Only some components support the PEM format of cert file. Make sure your cert file can be loaded by all components. Remove everything before the -----BEGIN CERTIFICATE to ensure that this is the first line of the file.
  • Certificate content – The commonName field in the Subject must be the hostname. subjectAltname must include the hostname and IP address of the host.
  • Elliptic Curve Keys – These are not currently supported.


Generating the certificate requests

For each component of the vCenter Server Appliance, you must have a custom certificate that has an appropriate organizational unit name encoded within the certificate. This means that seven different certificates are required for each vCenter Server appliance:
  • vCenter Server / Single Sign On (SSO)
  • vSphere Inventory Service
  • vSphere Web Client
  • Open LDAP
  • VMware Appliance Management Interface (VAMI)
  • vSphere Log Browser
  • vSphere Auto Deploy
To simplify the process, this article provides the steps to create different openssl.cfg files for each component.
This article uses /ssl/service to store all of the files before the certificates are installed.

To generate the appropriate configuration files:
  1. Open a text editor on the system where OpenSSL is installed.
  2. Paste this text into the file, replacing the information in red where appropriate:

    [ req ]

    default_md = sha512
    default_bits = 2048
    default_keyfile = rui.key
    distinguished_name = req_distinguished_name
    encrypt_key = no
    prompt = no
    string_mask = nombstr
    req_extensions = v3_req
    input_password = testpassword
    output_password = testpassword

    [v3_req ]

    basicConstraints = CA:false
    keyUsage = digitalSignature, keyEncipherment, dataEncipherment
    extendedKeyUsage = serverAuth, clientAuth
    subjectAltName = DNS:server, IP:ServerIPAddress,DNS:server.domain.com

    [ req_distinguished_name ]

    countryName = country
    stateOrProvinceName = state
    localityName = city
    0.organizationName = Organization Name
    organizationalUnitName = Vmware vCenter Service Certificate
    commonName = server.domain.com

  3. Save the file as openssl_vpxd.cfg, but do not close it.
  4. To create the inventory service configuration file, modify the organizationalUnitName to Vmware Inventory Service Certificate and save the file as openssl_inventoryservice.cfg.
  5. To create the vSphere Web Client configuration file, modify the organizationalUnitName to Vmware vCenter Web Client Service Certificate and save the file as openssl_webclient.cfg.
  6. To create the Open LDAP configuration file, modify the organizationalUnitName to Vmware LDAP Service Certificate and save the file as openssl_slapd.cfg.
  7. To create the VAMI configuration file, modify the organizationalUnitName to Vmware vCenter VAMI Certificate and save the file as openssl_vami.cfg.
  8. To create the vSphere Web Client configuration file, modify the organizationalUnitName to Vmware Logbrowser Service Certificate and save the file as openssl_logbrowser.cfg.
  9. To create the vSphere AutoDeploy configuration file, modify the organizationalUnitName to Vmware vCenter autodeploy Service Certificate and save the file as openssl_autodeploy.cfg.
When complete, there are seven different configuration files each with a different organizationalUnitName. Next, generate the certificate request and corresponding key for each of the certificates.

To generate a certificate request:
  1. Launch a command prompt and navigate into the OpenSSL directory as previously configured in the Configuring OpenSSL article.
    By default, the OpenSSL directory is located at:

    C:\OpenSSL-Win32\bin

  2. Run this command, replacing service with the appropriate file:

    openssl req -new -nodes -out rui_service.csr -keyout rui_service.key -config openssl_service.cfg

    For example, to generate the vCenter SSO certificate, run:

    openssl req -new -nodes -out rui_vpxd.csr -keyout rui_vpxd.key -config openssl_vpxd.cfg

    Note: There are no prompts because all information was provided in the openssl.cfg file from above.

  3. Repeat this step for each of the seven different openssl.cfg files. By the end of this section, you have seven different .csr files and seven different .key files.
When the certificate requests are created, proceed to Getting the certificate.
 

Getting the certificate

After the certificate requests are generated, they must be given to the certificate authority for generation of the actual certificate. The authority responds with a signed certificate and, if appropriate, a copy of their root certificate. For the certificate chain to be trusted, the root certificate must be installed on the server which is requesting the certificate.

Follow the appropriate section for the certificate authority in question.

If using commercial non-Microsoft CAs:
  1. Take each certificate signing request (rui.cs, as generated above) and send them to the commercial certificate signing authority.
  2. The CA sends back the generated certificates and the certificate chain file (normally a .PEM file) to ensure that the certificates are trusted.
  3. Proceed to the Installation and configuration of the certificates section of this article to complete the configuration of the custom certificates.

If using a Microsoft CA:

  1. Log into the Microsoft CA certificate authority web interface. By default, it is:

    http://servername/CertSrv/

  2. Click the Request a certificate link.
  3. Click advanced certificate request.
  4. Click the Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file link.
  5. Open the certificate request in a plain text editor and paste this text into the Saved Request box:

    -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST-----

  6. Select the Certificate Template as Web Server.

    Note: VMware recommends that you create a copy of the Web Server Certificate and add the Subject Alternative Name field to it. This allows you to specify more than a single name to be valid on the certificate, such as vcenter.domain.com and vcenter. Users can connect to more than one name and communication will still be valid.

  7. Click Submit to submit the request.
  8. Click Base 64 encoded on the Certificate issued screen.
  9. Click the Download Certificate link.
  10. Save the certificate on the desktop of the server as rui_service.crt, where service is the service you are creating a certificate for.

    Note: By default, Microsoft CA certificates are generated with the .cer format. Either use Save As or change it to .crt before continuing with this procedure.

  11. Repeat steps 2 to 10 to create each of the seven certificates from the seven certificate request files generated in the previous section of this document.
  12. Navigate back to the home page of the certificate server and click Download a CA certificate, certificate chain or CRL.
  13. Click the Base 64 option.
  14. Click the Download CA Certificate chain link.
  15. Save the certificate chain as cachain.p7b.
When complete, you have seven certificates (rui_service.crt) and the cachain.pem file generated. Proceed to Installation and configuration of the certificates to complete the configuration of the custom certificates.

Installation and configuration of the certificates

After the certificates have been created, you must validate that the certificates are in the proper format. Edit the certificate with a tool such as Notepad or vi and validate that the file begins with -----BEGIN CERTIFICATE-----. Remove all text before the -----BEGIN CERTIFICATE----- in the rui.crt files.



To complete the installation and configuration of the certificates in the vCenter Server Appliance:

Note: Before proceeding, ensure to back up the existing rui.crt, rui.key, and rui.pxf files.
  1. Stop the VMware VirtualCenter Server service and the SSO service using these commands:

    service vmware-sso stop
    service vmware-vpxd stop

  2. Create a directory using the mkdir command to store the files. This article uses directories named /ssl/service on the vCenter Server Appliance for the file operations. Be sure to create the appropriate directories as you proceed through the article.
  3. Copy rui_vpxd.crt, rui_vpxd.key, and cachain.p7b to the /ssl/vpxd directory on the vCenter Server Appliance.
  4. Rename rui_vpxd.crt to rui.crt by running the command:

    mv rui_vpxd.crt rui.crt

  5. Rename rui_vpxd.key to rui.key by running the command:

    mv rui_vpxd.key rui.key

  6. Run this command to convert the cachain.p7b file to cachain.pem:

    openssl pkcs7 -print_certs -in cachain.p7b -out cachain.pem

  7. Create the rui-ca-cert.pem file by running the command:

    cp cachain.pem rui-ca-cert.pem

  8. Create the .pfx file by running the command:

    openssl pkcs12 –export –out rui.pfx –in rui.crt -inkey rui.key –name rui –passout pass:testpassword

  9. Create the root cert chain required for VPXD/SSO by running the command:

    cat rui.crt rui-ca-cert.pem > chain.pem

  10. Add the CA chain to the default location by running the command:

    cp chain.pem /etc/ssl/certs/rootca.pem

  11. Create a hash pointer to this file by running the command:

    ln -s /etc/ssl/certs/rootca.pem /etc/ssl/certs/`openssl x509 -hash -noout -in /etc/ssl/certs/rootca.pem`.0

  12. Change the certs by running the command:

    /usr/sbin/vpxd_servicecfg certificate change chain.pem rui.key

    Wait until you receive this response:

    VC_CFG_RESULT = 0

    The process of replacing vCenter Server and vCenter SSO certificates is complete. This process replaces these files:

    /etc/vmware-vpx/ssl/rui.crt
    /etc/vmware-vpx/ssl/rui.key
    /etc/vmware-vpx/ssl/rui.pfx
    /etc/vmware-vpx/ssl/sms.truststore
    /etc/vmware-sso/keys/sso.crt
    /etc/vmware-sso/keys/sso.key
    /opt/vmware/etc/lighttpd/server.pem

  13. Copy the rui.ca-cert.pem file to the /etc/vmware-vpx/ssl directory by running the command:

    cp rui-ca-cert.pem /etc/vmware-vpx/ssl

  14. Change the permissions on the file by running the command:

    chmod 400 /etc/vmware-vpx/ssl/rui-ca-cert.pem

  15. Restart the vCenter Server Appliance.
  16. Unregister the Inventory Service from SSO by running the commands:

    cd /etc/vmware-sso/register-hooks.d
    ./02-inventoryservice --mode uninstall --ls-server https:// server.domain.com:7444/lookupservice/sdk

  17. Copy rui_inventoryservice.crt, rui_inventoryservice.key, and a copy of the cachain.pem file as created in step 4 of this section to the /ssl/inventoryservice directory on the vCenter Server Appliance.
  18. Rename rui_inventoryservice.crt to rui.crt by running the command:

    mv rui_inventoryservice.crt rui.crt

  19. Rename rui_inventoryservice.key to rui.key by running the command:

    mv rui_inventoryservice.key rui.key

  20. Create the rui-ca-cert.pem file by running the command:

    cp cachain.pem rui-ca-cert.pem

  21. Create the .pfx file by running the command:

    openssl pkcs12 –export –out rui.pfx –in rui.crt -inkey rui.key –name rui –passout pass:testpassword

  22. Copy rui.key, rui.crt, rui.pfx, and rui-ca-cert.pem to the /usr/lib/vmware-vpx/inventoryservice/ssl directory with the cp command.
  23. Change the permissions on these files by running these commands:

    chmod 400 rui-ca-cert.pem rui.key rui.pfx
    chmod 644 rui.crt

  24. Run these commands to register the Inventory Service back to SSO:

    cd /etc/vmware-sso/register-hooks.d
    ./02-inventoryservice --mode install --ls-server https:// server.domain.com:7444/lookupservice/sdk --user root --password password_of_root user

  25. To re-register the Inventory Service to vCenter Server the next time the service starts, run the command:

    rm /var/vmware/vpxd/inventoryservice_registered

  26. Run these commands to restart and register the service:

    service vmware-inventoryservice stop
    service vmware-vpxd stop
    service vmware-inventoryservice start
    service vmware-vpxd start

    When complete, these files have been replaced:

    /usr/lib/vmware-vpx/inventoryservice/ssl/rui-ca-cert.pem
    /usr/lib/vmware-vpx/inventoryservice/ssl/rui.crt
    /usr/lib/vmware-vpx/inventoryservice/ssl/rui.key
    /usr/lib/vmware-vpx/inventoryservice/ssl/rui.pfx

  27. Unregister the vSphere Web Client from SSO by running the commands:

    cd /etc/vmware-sso/register-hooks.d
    ./10-vmware-vsphere-client --mode uninstall --ls-server https:// server.domain.com:7444/lookupservice/sdk

  28. Copy rui_webclient.crt, rui_webclient.key, and a copy of the cachain.pem file as created in step 4 of this section to the /ssl/vsphere-client directory on the vCenter Server Appliance.
  29. Rename rui_webclient.crt to vsphere-client.crt by running the command:

    mv rui_webclient.crt vsphere-client.crt

  30. Rename rui_webclient.key to vsphere-client.key by running the command:

    mv rui_webclient.key vsphere-client.key

  31. Create the vsphere-client-ca-cert.pem file by running the command:

    cp cachain.pem vsphere-client-ca-cert.pem

  32. Create the .pfx file by running the command:

    openssl pkcs12 –export –out vsphere-client.pfx –in vsphere-client.crt -inkey vsphere-client.key –name rui –passout pass:testpassword

  33. Copy vsphere-client.key, vsphere-client.crt, vsphere-client.pfx, and vsphere-client-ca-cert.pem to the /usr/lib/vmware-vsphere-client/server/SerenityDB/keys directory with the cp command.
  34. Change the permissions on the files by running these commands:

    chmod 400 vsphere-client-ca-cert.pem vsphere-client.key vsphere-client.pfx
    chmod 644 vsphere-client.crt

  35. Run these commands to re-register the web client to SSO:

    cd /etc/vmware-sso/register-hooks.d
    ./10-vmware-vsphere-client --mode install --ls-server https:// server.domain.com:7444/lookupservice/sdk --user root --password password_of_root user

  36. Run these commands to restart the service and ensure that it is registered:

    service vsphere-client stop
    service vsphere-client start

    When complete, these files have been replaced:

    /usr/lib/vmware-vsphere-client/server/SerenityDB/keys/vsphere-client-ca-cert.pem
    /usr/lib/vmware-vsphere-client/server/SerenityDB/keys/vsphere-client.crt
    /usr/lib/vmware-vsphere-client/server/SerenityDB/keys/vsphere-client.key
    /usr/lib/vmware-vsphere-client/server/SerenityDB/keys/vsphere-client.pfx

  37. For OpenLDAP, start by copying rui_slapd.crt, rui_slapd.key, and a copy of the cachain.pem file as created in step 4 of this section to the /ssl/slapd directory on the vCenter Server Appliance.
  38. Rename rui_slapd.crt to slapd.crt by running the command:

    mv rui_slapd.crt slapd.crt

  39. Rename rui_slapd.key to slapd.key by running the command:

    mv rui_slapd.key slapd.key

  40. Create the slapd-ca-cert.pem file by running the command:

    cp cachain.pem slapd-ca-cert.pem

  41. Create the .pfx file by running the command:

    openssl pkcs12 –export –out slapd.pfx –in slapd.crt -inkey slapd.key –name rui –passout pass:testpassword

  42. Copy slapd.key, slapd.crt, slapd.pfx, and slapd-ca-cert.pem to the /etc/openldap/ssl directory with the cp command.
  43. Change the permissions on the files by running these commands:

    chmod 400 slapd-ca-cert.pem slapd.key slapd.pfx
    chmod 644 slapd.crt
    chown ldap:root slapd.*

  44. Run these commands to restart the service and ensure that it is registered:
    service vmware-vpxd stop
    service vmware-vpxd start

    When complete, these files have been replaced:

    /etc/openldap/ssl/slapd-ca-cert.pem
    /etc/openldap/ssl/slapd.crt
    /etc/openldap/ssl/slapd.key
    /etc/openldap/ssl/slapd.pfx

  45. For VAMI, start by copying the rui_vami.crt, rui_vami.key, and a copy of the cachain.pem file as created in step 4 of this section to the /ssl/vami direcory on the vCenter Server Appliance.
  46. Rename rui_vami.crt to vami.crt by running the command:

    mv rui_vami.crt vami.crt

  47. Rename rui_vami.key to vami.key by running the command:

    mv rui_vami.key vami.key

  48. Create the vami-ca-cert.pem file by running the command:

    cp cachain.pem vami-ca-cert.pem

  49. Create the .pfx file by running the command:

    openssl pkcs12 –export –out vami.pfx –in vami.crt -inkey vami.key –name rui –passout pass:testpassword

  50. Unregister the service from vSphere SSO by running the commands:

    cd /etc/vmware-sso/register-hooks.d
    ./10-vami --mode uninstall --ls-server https:// server.domain.com:7444/lookupservice/sdk

  51. Copy vami.key, vami.crt, vami.pfx, and vami-ca-cert.pem to the /etc/vmware-sso/keys directory with the cp command.
  52. Change the permissions on the files by running these commands:

    chmod 400 vami-ca-cert.pem vami.key vami.pfx
    chmod 644 vami.crt

  53. Run these commands to re-register the vami service to SSO:

    cd /etc/vmware-sso/register-hooks.d
    ./10-vami --mode install --ls-server https:// server.domain.com:7444/lookupservice/sdk --user root --password password_of_root user

  54. Restart the vCenter Server appliance.

    When complete, these files have been replaced:

    /etc/vmware-sso/keys/vami-ca-cert.pem
    /etc/vmware-sso/keys/vami.crt
    /etc/vmware-sso/keys/vami.key
    /etc/vmware-sso/keys/vami.pfx

  55. Unregister the service from SSO by running the commands:

    cd /etc/vmware-sso/register-hooks.d
    ./09-vmware-logbrowser --mode uninstall --ls-server https:// server.domain.com:7444/lookupservice/sdk

  56. Copy the rui_logbrowser.crt, rui_logbrowser.key, and a copy of the cachain.pem file as created in step 4 of this section to the /ssl/logbrowser directory on the vCenter Server Appliance.
  57. Rename rui_logbrowser.crt to rui.crt by running:

    mv rui_logbrowser.crt rui.crt

  58. Rename rui_logbrowser.key to rui.key by running the command:

    mv rui_logbrowser.key rui.key

  59. Create the rui-ca-cert.pem file by running the command:

    cp cachain.pem rui-ca-cert.pem

  60. Create the .pfx file by running the command:

    openssl pkcs12 –export –out rui.pfx –in rui.crt -inkey rui.key –name rui –passout pass:testpassword

  61. Copy rui.key, rui.crt, rui.pfx, and rui-ca-cert.pem to the /usr/lib/vmware-logbrowser/conf directory with the cp command.
  62. Change the permissions on the files by running these commands:

    chmod 400 rui-ca-cert.pem rui.key rui.pfx
    chmod 644 rui.crt

  63. Run these commands to re-register the log browser service to SSO:

    cd /etc/vmware-sso/register-hooks.d
    ./09-vmware-logbrowser --mode install --ls-server https:// server.domain.com:7444/lookupservice/sdk --user root --password password_of_root user

  64. From the /ssl/vpxd folder (or the location where you stored the VPXD/SSO certificates), run this command to create a .pfx that includes the SSO certificate (rui.crt), SSO key (rui.key), and the CA certificate (cachain.pem):

    openssl pkcs12 -export -in rui.crt -inkey rui.key -certfile cachain.pem -name "rui" -passout pass:testpassword -out ruiSTS.pfx

  65. Convert this to a JAVA keystore by running the command:

    keytool -v -importkeystore -srckeystore ruiSTS.pfx -srcstoretype pkcs12 -srcstorepass testpassword -srcalias rui -destkeystore rui.jks -deststoretype JKS -deststorepass changeit -destkeypass changeit

    Note: Do not change the destination store password from changeit.

  66. Copy the file to the machine that will be used to log into the vSphere Web Client.
  67. Log into the vSphere WebClient as admin@system-domain.
  68. Navigate to Administration > Sign-On and Discovery > Configuration, then click the STS Certificate tab.
  69. Click Edit > Browse.
  70. Navigate to rui.jks.
  71. When prompted, enter changeit as the password and click OK. The rui key chain is shown in the interface.
  72. Click rui.
  73. Click OK.
  74. When prompted for the password, enter changeit. You see another chain added, and the certificate is available in the GUI.
  75. When complete, restart the Log Browser, Inventory, and vpxd services by running the commands:

    service vmware-inventoryservice stop
    service vmware-inventoryservice start
    service vmware-logbrowser stop
    service vmware-logbrowser start
    service vmware-vpxd stop
    service vmware-vpxd start

    When complete, these files have been replaced:

    /usr/lib/vmware-logbrowser/conf/rui-ca-cert.pem
    /usr/lib/vmware-logbrowser/conf/rui.crt
    /usr/lib/vmware-logbrowser/conf/rui.key
    /usr/lib/vmware-logbrowser/conf/rui.pfx

  76. For Auto Deploy, start by copying the rui_autodeploy.crt and rui_autodeploy.key to the /ssl/autodeploy directory on the vCenter Server Appliance.
  77. Rename rui_autodeploy.crt to waiter.crt by running the command:

    mv rui_autodeploy.crt waiter.crt

  78. Rename rui_autodeploy.key to waiter.key by running the command:

    mv rui_autodeploy.key waiter.key

  79. Copy the waiter.key and the waiter.crt files to /etc/vmware-rbd/ssl.
  80. Change the permissions and ownership on the waiter files by running the commands:

    chmod 644 waiter.crt
    chmod 400 waiter.key
    chown deploy:deploy waiter.crt waiter.key

  81. Re-register the service to the vCenter Server with the commands:

    /etc/init.d/vmware-rbd-watchdog stop
    rm /var/vmware/vpxd/autodeploy_registered
    service vmware-vpxd restart

    When complete, these files have been replaced:

    /etc/vmware-rbd/ssl/rui.crt
    /etc/vmware-rbd/ssl/rui.key

Additional Information

If you need to roll back or generate the default certificates:
  1. Go to http://vcenter_ip_address or fqdn:5480.
  2. Click the Admin tab.
  3. Click Toggle certificate setting under Actions.
  4. Restart the vCenter Server Appliance. During the restart, the certificates are regenerated.
  5. Click the Admin tab and disable the Toggle certificate setting.

See Also

Request a Product Feature

To request a new product feature or to provide feedback on a VMware product, please visit the Request a Product Feature page.

Feedback

  • 17 Ratings

Did this article help you?
This article resolved my issue.
This article did not resolve my issue.
This article helped but additional information was required to resolve my issue.
What can we do to improve this information? (4000 or fewer characters)
  • 17 Ratings
Actions
KB: