Creating CA-signed certificates for vSphere is a complex task, so VMware has created a tool to help automate the process. Before you can run the tool, however, you must have correctly created certificates. This article provides the steps to create the appropriate certificates. The steps are generating the certificate requests, obtaining the certificates from the certificate authority, and creating the PEM files.
Remember that each component of the vCenter Server configuration requires its own certificate. Before attempting these steps, ensure that:
- You have a vSphere 5.1 or vSphere 5.5 environment.
- The environment has been pre-installed for all components for which you will be installing certificates.
Generating Certificate Requests
There are seven separate components in vCenter Server 5.1 and 5.5 that use certificates to encrypt communication. This article applies whether the components are on the same server or on different servers, as long as you have a separate certificate for each component.
As of the SSL Certificate Automation tool version 1.0.1, the certificate requests can be created directly from the tool, automating many manual steps. For more details on manually creating the requests rather than generating them from the tool, see the Additional Information section of this article.
When creating the requests, the SSL Certificate Automation Tool ensures by default that the requests have the proper uniqueness. The requirements for the certificate requests are that they:
- Have the subject alternative name field included in them.
- Have a unique Subject Distinguished Name (DN) for the certificate. The SSL Certificate Automation tool uses OrganizationalUnitNames for the components to achieve this uniqueness.
- Include the digitalSignature, keyEncipherment, and dataEncipherment components for Key Usage.
To generate the certificate requests:
- From a command line, navigate to the location where you unzipped the tool.
- Run this command:
ssl-updater.bat
- From the SSL Certificate Automation tool, select Option 2 to Generate Certificate Requests.
Note: VMware recommends that the certificate request (and consequently the private key) be generated on the system that is being used for the service.
- Select the option for the service you are generating the certificate request for.
- Enter the information requested for the certificate request. By default, the SSL Certificate Automation tool automatically populates much of the information required. The following is a description of the information requested:
- DNS Name - the fully qualified domain name of the server. For example: server.domain.com
- IP address - the IP address of the server. For example: 10.0.0.10
- Short name - the short hostname of the server. For example: server
- Country - the two-letter country code. For example: US
- State or Province - the state or province for the certificate. For example: California
- City or Locality - the city for the certificate. For example: Palo Alto
- Organization - the name of the organization for the certificate. For example: VMware
- Organizational Unit name - The organizational unit name for the certificate. By default VMware specifies a default value of and uses it to ensure that the DN of the certificate is unique. Do not change this unless there is another field which makes the DN of the certificate unique.
Note: Unique DNs are a hard requirement for vSphere 5.1. vCenter Single Sign-On uses the certificates to ensure that communication details are secure.
- Enter the directory where the CSR will be saved. By default, the CSRs and KEYs are saved in the SSL-TOOL-DIRECTORY\Requests directory.
Important: Ensure that the directory in which the SSL Certificate Automation Tool is extracted and the specified CSR directory above do not have spaces in the names or CSR Generation will fail.
- Repeat steps 2 and 3 for each service which you are generating a certificate for.
This is a sample configuration for vCenter Single Sign-On:
After completing this section, you now have the rui.csr and rui.key files located in each of the respective directories as specified for the different services.
Important: When generating a certificate request, the private key (rui.key) is also generated. The private key is the sensitive data for the certificate, and as such VMware recommends that you generate each certificate request, and consequently the private key, on the system on which it is to be used.
To validate that the CSR is created properly, run the command:
C:\OpenSSL-Win32\bin>openssl req -in \rui.csr -noout -text
Note: The above uses the default path to the OpenSSL tool. If OpenSSL is installed in another path, substitute that path.
Alternatively, in a Windows Server on which vCenter Server is installed, run this command from the command prompt:
C:\Program Files\VMware\Infrastructure\Inventory Service\bin\openssl.exe req -in rui.csr -noout -text
After running the command, verify the output to ensure that all of the parameters entered in the tool are properly set.
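As an added example (not code from the VMware article or the tool), this Python check parses the text that openssl req -noout -text prints for rui.csr and compares it with the values entered in the tool and with the request requirements listed earlier (subject alternative name present, OU in the DN, the three Key Usage bits). The sample output and the OU value are constructed placeholders.

```python
import re

# Constructed sample of what "openssl req -in rui.csr -noout -text" prints; OU is a placeholder.
SAMPLE_CSR_TEXT = """\
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=California, L=Palo Alto, O=VMware, OU=ou-placeholder, CN=server.domain.com
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:server.domain.com, IP Address:10.0.0.10, DNS:server
            X509v3 Key Usage:
                Digital Signature, Key Encipherment, Data Encipherment
"""

REQUIRED_KEY_USAGE = {"Digital Signature", "Key Encipherment", "Data Encipherment"}

def _extension_values(text, name):
    # Values are printed on the line after the "X509v3 <name>:" header, comma separated.
    m = re.search(r"X509v3 " + re.escape(name) + r":[^\n]*\n[ \t]*([^\n]+)", text)
    return [v.strip() for v in m.group(1).split(",")] if m else []

def check_csr_text(text, dns_name, ip_address, short_name):
    """Compare the decoded request with the values entered in the tool and with the
    request requirements: SAN present, OU in the DN, the three Key Usage bits."""
    m = re.search(r"Subject:[ \t]*([^\n]+)", text)
    subject = m.group(1) if m else ""
    san = _extension_values(text, "Subject Alternative Name")
    key_usage = set(_extension_values(text, "Key Usage"))
    return {
        "san_present": bool(san),
        "san_has_dns_name": f"DNS:{dns_name}" in san,
        # openssl prints an IP: SAN entry as "IP Address:<ip>" in -text output
        "san_has_ip": f"IP Address:{ip_address}" in san,
        "san_has_short_name": f"DNS:{short_name}" in san,
        # Accept both "OU=x" and "OU = x"; OpenSSL versions differ in subject formatting.
        "dn_has_ou": re.search(r"\bOU[ ]*=[ ]*\S", subject) is not None,
        "missing_key_usage": sorted(REQUIRED_KEY_USAGE - key_usage),
    }

def csr_is_acceptable(result):
    """True only when every check passed and no required Key Usage bit is missing."""
    return not result["missing_key_usage"] and all(
        v for k, v in result.items() if k != "missing_key_usage")

if __name__ == "__main__":
    report = check_csr_text(SAMPLE_CSR_TEXT, "server.domain.com", "10.0.0.10", "server")
    print(report, "OK" if csr_is_acceptable(report) else "fix the request")
```

Paste the real openssl output in place of the sample and pass the DNS name, IP address and short name you entered in the tool; any False entry or a non-empty missing_key_usage list means the request must be regenerated.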
Note: The SSL Certificate Automation tool uses RFC standard formatting for the CSR. As a result, the Subject Alternative Name uses the IP: syntax for the IP address. This prevents issues with certificate verification during operation of the product, but it does not suppress the certificate warning when navigating to the IP address of the service from the vSphere Client or the Internet Explorer browser. This is an issue with how certificates are recognized in the Microsoft Certificate Store. Ignore the error, or navigate to the fully qualified domain name to avoid it.
Proceed to the Obtaining the certificate section to obtain the certificate.
Obtaining the Certificate
After the certificate request is created, it must be given to the certificate authority, which generates the actual certificate. The authority returns the signed certificate and a copy of its root certificate. For the certificate chain to be trusted, the root certificate must be installed on the server. Follow the appropriate section below for the certificate authority in question.
For Commercial CAs, to create each certificate request:
Note: Wild card certificates are not supported.
- Take the certificate request (rui.csr, as generated above) and send it to the authority in question.
- The authority sends back the generated certificate.
For Microsoft CAs, to create each certificate request:
Note:
- Based on the requirements of the key, ensure that the Web Server template has been copied to allow for encryption of user data. This can normally be found in Certificate Manager > Extensions > Key Usage > Allow encryption of user data.
- By default, the Microsoft Web Server template does not have Client Authentication enabled. The certificate template being used must have both Client Authentication and Server Authentication enabled.
- Log in to the Microsoft CA certificate authority Web interface. By default, it is http://servername/CertSrv/.
- Click the Request a certificate link.
- Click advanced certificate request.
- Click the Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file link.
- Open the certificate request in a plain text editor and paste the text between the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines into the Saved Request box.
Note: Do not copy the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines themselves; copy only the text between them. You may see = (equal) signs near the Begin and End lines (for example, ==-----END). In this case, you must copy the = (equal) signs.
- Select the Certificate Template as the appropriate Web Server template. This is generally a copy of the Web Server Template with Allow encryption of user data setting set.
- Click Submit to submit the request.
- Click Base 64 encoded on the Certificate issued screen.
- Click the Download Certificate link.
- Save the certificate as rui.crt in the appropriate c:\certs\ folder.
- Repeat steps 2 to 10 for each additional service.
- Navigate back to the home page of the certificate server and click Download a CA certificate, certificate chain or CRL.
- Click the Base 64 option.
- Click the Download CA Certificate chain link.
- Save the certificate chain as cachain.p7b in the c:\certs folder.
- Double-click the cachain.p7b file and navigate to C:\certs\cachain.p7b > Certificates.
- Right-click the certificate listed and click All Tasks > Export.
- Click Next.
- Select Base-64 encoded X.509 (.CER), then click Next.
- Save the export to
C:\certs\Root64.cer
and click Next.
Note: This assumes there are no intermediate certificates in the certificate authority. If there are two or more levels of certificate authorities and the .p7b file contains multiple certificates, you cannot export them to Base-64 encoded X.509 (.CER) all at once; export them one by one instead, for example as C:\certs\Root64-1.cer, C:\certs\Root64-2.cer, and so on.
- Click Finish.
To verify that all of the settings are correct, double-click the rui.crt file and validate that the proper alternative names and subjects are in each certificate. When complete, the certificates are generated and you now have the rui.crt file for each service and the Root64.cer root certificate.
Note: If you have intermediate certificates, you should have a root64-#.cer file for each intermediate certificate all the way to the root certificate.
Install the root certificate into the Trusted Root Certificate Authorities > Local Computer certificate store on each Windows system which has a service installed or which will be used to connect a client to the services. If you are using intermediate certificates you should install them into the Intermediate Certificate Authorities > Local Computer certificate store.
Note: There should be no text before the -----BEGIN CERTIFICATE----- line or after the -----END CERTIFICATE----- line in the .crt or .cer files.
After completing this section, proceed to the Creating the PEM files section.
Creating the PEM files
Once the certificates and keys are created, you must create a PEM certificate chain for each certificate. The chain must contain all certificates in the chain, in the order in which they lead to the root certification authority.
Note: If they are out of order, the validation of the certificate chain will fail.
To create the chain:
- Create a file called chain.pem, located in the folder for the service that you are creating the chain for.
- Open the rui.crt file in Notepad and copy the contents of the file into the chain.pem file for that service.
- Open the Root64.cer file in Notepad and paste the contents of the file into the chain.pem file right after the certificate section. Be sure that there is no whitespace in the file between certificates.
Note: Complete this action for each intermediate certificate authority as well.
- Once complete, the file looks similar to this example:
Note: The certificates shown in this example are truncated for ease of reading, with the text added to the right indicating the order in which the certificates should be pasted into the file. Do not copy this example or add the text to your .pem file. Ensure there are no spaces before or after any of the -----BEGIN CERTIFICATE----- or -----END CERTIFICATE----- lines.
-----BEGIN CERTIFICATE-----
MIIFxTCCBK2gAwIBAgIKYaLJSgAAAAAAITANBgkqhkiG9w0BAQUFADBGMRMwEQYK
CZImiZPyLGQBGRYDbmV0MRYwFAYKCZImiZPyLGQBGRYGbW5uZXh0MRcwFQYDVQQD
Ew5tbm5leHQtQUQtMS1DQTAeFw0xMzAyMDExNjAxMDNaFw0xNTAyMDExNjExMDNa
SMhYhbv3wr7XraAnsIaBYCeg+J7fKTFgjA8bTwC+dVTaOSXQuhnZfrOVxlfJ/Ydm
NS7WBBBFd9V4FPyRDPER/QMVl+xyoaMGw0QKnslmq/JvID4FPd0/QD62RAsTntXI
ATa+CS6MjloKFgRaGnKAAFPsrEeGjb2JgMOpIfbdx4KT3WkspsK3KPwFPoYza4ih
4eT2HwhcUs4wo7X/XQd+CZjttoLsSyCk5tCmOGU6xLaE1s08R6sz9mM=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDZzCCAk+gAwIBAgIQNO7aLfykR4pE94tcRe0vyDANBgkqhkiG9w0BAQUFADBG
K73RIKZaDkBOuUlRSIfgfovUFJrdwGtMWo3m4dpN7csQAjK/uixfJDVRG0nXk9pq
GXaS5/YCv5B4q4T+j5pa2f+a61ygjN1YQRoZf2CHLe7Zq89Xv90nhPM4foWdNNkr
/Esf1E6fnrItsXpIchQOmvQViis12YyUvwko2aidjVm9sML0ANiLJZSoQ9Zs/WGC
TLqwbQm6tNyFB8c=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDZzCCAk+gAwIBAgIQNO7aLfykR4pE94tcRe0vyDANBgkqhkiG9w0BAQUFADBG
K73RIKZaDkBOuUlRSIfgfovUFJrdwGtMWo3m4dpN7csQAjK/uixfJDVRG0nXk9pq
GXaS5/YCv5B4q4T+j5pa2f+a61ygjN1YQRoZf2CHLe7Zq89Xv90nhPM4foWdNNkr
/Esf1E6fnrItsXpIchQOmvQViis12YyUvwko2aidjVm9sML0ANiLJZSoQ9Zs/WGC
TLqwbQm6tNyFB8c=
-----END CERTIFICATE-----
- Save and close the file.
- Repeat these steps for each service for which you are replacing the certificate.
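The chain assembly described in the steps above, as an added example (not the article's or VMware's code): a Python helper that takes the contents of rui.crt, any intermediate .cer files and Root64.cer in that order, drops any text outside the BEGIN/END lines and any whitespace between blocks (the problems the notes above warn about), and returns them as one chain.pem. The certificate contents below are constructed stand-ins, not real certificates; the helper checks file shape only and cannot confirm that the issuer order you supply is correct.

```python
import re

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL)

def extract_certificates(text):
    """Return every certificate in a .crt/.cer file as a clean PEM block: stray text
    before BEGIN or after END and any whitespace inside the block are dropped, and the
    base64 is re-wrapped at 64 columns."""
    certs = []
    for body in PEM_BLOCK.findall(text):
        b64 = re.sub(r"\s+", "", body)
        if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", b64):
            raise ValueError("certificate block is not base64")
        wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        certs.append(f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----\n")
    return certs

def build_chain(rui_crt, ca_cers):
    """Build chain.pem: rui.crt first, then the CA certificates in the order given
    (issuing intermediate first, Root64.cer last), with nothing between the blocks."""
    chain = []
    for name, content in [("rui.crt", rui_crt)] + [(f"ca-{i}", c) for i, c in enumerate(ca_cers, 1)]:
        blocks = extract_certificates(content)
        if len(blocks) != 1:  # a multi-certificate file (e.g. an un-split .p7b export) is rejected
            raise ValueError(f"{name}: expected one certificate, found {len(blocks)}")
        chain.append(blocks[0])
    return "".join(chain)

# Constructed stand-ins for the real files: the base64 is fake, and the leaf file carries
# the kind of stray header text and blank line the article's notes warn about.
RUI_CRT = "Exported by: example tool\n-----BEGIN CERTIFICATE-----\nTEVBRi1DRVJU\n\n-----END CERTIFICATE-----\n"
ROOT64_CER = "-----BEGIN CERTIFICATE-----\r\nUk9PVC1DRVJU\r\n-----END CERTIFICATE-----\r\n"

if __name__ == "__main__":
    # Write the result to chain.pem in the service's folder, or print it as here.
    print(build_chain(RUI_CRT, [ROOT64_CER]), end="")
```

With intermediates, pass them between the leaf and the root, e.g. build_chain(rui_crt, [root64_1, root64_2, root64]) in the order that leads to the root.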
After completing this procedure, you now have rui.key and chain.pem files for each service for which you are implementing custom certificates. Copy these files to the appropriate server for use with the SSL Certificate Automation Tool.