Setup SSL Certificate For vSphere Lab-Part-5-Creating and Replacing vRealize SSL Certificates

In the last post of this series we learnt how to replace the SSL certificates of the different vSphere components (SSO, Inventory Service, vCenter Server and Web Client). In this post I am going one step further and will demonstrate how to replace the vRealize SSL certificates, starting with the vRealize Identity Appliance.

If you have missed earlier posts of this series I would recommend reading them first from below links:

1: Installing and Configuring CA Server

2: Creating Certificate Templates

3: Creating SSL Web Certificates Template for VMware

Prerequisites

The following prerequisites must be met before jumping into action:

1: Microsoft Enterprise CA server deployed, with IIS installed so that the certificate web enrollment pages (CertSrv) are available.
2: Web certificate template created for the vSphere components.
3: Win32 OpenSSL downloaded and installed.

I have downloaded and installed Win32 OpenSSL on the same server where my vCenter Server is installed, and I have added the path to its bin directory to the PATH environment variable so that I can run the openssl command from any directory.

I have also created a directory called Certs on my C: drive, with a sub-directory per vRealize component, for example vra-id-certs for the vRealize Identity Appliance. All key, CSR, certificate and chain files for a given service are stored in its own directory, so there is never any confusion about which private key belongs to which service.

Enough talk; let's jump into action.

Creating certificates for vRealize Identity Appliance

1: Navigate to the directory C:\Certs\vra-id-certs and create a file called identity.cfg with the following contents:

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:dc01, DNS:dc01.alex.local, IP:192.168.0.100

[ req_distinguished_name ]
countryName = IN
stateOrProvinceName = Karnataka
localityName = Bangalore
0.organizationName = Alex-Cloud
organizationalUnitName = vRA-ID
commonName = vra1.alex.local

Save the file as identity.cfg; in the Save As dialog set the file type to All Files, otherwise the editor will save it as identity.cfg.txt.

Note: Change the details to match your environment. The usual things to change are the DNS names and the IP address under [ v3_req ], and the commonName under [ req_distinguished_name ]. Browsers match the name you type in the address bar against the subjectAltName, not the commonName, so every name you will use to reach the appliance must appear as a DNS: entry in the SAN. In the example above the SAN lists dc01 and dc01.alex.local while the commonName is vra1.alex.local; for the Identity Appliance the SAN should carry vra1 and vra1.alex.local (and its IP) instead.

2: Create the Certificate Signing Request (CSR) by running the following command, specifying the newly created configuration file:

# openssl req -new -nodes -out rui.csr -keyout rui.key -config identity.cfg

This generates rui.csr (the request) and rui.key (the private key) in the current directory.

3: Write out the private key as rui-out.key by running the following command. Because the CSR was generated with -nodes the key is not actually encrypted, so there is no password prompt here; this step simply rewrites the key as a plain PEM file, which is the file we will paste into the appliance later.

# openssl rsa -in rui.key -out rui-out.key

The vra-id-certs directory now contains:

  • identity.cfg
  • rui.key
  • rui.csr
  • rui-out.key

4: Log in to the Microsoft CA web enrollment interface. By default it is at

https://servername/CertSrv/Default.asp

5: Click Request a certificate and then click Submit an advanced certificate request.

6: Copy the contents of the rui.csr file and paste it into the Saved Request box.

Note: Do not copy the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines themselves. Copy only the Base64 text between them.

Select Lab-SSL as the Certificate Template (we created this template in an earlier post of the series).

Provide any additional attributes if you have any and click Submit.

7: Click Base 64 encoded on the Certificate issued screen and click on Download certificate.

The downloaded file is named certnew.cer. Rename it to rui.cer and move it to the vra-id-certs directory.

8: Next, download the CA certificate chain from your CA server. Navigate back to the home page of the certificate server and click Download a CA certificate, certificate chain, or CRL.

Select Base 64 as the encoding method and then click Download CA certificate chain.

The file is downloaded as certnew.p7b.

9: Double-click certnew.p7b to open it in the Windows certificate viewer, select the CA certificate inside it, and choose All Tasks > Export.

10: In the export wizard choose the Base-64 encoded X.509 (.CER) format and save the file as Root64.cer in the vra-id-certs directory. This is the CA certificate that will be bundled with the server certificate in the next step.

11: Create a PFX (PKCS#12) file containing the private key, the server certificate and the CA certificate by running the following command:

# openssl pkcs12 -export -in rui.cer -inkey rui-out.key -certfile Root64.cer -name "vra1.alex.local" -passout pass:SomePassword -out rui.pfx

Change the -name value and the password to suit your environment. Note that a password passed with -passout ends up in the command history of the shell, so use a throwaway password here, or omit -passout and let openssl prompt for it.

12: Now create the PEM bundle by parsing the PFX file back out with the following command:

# openssl pkcs12 -in rui.pfx -inkey rui-out.key -out rui.pem -nodes

Openssl asks for the Import Password, which is the password you set with -passout in step 11 (SomePassword above). The -inkey option only has meaning when exporting and is ignored here; -nodes writes the private key into rui.pem unencrypted, alongside the server certificate and the CA certificate.

Note: Remember the Import Password. We need it again in step 14.

Now we have the following files in our vra-id-cert directory

identity.cfg
rui.key
rui.csr
rui-out.key
rui.cer
Root64.cer
rui.pfx
rui.pem

13: To install the certificate in our Identity Appliance we need two files:

  • rui-out.key – the private key
  • rui.pem – the certificate chain (the server certificate followed by the CA certificate). Because of -nodes this file also contains a copy of the private key, so treat it as sensitive; only the -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- blocks are needed for the chain.
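The whole OpenSSL side of steps 1 to 13, as an added example that is not part of the original post, together with the checks worth running before anything is pasted into the appliance: that the CSR really carries the SAN you will browse to, that rui.cer chains to Root64.cer, that rui-out.key is the private half of the key the CA certified, and that only the certificate blocks of rui.pem go into the chain box. The Microsoft CA web enrollment of steps 4 to 10 is replaced by a constructed, throwaway lab root CA (lab_ca_sign) purely so that the script runs offline; in the real procedure rui.cer and Root64.cer come from the CA web interface. The working directory /tmp/vra-id-certs stands in for C:\Certs\vra-id-certs, and the hostname, IP and password are the ones used on this page.

```shell
#!/bin/sh
# Added example (not from the original post): the OpenSSL half of the procedure
# above, end to end, plus the checks worth running before the VAMI import.
# Steps 4-10 (Microsoft CA web enrollment) are replaced by a constructed lab CA
# so the script runs offline; really, rui.cer and Root64.cer come from the CA.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }
WORK="${WORK:-/tmp/vra-id-certs}"   # stands in for C:\Certs\vra-id-certs

# Step 1: identity.cfg. The SAN is built from the same FQDN as the CN, so the
# name the browser checks (the SAN) can never disagree with the commonName.
write_cfg() {   # args: fqdn short-hostname ip ou
  cat > "$WORK/identity.cfg" <<EOF
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:$2, DNS:$1, IP:$3
[ req_distinguished_name ]
countryName = IN
stateOrProvinceName = Karnataka
localityName = Bangalore
0.organizationName = Alex-Cloud
organizationalUnitName = $4
commonName = $1
EOF
}

# Steps 2-3: key + CSR, then the (already unencrypted) key rewritten as rui-out.key.
make_csr() {
  (cd "$WORK" &&
   openssl req -new -nodes -out rui.csr -keyout rui.key -config identity.cfg 2>/dev/null &&
   openssl rsa -in rui.key -out rui-out.key 2>/dev/null)
}

# Check before submitting the CSR: is the name we will browse to really in the SAN?
csr_has_san() {   # arg: dns name
  openssl req -in "$WORK/rui.csr" -config "$WORK/identity.cfg" -noout -text | grep -qF "DNS:$1"
}

# Stand-in for steps 4-10: a constructed lab root CA signs the CSR with the same
# v3_req extensions. Root64.cer plays the part of the downloaded CA certificate.
lab_ca_sign() {
  (cd "$WORK" &&
   printf '%s\n' '[ req ]' 'distinguished_name = dn' 'prompt = no' \
     'x509_extensions = ca_ext' '[ dn ]' 'commonName = Lab-Root-CA' '[ ca_ext ]' \
     'basicConstraints = critical, CA:TRUE' 'keyUsage = critical, keyCertSign, cRLSign' \
     'subjectKeyIdentifier = hash' > lab-ca.cfg &&
   openssl req -x509 -new -nodes -newkey rsa:2048 -days 30 -config lab-ca.cfg \
     -keyout lab-ca.key -out Root64.cer 2>/dev/null &&
   openssl x509 -req -in rui.csr -CA Root64.cer -CAkey lab-ca.key -CAcreateserial \
     -days 30 -extfile identity.cfg -extensions v3_req -out rui.cer 2>/dev/null)
}

# Steps 11-12: PFX, then the PEM bundle. -passin replaces the interactive
# "Enter Import Password" prompt; -nodes leaves the key in rui.pem unencrypted.
make_pfx_and_pem() {   # args: password friendly-name
  (cd "$WORK" &&
   openssl pkcs12 -export -in rui.cer -inkey rui-out.key -certfile Root64.cer \
     -name "$2" -passout "pass:$1" -out rui.pfx &&
   openssl pkcs12 -in rui.pfx -passin "pass:$1" -out rui.pem -nodes 2>/dev/null)
}

# Checks before step 14: rui.cer chains to Root64.cer, and rui-out.key is the
# private half of the public key the CA actually certified.
cert_chains_to_ca() { openssl verify -CAfile "$WORK/Root64.cer" "$WORK/rui.cer" >/dev/null 2>&1; }
key_matches_cert() {
  c=$(openssl x509 -in "$WORK/rui.cer" -noout -pubkey | openssl sha256)
  k=$(openssl rsa -in "$WORK/rui-out.key" -pubout 2>/dev/null | openssl sha256)
  [ "$c" = "$k" ]
}

# Step 14 helper: rui.pem also holds the private key, so keep only the CERTIFICATE
# blocks for the "Certificate Chain" box. Prints how many blocks it found.
chain_for_vami() {
  awk '/-----BEGIN CERTIFICATE-----/{p=1} p{print} /-----END CERTIFICATE-----/{p=0}' \
    "$WORK/rui.pem" > "$WORK/chain.pem"
  grep -c 'BEGIN CERTIFICATE' "$WORK/chain.pem"
}

# After the import: what the appliance actually presents on the SSO port (7444).
show_live_cert() {   # arg: identity appliance fqdn (needs network; not run here)
  openssl s_client -connect "$1:7444" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -subject -issuer -dates
}

run_all() {
  rm -rf "$WORK" && mkdir -p "$WORK"
  write_cfg vra1.alex.local vra1 192.168.0.100 vRA-ID
  make_csr
  lab_ca_sign
  make_pfx_and_pem SomePassword vra1.alex.local
  chain_for_vami
}
run_all
```

The script leaves chain.pem (certificate blocks only) next to rui-out.key; those two are what go into the two VAMI boxes in step 14. Once the import is done, show_live_cert vra1.alex.local prints the subject, issuer and validity of the certificate the appliance is really serving on port 7444, which is the same check step 15 below does in the browser.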

Before replacing the SSL certificate of the Identity Appliance, let's look at what the browser says about the self-signed certificate when we access the appliance: it warns that the identity of the website cannot be verified.

The same warning appears when we access the vRA console.

Lets replace the SSL files now for identity appliance first.

14: Access the VAMI console of the Identity Appliance by browsing to https://identity-fqdn:5480

Open rui-out.key and rui.pem in Notepad.

On your Identity Appliance navigate to SSO > SSL and select Import PEM encoded Certificate

In the top section – RSA Private Key, paste the content of rui-out.key

In the bottom section – Certificate Chain, paste the content of rui.pem

Enter the Import Password from step 12 as the Pass Phrase and click Apply Settings.

After the certificate has been updated you will see a confirmation message in green saying that the SSL certificate was replaced successfully.

15: To test the certificate, browse to the Identity Appliance on the SSO port (https://identity-fqdn:7444) and inspect the certificate details. It now shows that the certificate was issued by your Certificate Authority, and the browser warning is gone.

The certificates for the other components, the vRealize Automation appliance and the IaaS server, are replaced in the same way: generate a CSR with a SAN that lists that component's names, have the CA sign it, build the PEM bundle and import it through that component's interface. I am not covering those steps separately because they are more or less the same.

I hope you enjoyed reading this post. Feel free to share this on social media if it is worth sharing. Be sociable 🙂
