Category Archives: SSL Certs

Posts related to use of SSL certificates and how to alter/replace SSL certificates in vSphere environments along with troubleshooting SSL issues.

Refresh/Regenerate/Replace Esxi 6.0 SSL Certificates

By | 05/11/2017

To improve security in your virtualized environment, it is advisable to use CA-signed certificates: a self-signed certificate is not trusted by default by the systems an ESXi host communicates with, and a user who has learned to click through the resulting warning can no longer tell the real host from an impostor presenting its own self-signed certificate. There are various ways to deploy signed certificates on your ESXi hosts, and in this post we will look at the available options.

Configure and manage VMware Endpoint Certificate Store

By | 05/11/2017

VMware Endpoint Certificate Store (VECS) serves as a local repository for certificates, private keys, and other certificate information that can be stored in a keystore. You can decide not to use VMCA as your certificate authority and certificate signer, but you must use VECS to store all vCenter certificates, keys, and so on. ESXi certificates are stored locally on each host and not in VECS.

VECS runs as part of the VMware Authentication Framework Daemon (VMAFD). VECS runs on every embedded deployment, Platform Services Controller node, and management node (vCenter) and holds the keystores that contain the certificates and keys.

VECS polls VMware Directory Service (vmdir) periodically for updates to the TRUSTED_ROOTS store. You can also explicitly manage certificates and keys in VECS using vecs-cli commands.

VECS Default Stores

1: Machine SSL Store (MACHINE_SSL_CERT)

This store is used by the reverse proxy service on every vSphere node. This store is also used by the VMware Directory Service (vmdir) on embedded deployments and on each Platform Services Controller node.

2: Trusted root store (TRUSTED_ROOTS and TRUSTED_ROOT_CRLS)

TRUSTED_ROOTS contains all of your trusted root certificates; TRUSTED_ROOT_CRLS holds the certificate revocation lists that belong to them.

3: Solution User Stores 

There are four solution users in vSphere 6:

  • machine
  • vpxd
  • vpxd-extension
  • vsphere-webclient

VECS includes one store for each solution user. The subject of each solution user certificate must be unique; for example, the machine certificate cannot have the same subject as the vpxd certificate. Solution user certificates are used for authentication with vCenter Single Sign-On. vCenter Single Sign-On checks that the certificate is valid, but does not check other certificate attributes.

  • The machine solution user is used by the logging service, component manager, and license server.
  • The vpxd solution user is for vCenter Server and is used to authenticate to vCenter Single Sign-On.
  • The vpxd-extension solution user is used by Auto Deploy and Inventory Service.
  • The vsphere-webclient solution user is used by the vSphere Web Client.

4: BACKUP_STORE

This store holds a backup of the most recent state of the certificates so that they can be restored. At this point it keeps only one restore point, but it is still useful.

Other Stores

Other stores might be added by solutions. For example, the Virtual Volumes solution adds an SMS store. Do not modify the certificates in those stores unless VMware documentation or a VMware Knowledge Base article instructs you to do so.

Listing VECS Stores

To list the stores on a PSC node from the command line:

psc02:~ # /usr/lib/vmware-vmafd/bin/vecs-cli store list
MACHINE_SSL_CERT
TRUSTED_ROOTS
TRUSTED_ROOT_CRLS
machine
vsphere-webclient
BACKUP_STORE

On a vCenter Server (management) node:

vcentersrv02:~ # /usr/lib/vmware-vmafd/bin/vecs-cli store list
MACHINE_SSL_CERT
TRUSTED_ROOTS
TRUSTED_ROOT_CRLS
machine
vsphere-webclient
vpxd
vpxd-extension
SMS
BACKUP_STORE

Via the GUI

Log in to the PSC UI at https://psc-fqdn/psc, select Certificate Store in the left-hand pane, and open the store drop-down to see the list of stores and the entries in each.

On a Windows-based PSC, vecs-cli is located at C:\Program Files\VMware\vCenter Server\vmafdd\vecs-cli.exe

To see all options available with vecs-cli, run the command with the help switch (I have snipped the output):

psc02:~ # /usr/lib/vmware-vmafd/bin/vecs-cli help
Usage: vecs-cli { arguments }

Arguments:
    store create --name <name> [--server <server-name>] [--upn <user-name>]
    store list [--server <server-name>] [--upn <user-name>]
    store delete --name <name> [ --password <password> ] [--server <server-name>] [--upn <user-name>] [-y]
    store permission --name <name> --user <username> --grant|--revoke read|write
    store get-permissions --name <name> [--server <server-name>] [--upn <user-name>]
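Listing the stores is the starting point; the check a practitioner usually wants from VECS is which entries are about to expire (or already have, which is the usual cause of a "trusted root" store that still carries an old lab CA), and whether the solution-user certificates really do have distinct subjects, as required above. The script below is an added example, not part of the original post or of VMware's tooling. It assumes the `--text` output of `vecs-cli entry list` has the openssl-style layout of the constructed sample embedded in it (an `Alias :` line per entry, then `Not After :` and `Subject:` lines), that GNU `date` is available as it is on the appliance, and that the store names match the listing above. The sample entries and the `old-lab-root` alias are constructed for the example.

```shell
#!/bin/sh
# Added example: audit the VECS stores on a PSC or vCenter Server node.
# - one line per certificate entry: status, store, alias, days to expiry, subject
# - status is EXPIRED, EXPIRING (within WARN_DAYS) or ok
# - solution-user certificates that share a subject are reported (they must be unique)
# Assumptions: vecs-cli at the path below, GNU date, openssl-style `--text` output.

VECS_CLI="${VECS_CLI:-/usr/lib/vmware-vmafd/bin/vecs-cli}"
WARN_DAYS="${WARN_DAYS:-30}"
TAB="$(printf '\t')"

# parse_entry_text STORE: read `vecs-cli entry list --store STORE --text` on stdin and
# emit "store<TAB>alias<TAB>subject<TAB>notafter" per certificate. In the openssl-style
# dump "Not After" precedes "Subject", so the line is emitted when Subject is seen.
parse_entry_text() {
    awk -v store="$1" '
        /^Alias[ \t]*:/            { sub(/^Alias[ \t]*:[ \t]*/, "");           alias = $0 }
        /^[ \t]*Not After[ \t]*:/  { sub(/^[ \t]*Not After[ \t]*:[ \t]*/, ""); notafter = $0 }
        /^[ \t]*Subject:/          { sub(/^[ \t]*Subject:[ \t]*/, "")
                                     printf "%s\t%s\t%s\t%s\n", store, alias, $0, notafter }
    '
}

# days_until "Jun 12 10:00:00 2026 GMT": whole days from now until that date (negative if past)
days_until() {
    exp=$(date -u -d "$1" +%s) || return 1
    now=$(date -u +%s)
    echo $(( (exp - now) / 86400 ))
}

# duplicate_subjects: read the TSV lines above on stdin; print subjects seen in more than one store
duplicate_subjects() {
    awk -F'\t' '
        { n[$3]++; where[$3] = (where[$3] == "" ? $1 : where[$3] "," $1) }
        END { for (s in n) if (n[s] > 1) printf "DUPLICATE subject %s in stores %s\n", s, where[s] }
    '
}

# audit_store STORE: one report line per certificate held in the store
audit_store() {
    "$VECS_CLI" entry list --store "$1" --text 2>/dev/null | parse_entry_text "$1" |
    while IFS="$TAB" read -r store alias subject notafter; do
        days=$(days_until "$notafter") || days=""
        if   [ -z "$days" ];               then status=UNKNOWN
        elif [ "$days" -lt 0 ];            then status=EXPIRED
        elif [ "$days" -le "$WARN_DAYS" ]; then status=EXPIRING
        else                                    status=ok
        fi
        printf '%-8s %-18s %-24s %6sd  %s\n' "$status" "$store" "$alias" "$days" "$subject"
    done
}

# Constructed sample of `vecs-cli entry list --store TRUSTED_ROOTS --text` output, trimmed to
# the lines the parser uses, so the helpers can be exercised on a machine without VECS.
SAMPLE_TEXT='Number of entries in store :    2
Alias : __MACHINE_CERT
Entry type :    Private Key
Certificate:
    Data:
        Issuer: CN=CA, DC=vsphere, DC=local
        Validity
            Not Before: Jun 17 10:00:00 2016 GMT
            Not After : Jun 12 10:00:00 2099 GMT
        Subject: CN=vcentersrv02.lab.local, C=US
Alias : old-lab-root
Entry type :    Trusted Cert
Certificate:
    Data:
        Issuer: CN=Old Lab Root CA
        Validity
            Not Before: Jan  1 00:00:00 2010 GMT
            Not After : Jan  1 00:00:00 2015 GMT
        Subject: CN=Old Lab Root CA'

# Only talk to VECS when running on a node that actually has vecs-cli.
if [ -x "$VECS_CLI" ]; then
    "$VECS_CLI" store list | while read -r store; do audit_store "$store"; done
    for s in machine vpxd vpxd-extension vsphere-webclient; do   # vpxd stores are absent on a PSC
        "$VECS_CLI" entry list --store "$s" --text 2>/dev/null | parse_entry_text "$s"
    done | duplicate_subjects
else
    printf '%s\n' "$SAMPLE_TEXT" | parse_entry_text SAMPLE
fi
```

Run it as root on the PSC and on each vCenter Server node; the CRL store produces no lines because the parser only reacts to certificate `Subject:` lines. An EXPIRED entry in TRUSTED_ROOTS is not itself an outage, but it is the kind of leftover from an earlier certificate replacement that the trusted-root refresh behaviour described above will keep propagating until it is removed with vecs-cli.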

Using Custom Certificates in vSphere Replication

By | 25/06/2016

In this post we will be working on using a custom (CA-signed) certificate on the vSphere Replication appliance.

Unlike vCenter Server, there is no automated way of replacing the default certificate on the VR appliance, and it needs a bit of manual effort. VMware has outlined the steps in the official KB-2080395.

Before performing these steps, make sure you have already replaced the default certificates on your vCenter Server.

The vSphere Replication appliance ships with openssl, and you can use it to generate the certificate signing request for the appliance.
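Generating the request on the appliance, as an added example that is not part of the original post or of KB-2080395: the script writes an openssl request config whose subject alternative names cover the FQDN, the short host name and the IP address (the names a browser or vCenter will actually check), creates the key and CSR, and verifies the CSR before it goes anywhere near the CA. The FQDN, IP, organisation and output directory are placeholders (assumptions); submitting the CSR to your CA and installing the signed certificate are the KB's steps and are not shown.

```shell
#!/bin/sh
# Added example: create a private key and a CA-ready CSR for the vSphere Replication
# appliance with the openssl that ships on it. Every value below is an assumption
# for a lab; override it through the environment.
VR_FQDN="${VR_FQDN:-vr01.lab.local}"          # assumed appliance FQDN
VR_IP="${VR_IP:-192.168.10.50}"               # assumed appliance IP address
VR_ORG="${VR_ORG:-Lab}"
VR_C="${VR_C:-US}"
OUT="${OUT:-./vr-cert}"                       # directory for key, CSR and config

# write_openssl_config FILE: request config with a SAN covering FQDN, short name and IP.
# Without SAN entries modern clients reject the certificate even when the CN matches.
write_openssl_config() {
    short="${VR_FQDN%%.*}"
    cat > "$1" <<EOF
[ req ]
default_bits       = 2048
default_md         = sha256
prompt             = no
distinguished_name = req_dn
req_extensions     = v3_req

[ req_dn ]
CN = $VR_FQDN
O  = $VR_ORG
C  = $VR_C

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName   = DNS:$VR_FQDN, DNS:$short, IP:$VR_IP
EOF
}

# make_csr: unencrypted key (the appliance has to load it unattended) plus the CSR.
make_csr() {
    mkdir -p "$OUT"
    write_openssl_config "$OUT/vr.cfg"
    openssl req -new -nodes -newkey rsa:2048 \
        -keyout "$OUT/vr.key" -out "$OUT/vr.csr" -config "$OUT/vr.cfg" 2>/dev/null
    chmod 600 "$OUT/vr.key"
}

# verify_csr CSR: check the self-signature and that the SAN really carries the FQDN
# and IP, so a bad config is caught before the request is submitted. Returns 0 on success.
verify_csr() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
    openssl req -in "$1" -noout -text | grep -q "DNS:$VR_FQDN" || return 1
    openssl req -in "$1" -noout -text | grep -q "IP Address:$VR_IP"
}

# Invoke as `sh vr-csr.sh run` on the appliance to produce $OUT/vr.key and $OUT/vr.csr.
if [ "${1:-}" = "run" ]; then
    make_csr && verify_csr "$OUT/vr.csr" && echo "CSR ready: $OUT/vr.csr"
fi
```

Keep vr.key on the appliance and send only vr.csr to the CA; the key never needs to leave the box.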

Replacing Esxi 6 SSL Certificates

By | 19/06/2016

In our last post, Replacing vSphere 6 SSL Certificates, we learned how to replace the Machine SSL certificate and the VMCA root certificate. In this post we will learn how to replace the default ESXi SSL certificates with certificates signed by a CA server.

If you have missed earlier posts of this series, then you can read them from below links

1: Setup CA Server for vSphere Lab

2: Set Up Automatic Certificate Enrollment

3: Request Internal Certificate from CA Server

4: Everything You Should Know About Certificate Management in vSphere 6

Replacing vSphere 6 SSL Certificates

By | 17/06/2016

In our last post, Certificate Management in vSphere 6, we had a look at the architecture of VMCA and what it does.

In this post I will walk through the steps needed to replace vSphere 6 SSL certificates.

In this post we will be covering following items:

  • Creating certificate templates for vSphere 6
  • Replacing Machine SSL certificates.
  • Replace VMCA Root certificate

If you have missed earlier posts of this series, then you can read them from below links

1: Setup CA Server for vSphere Lab

2: Set Up Automatic Certificate Enrollment

3: Request Internal Certificate from CA Server

4: Everything You Should Know About Certificate Management in vSphere 6

Everything You Should Know About Certificate Management in vSphere 6

By | 11/06/2016

SSL certificates played an important role in vSphere 5.1, and managing the certificates of the vSphere environment emerged as another challenge for most vSphere admins. Replacing SSL certificates in earlier versions of vSphere (5.1 and 5.5) was a big headache.

Although vSphere 5.5 simplified certificate replacement with command line tools, it still required a lot of steps to replace the certificates on each endpoint (vCenter Server, Single Sign-On, Inventory Service, Web Client).

Request Internal Certificate from CA Server

By | 09/06/2016

In the last post, Set Up Automatic Certificate Enrollment, we walked through the steps for completing automated certificate enrollment.

In this post I will walk through the process on how to request an internal SSL certificate from an IIS web server in the domain, against our internal deployed CA.

Create Web Server Certificate Template for SSL Certs

Connect to the Enterprise CA and open the Certification Authority console.

Expand the certification authority so that you can see Certificate Templates. Right-click Certificate Templates and then click Manage.

Set Up Automatic Certificate Enrollment

By | 09/06/2016

In our last post, Setup CA Server, we saw the installation and configuration of the CA server. In this post we will see how to automate the certificate enrollment process.

In a small environment with a handful of components you can generate and sign certificates manually and replace them one by one. But if you have many servers running in the lab, or you are using the CA in production with hundreds of servers, replacing the certificates manually is a time-consuming and very tedious job.

We can automate certificate enrollment via Active Directory to save time. With an Active Directory domain and an Enterprise CA, we can deploy certificates to domain-joined clients automatically using a process known as autoenrollment. This saves a lot of time and reduces the administrative overhead required to deploy certificates to client systems. For this to work, we need a GPO linked to our domain or to an OU, configured with the autoenrollment policy.

Setup CA Server for vSphere Lab- Say Good Bye to Self-Signed Certs

By | 07/06/2016

A while back I wrote a post on Configuring CA Server on Server 2008 so that one can use signed certificates in the lab or even in production.

Most vSphere appliances and products come with self-signed certificates and work just fine in a home lab. But if you are like me and get annoyed by the warning message "Your connection is not secure", then generate signed certificates for your lab and get rid of the ugly browser warning.

As I stated in my earlier post on SSL certificates, self-signed certificates work just fine, but it is good to know how to work with signed certificates, as in production environments organizations don't use self-signed certificates and rely on SSL certificates bought from a third party like Thawte or Verisign.

Lesson Learnt While Working With SSL Certificates

By | 31/10/2015

For the last 2 days I have been working on using signed certificates in my vSphere lab and was determined to replace my self-signed certificates with signed certificates generated by my CA server.

I have written blog posts on how to set up a CA server, how to generate signed certificates and how to replace them. If you have missed the earlier posts of this series, you can read them from the links below:

1: Installing and Configuring CA Server

2: Creating Certificate Templates

3: Creating SSL Web Certificates Template for VMware

Setup SSL Certificate For vSphere Lab-Part-5-Creating and Replacing vRealize SSL Certificates

By | 30/10/2015

In the last post of this series we learned how to replace the SSL certificates of the different vSphere components (SSO, Inventory Service, vCenter Server and Web Client). In this post I am going one step further and will demonstrate how to replace the vRealize SSL certificates.

If you have missed earlier posts of this series I would recommend reading them first from below links:

1: Installing and Configuring CA Server

2: Creating Certificate Templates

3: Creating SSL Web Certificates Template for VMware

Prerequisites

Setup SSL Certificate For vSphere Lab-Part-4-Creating and Replacing vSphere SSL Certificates

By | 30/10/2015

You have probably observed that whenever you connect to vCenter Server using the vSphere Client or the Web Client you receive a warning that the certificate presented is not trusted, and so on.

For lab environments or small environments self-signed certificates work just fine, but knowing how to use signed certificates is invaluable.

In this post we are going to cover how to create an SSL certificate request and how to replace the certificates. If you have missed earlier posts of this series I would recommend reading them first from the links below:

Setup SSL Certificate For vSphere Lab-Part-3-Creating SSL Web Certificates Template for VMware

By | 25/10/2015

In this post we are going to cover the SSL Web Certificate creation for VMware. If you have missed earlier posts of this series I would recommend reading them first from below links:

1: Installing and Configuring CA Server

2: Creating Certificate Templates

Let's begin with creating the SSL Web certificate template for VMware.

1: Launch the Certificate Authority MMC and navigate to the Certificate Templates folder. Right-click the folder and select Manage.

2: From the displayed list of templates, select the Web Server template, right-click it and select Duplicate Template.

Setup SSL Certificates For vSphere Lab-Part-2-Creating Certificate templates

By | 23/10/2015

In our last post, Setup SSL Certificate Authority For vSphere Lab, we saw how to add the CA Server role to a Windows Server 2008 machine. In this post we will see how to create the certificate templates used to generate certificates.

1: Launch the Certificate Authority console from Administrative Tools.

2: Right-click Certificate Templates and click Manage.

3: Select the Windows Authentication template, right-click it and select Duplicate Template.

4: Select Windows Server 2008 Enterprise and hit OK.

5: Give the new certificate template a name. We also need to change some of the properties of the new template.