Mar 13

Implementing CA signed SSL certificates with vSphere 5.x (2034833)

Purpose

This article provides information on manually configuring Certificate Authority (CA) signed SSL certificates in a vSphere 5.1 or vSphere 5.5 environment. VMware has released a tool that automates much of the process described below. See Deploying and using the SSL Certificate Automation Tool 1.0.x (2041600) before following the steps in this article.
If you are unable to use the tool, this article helps you eliminate common causes of problems during certificate implementation, including configuration steps and details, and helps you avoid common misconfigurations when implementing custom certificates in your environment.
Note: This article is specifically for vSphere 5.1 and vSphere 5.5. If you are using vSphere 5.0, see Implementing CA signed SSL certificates with vSphere 5.0 (2015383).

Resolution

Configuring CA signed certificates is a challenge with vSphere, as with any complex enterprise environment. Securing an environment is a requirement in many large organizations. You need either public certificates (such as Verisign or Globaltrust), Microsoft CA certificates, or OpenSSL CA certificates to ensure secure communication.
This article provides steps to allow configuration of these certificates on vSphere components in an environment. The article also assumes that all components are installed and running already with self-signed certificates.
Please validate each step below. Each step provides instructions or a link to a document that provides information on configuring the certificates in your environment.
  1. Create a new Certificate Authority template for certificate generation. For more information, see Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 5.x (2062108).
  2. Generate certificate requests and certificates for each of the vCenter Server components. For more information, see:
  3. Replace the vSphere Update Manager Certificates. For more information, see Configuring CA signed SSL certificates for VMware Update Manager in vSphere 5.1 and 5.5 (2037581).

  4. Replace ESXi 5.x host certificates. For more information, see Configuring CA signed SSL certificates with ESXi 5.x hosts (2015499).

If your issue persists even after trying these steps:

Mar 10

Configuring OpenSSL for installation and configuration of CA signed certificates in the vSphere environment (2015387)

Purpose

This article guides you through the installation and configuration of OpenSSL. You may want to install and configure OpenSSL to be able to create custom certificates for vSphere environments. It also helps to eliminate common causes for problems and ensure that the requests generated are appropriate for vSphere environments.

Resolution

Overview

OpenSSL can be used for creating certificate requests and also as a certificate authority. Although the steps that are used to generate the certificate are different, the setup and configuration steps are the same, because the certificates that vSphere uses are X.509 v3 SSL certificates. Only the way in which the actual certificate is generated is different.

Setup

Important: Ensure that you are using OpenSSL version 0.9.8. If you do not use this version, the SSL implementation will fail.

To set up OpenSSL:

  1. Ensure that the Microsoft Visual C++ 2008 Redistributable Package (x86) is installed on the system on which you want to generate the requests. To download the package, see the Microsoft Download Center.
  2. Download the Shining Light Productions installer for OpenSSL x86 version 0.98r or later at http://www.slproweb.com/products/Win32OpenSSL.html. This software is developed from the OpenSSL Project.
  3. Launch the installer, proceed through the installation, and note the installation directory for later use. By default, it is located at c:\OpenSSL-Win32.

After this program is installed, you must configure it to issue vSphere certificates.

Note: The preceding links were correct as of July 29, 2013. If you find a link is broken, provide feedback and a VMware employee will update the link.

Configuration

To configure OpenSSL, follow these steps:
  1. Take a backup of the openssl.cfg file. By default, this file is located in the c:\OpenSSL-Win32\bin directory.
  2. Delete the contents of the file and replace with:
     Note: Replace the code in Red with the details of the server that you are configuring.

    [ req ]
    default_bits = 2048
    default_keyfile = rui.key
    distinguished_name = req_distinguished_name
    encrypt_key = no
    prompt = no
    string_mask = nombstr
    req_extensions = v3_req

    [ v3_req ]
    basicConstraints = CA:FALSE
    keyUsage = digitalSignature, keyEncipherment, dataEncipherment
    extendedKeyUsage = serverAuth, clientAuth
    subjectAltName = DNS:vc50, IP:10.0.0.10, DNS:vc50.vmware.com

    [ req_distinguished_name ]
    countryName = US
    stateOrProvinceName = NY
    localityName = New York
    0.organizationName = VMWare
    organizationalUnitName = vCenterInventoryService
    commonName = vc50.vmware.com

  3. Save and close the file.

The installation is now set to configure a certificate for the server that you have entered in the file. You can repeat this configuration by creating separate files for each server request or by not specifying a value. If you do not specify a value, OpenSSL prompts you for the information.

Note: The preceding modified file will not prompt you for information because all information is configured within the file.
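
A pre-flight check for an edited openssl.cfg, added here as an example (it is not VMware's or the OpenSSL Project's code): it parses the file and reports where the request settings depart from the template above. The function names are hypothetical, and the rules (2048-bit minimum, commonName repeated as a DNS subjectAltName, and so on) are assumptions drawn from the template's own values.

```python
import re

# Constructed sample: the sections of this article's template that the checks read.
SAMPLE_CFG = """
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vc50, IP:10.0.0.10, DNS:vc50.vmware.com
[ req_distinguished_name ]
commonName = vc50.vmware.com
"""

def parse_cfg(text):
    """Parse OpenSSL-style config text into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        header = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def csv_set(value):
    """Split a comma-separated config value into a set of trimmed items."""
    return {item.strip() for item in value.split(",") if item.strip()}

def lint_request_cfg(text):
    """Return the deviations from the template; an empty list means none found."""
    cfg = parse_cfg(text)
    req = cfg.get("req", {})
    ext = cfg.get(req.get("req_extensions", ""), {})  # section named by req_extensions
    dn = cfg.get(req.get("distinguished_name", ""), {})
    problems = []
    bits = req.get("default_bits", "")
    if not bits.isdigit() or int(bits) < 2048:
        problems.append("default_bits is below the template's 2048")
    if ext.get("basicConstraints", "").replace(" ", "").upper() != "CA:FALSE":
        problems.append("basicConstraints is not CA:FALSE")
    if not {"digitalSignature", "keyEncipherment"} <= csv_set(ext.get("keyUsage", "")):
        problems.append("keyUsage lacks digitalSignature/keyEncipherment")
    if "serverAuth" not in csv_set(ext.get("extendedKeyUsage", "")):
        problems.append("extendedKeyUsage lacks serverAuth")
    dns = {s[4:].lower() for s in csv_set(ext.get("subjectAltName", "")) if s.upper().startswith("DNS:")}
    if dn.get("commonName", "").lower() not in dns:
        problems.append("commonName is not listed as a DNS subjectAltName")
    return problems

if __name__ == "__main__":
    print(lint_request_cfg(SAMPLE_CFG))  # the article's values
```

Running it against each per-server copy of the file catches the common slip of updating commonName while leaving the subjectAltName line at the previous server's names.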

Additional Information