Forcefully replacing the VCSA 5.x certificates (Self Signed)


Prepare environment:

  • Download OpenSSL from here
  • Run Prepare environment batch (PrepEnv.bat) as administrator.

PrepEnv.bat

rem Working directories: one per service, matching the names PrepSvcCfg.bat copies into
mkdir c:\OpenSSL
mkdir c:\Certs
mkdir c:\Certs\vCenterSSO
mkdir c:\Certs\InventoryService
mkdir c:\Certs\LogBrowser
mkdir c:\Certs\AutoDeploy
rem Write the generic OpenSSL request configuration (first line uses > so a re-run starts a fresh file)
echo [ req ] >c:\Certs\openssl_generic.cfg
echo default_md = sha512 >>c:\Certs\openssl_generic.cfg
echo default_bits = 2048 >>c:\Certs\openssl_generic.cfg
echo default_keyfile = rui.key >>c:\Certs\openssl_generic.cfg
echo distinguished_name = req_distinguished_name >>c:\Certs\openssl_generic.cfg
echo encrypt_key = no >>c:\Certs\openssl_generic.cfg
echo prompt = no >>c:\Certs\openssl_generic.cfg
echo string_mask = nombstr >>c:\Certs\openssl_generic.cfg
echo req_extensions = v3_req >>c:\Certs\openssl_generic.cfg
echo input_password = testpassword >>c:\Certs\openssl_generic.cfg
echo output_password = testpassword >>c:\Certs\openssl_generic.cfg
echo [ v3_req ] >>c:\Certs\openssl_generic.cfg
echo basicConstraints = CA:false >>c:\Certs\openssl_generic.cfg
echo keyUsage = digitalSignature, keyEncipherment, dataEncipherment >>c:\Certs\openssl_generic.cfg
echo extendedKeyUsage = serverAuth, clientAuth >>c:\Certs\openssl_generic.cfg
echo subjectAltName = DNS:vcva55,IP:10.0.0.10,DNS:vcva55.vmware.com >>c:\Certs\openssl_generic.cfg
echo [ req_distinguished_name ] >>c:\Certs\openssl_generic.cfg
echo countryName = IN >>c:\Certs\openssl_generic.cfg
echo stateOrProvinceName = KA >>c:\Certs\openssl_generic.cfg
echo localityName = Bangalore >>c:\Certs\openssl_generic.cfg
echo organizationName = vmware >>c:\Certs\openssl_generic.cfg
echo organizationalUnitName = vCenterServer >>c:\Certs\openssl_generic.cfg
echo commonName = vcva55.vmware.com >>c:\Certs\openssl_generic.cfg
  • Run the OpenSSL installer and install the application in C:\OpenSSL.
  • Open openssl_generic.cfg in c:\Certs\ and modify it for your environment. A complete configuration file looks like this:
[ req ]
default_md = sha512
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
input_password = testpassword
output_password = testpassword
[ v3_req ]
basicConstraints = CA:false
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vcva55,IP:10.0.0.10,IP:ServerIPv6Address,DNS:vcva55.vmware.com
[ req_distinguished_name ]
countryName = IN
stateOrProvinceName = KA
localityName = Bangalore
organizationName = vmware
organizationalUnitName = vCenterServer
commonName = vcva55.vmware.com

  • Update the subjectAltName, the commonName and the values in the [ req_distinguished_name ] section for your environment. The commonName and the subjectAltName must contain the FQDN that clients use to reach the appliance.
    • Note: If you are not using IPv6 in your environment, omit the IP:ServerIPv6Address entry from the subjectAltName.
    • Note: The country name is always the two-letter ISO 3166-1 country code.
  • Run Prepare Service configuration batch (PrepSvcCfg.bat) as administrator.

PrepSvcCfg.bat

rem One configuration copy per service (directories are created here in case PrepEnv.bat did not)
if not exist c:\Certs\vCenterSSO mkdir c:\Certs\vCenterSSO
if not exist c:\Certs\InventoryService mkdir c:\Certs\InventoryService
if not exist c:\Certs\LogBrowser mkdir c:\Certs\LogBrowser
if not exist c:\Certs\AutoDeploy mkdir c:\Certs\AutoDeploy
copy c:\Certs\openssl_generic.cfg c:\Certs\vCenterSSO\openssl_vpxd.cfg
copy c:\Certs\openssl_generic.cfg c:\Certs\InventoryService\openssl_inventoryservice.cfg
copy c:\Certs\openssl_generic.cfg c:\Certs\LogBrowser\openssl_logbrowser.cfg
copy c:\Certs\openssl_generic.cfg c:\Certs\AutoDeploy\openssl_autodeploy.cfg

  • Each service gets its own certificate, and the organizationalUnitName must differ between them so that every service certificate is unique. Edit the organizationalUnitName in each copy:
    • c:\certs\vCenterSSO\openssl_vpxd.cfg (VirtualCenter Server service): VMware vCenter Service Certificate
    • c:\certs\InventoryService\openssl_inventoryservice.cfg (vCenter Inventory Service): VMware Inventory Service Certificate
    • c:\certs\LogBrowser\openssl_logbrowser.cfg (VMware Log Browser): VMware LogBrowser Service Certificate
    • c:\certs\AutoDeploy\openssl_autodeploy.cfg (vSphere Auto Deploy): VMware vSphere Autodeploy Service Certificate

Generate a Certificate request and a Certificate:

  • Start a command prompt as an administrator
  • Run Generate certificate request batch (GenCrtReq.bat) as administrator.


GenCrtReq.bat


rem Generate an unencrypted private key (-nodes) and a CSR for each service from its configuration file
C:\OpenSSL\bin\openssl req -new -nodes -out c:\certs\vCenterSSO\rui_vpxd.csr -keyout c:\certs\vCenterSSO\rui_vpxd.key -config c:\certs\vCenterSSO\openssl_vpxd.cfg
C:\OpenSSL\bin\openssl req -new -nodes -out c:\certs\InventoryService\rui_inventoryservice.csr -keyout c:\certs\InventoryService\rui_inventoryservice.key -config c:\certs\InventoryService\openssl_inventoryservice.cfg
C:\OpenSSL\bin\openssl req -new -nodes -out c:\certs\LogBrowser\rui_logbrowser.csr -keyout c:\certs\LogBrowser\rui_logbrowser.key -config c:\certs\LogBrowser\openssl_logbrowser.cfg
C:\OpenSSL\bin\openssl req -new -nodes -out c:\certs\AutoDeploy\rui_autodeploy.csr -keyout c:\certs\AutoDeploy\rui_autodeploy.key -config c:\certs\AutoDeploy\openssl_autodeploy.cfg
rem Self-sign each CSR for 10 years. "x509 -req -signkey" does not carry the CSR's extensions over on its own,
rem so -extfile/-extensions re-applies the v3_req section (subjectAltName, keyUsage, extendedKeyUsage);
rem -sha512 matches default_md, which only applies to the req step.
C:\OpenSSL\bin\openssl x509 -req -days 3650 -sha512 -in c:\certs\vCenterSSO\rui_vpxd.csr -signkey c:\certs\vCenterSSO\rui_vpxd.key -extfile c:\certs\vCenterSSO\openssl_vpxd.cfg -extensions v3_req -out c:\certs\vCenterSSO\rui_vpxd.crt
C:\OpenSSL\bin\openssl x509 -req -days 3650 -sha512 -in c:\certs\InventoryService\rui_inventoryservice.csr -signkey c:\certs\InventoryService\rui_inventoryservice.key -extfile c:\certs\InventoryService\openssl_inventoryservice.cfg -extensions v3_req -out c:\certs\InventoryService\rui_inventoryservice.crt
C:\OpenSSL\bin\openssl x509 -req -days 3650 -sha512 -in c:\certs\LogBrowser\rui_logbrowser.csr -signkey c:\certs\LogBrowser\rui_logbrowser.key -extfile c:\certs\LogBrowser\openssl_logbrowser.cfg -extensions v3_req -out c:\certs\LogBrowser\rui_logbrowser.crt
C:\OpenSSL\bin\openssl x509 -req -days 3650 -sha512 -in c:\certs\AutoDeploy\rui_autodeploy.csr -signkey c:\certs\AutoDeploy\rui_autodeploy.key -extfile c:\certs\AutoDeploy\openssl_autodeploy.cfg -extensions v3_req -out c:\certs\AutoDeploy\rui_autodeploy.crt
  • After running the batch file you will have a rui_<service>.csr, rui_<service>.key and rui_<service>.crt for each service in:
    • c:\certs\vCenterSSO\
    • c:\certs\InventoryService\
    • c:\certs\LogBrowser\
    • c:\certs\AutoDeploy\
  • Note: rui_<service>.key is an unencrypted private key (that is what -nodes does), so keep c:\certs on an access-controlled workstation and delete the copies once the appliance has been updated.
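The following is an added example and not part of the original post: it reproduces what GenCrtReq.bat does for one service in a POSIX shell (the same OpenSSL commands work on the appliance or any Linux host), re-applies the v3_req extensions when self-signing, and then verifies the certificate the way a practitioner should before copying anything to the appliance: the expected SAN entry and serverAuth EKU are present and the certificate's public key belongs to rui.key. The directory, OU, CN and SAN values are placeholders passed as arguments.

```shell
#!/bin/sh
# Added example (not part of the original post): generate and verify one
# service certificate. Placeholder inputs: output dir, OU, CN, SAN list.
set -eu

# Write the equivalent of the page's openssl_generic.cfg into $1.
# $2 = organizationalUnitName, $3 = commonName, $4 = subjectAltName list
write_cfg() {
    cat >"$1/openssl.cfg" <<EOF
[ req ]
default_md = sha512
default_bits = 2048
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:false
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = $4

[ req_distinguished_name ]
countryName = IN
stateOrProvinceName = KA
localityName = Bangalore
organizationName = vmware
organizationalUnitName = $2
commonName = $3
EOF
}

# Generate rui.key, rui.csr and rui.crt in $1 (same arguments as write_cfg).
gen_service_cert() {
    dir=$1
    write_cfg "$@"
    openssl req -new -nodes -config "$dir/openssl.cfg" \
        -keyout "$dir/rui.key" -out "$dir/rui.csr" 2>/dev/null
    # "x509 -req -signkey" does not carry the CSR's requested extensions over
    # unless they are supplied again with -extfile/-extensions. The page's
    # batch file omits this, so its certificates end up without SAN/EKU.
    openssl x509 -req -days 3650 -sha512 -in "$dir/rui.csr" \
        -signkey "$dir/rui.key" -extfile "$dir/openssl.cfg" \
        -extensions v3_req -out "$dir/rui.crt" 2>/dev/null
    # -nodes wrote the key unencrypted: restrict it immediately.
    chmod 400 "$dir/rui.key"
}

# Succeed only if rui.crt in $1 lists the SAN entry $2 (as printed by
# "x509 -text", e.g. DNS:host or "IP Address:10.0.0.10"), has a serverAuth
# EKU, and carries the public key that belongs to rui.key.
verify_service_cert() {
    dir=$1
    want_san=$2
    text=$(openssl x509 -in "$dir/rui.crt" -noout -text)
    printf '%s\n' "$text" | grep -qF "$want_san" || return 1
    printf '%s\n' "$text" | grep -qF 'TLS Web Server Authentication' || return 1
    cert_pub=$(openssl x509 -in "$dir/rui.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/rui.key" -pubout 2>/dev/null)
    [ "$cert_pub" = "$key_pub" ]
}
```

Run gen_service_cert once per service with that service's OU, then verify_service_cert with the FQDN from the subjectAltName; a certificate signed the page's original way (no -extfile) fails the check because the SAN never makes it into the certificate, which is exactly the case the verification is meant to catch.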

Installation and configuration of the certificates for all the components:

To complete the installation and configuration of the certificates in the vCenter Server Appliance:

Note: Before proceeding, back up the existing rui.crt, rui.key, and rui.pfx files of each service. If you skip the certificate replacement for a component, such as vSphere Auto Deploy, restart the vCenter Server Appliance after the last certificate has been replaced and its services restarted.

  • Connect to the vCenter Server Appliance through SSH as root.
  • Stop the vCenter Single Sign-On service and the VMware VirtualCenter Server service:
    • service vmware-stsd stop
    • service vmware-vpxd stop
  • Create a staging directory for the new files. Absolute paths are used throughout so the commands work from any working directory:
    • mkdir -p /ssl/vpxd /ssl/inventoryservice /ssl/logbrowser /ssl/autodeploy
  • Using WinSCP from the system you created all of the SSL certificates on, copy rui_vpxd.crt and rui_vpxd.key from c:\certs\vCenterSSO to the /ssl/vpxd directory on the vCenter Server Appliance.
  • Rename rui_vpxd.crt to rui.crt:
    • cp /ssl/vpxd/rui_vpxd.crt /ssl/vpxd/rui.crt
  • Rename rui_vpxd.key to rui.key:
    • cp /ssl/vpxd/rui_vpxd.key /ssl/vpxd/rui.key
  • Using the vi editor, remove any text before the first -----BEGIN CERTIFICATE----- line and after the -----END CERTIFICATE----- line in rui.crt. OpenSSL writes a clean PEM file, but a certificate that has passed through a CA portal or a Windows text editor often carries extra text or Windows line endings; the file must start at the BEGIN line.
  • Replace the vCenter Server SSL certificate with the appliance's service configuration utility and confirm that it reports VC_CFG_RESULT=0:
    • /usr/sbin/vpxd_servicecfg certificate change /ssl/vpxd/rui.crt /ssl/vpxd/rui.key
  • Ensure the vCenter Single Sign-On service is started before continuing:
    • service vmware-stsd start
  • Unregister the vCenter Inventory Service from vCenter Single Sign-On:
    • cd /etc/vmware-sso/register-hooks.d
    • ./02-inventoryservice --mode uninstall --ls-server https://server.domain.com:7444/lookupservice/sdk
  • Using WinSCP from the system you created all of the SSL certificates on, copy rui_inventoryservice.crt and rui_inventoryservice.key from c:\certs\InventoryService to the /ssl/inventoryservice directory on the vCenter Server Appliance.
  • Rename rui_inventoryservice.crt to rui.crt:
    • cp /ssl/inventoryservice/rui_inventoryservice.crt /ssl/inventoryservice/rui.crt
  • Rename rui_inventoryservice.key to rui.key:
    • cp /ssl/inventoryservice/rui_inventoryservice.key /ssl/inventoryservice/rui.key
  • Create the rui.pfx file:
    • cd /ssl/inventoryservice
    • openssl pkcs12 -export -out rui.pfx -in rui.crt -inkey rui.key -name rui -passout pass:testpassword
      • Note: testpassword is the fixed PKCS#12 password these 5.x services expect, so it provides no confidentiality; the file permissions set below are what actually protect the private key.
  • Copy the rui.key, rui.crt, and rui.pfx files to the /usr/lib/vmware-vpx/inventoryservice/ssl directory:
    • cp rui.key /usr/lib/vmware-vpx/inventoryservice/ssl
    • cp rui.crt /usr/lib/vmware-vpx/inventoryservice/ssl
    • cp rui.pfx /usr/lib/vmware-vpx/inventoryservice/ssl
  • Change the permissions on these files:
    • cd /usr/lib/vmware-vpx/inventoryservice/ssl/
    • chmod 400 rui.key rui.pfx
    • chmod 644 rui.crt
  • Register the vCenter Inventory Service back to vCenter Single Sign-On:
    • cd /etc/vmware-sso/register-hooks.d
    • ./02-inventoryservice --mode install --ls-server https://server.domain.com:7444/lookupservice/sdk --user sso_administrator --password sso_administrator_password
      • Note: If the password contains a $ character, escape it with a backslash (or enclose the whole password in single quotes), otherwise the shell expands it as a variable. For example, with the password Pa$sw0rd:
    • ./02-inventoryservice --mode install --ls-server https://server.domain.com:7444/lookupservice/sdk --user administrator@vsphere.local --password Pa\$sw0rd
      • Note: This command line contains the SSO administrator password in plain text. Run unset HISTFILE before executing it so that the password is not written to the shell history file.
      • Note: The default SSO administrator username for vCenter Single Sign-On 5.5 is administrator@vsphere.local.
    • After a successful registration, you see output similar to:

[Screenshot: register-the-vcenter-inventory-service, showing the "Successful Registration" message]
  • Unregister the VMware Log Browser service from vCenter Single Sign-On:
    • cd /etc/vmware-sso/register-hooks.d
    • ./09-vmware-logbrowser --mode uninstall --ls-server https://server.domain.com:7444/lookupservice/sdk
  • Using WinSCP from the system you created all of the SSL certificates on, copy rui_logbrowser.crt and rui_logbrowser.key from c:\certs\LogBrowser to the /ssl/logbrowser directory on the vCenter Server Appliance.
  • Rename rui_logbrowser.crt to rui.crt:
    • cp /ssl/logbrowser/rui_logbrowser.crt /ssl/logbrowser/rui.crt
  • Rename rui_logbrowser.key to rui.key:
    • cp /ssl/logbrowser/rui_logbrowser.key /ssl/logbrowser/rui.key
  • Create the rui.pfx file (same password as for the Inventory Service):
    • cd /ssl/logbrowser
    • openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui -passout pass:testpassword -out rui.pfx
  • Copy rui.key, rui.crt, and rui.pfx to the /usr/lib/vmware-logbrowser/conf directory:
    • cp rui.key /usr/lib/vmware-logbrowser/conf
    • cp rui.crt /usr/lib/vmware-logbrowser/conf
    • cp rui.pfx /usr/lib/vmware-logbrowser/conf
  • Change the permissions on the files:
    • cd /usr/lib/vmware-logbrowser/conf
    • chmod 400 rui.key rui.pfx
    • chmod 644 rui.crt
  • Re-register the VMware Log Browser service with vCenter Single Sign-On:
    • cd /etc/vmware-sso/register-hooks.d
    • ./09-vmware-logbrowser --mode install --ls-server https://server.domain.com:7444/lookupservice/sdk --user sso_administrator --password sso_administrator_password
      • Note: The default SSO administrator username for vCenter Single Sign-On 5.5 is administrator@vsphere.local. The same $ escaping and unset HISTFILE precautions as for the Inventory Service registration apply.
    • On a successful registration, you see output similar to:

[Screenshot: vmware-log-browser-service, showing the "Successful Registration" message]
  • When complete, restart the Log Browser service:
    • service vmware-logbrowser stop
    • service vmware-logbrowser start
  • Using WinSCP from the system you created all of the SSL certificates on, copy rui_autodeploy.crt and rui_autodeploy.key from c:\certs\AutoDeploy to the /ssl/autodeploy directory on the vCenter Server Appliance.
  • Copy them into the /etc/vmware-rbd/ssl/ directory, renaming them to waiter.crt and waiter.key, the file names the Auto Deploy service reads:
    • cp /ssl/autodeploy/rui_autodeploy.crt /etc/vmware-rbd/ssl/waiter.crt
    • cp /ssl/autodeploy/rui_autodeploy.key /etc/vmware-rbd/ssl/waiter.key
  • Change the permissions and ownership on the waiter files:
    • cd /etc/vmware-rbd/ssl/
    • chmod 644 waiter.crt
    • chmod 400 waiter.key
    • chown deploy:deploy waiter.crt waiter.key
  • Re-register the Auto Deploy service with vCenter Server:
    • service vmware-rbd-watchdog stop
    • rm /var/vmware/vpxd/autodeploy_registered
    • service vmware-vpxd restart
      • Note: autodeploy_registered may not exist; the rm error can be ignored in that case.
  • Restart the vCenter Server Appliance. For more information, see Stopping, starting, or restarting vCenter Server Appliance services (2054085).
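The appliance-side steps for the Inventory Service and the Log Browser repeat one pattern: clean the PEM file, build rui.pfx, copy the three files into the service directory, lock down the permissions. Below is an added example, not part of the original post, that packages that pattern as a single shell function with a built-in consistency check (the certificate inside rui.pfx must be the one in rui.crt), plus a function to confirm after the restart that the listener really presents the new certificate. The staging and service directories are arguments, the host and port in the usage comment are placeholders, the SSO registration hooks are left out because they differ per service, and the sample input used to exercise it is constructed.

```shell
#!/bin/sh
# Added example (not part of the original post): install a service
# certificate on the appliance and check it. $1/$2 are placeholder paths.
set -eu

# Keep only the certificate block. Files that came through WinSCP or a CA
# portal may carry leading/trailing text and CRLF line endings.
strip_to_pem() {
    tr -d '\r' <"$1" |
        sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p'
}

# SHA-256 fingerprint of a PEM certificate file.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Fingerprint of the certificate inside a rui.pfx. The password is the fixed
# one the 5.x services expect, so it is not a secret.
pfx_fingerprint() {
    openssl pkcs12 -in "$1" -clcerts -nokeys -passin pass:testpassword 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256
}

# $1 = staging dir holding rui.crt and rui.key, $2 = the service's SSL dir
# (e.g. /usr/lib/vmware-vpx/inventoryservice/ssl on the page).
install_service_cert() {
    src=$1
    dest=$2
    mkdir -p "$dest"
    strip_to_pem "$src/rui.crt" >"$dest/rui.crt"
    cp "$src/rui.key" "$dest/rui.key"
    # Built with the appliance's own OpenSSL. If you build the pfx on an
    # OpenSSL 3 workstation instead, add -legacy: its AES/PBKDF2 defaults are
    # not readable by the old Java keystores these services use.
    openssl pkcs12 -export -in "$dest/rui.crt" -inkey "$dest/rui.key" \
        -name rui -passout pass:testpassword -out "$dest/rui.pfx"
    chmod 644 "$dest/rui.crt"
    chmod 400 "$dest/rui.key" "$dest/rui.pfx"
    # Consistency check before any service is restarted.
    [ "$(fingerprint "$dest/rui.crt")" = "$(pfx_fingerprint "$dest/rui.pfx")" ]
}

# After the restart: fingerprint of what the listener actually presents, to
# compare with fingerprint "$dest/rui.crt".
# Usage (placeholder host/port): presented_fingerprint vcva55.vmware.com 10443
presented_fingerprint() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256
}
```

If presented_fingerprint still returns the old value after the service restart, the service is reading a different file (or the old rui.pfx), which is the failure the page's "remove any text before BEGIN CERTIFICATE" and "restart" steps are otherwise left to catch by inspection.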