Hi,
For a higher security level it is recommended to install your own (trusted) certificates into VMware’s vCenter VCSA appliance.
Prepare your certificates. In parentheses are the filenames I use for this example. You need:
- The key and the corresponding certificate in PEM (Base64) format (vcenter.key, vcenter.pem)
- The whole certificate chain:
  - The root certificate in PEM (Base64) format (root.pem)
  - And, if the host certificate is signed by an intermediate CA, that one as well in PEM (Base64) format (intermediate.pem)
Copy all files to the directory /root/tls in root’s home on your vCenter appliance. You can use sftp. Note: the sftp server is not started by default. This post describes how to copy files to the appliance.
First of all, create a snapshot of the vCenter VM so that you can go back in case of trouble. Also make a note of which host the vCenter runs on.
Establish an SSH connection. Once the files are copied, prepare them. Check that all certificates are in PEM format. This can be recognized by the BEGIN/END CERTIFICATE markers:
Command> shell
Shell access is granted to root
root@vCenter /root/tls # cat *.pem
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Then concatenate the intermediate and the root certificate into one file, trustchain.pem (intermediate first, root last):
root@vCenter /root/tls # cat intermediate.pem > trustchain.pem
root@vCenter /root/tls # cat root.pem >> trustchain.pem
You can check whether key, certificate and trust chain “fit” together. The VCSA import script does this too. First verify the certificate against the trust chain:
root@vCenter /root/tls # openssl verify -CAfile trustchain.pem vcenter.pem
vcenter.pem: OK
Then check that the key belongs to the certificate. The MD5 hashes of the two moduli must match (make a note of the hash; you will need it for the check after installing the certificate):
root@vCenter /root/tls # openssl x509 -noout -modulus -in vcenter.pem | md5sum
ce679643a66e7cfebafc8f3cf2846d11 -
root@vCenter /root/tls # openssl rsa -noout -modulus -in vcenter.key | md5sum
ce679643a66e7cfebafc8f3cf2846d11 -
Run the lsdoctor tool to detect any pre-existing certificate issues. A typical error is:
root@vCenter [ ~/lsdoctor-master ]# python lsdoctor.py -l
ATTENTION: You are running a reporting function. This doesn't make any changes to your environment.
You can find the report and logs here: /var/log/vmware/lsdoctor
2021-12-12T10:29:26 INFO main: You are reporting on problems found across the SSO domain in the lookup service. This doesn't make changes.
2021-12-12T10:29:27 INFO live_checkCerts: Checking services for trust mismatches...
2021-12-12T10:29:27 INFO generateReport: Listing lookup service problems found in SSO domain
2021-12-12T10:29:27 ERROR generateReport: site\vCenter.myDomain.org (Update Manager) found SSL Trust Mismatch: Please run python ls_doctor.py --trustfix option on this node.
If such errors occur, run lsdoctor with the --trustfix switch:
root@vCenter [ ~/lsdoctor-master ]# python lsdoctor.py --trustfix
2021-12-12T10:32:33 INFO findAndFix: Attempting to reregister ec039d94-9443-416d-a002-fc9e8a8fb96d for vCenter.myDomain.org
2021-12-12T10:32:34 INFO findAndFix: We found 45 mismatch(s) and fixed them :)
2021-12-12T10:32:34 INFO main: Please restart services on all PSC's and VC's when you're done.
Then install the certificate. You need the Administrator@vsphere.local user’s password.
Choose option 1, and in the next menu choose option 2:
root@vCenter /usr/lib/vmware-vmca/bin/certificate-manager
...
1. Replace Machine SSL certificate with Custom Certificate
Enter username [Administrator@vsphere.local]:
...
2. Import custom certificate(s) and key(s) to replace existing Machine SSL certificate
Please provide valid custom certificate for Machine SSL.
File : /root/tls/vcenter.pem
Please provide valid custom key for Machine SSL.
File : /root/tls/vcenter.key
Please provide the signing certificate of the Machine SSL certificate
File : /root/tls/trustchain.pem
You are going to replace Machine SSL cert using custom cert
Continue operation : Option[Y/N] ? :y
This may take a while…
Check that the new certificate is in place; the modulus hash of the served certificate must match the one noted above:
root@vCenter /root/tls # openssl s_client -host vCenter.myDomain.org -port 443 2> /dev/null | openssl x509 -noout -modulus | md5sum
ce679643a66e7cfebafc8f3cf2846d11 -
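The pre-installation checks above, wrapped in a small POSIX shell script as an added example (not from the original post): it builds a constructed root -> intermediate -> leaf demo chain with openssl (hypothetical names such as vcenter.example.test) so the checks can be exercised before touching a real appliance, and the last function extends the s_client check to also report how many certificates the server actually presents.

```shell
#!/bin/sh
# Added example (not from the original post): build a throw-away root -> intermediate -> leaf
# chain with openssl, assemble trustchain.pem in the post's order (intermediate first, root last)
# and wrap the post's pre-installation checks in reusable functions.
set -eu
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Constructed demo PKI. File names mirror the post; the host name is hypothetical.
make_demo_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:vcenter.example.test\n' > leaf.ext
  openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj '/CN=Demo Root CA' 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext \
    -out root.pem 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout intermediate.key -out intermediate.csr \
    -subj '/CN=Demo Intermediate CA' 2>/dev/null
  openssl x509 -req -in intermediate.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 2 -extfile ca.ext -out intermediate.pem 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout vcenter.key -out vcenter.csr \
    -subj '/CN=vcenter.example.test' 2>/dev/null
  openssl x509 -req -in vcenter.csr -CA intermediate.pem -CAkey intermediate.key \
    -CAcreateserial -days 2 -extfile leaf.ext -out vcenter.pem 2>/dev/null
  # Same order as the post: the leaf's issuer first, the root last.
  cat intermediate.pem root.pem > trustchain.pem
}

# Check 1 (the post's `openssl verify`): the leaf must chain up to the root via the chain file.
verify_chain() { openssl verify -CAfile "${2:-trustchain.pem}" "${1:-vcenter.pem}" >/dev/null 2>&1; }

# Check 2 (the post's modulus comparison): certificate and key must share one RSA modulus.
modulus_hash() { openssl "$1" -noout -modulus -in "$2" | md5sum | cut -d' ' -f1; }
key_matches_cert() { [ "$(modulus_hash x509 "$1")" = "$(modulus_hash rsa "$2")" ]; }

# Check 3: number of certificates in a PEM bundle, to notice a chain file that lost a member.
pem_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# After installation (the post's s_client check, extended): modulus hash of the served leaf
# and how many certificates the server presents. Needs network access; not run by the test.
served_chain() {
  openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/' > served.pem
  printf 'leaf modulus md5: %s\npresented certs: %s\n' \
    "$(modulus_hash x509 served.pem)" "$(pem_count served.pem)"
}
```

Point the functions at your real files under /root/tls instead of the demo ones; `served_chain vcenter.example.test` after the import should print the hash noted before installation and, with an intermediate in use, a certificate count of at least 2.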
Michael
When trying this, and the web-UI way of setting the certificate, I cannot get vCenter to present the full chain. Only the first certificate in trustchain.pem is being presented when connecting.
So if I upload the correct way:
——
Intermediate
Root
——
Only the intermediate is presented.
Is there any way to fix this?