Although not mentioned in the VMware KB articles, “Pre-Staging” the SSL certificates is still the easiest method, when doing a clean install, to configure the SSL certificates. This eliminates some of the manual steps as many services (except the SSO) will automatically use the trusted certificates if they are in the right folder during the installation process.

Now confirmed by VMware, the trusted SSL certificates should have the Data Encipherment key usage attribute. If you are using a Microsoft CA with the default “Web Server” certificate, your minted certificates will NOT have this property.

image001

Also confirmed by VMware, a single SSL certificate, even for all-in-one servers will NOT work. This is due to how various components (such as Inventory Service, vCenter, etc.) register with the SSO service. Multiple SSL certificates are required for a functioning system. For a complete installation of vCenter with VUM, you need a minimum of six certificates:

Inventory Service
SSO
Update Manager
vCenter
Web Client
Log Browser

The key difference in each certificate is the “OU” property, not the hostname or any other field. This OU value must be unique per service, as it seems to be the primary means by which the SSO service differentiates the SSL certificates for each service. Duplicate “OU” values are bad juju and will cause you a lot of grief. If you are purchasing commercially minted SSL certificates, don’t think you can skimp and just get a single certificate or a wildcard certificate. Pony up the $$ for each certificate.

image002
Certificates are tricky, and depending on how you “mint” them (OpenSSL root CA, Microsoft CA, commercial CA, etc.) the steps may differ significantly. This blog series assumes a Microsoft Windows Server 2008 R2 Enterprise root CA that has the web certificate services installed.

The scope of this post will be only to create the SSL certificates for the vCenter 5.1.0A services. Follow-on posts cover the ins and outs of replacing the service specific certificates, as the process differs for each service. For the official VMware KB article on creating the certificates, click here.

To generate the required vCenter trusted certificates follow these steps:

1. Download and install the Windows OpenSSL binary. You need the OpenSSL v1.0.1c (or later) package. Remember to install the appropriate Visual C++ Redistributable package prior to installing OpenSSL.

2. Install OpenSSL with the default path. You need a certificate directory to store all of the configuration files and resulting certificates. I created a directory called Certs in C:\OpenSSL-Win32. You can put this directory anywhere you want.

3. VMware requires that the vCenter related certificates contain a SAN (subject alternative name) field. I’ve provided OpenSSL configuration files below for each of the six services. All of the placeholder values (YourCountry, YourState, YourCity, YourCompanyName, ServerShortName and Server.DomainName) must be replaced with your information. The country code must be exactly two letters. My folder structure looks like this:

image003

Save each of the six configuration files below into their respective directory.

Inventory.cfg

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:ServerShortName, DNS:Server.DomainName

[ req_distinguished_name ]
countryName = YourCountry
stateOrProvinceName = YourState
localityName = YourCity
0.organizationName = YourCompanyName
organizationalUnitName = vCenterInventoryService
commonName = Server.DomainName

SSO.cfg

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:ServerShortName, DNS:Server.DomainName

[ req_distinguished_name ]
countryName = YourCountry
stateOrProvinceName = YourState
localityName = YourCity
0.organizationName = YourCompanyName
organizationalUnitName = vCenterSSO
commonName = Server.DomainName

vCenter.cfg

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:ServerShortName, DNS:Server.DomainName

[ req_distinguished_name ]
countryName = YourCountry
stateOrProvinceName = YourState
localityName = YourCity
0.organizationName = YourCompanyName
organizationalUnitName = vCenterServer
commonName = Server.DomainName

WebClient.cfg

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:ServerShortName, DNS:Server.DomainName

[ req_distinguished_name ]
countryName = YourCountry
stateOrProvinceName = YourState
localityName = YourCity
0.organizationName = YourCompanyName
organizationalUnitName = vCenterWebClient
commonName = Server.DomainName

VUM.cfg

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:ServerShortName, DNS:Server.DomainName

[ req_distinguished_name ]
countryName = YourCountry
stateOrProvinceName = YourState
localityName = YourCity
0.organizationName = YourCompanyName
organizationalUnitName = VMwareUpdateManager
commonName = Server.DomainName

LogBrowser.cfg

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:ServerShortName, DNS:Server.DomainName

[ req_distinguished_name ]
countryName = YourCountry
stateOrProvinceName = YourState
localityName = YourCity
0.organizationName = YourCompanyName
organizationalUnitName = vCenterLogBrowser
commonName = Server.DomainName

4. After you tweak and save your OpenSSL configuration files, you need to generate the CSR files to submit to your CA. First, we need to generate the RSA 2048-bit private keys.

WARNING: vCenter is extremely picky about the format of the RSA private key file (rui.key), and you will most certainly have a smoking vCenter VM if you don’t have the right format. If the header of the RSA key file only reads “-----BEGIN PRIVATE KEY-----” then Houston, you have a major problem.

image004

The format of your RSA private key file should have a header of “-----BEGIN RSA PRIVATE KEY-----”. This is the one and ONLY format that vSphere will accept.

image005

Use the following OpenSSL command to create a file called rui.key. Run this in each directory, as each certificate should have a unique private key. Note, these steps differ ever so slightly from the VMware KB, but produce the same results. These steps produce the RSA key in the proper format from the get-go, without having to convert it like the KB article has you do.

c:\OpenSSL-Win32\bin\openssl.exe genrsa 2048 > rui.key
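Before submitting anything to the CA it is worth checking the six configuration files and each freshly generated rui.key against the rules above: a unique OU per service, dataEncipherment in keyUsage, both the short name and the FQDN in the SAN, a two-letter country code, and the “BEGIN RSA PRIVATE KEY” header. The Python script below is an added example written for this post, not part of the original or of VMware’s tooling. It parses the OpenSSL config format, runs those checks, and builds its own sample configs from constructed values (vc01, vc01.contoso.local, Contoso) so it runs without any files on disk. One caveat for anyone following this with a current OpenSSL: 3.x’s genrsa writes the PKCS#8 “BEGIN PRIVATE KEY” header by default (its -traditional option restores the PKCS#1 header shown above), which is exactly the case the header check catches. Also remember that encrypt_key = no leaves every rui.key unencrypted on disk, so keep the Certs directory restricted to the account doing the work.

```python
import re

# Service folder -> OU value, exactly as in the six configuration files above.
SERVICES = {
    "Inventory": "vCenterInventoryService",
    "SSO": "vCenterSSO",
    "vCenter": "vCenterServer",
    "WebClient": "vCenterWebClient",
    "VUM": "VMwareUpdateManager",
    "LogBrowser": "vCenterLogBrowser",
}


def make_cfg(ou, short_name="vc01", fqdn="vc01.contoso.local", country="US",
             key_usage="digitalSignature, keyEncipherment, dataEncipherment"):
    """Render one service config in the layout of the files above (constructed sample values)."""
    return f"""[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = {key_usage}
extendedKeyUsage = serverAuth
subjectAltName = DNS:{short_name}, DNS:{fqdn}

[ req_distinguished_name ]
countryName = {country}
stateOrProvinceName = Texas
localityName = Austin
0.organizationName = Contoso
organizationalUnitName = {ou}
commonName = {fqdn}
"""


def parse_openssl_cfg(text):
    """Minimal parser for the INI-style config that `openssl req -config` reads."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and surrounding whitespace
        if not line:
            continue
        m = re.match(r"^\[\s*(\S+)\s*\]$", line)    # "[ req ]" -> "req"
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        key, _, value = line.partition("=")
        # "0.organizationName" keeps its numeric prefix; OpenSSL only uses the prefix
        # to allow repeated attribute names inside one section.
        sections.setdefault(current, {})[key.strip()] = value.strip()
    return sections


def check_cfg(text, short_name, fqdn):
    """Return the problems found in one service config; an empty list means it passes."""
    cfg = parse_openssl_cfg(text)
    req = cfg.get("req", {})
    ext = cfg.get("v3_req", {})
    dn = cfg.get("req_distinguished_name", {})
    problems = []
    if req.get("default_bits") != "2048":
        problems.append("default_bits should be 2048")
    key_usage = {u.strip() for u in ext.get("keyUsage", "").split(",")}
    if "dataEncipherment" not in key_usage:
        problems.append("keyUsage lacks dataEncipherment")
    san = {s.strip() for s in ext.get("subjectAltName", "").split(",")}
    for want in (f"DNS:{short_name}", f"DNS:{fqdn}"):
        if want not in san:
            problems.append(f"subjectAltName is missing {want}")
    if not re.fullmatch(r"[A-Za-z]{2}", dn.get("countryName", "")):
        problems.append("countryName must be exactly two letters")
    if dn.get("commonName") != fqdn:
        problems.append("commonName should be the server FQDN")
    if not dn.get("organizationalUnitName"):
        problems.append("organizationalUnitName is empty")
    return problems


def check_unique_ou(cfgs):
    """Map each OU used by more than one service to those services; an empty dict means OK."""
    by_ou = {}
    for service, text in cfgs.items():
        dn = parse_openssl_cfg(text).get("req_distinguished_name", {})
        by_ou.setdefault(dn.get("organizationalUnitName"), []).append(service)
    return {ou: names for ou, names in by_ou.items() if len(names) > 1}


def key_is_traditional_rsa(pem):
    """True when rui.key carries the PKCS#1 header vCenter 5.1 accepts, not the PKCS#8 one."""
    return pem.lstrip().startswith("-----BEGIN RSA PRIVATE KEY-----")


if __name__ == "__main__":
    cfgs = {name: make_cfg(ou) for name, ou in SERVICES.items()}
    for name, text in cfgs.items():
        print(name, check_cfg(text, "vc01", "vc01.contoso.local") or "OK")
    print("duplicate OUs:", check_unique_ou(cfgs) or "none")
```

To use it against real files, read each service’s .cfg from its folder into the dictionary instead of calling make_cfg, and pass the contents of rui.key to key_is_traditional_rsa before moving on to the CSR step.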

image006
Note: I’ve added a script at the bottom of this post that automates the entire certificate process, after you create the OpenSSL configuration files. Scroll down to the end if you wish to try that out instead of individual commands that are in the next several steps.

5. Using the RSA private key and the service-specific configuration file, we need to generate a CSR (certificate signing request) for each service. Run the command below in each service certificate folder, changing the name of the configuration file for each invocation.

c:\OpenSSL-Win32\bin\openssl.exe req -out rui.csr -key rui.key -new -config inventory.cfg

image006

6. After running both commands you should now see rui.csr and rui.key files in each service folder.

image008
Create_CSR.bat
----
CD /d c:\OpenSSL-Win32\certs\vcenter
c:\OpenSSL-Win32\bin\openssl.exe genrsa 2048 > rui.key
c:\OpenSSL-Win32\bin\openssl.exe req -out rui.csr -key rui.key -new -config vcenter.cfg

CD /d c:\OpenSSL-Win32\certs\Inventory
c:\OpenSSL-Win32\bin\openssl.exe genrsa 2048 > rui.key
c:\OpenSSL-Win32\bin\openssl.exe req -out rui.csr -key rui.key -new -config inventory.cfg

CD /d c:\OpenSSL-Win32\certs\SSO
c:\OpenSSL-Win32\bin\openssl.exe genrsa 2048 > rui.key
c:\OpenSSL-Win32\bin\openssl.exe req -out rui.csr -key rui.key -new -config SSO.cfg

CD /d c:\OpenSSL-Win32\certs\VUM
c:\OpenSSL-Win32\bin\openssl.exe genrsa 2048 > rui.key
c:\OpenSSL-Win32\bin\openssl.exe req -out rui.csr -key rui.key -new -config VUM.cfg

CD /d c:\OpenSSL-Win32\certs\webclient
c:\OpenSSL-Win32\bin\openssl.exe genrsa 2048 > rui.key
c:\OpenSSL-Win32\bin\openssl.exe req -out rui.csr -key rui.key -new -config webclient.cfg

CD /d c:\OpenSSL-Win32\certs\LogBrowser
c:\OpenSSL-Win32\bin\openssl.exe genrsa 2048 > rui.key
c:\OpenSSL-Win32\bin\openssl.exe req -out rui.csr -key rui.key -new -config LogBrowser.cfg

7. There are a couple of ways you can mint the SSL certificates from a Microsoft CA. One is using the traditional web interface. The other, which a reader pointed out in the comments to this article, is a command line method that automates the process.

To use the command line method you need to know the hostname of your CA, the “name” of your CA (see first screenshot below), and the certificate “template name”, which may NOT be the same as the certificate “template display name”. The “template name” is usually the template display name without any spaces (see second screenshot below).

image009

image010
In one of the certificate directories run the following command, of course changing the properties as needed for your CA. This will produce the rui.crt file, a newly minted SSL certificate.

certreq -submit -config "D001DC01\Contoso-D001DC01-CA" -attrib "CertificateTemplate:VMwareSSL" rui.csr rui.crt

If you want to create the certificate the old-fashioned way, open the first rui.csr file with Notepad and copy the contents to the clipboard.

image011

  • To create the certificate submit the CSR to the Microsoft CA then download the certificate. Navigate to the homepage of the Microsoft CA and you should see a screen just like the one below. Select “Request a certificate.”

image012

  • Select “advanced certificate request.”

image013

  • Select the second option shown below:

image014

  • Paste the CSR you generated from OpenSSL into the request window. Change the certificate template to “VMware SSL” or whatever you have defined as your SSL certificate template with the additional key usage property. Again, you can check out my blog post here for how to create a custom certificate template that has this required key usage feature. If you only see “User” and “Basic EFS” options, then the account you are using lacks the proper permissions on the CA to request certificates. Use a more privileged account to perform the request.

image015

  • Submit the certificate request (Base 64 encoded), then Save As, name the file rui.crt, and place it in the appropriate folder (e.g. C:\OpenSSL-Win32\Certs\Inventory).

image016

  • Later in this process we will also need the public root certificate file in Base-64 encoded format. One way to accomplish this is to select “Download Certificate chain” (in addition to Download Certificate) for one of your SSL certificates. Download this file as cachain.p7b.
  • Double click the cachain.p7b file and the CertMgr snap-in should appear. Open the Certificates node, find the root CA certificate, right click it, and export it. Save the Base-64 encoded file as Root64.cer. Your directory structure should look like the following:

image017

  • To validate that the certificate has all of the right fields, double click on the rui.crt file and it should open. Click on the Details tab and verify that the “OU” sub-field of the Subject name matches the service for which you created the certificate. I would also double check the Subject Alternative Name to ensure both the short hostname and the server’s FQDN are listed.

image018

  • Repeat the certificate minting process for the remaining services. Each folder should contain rui.csr, rui.key, rui.crt and the OpenSSL configuration file.

image019

  • To create the required PKCS#12 PFX files use the following command for each service (note that “testpassword” is required by VMware. Do NOT try and use a custom password!). Notice that we also embed the root certificate into the PFX file (-certfile).

C:\openssl-Win32\bin\openssl pkcs12 -export -in rui.crt -inkey  rui.key -certfile C:\openssl-Win32\certs\root64.cer -name rui -passout pass:testpassword -out rui.pfx

To make life a little easier below is a little batch file that automates the PFX creation process. Of course change any paths that you need to.

Create_PFX.bat

CD /d c:\OpenSSL-Win32\certs\SSO
C:\openssl-Win32\bin\openssl pkcs12 -export -in rui.crt -inkey rui.key -certfile C:\openssl-Win32\certs\root64.cer -name rui -passout pass:testpassword -out rui.pfx

CD /d c:\OpenSSL-Win32\certs\Inventory
C:\openssl-Win32\bin\openssl pkcs12 -export -in rui.crt -inkey rui.key -certfile C:\openssl-Win32\certs\root64.cer -name rui -passout pass:testpassword -out rui.pfx

CD /d c:\OpenSSL-Win32\certs\vCenter
C:\openssl-Win32\bin\openssl pkcs12 -export -in rui.crt -inkey rui.key -certfile C:\openssl-Win32\certs\root64.cer -name rui -passout pass:testpassword -out rui.pfx

CD /d c:\OpenSSL-Win32\certs\VUM
C:\openssl-Win32\bin\openssl pkcs12 -export -in rui.crt -inkey rui.key -certfile C:\openssl-Win32\certs\root64.cer -name rui -passout pass:testpassword -out rui.pfx

CD /d c:\OpenSSL-Win32\certs\WebClient
C:\openssl-Win32\bin\openssl pkcs12 -export -in rui.crt -inkey rui.key -certfile C:\openssl-Win32\certs\root64.cer -name rui -passout pass:testpassword -out rui.pfx

CD /d c:\OpenSSL-Win32\certs\LogBrowser
C:\openssl-Win32\bin\openssl pkcs12 -export -in rui.crt -inkey rui.key -certfile C:\openssl-Win32\certs\root64.cer -name rui -passout pass:testpassword -out rui.pfx

----

  • To validate the PFX files were created correctly you can run the following command from one of the service certificate folders:
     C:\openssl-win32\bin\openssl pkcs12 -in rui.pfx -info

    When you run that command you will be prompted a few times to enter the password, which is ‘testpassword’. Validate all of the fields look appropriate.

image020

  • Copy your Certs\Root64.cer file to C:\ProgramData\VMware\SSL (you will need to create the SSL directory) and rename the file to ca_certificates.crt.

image021

  • Next up is creating a trust store with your CA certificates, both the root and any intermediary CAs. vCenter requires certificate files with a specific name in a specific location. The file names of the associated certificate are in the format of hash.0 where hash is the result of the OpenSSL hash command (see below) and each file has an extension of 0 (zero).
  • Compute the hash for your base-64 encoded root certificate file (root64.cer), then copy the root64.cer certificate file to the C:\ProgramData\VMware\SSL directory, and change the file name to your hash value and change the file extension to 0 (e.g. 8c3f9174.0).
     c:\OpenSSL-Win32\bin\openssl.exe x509 -subject_hash_old -noout -in c:\OpenSSL-Win32\certs\root64.cer

    The output should be a short string of numbers and letters, as shown below.

image022

  • Repeat the hashing process for any intermediary CAs, such that the full certificate chain has a set of files named with their hash value. You do not need to hash any other certificates that you have created. My example is shown below.

image023
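For anyone who wants to understand what that hash actually is, or check a value without OpenSSL in hand, the Python below is an added example and not part of the original post. It reproduces -subject_hash_old as OpenSSL implements it: the MD5 of the DER-encoded subject Name, with the first four digest bytes read as a little-endian integer and printed as eight hex digits. OpenSSL 1.0.0 changed the plain -subject_hash (and -hash) option to a SHA-1 based scheme, so the two options give different file names; the command above deliberately uses the _old variant. The certificate here is a constructed, unsigned DER structure with a made-up CA subject (Contoso-D001DC01-CA); subject_hash_from_pem can be pointed at your real root64.cer to compare with the openssl output. The .0 suffix is an index that only increments when two certificates in the directory hash to the same value.

```python
import base64
import hashlib
import re

# ---- minimal DER encoder, used only to build the constructed sample certificate ----

def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER."""
    parts = [int(p) for p in dotted.split(".")]
    body = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        enc = [p & 0x7F]
        p >>= 7
        while p:
            enc.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        body.extend(enc)
    return tlv(0x06, bytes(body))

ATTR_OIDS = {"C": "2.5.4.6", "O": "2.5.4.10", "OU": "2.5.4.11", "CN": "2.5.4.3"}

def der_name(rdns):
    """Name ::= SEQUENCE OF (SET OF SEQUENCE { type OID, value PrintableString })."""
    return tlv(0x30, b"".join(
        tlv(0x31, tlv(0x30, oid(ATTR_OIDS[k]) + tlv(0x13, v.encode("ascii"))))
        for k, v in rdns))

def build_sample_cert(subject, issuer=None):
    """Structurally valid Certificate with dummy key and signature bits (constructed, unsigned)."""
    alg = tlv(0x30, oid("1.2.840.113549.1.1.11") + tlv(0x05, b""))  # sha256WithRSAEncryption
    validity = tlv(0x30, tlv(0x17, b"130101000000Z") + tlv(0x17, b"230101000000Z"))
    spki = tlv(0x30, tlv(0x30, oid("1.2.840.113549.1.1.1") + tlv(0x05, b"")) + tlv(0x03, bytes(9)))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg
              + der_name(issuer or subject) + validity + der_name(subject) + spki)
    return tlv(0x30, tbs + alg + tlv(0x03, bytes(9)))

def der_to_pem(der):
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"

# ---- the part that matters: locate the subject and hash it the way OpenSSL does ----

def read_tlv(buf, off):
    """Return (tag, content, end_offset) for the DER element starting at off."""
    tag, first = buf[off], buf[off + 1]
    off, length = off + 2, first
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length

def subject_der(cert_der):
    """Slice the subject Name (including its own tag and length) out of a Certificate."""
    _, cert_body, _ = read_tlv(cert_der, 0)   # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    _, tbs, _ = read_tlv(cert_body, 0)        # TBSCertificate
    off = 0
    tag, _, end = read_tlv(tbs, 0)
    if tag == 0xA0:                           # optional [0] EXPLICIT version
        off = end
    for _ in range(4):                        # serialNumber, signature, issuer, validity
        _, _, off = read_tlv(tbs, off)
    _, _, end = read_tlv(tbs, off)            # subject
    return tbs[off:end]

def name_hash_old(name_der):
    """X509_NAME_hash_old: MD5 over the DER Name, low four bytes as a little-endian integer."""
    md = hashlib.md5(name_der).digest()
    return "%08x" % int.from_bytes(md[:4], "little")

def subject_hash_old(cert_der):
    return name_hash_old(subject_der(cert_der))

def subject_hash_from_pem(pem):
    """Same value as `openssl x509 -subject_hash_old -noout -in <file>` on a PEM certificate."""
    return subject_hash_old(base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem)))

def trust_store_filename(pem, index=0):
    """Name vCenter expects under C:\\ProgramData\\VMware\\SSL; index rises only on hash collisions."""
    return f"{subject_hash_from_pem(pem)}.{index}"

# Constructed sample root CA: made-up subject, not a real certificate.
SAMPLE_ROOT_SUBJECT = [("C", "US"), ("O", "Contoso"), ("CN", "Contoso-D001DC01-CA")]
SAMPLE_ROOT_PEM = der_to_pem(build_sample_cert(SAMPLE_ROOT_SUBJECT))

if __name__ == "__main__":
    print(trust_store_filename(SAMPLE_ROOT_PEM))   # <8 hex digits>.0 for the sample subject
```

Because the hash covers only the subject Name, re-issuing a root with the same subject (a renewed CA certificate, for instance) produces the same file name, which is the collision case the numeric suffix exists for.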
Now that we have generated all of the required key pairs and certificates we need to replace the Single Sign On and Lookup Service certificates.

Below is the batch file that will create the private RSA keys, create CSRs based on the OpenSSL configuration files, get a minted certificate from an MS CA, then create the PFX file with the VMware password. Fully automated! The certreq command is very picky about the format of the CA name and certificate template. See the steps above for screenshots and more details on what to put there. It is not as obvious as it may first appear.


Set OpenSSL_BIN=c:\OpenSSL-Win32\bin\openssl.exe
Set Cert_Path=c:\OpenSSL-Win32\certs
Set Cert_Template=VMwareSSL
Set CA_Name=D001DC01\Contoso-D001DC01-CA
Set CA_Cert_Path=c:\OpenSSL-Win32\certs\root64.cer

CD /d %Cert_Path%\vcenter
%OpenSSL_BIN% genrsa 2048 > rui.key
%OpenSSL_BIN% req -out rui.csr -key rui.key -new -config vcenter.cfg
certreq -submit -config "%CA_Name%" -attrib "CertificateTemplate:%Cert_Template%" rui.csr rui.crt
%OpenSSL_BIN% pkcs12 -export -in rui.crt -inkey rui.key -certfile %CA_Cert_Path% -name rui -passout pass:testpassword -out rui.pfx

CD /d %Cert_Path%\Inventory
%OpenSSL_BIN% genrsa 2048 > rui.key
%OpenSSL_BIN% req -out rui.csr -key rui.key -new -config inventory.cfg
certreq -submit -config "%CA_Name%" -attrib "CertificateTemplate:%Cert_Template%" rui.csr rui.crt
%OpenSSL_BIN% pkcs12 -export -in rui.crt -inkey rui.key -certfile %CA_Cert_Path% -name rui -passout pass:testpassword -out rui.pfx

CD /d %Cert_Path%\SSO
%OpenSSL_BIN% genrsa 2048 > rui.key
%OpenSSL_BIN% req -out rui.csr -key rui.key -new -config SSO.cfg
certreq -submit -config "%CA_Name%" -attrib "CertificateTemplate:%Cert_Template%" rui.csr rui.crt
%OpenSSL_BIN% pkcs12 -export -in rui.crt -inkey rui.key -certfile %CA_Cert_Path% -name rui -passout pass:testpassword -out rui.pfx

CD /d %Cert_Path%\VUM
%OpenSSL_BIN% genrsa 2048 > rui.key
%OpenSSL_BIN% req -out rui.csr -key rui.key -new -config VUM.cfg
certreq -submit -config "%CA_Name%" -attrib "CertificateTemplate:%Cert_Template%" rui.csr rui.crt
%OpenSSL_BIN% pkcs12 -export -in rui.crt -inkey rui.key -certfile %CA_Cert_Path% -name rui -passout pass:testpassword -out rui.pfx

CD /d %Cert_Path%\webclient
%OpenSSL_BIN% genrsa 2048 > rui.key
%OpenSSL_BIN% req -out rui.csr -key rui.key -new -config webclient.cfg
certreq -submit -config "%CA_Name%" -attrib "CertificateTemplate:%Cert_Template%" rui.csr rui.crt
%OpenSSL_BIN% pkcs12 -export -in rui.crt -inkey rui.key -certfile %CA_Cert_Path% -name rui -passout pass:testpassword -out rui.pfx

CD /d %Cert_Path%\LogBrowser
%OpenSSL_BIN% genrsa 2048 > rui.key
%OpenSSL_BIN% req -out rui.csr -key rui.key -new -config LogBrowser.cfg
certreq -submit -config "%CA_Name%" -attrib "CertificateTemplate:%Cert_Template%" rui.csr rui.crt
%OpenSSL_BIN% pkcs12 -export -in rui.crt -inkey rui.key -certfile %CA_Cert_Path% -name rui -passout pass:testpassword -out rui.pfx