VMware

58 Replies. Last post: Mar 5, 2009 3:05 AM by Markisha1979

Replace VMware Virtual Center SSL Certificate with Microsoft CA posted: Jun 7, 2007 9:05 AM

dmaster (Expert, 457 posts since Apr 27, 2006):
Hello All,

I'm trying to replace the default SSL certificates from Virtual Center 2.01 with certificates from my own Microsoft Enterprise root CA.

I followed this howto:
http://edward.aractingi.net/blog/archives/virtualization/

In this article I'm missing how I get my rui.crt certificate.
I am only able to get the rui.pem, rui.pfx and rui.key files.

And this howto:
http://www.vmware.com/pdf/vi_vcserver_certificates.pdf
(I get the feeling that this document is not meant for a Microsoft CA just a local root CA)

In this article I get stuck on page 8 with the line:
openssl ca -out ruit.crt -config openssl.cnf -infiles mycsr.csr

Error message:
c:\Program files\openssl\openssl ca -out Webaccess.crt -config openssl.cfg -infiles Webaccess.csr
Using configuration from openssl.cfg
Loading 'screen' into random state - done
unable to load CA certificate
3360:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:663:Expecting: CERTIFICATE

Was anybody able to replace these certificates? Who can help me out?

masaki (Virtuoso, 1,814 posts since Oct 26, 2005):
The certificates are on the ESX host under /etc/vmware/ssl.

RobMokkink (Expert, 679 posts since Jun 7, 2005):
I install the openssl tools on the VC server and then do a request to the MS CA website.

When the certificate is in, I use a couple of openssl commands to export it to openssl format, so that VC can use it.

Currently I can't access the documents; when I am home I will post them here.

Tr0llk1ng (Novice, 16 posts since Feb 23, 2007):
rui.crt, as far as I know, is just the root certificate to trust. You can check if you open the file on a Windows client: it shows the root certificate. (You can also open the PFX with "testpassword" as password; found this in the PDF above.)

Basically I have the same problem afterwards. I've tried to replace the rui files, but a restart of the Virtual Center Server leads to an unexpected termination of the service without information why. Change back to the original RUI and everything works fine.
Also tested changing the PFX password to testpassword or to no password: no change.

Anybody able to change the SSL certificate of just the web access?

RobMokkink (Expert, 679 posts since Jun 7, 2005):
Do this:

Install the openssl tools on the VC server.

Generate a new key:

openssl genrsa 1024 > rui.key

Create a signing request:
openssl req -new -key rui.key > rui.csr

Open the rui.csr with a text editor and select all the text.

Issue the certificate on the MS CA and download the cert file to rui.crt

Then convert the rui.crt to rui.pfx with the following command:

openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui -passout pass:testpassword -out rui.pfx

RobMokkink (Expert, 679 posts since Jun 7, 2005):
Just retested the procedure.

Make sure that when you download the certificate you select base64.

If you didn't specify a password on the request, you can just issue the following command to create a .pfx:

openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui -out rui.pfx
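
Added example (not part of any post in this thread): the "no start line ... Expecting: CERTIFICATE" error quoted in the first post is what OpenSSL reports when the file it reads has no PEM header, which is what the "select base64" advice above avoids. This Python sketch classifies a downloaded certificate file as PEM or DER and normalizes it to PEM before it is handed to openssl pkcs12; the function names and the sample bytes are constructed for illustration.

```python
import re
import ssl

# Matches one PEM block and captures its label, e.g. CERTIFICATE or PKCS7.
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)


def der_outer_length(data: bytes):
    """Total size of the outer ASN.1 SEQUENCE, or None if data is not DER."""
    if len(data) < 2 or data[0] != 0x30:      # X.509 starts with SEQUENCE (0x30)
        return None
    first = data[1]
    if first < 0x80:                          # short form: one length byte
        return 2 + first
    n = first & 0x7F                          # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def classify(data: bytes) -> str:
    """Return 'pem:<LABEL>', 'der' or 'unknown' for a downloaded file."""
    match = PEM_BLOCK.search(data)
    if match:
        return "pem:" + match.group(1).decode("ascii")
    if der_outer_length(data) == len(data):   # outer length must cover the whole file
        return "der"
    return "unknown"


def to_pem_certificate(data: bytes) -> str:
    """Return the certificate as PEM text, converting from DER if needed."""
    kind = classify(data)
    if kind == "pem:CERTIFICATE":
        return PEM_BLOCK.search(data).group(0).decode("ascii") + "\n"
    if kind == "der":
        return ssl.DER_cert_to_PEM_cert(data)
    # e.g. a PKCS#7 chain download or a truncated file: do not feed it to pkcs12
    raise ValueError(f"not an X.509 certificate file (detected: {kind})")


# Constructed sample: a SEQUENCE with a correct outer length, not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)

if __name__ == "__main__":
    print(classify(SAMPLE_DER))
    print(classify(to_pem_certificate(SAMPLE_DER).encode("ascii")))
```

The check only inspects the outer encoding; it does not validate the certificate's contents or that it matches rui.key.
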

RobMokkink (Expert, 679 posts since Jun 7, 2005):
Hey dmaster, you were a little bit faster than me ;-)

RobMokkink (Expert, 679 posts since Jun 7, 2005):
I also replaced the certificates on the ESX hosts.
Unfortunately it doesn't like the new certs.
Can't get the servers in VC anymore.

Strange that I didn't test this sooner.

RobMokkink (Expert, 679 posts since Jun 7, 2005):
If you want to connect through the webinterface from a client etc.

RobMokkink (Expert, 679 posts since Jun 7, 2005):
Today I was rebuilding my test lab and I made a huge error in my post:

openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui -out rui.pfx

Do this:

openssl pkcs12 -export -in rui.crt -inkey rui.key -name <your fqdn of the virtualcenter server> -out rui.pfx

This also fixed a lot of other issues.
