VMware Cloud Community
dmaster
VMware Employee

Replace VMware Virtual Center SSL Certificate with Microsoft CA

Hello All,

I'm trying to replace the default SSL certificates from Virtual Center 2.01 with certificates from my own Microsoft Enterprise root CA.

I followed this howto:

http://edward.aractingi.net/blog/archives/virtualization/

In this article I am missing how I get my rui.crt certificate?

I am only able to get the rui.pem, rui.pfx and rui.key files.

And this howto:

http://www.vmware.com/pdf/vi_vcserver_certificates.pdf

(I get the feeling that this document is not meant for a Microsoft CA, just a local root CA.)

In this article I get stuck on page 8 with the line:

openssl ca -out ruit.crt -config openssl.cnf -infiles mycsr.csr

Error message:

c:\Program files\openssl\openssl ca -out Webaccess.crt -config openssl.cfg -infiles Webaccess.csr
Using configuration from openssl.cfg
Loading 'screen' into random state - done
unable to load CA certificate
3360:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:663:Expecting: CERTIFICATE

Was anybody able to replace these certificates? Who can help me out?

58 Replies
Dennis2
Contributor

What does vpxd -p do?

It requires me to enter a password for some database. Should that be for the same account and database used when installing VC?

Dave_Mishchenko
Immortal

The command will re-encrypt the database login with the new SSL cert. The encrypted password is then stored in the registry. It'll be the same password that you already use for SQL login to the VC database. Without this change you won't be able to start VC with a new cert.

Dennis2
Contributor

Thanks Alex and Dave.

VC works like a charm now :)

Box293
Enthusiast

I followed all the steps and it all works OK, no warnings when I log into VC.

However when I try and bring up the console of a virtual guest all I get is a black screen.

If I revert back to the original certificates and do the vpxd -p thing, the consoles work OK again.

I only did the certificate change on the VC server. Do I need to do it to all the ESX servers as well?

VCP3 & VCP4 32846 VSP4 VTSP4
Dave_Mishchenko
Immortal

You have to disconnect and reconnect your hosts (see the bottom of this article - http://kb.vmware.com/kb/1003070).

Box293
Enthusiast

Ahhh, the good old read-the-manual thingy.

I'll have to do that this weekend we are performing some maintenance.

Thanks very much.

todd_shawcross
Contributor

Hello,

Has anyone tried replacing the certificates for VC 2.5? I can generate all the files using these steps (however they are different sizes to the VMware ones), but the VC service will not start. I'm at a bit of a loss at the moment; VMware support will not help when a Microsoft CA is involved.

I'm using:

Win32OpenSSL-0_9_8g (installed on VC server)

VirtualCenter 2.5

Thanks,

Todd

Dave_Mishchenko
Immortal

Did you run the vpxd -p command after replacing the certificate?

todd_shawcross
Contributor

Yeah, tried that. I just generated the certificates with the Lite version of OpenSSL and it is working now...

Dennis2
Contributor

Exactly this has already been asked 10 entries above yours and answered in the following entries.

todd_shawcross
Contributor

Thanks for your input, Dennis.

Jwoods
Expert

Today I was rebuilding my test lab and I made a huge error in my post:

openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui -out rui.pfx

Do this:

openssl pkcs12 -export -in rui.crt -inkey rui.key -name <your fqdn of the virtualcenter server> -out rui.pfx

This also fixed a lot of other issues.

Rob/Dmaster, does the "security warning" still appear for you after replacing the ssl cert on VC? Whenever I generate a cert for either hostname or FQDN I still receive the security warning.

Cert generated using hostname "VCSERVER1" --> The certificate received from "vcserver1.foo.foo.com" was issued for "VCSERVER1". Secure communication with "vcserver1.foo.foo.com" cannot be guaranteed.

Cert generated using FQDN "vcserver1.foo.foo.com" --> The certificate received from "VCSERVER1" was issued for "vcserver1.foo.foo.com". Secure communication with "vcserver1.foo.foo.com" cannot be guaranteed.

I didn't expect to receive any warning after replacing the cert. Just thought it would go straight through after login. I know I can simply check "Do not display..." or just ignore, but wanted to verify whether or not this behavior is expected.

Dennis2
Contributor

If your computer doesn't trust the issuer of the certificate, you have to install the root certificate of the issuer on all your computers that will be running the VC client.

Jwoods
Expert

> If your computer doesn't trust the issuer of the certificate, you have to install the root certificate of the issuer on all your computers that will be running the VC client.

And that's the weird part. The cert was issued by my Enterprise CA. The VC server is in the domain and has the root cert in the cert store.

Dennis2
Contributor

Have you verified that the root certificate is actually loaded on the client computer where you start the VC client application?

Jwoods
Expert

> Have you verified that the root certificate is actually loaded on the client computer where you start the VC client application?

Yep, it's there. What I'm getting from your questioning is that the additional screen that I'm seeing upon login should not exist after the cert has been replaced?

smpeck
Contributor

Thanks for the information. I followed these directions and I am now able to use the VI client without cert warnings, using a certificate from my local domain's CA. However, I run into problems accessing the web interface. Using IE, I get the following message box:

"Choose a digital certificate. The website you want to view requests identification. Please choose a certificate." There are no certificates listed in the menu. Any ideas?

Jwoods
Expert

Problem solved. Cert had the FQDN, but it seems VIC requires FQDN to compare against cert! I was originally using shortname. Thanks for the help Dennis!

Dennis2
Contributor

Yep. That's how certificates work. If you deviate from the subject name in any way, the check will fail.

astrolab
Contributor

I tried to put together a step-by-step process on regenerating the VirtualCenter certificate. It applies to an environment with a Microsoft CA, but it can be adapted to any root CA. Please let me know of any errors.

1. Install OpenSSL Light on the VC Server. ** Moderator note: Win32 OpenSSL Light can be downloaded from the kind folks at **

2. Generate an RSA private key and a certificate-signing request

BACK UP THE EXISTING RUI.CRT, RUI.KEY and RUI.PFX TO A SECURE LOCATION.

They are located in c:\docs and settings\all users\app data\vmware\VMware VirtualCenter\SSL

From the VC Server, navigate at the command prompt to the OpenSSL\bin directory.

Issue the following commands:

openssl genrsa 1024 > rui.key

openssl req -new -key rui.key > rui.csr

Fill in the appropriate information. ** Moderator note: Your Name/Common Name is the FQDN of your VC Server, i.e. servername.domain.com **

3. Request a Certificate

Go to your CA webpage.

Click on Request a Certificate.

Open the file that you saved above with Notepad and copy all of the contents, including the "-----BEGIN CERTIFICATE REQUEST-----" and "-----END CERTIFICATE REQUEST-----" lines.

Be sure that the Certificate Template is set to Web Server. There is no need to enter anything into the Additional Attributes field.

Click on "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file".

Paste the Notepad contents of the certificate request file from above into the Saved Request field and click on the Submit button.

Select Base 64 Encoded, click Download Certificate and save the certificate to C:\...\OpenSSL\bin ** Moderator note: Save the file as rui.crt **

During this process, you may receive an email with certificate information in it. You may safely delete the email.

4. Create a .pfx (personal individual exchange) file for rui.crt

At the Command Prompt on the VC server, navigate to C:\...\OpenSSL\bin and issue:

openssl pkcs12 -export -in rui.crt -inkey rui.key -name VirtualCenterServerFQDN -out rui.pfx

5. Move rui.crt, rui.key, and rui.pfx to

c:\docs and settings\all users\app data\vmware\VMware VirtualCenter\SSL

6. Disconnect all ESX hosts managed by VirtualCenter. ** Moderator note: (original step: Power off all VMs on the hosts in the VC. This needs to be done because after the VC loads the new certs it will not be possible to gracefully shut down the VMs from the VC Client, though it can still be done through RDP or the Service Console.) **

7. ** Moderator note: Added step 7: Stop the VMware VirtualCenter Server service **

7.5 From CMD, navigate to the C:\Program Files\VMware\Infrastructure\VirtualCenter Server\ directory and issue the following command:

vpxd -p (it re-encrypts the DB password). When prompted, type the password used for the VC database.

8. Start the VMware VirtualCenter Server service. ** Moderator note: Starting the VC service should be sufficient. (original step: Restart the VC server.) **

9. ** Moderator note: This step is not necessary ** (original step: Restart all ESX hosts.)

10. Reconnect all ESX hosts. ** Moderator note: VMs should already be powered on ** (original step: and power on the VMs.)

11. IMPORTANT: connect to the VC Infrastructure by using the Virtual Center FQDN.

Now, the question for the forum is: if I regenerate the certificate on every single ESX host, using the same Microsoft CA, the host is not happy, gets disconnected and when trying to reconnect I receive the error: bad username or password. Has anybody implemented a comprehensive certificate strategy where both VC and the single hosts use certificates issued by the same CA?

Message was edited by: jasonboche

Added/changed some steps as noted.

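The key, CSR and PFX steps of astrolab's procedure, scripted together with the checks this thread keeps tripping over: the Common Name must be the VC server's FQDN rather than the short hostname (Jwoods' and Dennis2's exchange), the PFX friendly name must be that same FQDN (Jwoods' corrected pkcs12 command), and a certificate downloaded in DER form rather than Base 64 produces exactly the "no start line ... Expecting: CERTIFICATE" error from the first post, because OpenSSL expects PEM. This is an added example, not code from the thread or from VMware; a throwaway local CA stands in for the Microsoft Enterprise CA so that it runs offline, and the FQDN, the PFX password and the working directory are assumptions made here. It uses 2048-bit keys rather than the 1024 bits in the post.

```shell
#!/bin/sh
# Added example (not from the thread): key/CSR/PFX generation for the
# VirtualCenter rui.* files, plus the checks worth running before copying
# them into the SSL directory. A local test CA stands in for the Microsoft
# CA; FQDN, password and $WORK are assumptions, and every file is constructed.
set -eu

FQDN="vcserver1.foo.foo.com"   # assumed; use the VC server's real FQDN
PFX_PASS="changeit"            # assumed PFX export password
WORK=$(mktemp -d)

# Step 2: private key and CSR whose Common Name is the FQDN, not the short
# hostname (the short name is what produced the warnings in the thread).
gen_key_and_csr() {
    openssl genrsa -out "$WORK/rui.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/rui.key" -subj "/CN=$FQDN" -out "$WORK/rui.csr"
}

# Stand-in for step 3. With the Microsoft CA you paste rui.csr into the web
# enrollment page (Web Server template) and download the result Base 64 encoded.
issue_with_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
        -subj "/CN=Test Enterprise CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl x509 -req -in "$WORK/rui.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -sha256 -out "$WORK/rui.crt" 2>/dev/null
}

# "no start line ... Expecting: CERTIFICATE" is what OpenSSL prints when it is
# handed a DER (.cer) file where it expects PEM. Accept either, always write PEM.
to_pem() {   # $1 = input certificate (PEM or DER), $2 = PEM output
    if head -c 10 "$1" | grep -q -- '-----BEGIN'; then
        cp "$1" "$2"
    else
        openssl x509 -in "$1" -inform DER -outform PEM -out "$2"
    fi
}

# Step 4: PFX whose friendly name is the FQDN, per Jwoods' corrected command.
build_pfx() {
    openssl pkcs12 -export -in "$WORK/rui.crt" -inkey "$WORK/rui.key" \
        -name "$FQDN" -passout "pass:$PFX_PASS" -out "$WORK/rui.pfx"
}

# Checks to run before moving the files into the SSL directory.
cert_cn() {            # prints the certificate's Common Name
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *CN=//'
}
hostname_matches() {   # 0 if the name the client will connect to equals the CN
    [ "$(cert_cn "$1")" = "$2" ]
}
key_matches_cert() {   # 0 if the cert carries the public key of this key file
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout | openssl sha256)
    [ "$k" = "$c" ]
}
chain_ok() {           # 0 if the issuing CA's root validates the certificate
    openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}
pfx_friendly_name() {  # prints the friendlyName stored in rui.pfx
    openssl pkcs12 -in "$WORK/rui.pfx" -passin "pass:$PFX_PASS" -nokeys -info 2>/dev/null \
        | sed -n 's/^ *friendlyName: //p' | head -n 1
}

gen_key_and_csr
issue_with_test_ca
# Simulate a DER download (what you get without "Base 64 Encoded") and
# normalise it to PEM before building the PFX.
openssl x509 -in "$WORK/rui.crt" -outform DER -out "$WORK/rui.cer"
to_pem "$WORK/rui.cer" "$WORK/rui.crt"
build_pfx
```

Run it on the VC server from a shell with OpenSSL on the path; the files land in the directory named by $WORK, which the script deliberately does not delete. If hostname_matches fails for the FQDN you type into the VI client, or key_matches_cert fails, the "Secure communication cannot be guaranteed" warning and the non-starting vpxd service from the thread are what to expect, so fix that before running vpxd -p.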