Hi community,
We are in the process of building a vRO environment with 2 nodes behind a load balancer in active/active mode. We are interested in using domain CA certs for the environment. I'm using the config file below to generate the .key, .csr files, etc. I have a couple of queries:
1. Which format should the certs be in: DER, PEM, PFX, etc.?
2. How and where should I do the certificate import when a load balancer is in the picture? We don't import certs to the LB; we offload SSL to the nodes.
Config file format used -
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vrotest, IP:1.1.1.1, DNS:vrotest.company.com, DNS:vrot01, IP:1.1.10.2, DNS:vrot01.company.com, DNS:vrot02, IP:1.1.10.3, DNS:vrot02.company.com
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = MO
localityName = Kansas City
0.organizationName = Test
organizationalUnitName = VMW
commonName = vrotest.company.com
Please help!!
VMSavvy
There are actually two different keystores used by vRO. One is on the node itself and the other is stored in the DB. I know there are some posts out there on replacing the vRO certificate, and for me I have ended up creating new keystores with the cert and private keys added.
I have bookmarked this - https://blog.netnerds.net/wp-content/uploads/2013/07/ReplaceSSL-vSphere41U3-50.ps1
Inside is a section for VCO that I have kept to use as an example of the syntax:
##############################################################################
#
# Orchestrator
#
##############################################################################
# Excerpt from the full script: $isvmo, $vmosslnew, $vmossl, $Infrastructure and
# $vcsslnew are defined earlier in that script (new cert folder, vCO SSL folder,
# vCO install root, new vCenter cert folder).
if ($isvmo) {
    $vmoservice = Get-WmiObject -Class Win32_Service -Filter "Name='VMwareOrchestrator'"
    if ($vmoservice -ne $null) { $vmoexists = $true }
    Write-Host -Foreground "DarkBlue" -Background "White" "Updating Orchestrator.."
    # Drop the new certificate, private key and PKCS#12 bundle into the vCO SSL folder
    Copy-Item -Force "$vmosslnew\rui.crt" $vmossl
    Copy-Item -Force "$vmosslnew\rui.key" $vmossl
    Copy-Item -Force "$vmosslnew\rui.pfx" $vmossl
    if ($vmoexists -eq $true) {
        if ((Get-Service VMwareOrchestrator).status -eq "Running") { Stop-Service VMwareOrchestrator ; $startvmo = $true }
    }
    # Rebuild the Java keystore: import the PFX under the alias "dunes" that vCO expects,
    # then add the vCenter certificate as a trusted cert ("dunesdunes" is the vCO default
    # keystore password; "testpassword" is the export password given to the PFX).
    Remove-Item "$vmossl\jssecacerts"
    &"$Infrastructure\jre\bin\keytool.exe" -v -importkeystore -srckeystore "$vmossl\rui.pfx" -srcstoretype pkcs12 -srcstorepass testpassword -srcalias "rui" -destkeystore "$vmossl\jssecacerts" -deststoretype JKS -deststorepass dunesdunes -destkeypass dunesdunes -destalias "dunes"
    &"$Infrastructure\jre\bin\keytool.exe" -noprompt -importcert -alias vcenter -keystore "$vmossl\jssecacerts" -storepass dunesdunes -file "$vcsslnew\rui.crt"
    Write-Host -Foreground "DarkBlue" -Background "White" "Restarting Orchestrator. This can take a while.."
    # Bounce the configuration service so it picks up the new keystore, then the main service
    if ((Get-Service vCOConfiguration).status -eq "Running") { Restart-Service vCOConfiguration } else { Start-Service vCOConfiguration ; Stop-Service vCOConfiguration }
    if ($vmoexists -eq $true) {
        if ((Get-Service VMwareOrchestrator).status -eq "Running") { Restart-Service VMwareOrchestrator } else { Start-Service VMwareOrchestrator ; Stop-Service VMwareOrchestrator }
    }
    if ($startvmo -eq $true) { Start-Service VMwareOrchestrator }
}
In case you missed it, "http://pubs.vmware.com/vsphere-55/topic/com.vmware.ICbase/PDF/vcenter-orchestrator-551-install-confi..." has a chapter on replacing the SSL certificate of vCO with a CA-signed one. Check under the section "Install a Certificate from a Certificate Authority". The important parts are the path to the certificate store, "install_directory\app-server\conf\security\jssecacerts", and the alias name of the certificate used for SSL, "dunes". Since it is a standard Java keystore, all tools like the Java utility keytool can be used for replacing the certificate.
Related to load balancing, there is a sample configuration with Apache here: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=203415...
There is also an automatic tool for replacing all certificates in vSphere, but personally I have not used it:
VMware KB: Implementing CA signed SSL certificates with vSphere 5.x
Hope it helps!
Hi,
to 1) PFX is fine:
If you already have a working vRO with PS, you can use the "Generate Certificate" WF and it will generate everything for you, from the config file to the PFX file:
vCO Workflow to automate the certificate generation process | Spas Kaloferov's Blog
To learn more on how to change the certificate, visit:
How to change the SSL certificate of a vCO Appliance
http://kaloferov.com/blog/how-to-change-the-ssl-certificate-of-a-vco-appliance/
to 2) If you do not do SSL interruption at the LB level, then there is nothing out of the ordinary about the certificate.
The CFG file should look like this:
[ req ]
# sha512 if your CA supports it, otherwise you can also use sha1, etc.
default_md = sha512
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:false
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vro-01.myDomain.com, DNS:vro-01, DNS:vro-02.myDomain.com, DNS:vro-02, DNS:vro-clu.myDomain.com, DNS:vro-clu
[ req_distinguished_name ]
countryName = UK
stateOrProvinceName = London
localityName = London
0.organizationName = VMware
organizationalUnitName = vRealize Orchestrator
commonName = vro-clu.myDomain.com
Best Regards,
Spas Kaloferov
(www.kaloferov.com/blog)
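Before sending a CSR to the domain CA it is worth linting the req config, since a cluster cert that lacks a SAN for the VIP or one node name only fails once a client connects through that name. The checker below is an added example written for this thread, not code from either poster; it parses the '[ req ]' / 'key = value' layout shown above and reports the defects that commonly creep into such a file (a remark left on the default_md line, a trailing comma in the SAN list, a commonName that is not repeated in the SANs, a weak signature hash). The sample config and the host list are constructed for the example.

```python
import re

# Constructed sample modelled on the config posted above; it carries three defects a
# copy-paste would inherit: a remark after default_md, a trailing SAN comma, a CN absent from the SANs.
SAMPLE_CFG = """\
[ req ]
default_md = sha512 (if your CA supports it)
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ v3_req ]
subjectAltName = DNS: vro-01.myDomain.com, DNS: vro-02.myDomain.com, DNS: vro-clu.myDomain.com,
[ req_distinguished_name ]
commonName = vra-orch-clu.sddc.lab
"""

def parse_req_config(text):
    """Parse '[ section ]' / 'key = value' lines into {section: {key: value}}; # comments are dropped."""
    sections, current = {}, None
    for line in (ln.split('#', 1)[0].strip() for ln in text.splitlines()):
        header = re.fullmatch(r'\[\s*(\S+)\s*\]', line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif line and current is not None:
            key, _, value = line.partition('=')
            current[key.strip()] = value.strip()
    return sections

def lint_req_config(text, required_dns_names):
    """Return findings for a vRO cluster CSR config; an empty list means it looks right."""
    findings, cfg = [], parse_req_config(text)
    req = cfg.get('req', {})
    md = req.get('default_md', '')
    if re.search(r'[\s(]', md):
        findings.append(f'default_md carries trailing text, move it to a # comment: {md!r}')
    elif md.lower() in ('sha1', 'md5'):
        findings.append(f'default_md {md} is a weak signature hash; use sha256 or stronger')
    san = cfg.get(req.get('req_extensions', ''), {}).get('subjectAltName', '')
    dns_names = set()
    for kind, _, name in (item.strip().partition(':') for item in san.split(',')):
        if not kind:
            findings.append('subjectAltName is missing or has an empty entry (trailing comma)')
        elif kind.strip().upper() == 'DNS':
            dns_names.add(name.strip().lower())
    for host in required_dns_names:
        if host.lower() not in dns_names:
            findings.append(f'missing SAN DNS entry for {host}')
    cn = cfg.get(req.get('distinguished_name', ''), {}).get('commonName', '').lower()
    if cn and cn not in dns_names:
        findings.append(f'commonName {cn} is not in subjectAltName; clients match on SAN only')
    return findings
```

Run it against the real config with the list of every node FQDN plus the load balancer name clients will use; the file is ready for `openssl req -new -config ...` only when the list of findings comes back empty.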