Zewwy
Contributor

SSL Automation Tool Fails at assigning New Certs


Hey all,

I'm having a baffling problem... Let me get the basics out of the way...

I'm running 2 ESXi hosts on version 5.1.

I installed vCenter on a VM, hosted on Windows Server 2008 R2.

I ran the simple installation method using SQL Express 2008; the server is for the most part standalone.

Successfully installed the vCenter services, logged in as Administrator@vsphere.local, configured logging in as domain admin account, and set that domain as primary.

I am able to successfully log in as a domain admin, but couldn't configure the vCenter server as it stated none was found, so I had to log in again with the vSphere admin and enable domain admins' permissions on the vCenter server object.

All good finally created my Datastore, Cluster and added hosts all went well...

Now I finally wanted to get to the point where I wanted certificates signed by our enterprise CA, so I don't have to worry about the validity of the certs every time I connect.

VMware KB: Deploying and using the SSL Certificate Automation Tool 1.0.x

After TONS of reading, I configured my cert template in my enterprise CA, got it to most of the required specs, except it's set to SHA-1 and I would recommend SHA-256... but whatever, generated my req, got it signed, created a cert chain...

Now I'm finally on assigning cert to service...  (note this tool is installed directly onto the vCenter Server, c:\VMware dir)

Press 3 (Update SSO)

Press 1 (Update the SSO Cert)

Enter all the required fields as expected with full directory paths..

Then I get this!! The error below is taken from the actual log file.

2014-08-05T12:05:56.741-0500 [c.v.s.c.r.RunBuilder] INFO  Running: reg query HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Infrastructure\SSOServer /t REG_SZ /v InstallPath

2014-08-05T12:05:56.909-0500 [c.v.s.c.r.RunBuilder] INFO  Exit status: 1

Now I open regedit and navigate to this registry path, but no such value "InstallPath" exists... What am I doing wrong?!?!?


Accepted Solutions
Akopylov
Commander

Hello, Zewwy.

You should definitely use SSL Automation Tool 5.5 for your vCenter and its services (Web Client, Inventory Service, etc.). About ESXi: I replaced the hosts' certs by hand, not with the Tool.

Also ensure that you use the SHA256RSA algorithm. Here is the instruction for ESXi: VMware KB: Configuring CA signed certificates for ESXi 5.x hosts.

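A pre-flight check that ties the two points in this thread together, written as an added example (it is not part of the SSL Certificate Automation Tool, the VMware KB articles, or any poster's own code): it repeats the SSO registry lookup that the tool logged in the question before it stopped with exit status 1, and it inspects the certificate you are about to assign for the sha256RSA signature algorithm the accepted answer recommends. The `SSOServer` registry key and the `InstallPath` value name come from the log line in the question; the certificate file path is an assumed placeholder, and the script assumes it is run in an elevated PowerShell session on the vCenter server itself.

```powershell
# Added example: pre-flight checks before running the SSL Certificate Automation Tool.
# Not from the tool, the KB or any poster; run in an elevated PowerShell on the vCenter box.

# The registry value the tool queries for SSO, copied from the log line in the question.
$SsoKey   = 'HKLM:\SOFTWARE\VMware, Inc.\VMware Infrastructure\SSOServer'
$SsoValue = 'InstallPath'

function Test-SsoInstallPath {
    # Same lookup the tool performs, done through the registry provider instead of reg.exe.
    param([string]$Key = $SsoKey, [string]$Value = $SsoValue)
    $item = Get-ItemProperty -Path $Key -Name $Value -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Key or value missing: this is the condition behind "Exit status: 1" in the log.
        return New-Object PSObject -Property @{ Found = $false; Path = $null; KeyExists = (Test-Path $Key) }
    }
    return New-Object PSObject -Property @{ Found = $true; Path = $item.$Value; KeyExists = $true }
}

function Invoke-ToolRegQuery {
    # Reproduces the reg.exe call from the log so the exit status can be compared directly.
    # The key path contains a comma and spaces, so it is passed as a single quoted argument.
    param([string]$Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Infrastructure\SSOServer',
          [string]$Value = $SsoValue)
    $output = & reg.exe query $Key /t REG_SZ /v $Value 2>&1
    return New-Object PSObject -Property @{ ExitStatus = $LASTEXITCODE; Output = ($output -join "`n") }
}

function Test-CertSignatureAlgorithm {
    # Loads a DER or PEM certificate (the first certificate of a chain file) and checks its
    # signature algorithm against the one the accepted answer recommends (sha256RSA).
    param([Parameter(Mandatory=$true)][string]$CertPath, [string]$Expected = 'sha256RSA')
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $algorithm = $cert.SignatureAlgorithm.FriendlyName
    return New-Object PSObject -Property @{
        Subject   = $cert.Subject
        Algorithm = $algorithm
        NotAfter  = $cert.NotAfter
        Ok        = ($algorithm -eq $Expected)
    }
}

# Usage. The certificate path below is an assumed placeholder; point it at your signed SSO cert.
$reg = Test-SsoInstallPath
if (-not $reg.Found) {
    Write-Warning "Key exists: $($reg.KeyExists); value '$SsoValue' missing - the tool will stop with exit status 1"
} else {
    Write-Host "SSO InstallPath = $($reg.Path)"
}

$q = Invoke-ToolRegQuery
Write-Host "reg.exe exit status: $($q.ExitStatus)"   # 0 when the value exists, 1 when it does not

$check = Test-CertSignatureAlgorithm -CertPath 'C:\certs\sso\rui.crt'   # assumed path
if (-not $check.Ok) {
    Write-Warning "$($check.Subject) is signed with $($check.Algorithm); re-issue it from a CA template that uses sha256RSA"
} else {
    Write-Host "$($check.Subject): $($check.Algorithm), valid until $($check.NotAfter)"
}
```

Run it before choosing "Update the SSO Cert" in the tool: if `Test-SsoInstallPath` reports the value missing, the tool's own `reg query` will fail with the same exit status 1 seen in the log, which is the symptom of running the 5.1 tool against a 5.5 vCenter install whose registry layout it does not know. The certificate check reads only the first certificate in a chain file, so run it against the leaf certificate rather than the full chain if you want the leaf's algorithm.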
8 Replies
Zewwy
Contributor

Bump.... anyone?! Thoughts, suggestions?

To help clarify for others:

vCenter 5.5

ESXi hosts vSphere 5.1

documentation states: The SSL Certificate Automation Tool 5.5 works with your vSphere 5.5 environment only. If you need to replace the certificates on a vSphere 5.1 environment, see Deploying and using the SSL Certificate Automation Tool (2041600).

With my setup am I in a vSphere 5.1 enviro, or a vSphere 5.5 enviro??


Seems like the documentation could use some review...

JimKnopf99
Commander

Hi,

I could recommend the following website.

http://www.derekseaman.com/2013/10/vsphere-5-5-install-pt-1-introduction.html

It saved me a lot of time with implementing my certs.

Frank

If you find this information useful, please award points for "correct" or "helpful".
Zewwy
Contributor

Thanks for the info. I have since used the SSL Automation Tool 5.5, ran the update planner, and completed all steps to update the certs using an internal MS-based CA, and was successful. I'll hopefully read the documentation on getting the host certs updated as well.

One quick question on that: will this affect the vCenter connection to each host?

Should I create a domain-based account to manage these hosts, and then tell vCenter the new AD credentials to use to manage these hosts? And will the vCenter server lose communication to the host when updating the certs on them?

Hopefully the articles provided will shed some light on these questions.

Thanks all!

Akopylov
Commander

Zewwy, no, AD accounts are not necessary; just provide the host's root credentials when you add the ESXi host to your vCenter. It will create a vpxuser account to manage the new host (as usual), and already existing hosts will just rejoin the cluster. Actually, I added hosts to vCenter after changing the certs, but you should not get any problem. Just ensure that you have the possibility to manage the host directly, not through vCenter (in case the cert change fails).

Also, yes, Derek Seaman's blog contains plenty of information, but it did not help me with the cert change, because my vServices are hosted on different VMs (and his script is only for the simple installation); however, there is a lot of useful information about vSphere installation, so pay attention to it. You can check http://www.derekseaman.com/2013/12/vsphere-55-install-pt-19-esxi-ssl-certs.html about changing ESXi certs.

Hope it will help. I think SSL is a pretty painful story.

JimKnopf99
Commander

Hi,

You will get issues if you change the cert while your hosts are connected to your vCenter.

So first, disconnect the host, change the cert and reconnect the host to vCenter.


If you want to, you could create an AD group and add it to the host admin group. But you don't need that.


Frank

If you find this information useful, please award points for "correct" or "helpful".
Zewwy
Contributor

Thanks Akopylov,

That's how I have them added now, via their hosts' root account. And considering that the host connects to them fine with the self-signed certs, it's not really that big a deal to me, since I usually just manage them via vCenter now. But in the event vCenter fails (or breaks because I changed the hostname without redeploying new certs), then I manage them directly using the 5.1 phat client.

So now I'm wondering, is there any real benefit to me in re-issuing the hosts' certs...? Since I very rarely administer them directly...

Thanks for all the help, guys, it has been really insightful!

Akopylov
Commander

Hello, Zewwy.

I would change the ESXi certs in your place. You can avoid a "man-in-the-middle" between vCenter and ESXi, not only between your client and ESXi, I think. And also, what's the point of replacing certs not on all components of the virtual infrastructure, but only on a few? There are not many problems with replacing ESXi certs; I would say it was easier for me to replace them than to replace the certs of the vCenter services (inventory, etc.). But it is just my opinion.
