5 Replies Latest reply on Oct 24, 2015 12:09 AM by sholland1980

    VCSA 6.0: Replacing external-facing SSL certificates by CA signed certs

    praseodymium Novice

      We'd like to use third-party CA signed SSL certificates for our external-facing vSphere components (e.g. vSphere Web Client, web console, …), so that users with vSphere access do not have to trust any internal CA certificates. On vSphere 5.5, there was a complicated but workable solution available.


      For vSphere 6, some documentation on VMCA is available and it looks like we'll have to replace the Machine SSL certificates with custom certificates, but I'm not completely sure if this is the best/recommended approach. More specifically, it looks like this approach still replaces a number of internal certificates, while I'd prefer to only replace external-facing certificates.


      Does anyone have experience with this?

        • 1. Re: VCSA 6.0: Replacing external-facing SSL certificates by CA signed certs
          praseodymium Novice

          Looks like the way to go is using the certificate-manager tool (/usr/lib/vmware-vmca/bin/certificate-manager) with option 1, Replace Machine SSL Certificate with Custom Certificate.


          Unfortunately this throws an error:

          Error while replacing Machine SSL Cert, please see /var/log/vmware/vmcad/certificate-manager.log for more information.


          And the log shows:

          2015-03-13T22:31:28.906Z INFO certificate-manager Command executed successfully
          2015-03-13T22:31:28.906Z INFO certificate-manager Certificate backup created successfully
          2015-03-13T22:31:28.907Z INFO certificate-manager Running command : ['/usr/lib/vmware-vmafd/bin/dir-cli', 'trustedcert', 'publish', '--cert', '/root/ssl/chain.crt', '--password', '*****']
          2015-03-13T22:31:28.920Z INFO certificate-manager Command output :-
          2015-03-13T22:31:28.921Z ERROR certificate-manager
          2015-03-13T22:31:28.921Z ERROR certificate-manager Error while replacing Machine SSL Cert, please see /var/log/vmware/vmcad/certificate-manager.log for more information.
          2015-03-13T22:31:28.921Z ERROR certificate-manager {
              "resolution": null,
              "detail": [
                  {
                      "args": [
                          ""
                      ],
                      "id": "install.ciscommon.command.errinvoke",
                      "localized": "An error occurred while invoking external command : ''",
                      "translatable": "An error occurred while invoking external command : '%(0)s'"
                  },
                  "Error while publishing cert using dir-cli."
              ],
              "componentKey": null,
              "problemId": null
          }


          Not very helpful, but running this command for ourselves provides more information:

          vc:~ # /usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert /root/ssl/chain.crt
          Enter password for administrator@vsphere.local:
          The file [/root/ssl/chain.crt] contains more than 1 certificate
          If you want to publish a chain of certificates, use the command "trustedcert publish" with the --chain flag.
          dir-cli failed. Error 13: Possible errors:
          LDAP error: Confidentiality required
          Win Error: Operation failed with error ERROR_INVALID_DATA (13)


          Ah! We need the --chain flag because we use a CA certificate chain instead of a single root certificate. Let's fix the certificate-manager library to include this option:

          vc:~ # sed -i "/trustedcert/ s/$/\'--chain\',/" /usr/lib/vmware/site-packages/cis/certificateManagerOps.py

          And optionally verify that line 434 was edited to append this flag:

          vc:~ # vim +434 /usr/lib/vmware/site-packages/cis/certificateManagerOps.py


          Now all that's left is running certificate-manager again to enjoy our CA-signed certs!

          • 2. Re: VCSA 6.0: Replacing external-facing SSL certificates by CA signed certs
            Matt.B Enthusiast

            Thanks for the detail.  I had the same issue and was able to get past the chain error but it failed again.  Can you share how you created your chain.crt?  From our internal CA, I downloaded our Base64 certificate chain as chain.p7b.  I then used the VCSA 6.0 with this command to convert it to .pem.

            openssl pkcs7 -print_certs -in chain.p7b -out chain.pem


            I ran /usr/lib/vmware-vmca/bin/certificate-manager and did the import for Machine SSL with the machine SSL cert, key, and chain.pem.


            From the logs, my recent error is "2015-04-27T21:45:32.672Z INFO certificate-manager MACHINE_SSL_CERT certificate replacement failed. SerialNumber and Thumbprint not changed after replacement, certificates are same before and after".

            • 3. Re: VCSA 6.0: Replacing external-facing SSL certificates by CA signed certs
              praseodymium Novice

              You should be using a pem-format chain with all intermediate certificates concatenated together (e.g. "cat server.crt subordinate-ca.crt signing-ca.crt > server.pem"). In my case the certificates were already given in pem format, so there was no conversion needed.


              If you encounter the "certificates are same before and after" error, start over from a snapshot or run the appropriate dir-cli command manually (instead of using the certificate-manager tool):

              /usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert /root/ssl/chain.crt --chain
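Added example, not code from this thread or from VMware's tooling: a small POSIX shell helper that covers the steps discussed in replies 1 to 3 above (assembling a leaf-first PEM chain, converting a .p7b bundle, deciding when dir-cli needs the --chain flag, recording the Machine SSL thumbprint so the "certificates are same before and after" failure can be spotted early, and applying the certificateManagerOps.py sed patch without appending '--chain' twice on a second run). The dir-cli path, the certificateManagerOps.py path and the chain order come from the posts; the function names, the sample files and the thumbprint helper are assumptions. The dir-cli and openssl calls only run where those binaries exist.

```shell
#!/bin/sh
# Added example (not from the thread or from VMware): helpers for the
# Machine SSL replacement steps discussed in replies 1 to 3. Paths are the
# ones quoted in the thread; function names and layout are assumptions.
set -eu

DIR_CLI=/usr/lib/vmware-vmafd/bin/dir-cli
CM_OPS=/usr/lib/vmware/site-packages/cis/certificateManagerOps.py

# Number of PEM certificates in a file (0 when the file is missing).
# dir-cli refuses a file holding more than one certificate unless --chain is given.
count_certs() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Assemble a leaf-first PEM chain: server cert first, then each issuing CA
# in order up to the root (the layout reply 3 describes).
build_chain() {
    out=$1; shift
    cat "$@" > "$out"
}

# Convert a Base64 PKCS#7 bundle (chain.p7b) to PEM, as reply 2 did.
p7b_to_pem() {
    openssl pkcs7 -print_certs -in "$1" -out "$2"
}

# SHA-1 thumbprint of a PEM certificate. Record it before replacement and
# compare afterwards; an unchanged value is the failure reply 2 hit.
thumbprint() {
    openssl x509 -noout -fingerprint -sha1 -in "$1" | cut -d= -f2
}

# Build the dir-cli publish command, adding --chain only when the file holds
# more than one certificate. Prints the command; runs it only if dir-cli exists.
publish_trusted() {
    file=$1
    n=$(count_certs "$file")
    if [ "$n" -eq 0 ]; then
        echo "no PEM certificates found in $file" >&2
        return 1
    fi
    set -- "$DIR_CLI" trustedcert publish --cert "$file"
    if [ "$n" -gt 1 ]; then
        set -- "$@" --chain
    fi
    echo "$*"
    if [ -x "$DIR_CLI" ]; then
        "$@"
    fi
}

# Reply 1's sed patch, applied at most once (re-running the original sed
# appends a second '--chain'). Like the original it assumes the line matching
# 'trustedcert' ends inside the argument list, so inspect the printed line
# afterwards, as the poster did with line 434.
patch_chain_flag() {
    f=${1:-$CM_OPS}
    if grep -q -e "'--chain'" "$f"; then
        echo "already patched: $f"
        return 0
    fi
    sed -i.bak "/trustedcert/ s/\$/'--chain',/" "$f"
    grep -n -e "'--chain'" "$f"
}
```

Typical use on the appliance: build_chain /root/ssl/chain.crt server.crt subordinate-ca.crt signing-ca.crt, then publish_trusted /root/ssl/chain.crt, and run thumbprint against the live Machine SSL certificate before and after certificate-manager to confirm it actually changed.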

              • 4. Re: VCSA 6.0: Replacing external-facing SSL certificates by CA signed certs
                Matt.B Enthusiast

                Thanks, with this info and carefully re-reading the KB, I was able to get the SSL certs properly installed with the correct cert chain.  However, my primary goal is getting past an error validating the certificate chain that is thrown by SRM 6.0 when accessing Sites under Site Recovery.  I'll start a new thread on that specific issue.

                • 5. Re: VCSA 6.0: Replacing external-facing SSL certificates by CA signed certs
                  sholland1980 Lurker

                  Question: when using the chain, for the 'Please provide the signing certificate of the Machine SSL certificate' file, did you use something like

                  cat subordinate-ca.crt signing-ca.crt > cachain.crt in addition to the concatenated server.pem?