Archive

Posts Tagged ‘certificates’

Generating vCenter Solution User Certificates With Custom Names

September 28th, 2018 No comments

Many enterprises require replacing all vCenter certificates with Enterprise CA trusted certificates.

vSphere 6.5 has made the certificate updating process so much easier than the complication of the vSphere 5.x days.

Basic vCenter now has a single Machine SSL certificate as well as four Solution user certificates: machine (different from machine SSL), vpxd, vpxd-extension, vsphere-webclient.

Although the Solution user certificates are only used for internal vCenter communication, many enterprise security standards require using enterprise CA issued certificates for everything.

BTW, when you migrate from a Windows vCenter 5.5 to VCSA 6.5 using the excellent migration tool, only the Machine SSL certificate is taken across; the Solution user certificates remain self-signed and may need to be manually updated.

Each Solution user certificate needs to have a unique name.

Also remember that the SubjectAltName must contain DNS Name=machine_FQDN.

I used the great guide from Ian Sanderson for updating the certs as a base https://www.snurf.co.uk/vmware/replace-ssl-certificates-on-vmware-psc-v6-5/

You can use the VMware supplied vSphere Certificate Manager in the VCSA (sidebar: you should really be using the VCSA rather than Windows by now!) to generate the Solution user certificates.

/usr/lib/vmware-vmca/bin/certificate-manager

When you select Option 5 and then Option 1 to generate the certificate private keys and certificate signing requests to send off to your Enterprise CA, the tool has a particular format for the signing requests.
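An added example, not from the post and not VMware's certificate-manager tool: a POSIX shell script that uses OpenSSL to produce one CSR per Solution user with a unique CN and a SubjectAltName carrying the machine FQDN, then checks both properties (including catching a duplicate name) before the requests go to the Enterprise CA. The FQDN, the DN fields and the output directory are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post or from VMware's certificate-manager
# tool): build one CSR per vCenter Solution user with a unique CN and a SAN that
# carries the machine FQDN, then verify both before the CSRs go to the Enterprise CA.
# Assumptions: openssl is on PATH; VC_FQDN, the DN fields and OUTDIR are placeholders.
set -e

VC_FQDN="${VC_FQDN:-vcsa01.lab.example}"      # placeholder vCenter FQDN
OUTDIR="${OUTDIR:-./solution-user-csrs}"     # where keys, CSRs and configs land
SOLUTION_USERS="machine vpxd vpxd-extension vsphere-webclient"

# Write an OpenSSL request config. The CN defaults to "<solution user>-<FQDN>", which
# keeps the four names unique and distinct from the Machine SSL cert (CN = FQDN).
write_req_config() {
  su="$1"; cfg="$2"; cn="$3"
  cat > "$cfg" <<EOF
[ req ]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[ dn ]
C = GB
O = Example Org
OU = vCenter Solution User ${su}
CN = ${cn}
[ v3_req ]
subjectAltName = DNS:${VC_FQDN}
EOF
}

# Create a 2048-bit RSA key and CSR for one Solution user; optional 2nd arg overrides the CN.
gen_csr() {
  su="$1"; cn="${2:-${1}-${VC_FQDN}}"
  mkdir -p "$OUTDIR"
  write_req_config "$su" "$OUTDIR/$su.cfg" "$cn"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$OUTDIR/$su.cfg" \
    -keyout "$OUTDIR/$su.key" -out "$OUTDIR/$su.csr" >/dev/null 2>&1
}

# Print the CN of a CSR (handles both "CN = x" and "/CN=x" subject formats).
csr_cn() {
  openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Succeed only if the CSR requests a SAN containing DNS:<FQDN>.
csr_has_fqdn_san() {
  openssl req -in "$1" -noout -text | grep -q "DNS:${VC_FQDN}"
}

gen_all() { for su in $SOLUTION_USERS; do gen_csr "$su"; done; }

# Fail if any CSR lacks the FQDN SAN or if two CSRs share a CN.
check_all() {
  for su in $SOLUTION_USERS; do
    csr_has_fqdn_san "$OUTDIR/$su.csr" || { echo "no DNS:$VC_FQDN SAN in $su.csr" >&2; return 1; }
  done
  dups=$(for su in $SOLUTION_USERS; do csr_cn "$OUTDIR/$su.csr"; done | sort | uniq -d)
  [ -z "$dups" ] || { echo "duplicate CN: $dups" >&2; return 1; }
}

gen_all && check_all && echo "CSRs for $SOLUTION_USERS written to $OUTDIR"
```

The resulting .csr files are what you hand to the Enterprise CA; the .key files stay on the appliance.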

Read more…

Categories: vCenter, VMware

What’s New in vSphere 6.0: Certificate Management

February 2nd, 2015 No comments

VMware has finally officially announced what is to be included in vSphere 6.0 after lifting the lid on parts of the update during VMworld 2014 keynotes and sessions. 

See my introductory post: What’s New in vSphere 6.0: Finally Announced (about time!) for details of all the components.

VMware is at last tackling the nightmare of managing vSphere certificates in a more holistic way. Things were relatively simple until VMware started splitting vSphere into multiple components, each requiring its own certificate with very particular settings. VMware had released the SSL Certificate Automation Tool, which at least attempted to make the installation of the certificates a little easier, but it took the perseverance and excellent scripting of Derek Seaman with his certificate series to make the actual process usable.
Customer feedback regarding certificate management has repeatedly highlighted the convoluted process, so VMware has finally come up with a solution they believe reduces the operational overhead of managing certificates.

VMware has included two components in the new Platform Services Controller:
The VMware Certificate Authority (VMCA). This is not just a certificate management tool but a full-blown Certificate Authority in itself. It can provision each ESXi host and each vCenter Server and its associated services with certificates that it signs.
The VMware Endpoint Certificate Service (VECS). This is a service that stores all certificates and private keys for vCenter Server and its associated services.

This means you will no longer have to manually update each separate vCenter component, you can just store all the certs in the VECS and get vCenter to use them.
ESXi host certificates will still be stored locally on each host but can be provisioned from the VMCA.
You don’t have to use the VMCA as a certificate authority or have it in your certificate chain; you can choose to use your Enterprise CA or roll your own, but you will need to use the VECS to store certs and keys for vCenter.

VMware is also simplifying the number of certificates it requires for vCenter internally. vCenter 5.5 needed separate certificates for at least the following:

[image: 6.0cert1]

With vSphere 6.0 there are more components, but these components are now grouped together into what is called Solution Users (SU). An SU holds the certificate for the group rather than each component having its own.

[image: 6.0cert2]

This is what it looks like in the PSC:

[image: 6.0cert3]

All the certificate management will be done from a CLI. If you upgrade vCenter or hosts from ESXi 5.x, they will keep their existing certificates.
There are also a number of deployment options:
VMCA Root CA
This is where the VMCA acts as your entire certificate authority and is therefore the simplest deployment. This is the default installation. You will need to trust the VMCA in your browsers to avoid pesky certificate warnings.
Subordinate VMCA
After installation you can make the VMCA a subordinate CA to your Enterprise CA. The VMCA will then mint your certificates which makes the process simpler and itself would be trusted by your enterprise CA.
External CA
After installation, all certificates are replaced with ones from your Enterprise CA. VMCA will still manage the certificates, but this lets you use your existing Enterprise PKI solution.
Hybrid (VMCA & External)
You can use a hybrid model where the VMCA is created during installation and your vCenter certificates are replaced. You can then choose which certificates to replace from your external CA and which to have the VMCA generate. You could, for example, have all externally facing certificates generated by your Enterprise CA and all the internal, hidden-from-view VMware vCenter service certificates generated by the VMCA.
At last VMware is making certificate management a little easier. To be honest, it should have been there when they decided you needed a million very particular certificates for vCenter, but I suppose with a rather large development organisation working on different components, common certificates weren’t high on the priority list. I’m glad they are now.

Categories: ESX, vCenter, VMware

vSphere 5 Certificates: 6 – Replacing the default vCenter 5 Inventory Service Certificate

February 28th, 2012 2 comments

This is part 6 of a 7 part post on managing vSphere 5 Certificates:

  1. Installing a Root Certificate Authority
  2. Distributing the root CA certificate to clients
  3. Creating the default vCenter 5 Server Certificate and including a DNS alias
  4. Replacing the default vCenter 5 Server Certificate
  5. Replacing the default vCenter 5 Web Client Server Certificate
  6. Replacing the default vCenter 5 Inventory Service Certificate
  7. Replacing the default vSphere Update Manager 5 Server Certificate

vCenter Server actually has three different components which need their certificates updated: vCenter Server, vCenter Web Client Server and vCenter 5 Inventory Service. Initially I had only written the vCenter Server certificate steps, but luckily Michael Webster (VCDX #66) keeps me on my toes and I’ve now added parts for the other two components.

You should have now created the default vCenter 5 server certificate files, replaced the default vCenter 5 Server certificate, replaced the vCenter 5 Web Client Server certificate and can now go ahead and replace the vCenter 5 Inventory Service Certificate with the same new certificate files you have created.

On the vCenter Server navigate to C:\Program Files\VMware\Infrastructure\Inventory Service\ssl.

Make a backup copy of the SSL folder.

Copy the rui.crt, rui.key and rui.pfx files from C:\OpenSSL-Win64\bin into the vCenter Inventory Service SSL folder.

Read more…

vSphere 5 Certificates: 5 – Replacing the default vCenter 5 Web Client Server Certificate

February 28th, 2012 12 comments

This is part 5 of a 7 part post on managing vSphere 5 Certificates:

  1. Installing a Root Certificate Authority
  2. Distributing the root CA certificate to clients
  3. Creating the default vCenter 5 Server Certificate and including a DNS alias
  4. Replacing the default vCenter 5 Server Certificate
  5. Replacing the default vCenter 5 Web Client Server Certificate
  6. Replacing the default vCenter 5 Inventory Service Certificate
  7. Replacing the default vSphere Update Manager 5 Server Certificate

vCenter Server actually has three different components which need their certificates updated: vCenter Server, vCenter Web Client Server and vCenter 5 Inventory Service. Initially I had only written the vCenter Server certificate steps, but luckily Michael Webster (VCDX #66) keeps me on my toes and I’ve now added parts for the other two components.

You should have now created the default vCenter 5 server certificate files, replaced the default vCenter 5 Server certificate and can now go ahead and replace the vCenter 5 Web Client Server Certificate with the same new certificate files you have created.

On the vCenter Server navigate to C:\Program Files\VMware\Infrastructure\vSphere Web Client\DMServer\config\.

Make a backup copy of the SSL folder.

Copy the rui.crt, rui.key and rui.pfx files from C:\OpenSSL-Win64\bin into the vCenter Web Client Server SSL folder.

Read more…

vSphere 5 Certificates: 4 – Replacing the default vCenter 5 Server Certificate

February 28th, 2012 4 comments

This is part 4 of a 7 part post on managing vSphere 5 Certificates:

  1. Installing a Root Certificate Authority
  2. Distributing the root CA certificate to clients
  3. Creating the default vCenter 5 Server Certificate and including a DNS alias
  4. Replacing the default vCenter 5 Server Certificate
  5. Replacing the default vCenter 5 Web Client Server Certificate
  6. Replacing the default vCenter 5 Inventory Service Certificate
  7. Replacing the default vSphere Update Manager 5 Server Certificate

vCenter Server actually has three different components which need their certificates updated: vCenter Server, vCenter Web Client Server and vCenter 5 Inventory Service. Initially I had only written the vCenter Server certificate steps, but luckily Michael Webster (VCDX #66) keeps me on my toes and I’ve now added parts for the other two components.

You should have now created the default vCenter 5 server certificate files and can now go ahead and replace the existing certificate for vCenter 5 Server with the new certificate files you have created.

On the vCenter Server navigate to C:\ProgramData\VMware\VMware VirtualCenter.

Make a backup copy of the SSL folder.

Copy the rui.crt, rui.key and rui.pfx files from C:\OpenSSL-Win64\bin into the vCenter SSL folder.

Read more…

vSphere 5 Certificates: 7 – Replacing the default Update Manager 5 Server Certificate

November 30th, 2011 3 comments

This is the final post of a 7 part post on managing vSphere 5 Certificates:

  1. Installing a Root Certificate Authority
  2. Distributing the root CA certificate to clients
  3. Creating the default vCenter 5 Server Certificate and including a DNS alias
  4. Replacing the default vCenter 5 Server Certificate
  5. Replacing the default vCenter 5 Web Client Server Certificate
  6. Replacing the default vCenter 5 Inventory Service Certificate
  7. Replacing the default Update Manager 5 Server Certificate

VMware Update Manager uses a different self-signed certificate to authenticate against vCenter Server which also needs to be replaced. You can use the same vCenter certificate if the Update Manager installation is on the same server as vCenter or create and trust a new certificate using the same procedure with the Update Manager server name if it is on another server.

On the Update Manager Server navigate to the Update Manager installation directory C:\Program Files (x86)\VMware\Infrastructure\Update Manager.

Make a backup copy of the SSL folder.

Copy the same rui.crt, rui.key and rui.pfx certificate files you created as part of the vCenter Server certificate process into the SSL folder if Update Manager is on the same server; otherwise use the other set you have created.

Read more…

vSphere 5 Certificates: 3 – Creating the default vCenter 5 Server Certificate and including a DNS alias

November 30th, 2011 16 comments

This is part 3 of a 7 part post on managing vSphere 5 Certificates:

  1. Installing a Root Certificate Authority
  2. Distributing the root CA certificate to clients
  3. Creating the default vCenter 5 Server Certificate and including a DNS alias
  4. Replacing the default vCenter 5 Server Certificate
  5. Replacing the default vCenter 5 Web Client Server Certificate
  6. Replacing the default vCenter 5 Inventory Service Certificate
  7. Replacing the default vSphere Update Manager 5 Server Certificate

You should now have a root CA certificate distributed to all clients so you can proceed with creating certificates for vCenter 5 which will be trusted by this root CA certificate. These steps will also allow you to create DNS aliases for your certificate if you need them so you can connect to your vCenter server using any of the aliases and still have a valid certificate.

In order to create certificates you will need an application to generate them; one of the easiest is OpenSSL.

Installing OpenSSL
If you install OpenSSL on a vCenter Server, as vCenter 5 only installs on 64-bit, you should download the 64-bit version of Win64OpenSSL_Light-1_0_1b and its prerequisite Visual C++ 2008 Redistributables (x64).

Install Visual C++ 2008 using all default settings.
Read more…

vSphere 5 Certificates: 2 – Distributing the Root CA certificate to clients

November 30th, 2011 No comments

This is part 2 of a 7 part post on managing vSphere 5 Certificates:

  1. Installing a Root Certificate Authority
  2. Distributing the root CA certificate to clients
  3. Creating the default vCenter 5 Server Certificate and including a DNS alias
  4. Replacing the default vCenter 5 Server Certificate
  5. Replacing the default vCenter 5 Web Client Server Certificate
  6. Replacing the default vCenter 5 Inventory Service Certificate
  7. Replacing the default vSphere Update Manager 5 Server Certificate

The posts will
Once you have installed the Root Certificate Authority (CA) you may need to distribute the root certificate to clients. The root CA certificate needs to be in the Trusted Root Certification Authorities certificate store on all clients who need to access vCenter for the certificate trust chain to work. If you are not using your own root CA and have used a commercial root CA this certificate is most likely already in your certificate store.

If the root CA is installed using Active Directory Certificate Services on a server that has access to the Active Directory directory service, the root authority’s certificate will automatically be placed in all users’ Trusted Root Certification Authorities certificate store. This means the distribution of the root CA is taken care of by AD and there’s nothing more you need to do.

As I have installed Active Directory Certificate Services on a domain controller with Domain Admin credentials, this distribution has taken place. You can check this by going to any server or workstation within the trusted domain forest and, after a reboot to ensure the certificate has had time to be copied down, checking the Trusted Root Certification Authorities list to see if there are certificates for your own CA. In my example you can see that there are two Self-Signed for lab.int certificates in the list, so the deployment has been successful.

Read more…

vSphere 5 Certificates: 1 – Installing a Root Certificate Authority

November 30th, 2011 No comments

Updated: 27 February 2012 to include vCenter 5 Web Client Server and vCenter 5 Inventory Service 

This is the first part of a 7 part post on vSphere 5 Certificates:

  1. Installing a Root Certificate Authority
  2. Distributing the root CA certificate to clients
  3. Creating the default vCenter 5 Server Certificate and including a DNS alias
  4. Replacing the default vCenter 5 Server Certificate
  5. Replacing the default vCenter 5 Web Client Server Certificate
  6. Replacing the default vCenter 5 Inventory Service Certificate
  7. Replacing the default vSphere Update Manager 5 Server Certificate

The posts will take you through building your own certificate trusting infrastructure and distributing the certificates, creating your own vCenter and Update Manager certificates which can also include DNS aliases and all the steps required to put it all together.

Managing certificates is one of the aspects of a virtualisation environment that is often overlooked or even avoided, as it is seen as a hassle and having secure certificates is often not a core requirement of your virtualisation infrastructure.
However, there are reasons why you may need to have certificates installed within your environment. Many financial companies, government departments or security sensitive installations require trusted certificates to be installed due to legal or regulatory requirements. Public cloud providers need to ensure they are exposing their cloud in a trusted and secure manner, and certificates are a part of that. Even if you only have an internal facing infrastructure, Citrix XenDesktop requires the vCenter certificate to be installed on the Desktop Delivery Controllers for https access to work.

Even if none of these apply to you, surely the pesky certificate warning that every vSphere Client user gets when launching the client is annoying enough to do something about it!

You can click on Install this certificate and do not display any security warnings, but this bypasses any certificate checking, and each client would need to do this individually.

Read more…