Beiträge mit Tag ‘vcenter’

Replace VMware VirtualCenter Certificate

Geschrieben von Tris am in vcenter

I messed around with the official Whitepaper of VMware to replace the VC Certificate with SSL, but this did not work for me. How i maked it working: 1. Download the openssl binaries on following site: http://gnuwin32.sourceforge.net/packages/openssl.htm 2. Extract the folder to c:openssl 3. Create a file: serial in the bin directory, open it and write 10000 into this file 4. Create a file: certindex.txt in the bin directory 5. Create a file openssl.cnf in the bin directory with following content: dir                    = . [ ca ] default_ca                = CA_default [ CA_default ] serial                    = serial database                = certindex.txt new_certs_dir                = certs certificate                = cacert.pem private_key                = cakey.pem default_days                = 3650 default_md                = md5 preserve                = no email_in_dn                = no nameopt                    = default_ca certopt                    = default_ca policy                    = policy_match [ policy_match ] countryName                = match stateOrProvinceName            = match organizationName            = match organizationalUnitName            = optional commonName                = supplied emailAddress                = optional [ req ] default_bits                = 1024            # Size of keys default_keyfile                = key.pem        # name of generated keys default_md                = md5                # message digest algorithm string_mask                = nombstr        # permitted characters distinguished_name            = req_distinguished_name req_extensions                = v3_req [ req_distinguished_name ] # Variable name                Prompt string #————————-      ———————————- 0.organizationName            = Organization Name (company) organizationalUnitName            = Organizational Unit Name (department, division) emailAddress                = Email Address emailAddress_max            = 40 localityName                = Locality Name (city, district) stateOrProvinceName            = State or Province Name (full name) countryName                = Country Name (2 letter code) countryName_min                = 2 countryName_max                = 2 commonName                = Common Name (hostname, IP, or your name) commonName_max                = 64 # Default values for the above, for consistency and less typing. # Variable name                Value #————————      —————————— 0.organizationName_default        = Example Company localityName_default            = Location stateOrProvinceName_default        = ZH countryName_default            = CH [ v3_ca ] basicConstraints            = CA:TRUE subjectKeyIdentifier            = hash authorityKeyIdentifier            = keyid:always,issuer:always [ v3_req ] basicConstraints            = CA:FALSE subjectKeyIdentifier            = hash 6. Open CMD and navigate to the openssl/bin directory 7. Use following command to create the CA Cert: openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650 -config openssl.cnf 8. Import the cacert.pem to your local Trusted Root CA (use MMC) 9. Create the certificate request for VC openssl req -new -nodes -out mycsr.csr -config openssl.cnf 10. Send this Request to an official CA or use your newly created CA to sign this request: openssl ca -out rui.crt -config openssl.cnf -infiles mycsr.csr 11. Rename key.pem to rui.key 12. Create a PFX openssl pkcs12 -export -in rui.crt -inkey rui.key -passout pass:YOURPASSWORD -out rui.pfx 13. Install the PFX to your local computer account certificates (use mmc) 14. Place the following files to your VC Cert directory: C:Documents and SettingsAll UsersApplication DataVMwareVMware VirtualCenterSSL - rui.crt - rui.key - rui.pfx 15. Restart VC Service and reconnect all your ESX Hosts. 16. Have Fun ;) You can also use your Windows CA to generate a VC Cert On your CA certificate request web form, choose advanced then on Advanced Certificate Request page select Webserver template and type in the name of the server (usually the DNS or FQDN) in Name text box.Certificate Add-in in MMC Select Mark keys as exportable check box and submit. You still need to install openssl to export the private key from the certificate . # Export the private key file from the pfx file openssl pkcs12 -in rui.pfx -nocerts -out key.pem # Convert .pem to .key openssl rsa -in key.pem -out rui.key