Prologue – Part 0
The ‘Self-Signed Story’ started two years ago, in August 2014. At that time we were using a vCenter certificate (rui.crt) with only a 512-bit RSA public key. It came from an old vSphere 4.0 installation from 2011. In 2014 we were running vCenter Server 5.5.0b. I upgraded the vCenter Server to 5.5 U1c, but 5.5 U1 also updated the bundled JRE. The new JRE, 1.7.0_45, no longer accepts certificates with keys weaker than 1024 bits (Java 7u40 and later disable such short RSA keys by default). Because we had a 512-bit certificate, the Web Client showed an empty inventory and a lot of additional errors.
The solution was to create a stronger self-signed certificate for the vCenter and replace the old one. I wrote about this issue in August 2014; check that post for the details. (It’s in Hungarian, but the error messages are in English 😀 )
I am planning three posts on this topic. The first is about creating the request and the certificate for the vCenter Server, in the second we will replace the certificates (plus troubleshooting…), and in the third we will check the other components.
So what is the problem?
The self-signed certificate for the vCenter was valid for two years, in my case exactly from 27 August 2014 to 27 August 2016. You have probably already figured out the situation: the certificate has expired. So I cannot even log in with the old .NET-based vSphere Client, and I get an empty inventory in the Web Client. Additionally, I got some error messages:
And the recent tasks view:
I also tried to connect to the vCenter with PowerCLI:
Here is the point: “… such as a value that indicates an expired certificate…” No doubt, it has to be replaced.
Creating a certificate request and obtaining the vCenter SSL certificate
If you do not have one already, you need a Root CA. For example, after installing the Active Directory Certificate Services role (installation steps) and the Certification Authority Web Enrollment role service (installation steps) on a Windows server, you can submit certificate requests through the web enrollment pages. But before that, you also need a dedicated certificate template for VMware. The easiest way is to duplicate the default Web Server template of the Microsoft CA and adjust its settings to meet the VMware certificate requirements (among other things, the issued certificate must carry both the Server Authentication and the Client Authentication application policies). There is a good post here on how to do that.
The next step is to download and install the vCenter Certificate Automation Tool 5.5 (VMware SSL Certificate Automation Tool). There is also a good KB about it: Deploying and using the SSL Certificate Automation Tool 5.5 (2057340).
Now we need to generate a certificate request for the vCenter Server. The procedure is documented in the KB Generating certificates for use with the VMware SSL Certificate Automation Tool (2044696). In brief:
- Start ssl-updater.bat and select option 2, then option 3.
- Answer all of the questions.
- At the end you will get the rui.csr and rui.key files.
Then we can obtain the certificate from the Microsoft CA using the request. The same KB is useful for this procedure too. Steps:
- Open the MSCA web enrollment page at http://MSCAservername/CertSrv/
- Click on the “Request a certificate” link.
- Click “advanced certificate request” and paste the content of the rui.csr file into the “Saved Request” box. Select the “Certificate Template”; in our case the modified Web Server template is named “VMware-SSL”.
- Press “Submit”, select “Base 64 encoded” and download the certificate.
- Save it as rui.crt. Open it to verify; it should be valid for the next two years.
- On the home page click on the “Download a CA Certificate,…” link. Save the certificate chain as cachain.p7b.
- Open it and export the root certificate. Select “Base-64 encoded X.509 (.CER)” and save it as Root64.cer.
- Install the root certificate into the Local Computer’s “Trusted Root Certification Authorities” store.
- Create the chain.pem file. Copy the content of the following files, in this order, into a new empty text file:
- rui.crt -> chain.pem
- Root64.cer -> chain.pem, like in the example below (from the KB). This assumes that no intermediate CA is used; if there were one, its certificate would go between the two, so the order is always server certificate, intermediate(s), root:
-----BEGIN CERTIFICATE-----
MIIFxTCCBK2gAwIBAgIKYaLJSgAAAAAAITANBgkqhkiG9w0BAQUFADBGMRMwEQYK
CZImiZPyLGQBGRYDbmV0MRYwFAYKCZImiZPyLGQBGRYGbW5uZXh0MRcwFQYDVQQD
Ew5tbm5leHQtQUQtMS1DQTAeFw0xMzAyMDExNjAxMDNaFw0xNTAyMDExNjExMDNa   <----- Certificate (rui.crt)
SMhYhbv3wr7XraAnsIaBYCeg+J7fKTFgjA8bTwC+dVTaOSXQuhnZfrOVxlfJ/Ydm
NS7WBBBFd9V4FPyRDPER/QMVl+xyoaMGw0QKnslmq/JvID4FPd0/QD62RAsTntXI
ATa+CS6MjloKFgRaGnKAAFPsrEeGjb2JgMOpIfbdx4KT3WkspsK3KPwFPoYza4ih
4eT2HwhcUs4wo7X/XQd+CZjttoLsSyCk5tCmOGU6xLaE1s08R6sz9mM=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDZzCCAk+gAwIBAgIQNO7aLfykR4pE94tcRe0vyDANBgkqhkiG9w0BAQUFADBG
K73RIKZaDkBOuUlRSIfgfovUFJrdwGtMWo3m4dpN7csQAjK/uixfJDVRG0nXk9pq
GXaS5/YCv5B4q4T+j5pa2f+a61ygjN1YQRoZf2CHLe7Zq89Xv90nhPM4foWdNNkr   <----- Root Certificate (Root64.cer)
/Esf1E6fnrItsXpIchQOmvQViis12YyUvwko2aidjVm9sML0ANiLJZSoQ9Zs/WGC
TLqwbQm6tNyFB8c=
-----END CERTIFICATE-----
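Before handing the files to the tool, it is worth checking them the way the JRE and the tool will. The script below is an added example and is not part of the original post or of VMware's tool: it uses OpenSSL to build a throw-away root CA (standing in for the Microsoft CA), a 2048-bit rui.key and rui.csr (standing in for ssl-updater.bat), a two-year rui.crt carrying the Server and Client Authentication EKUs the VMware template must provide, and a chain.pem in the order described above. It then runs the checks you would run on the real files: key length (the 1024-bit rule that started this story, illustrated with a constructed 512-bit weak.key), key/certificate match, expiry, EKUs, chain validation against Root64.cer and chain.pem ordering. The CA name, the subject names and the working directory are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the original post or from VMware's tool.
# Everything here is built with plain openssl commands so it runs offline;
# the Microsoft CA, the "VMware-SSL" template and ssl-updater.bat are
# stood in for, and all names (Demo-Root-CA, vcenter.example.local) are
# constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Stand-in for the Microsoft root CA: self-signed, 2048-bit, ten years.
make_demo_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Demo-Root-CA" -keyout "$WORK/ca.key" -out "$WORK/Root64.cer"
}

# Stand-in for "ssl-updater.bat, option 2 then 3": a 2048-bit rui.key and rui.csr.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=HU/O=Example/OU=vCenter/CN=vcenter.example.local" \
    -keyout "$WORK/rui.key" -out "$WORK/rui.csr"
}

# The kind of key the story began with: 512-bit RSA, which the JRE rejects.
make_weak_key() {
  openssl genrsa -out "$WORK/weak.key" 512
}

# Stand-in for web enrollment with the modified Web Server template:
# sign the CSR for two years with both Server and Client Authentication EKUs.
issue_cert() {
  printf '%s\n' 'basicConstraints=CA:FALSE' \
    'keyUsage=digitalSignature,keyEncipherment,dataEncipherment' \
    'extendedKeyUsage=serverAuth,clientAuth' > "$WORK/ext.cnf"
  openssl x509 -req -sha256 -days 730 -in "$WORK/rui.csr" \
    -CA "$WORK/Root64.cer" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/ext.cnf" -out "$WORK/rui.crt"
}

# chain.pem = rui.crt, then Root64.cer (an intermediate would sit between them).
build_chain() {
  cat "$WORK/rui.crt" "$WORK/Root64.cer" > "$WORK/chain.pem"
}

# ---- checks worth running on the real files; each returns non-zero on failure ----

# Key length: Java 7u40+ rejects RSA keys under 1024 bits; 2048 is the sane minimum.
check_key_size() {   # $1 key file, $2 minimum bits
  bits=$(openssl rsa -in "$1" -noout -text 2>/dev/null \
         | sed -n 's/^.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1)
  [ "${bits:-0}" -ge "$2" ]
}

# The certificate the CA returned must belong to the key the tool generated.
check_key_matches_cert() {   # $1 key file, $2 certificate file
  [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Validity: -checkend N fails if the certificate expires within N seconds
# (N=0 means "already expired", the situation this post starts from).
check_not_expired() {   # $1 certificate file, $2 seconds of headroom
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# The VMware template requirement: Server *and* Client Authentication EKUs.
check_eku() {   # $1 certificate file
  txt=$(openssl x509 -in "$1" -noout -text)
  case "$txt" in
    *"TLS Web Server Authentication"*"TLS Web Client Authentication"*) return 0 ;;
    *"TLS Web Client Authentication"*"TLS Web Server Authentication"*) return 0 ;;
  esac
  return 1
}

# The leaf must chain to the root you are about to import as Root64.cer.
check_chain_verifies() {   # $1 root certificate, $2 leaf certificate
  openssl verify -CAfile "$1" "$2" >/dev/null
}

# chain.pem must start with the server certificate and hold exactly leaf + root here.
check_chain_order() {   # $1 chain.pem, $2 leaf certificate
  [ "$(openssl x509 -in "$1" -noout -subject)" = "$(openssl x509 -in "$2" -noout -subject)" ] &&
  [ "$(grep -c 'BEGIN CERTIFICATE' "$1")" -eq 2 ]
}

run_demo() {
  make_demo_ca
  make_csr
  issue_cert
  build_chain
  make_weak_key || echo "note: this OpenSSL build refuses 512-bit keys; skipping the weak-key demo"
  for c in "check_key_size $WORK/rui.key 1024" \
           "check_key_matches_cert $WORK/rui.key $WORK/rui.crt" \
           "check_not_expired $WORK/rui.crt 0" \
           "check_eku $WORK/rui.crt" \
           "check_chain_verifies $WORK/Root64.cer $WORK/rui.crt" \
           "check_chain_order $WORK/chain.pem $WORK/rui.crt"; do
    if $c; then echo "PASS: $c"; else echo "FAIL: $c"; fi
  done
  if [ -f "$WORK/weak.key" ]; then
    if check_key_size "$WORK/weak.key" 1024; then echo "UNEXPECTED: weak.key passed"
    else echo "FAIL (expected): weak.key is only 512 bits, the JRE would reject it"; fi
  fi
}

run_demo
```

On the real files you can drop the make_* functions and point the check_* functions at your own rui.key, rui.crt, Root64.cer and chain.pem. A `check_not_expired rui.crt 2592000` in a scheduled job warns a month before expiry, which is exactly the check that would have avoided the surprise this post starts with.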
So now we have all of the needed files: chain.pem and rui.key. In the next part we will replace the expired vCenter certificates!