The Trouble with CA SSL Certificates and vCenter 5

This article is a follow up to the one I posted previously regarding The Trouble with CA SSL Certificates and ESXi 5. This article will focus on successfully changing the default VMware SSL certificates on vCenter 5 and vCenter Update Manager hosts with CA signed certificates using a Microsoft CA (it will also work with public and OpenSSL CAs, but I have not tested it yet). One of the things that makes it hard for people to get this right is that like with ESXi 5 there is no one document or source of truth that explains in sufficient detail what the requirements and supported configurations are or how to implement CA signed SSL certificates in vCenter Server.  I’m hoping that the information in this article will help and encourage more people to change out the default certs (to improve security), and make the process far more reliable and easier to achieve with vCenter 5. Although not covered here, vCenter Heartbeat is becoming more critical as a component in VMware Infrastructures to provide high availability to vCenter. There is currently no supported way to change the SSL certificates that vCenter Heartbeat uses. There is an unsupported method that I will test and if successful will post once I’ve configured vCenter Heartbeat in my environment.

VMware vCenter CA SSL Certificate Resources

As with my previous article I had to run through a bunch of different resources, some of them the same, some of them different. There are some differences in the way you need to generate certificates between vCenter (and VUM) and the ESXi hosts. The below resources are in no particular order or importance. The all contained important information, which I have distilled into a successful process for this article.

If you want a way to fully manage the certificate lifecycle and replace certs automatically then you’ll want to check out vCert Manager – Changing VMware SSL Certs Made Easy. This will completely automate the SSL certificate process in vSphere environments. 

vi_vcenter_certificates.pdf

vSphere 5 Security Guide

Replacing vCenter Server 4.1 Certificates

Generating Domain Root CA signed certificates for vCenter Server

VMware KB 1023011 – Replacing SSL certificates for VMware vCenter Update Manager by using the Update Manager Utility

VMware KB 2007824 – After upgrading to vCenter Server 5.0, the vCenter Service Stats and Hardware Status tab cannot be accessed

VMware KB 2009857 – Certificate warning is reported even after replacing vCenter Server 5.0 default SSL certificates with custom SSL certificates

Creating a Certificate with Multiple Hostnames

vSphere 5 Certificates – Replacing the Default vCenter 5 Server Certificate

vSphere 5 Certificates – Replacing the Default Update Manager Server Certificate

Import an OpenSSL CSR into a Windows CA

Replace SSL Certificates: Replace vCenter SSL Certificates

Replacing vCenter 4.1 SSL Certificate with Active Directory Issued One

Replacing vCenter SSL Certificate with Certificate Issued by Microsoft Certificate Authority

Special thanks to the author of WoodITWork.com, Julian Wood for the excellent articles that he posted that were a great help in putting this together.

Now for the Trouble

With a bit of trial and error you could easily enough replace the vCenter Server certificate with a CA signed certificate with a similar process that I showed you for ESXi. However this won’t do you any good as all of your web services will fail. There is a high likelihood that even if you followed the information in VMware KB 2007824 for vCenter 5 that you would be in no better position. The reason for this is that you would likely not have the correct options in either your CA certificate template, or in your OpenSSL configuration file. There are some slight changes in both of these places that will most likely trip you up. It’s not until you read vSphere 5 Certificates – Replacing the Default vCenter 5 Server Certificate and vSphere 5 Certificates – Replacing the Default Update Manager Server Certificate and then VMware KB 1023011 that you might pick up on the necessary fields that you need to concern yourself with. If you don’t take good care you will find yourself without functioning web services, which is were a lot of the vCenter goodies are. Updating Update Manager is actually on the whole a lot easier than vCenter, provided you have the correct options in your CA Template and also your OpenSSL configuration file. As in my previous article I have invested considerable effort to bring you a solution, that I hope will save you a lot of time and frustration. Also note that just updating the SSL Certificate in the vCenter SSL folder is not good enough. You will also need to replace the SSL Certificate files in the Inventory Service SSL directory and also the SSL directory of any other installed components, such as vSphere Web Client.

Now for the Fix

To ensure that the certificates in vCenter Server actually work and function correctly with the Web Services you actually need to add some additional fields into your CA template and your Certificate Signing Request via the OpenSSL configuration file. The information you need is actually contained in VMware KB 1023011. But honestly this isn’t the first place you’re going to look when trying to change out vCenter Server Certificates as it relates to Update Manager. Why this critical information is not present in the security guide I’m not sure. To save you having to read it all the key bits of configuration for OpenSSL are as follows:

Section [ req ]

encrypt_key = no

Section [ x509 ] in the KB and [ v3_req ] in my example configuration

keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth

I found that the default VMware generated certificate had an additional keyUsage parameter, so in my example I have added nonRepudiation and  dataEncipherment, so my config line is as follows:

keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment

You must also include a Subject Alternative Name, which should be the FQDN of the vCenter Server. You can optionally include multiple DNS names in the Subject Alternative Name section, as I have done in my example, to include also the short name of the server. This will ensure that no certificate warning box will be presented if a truly valid server name is used to access it. If you have ever configured certificates for SRM you will know that it uses Subject Alternative Name and Common Name (CN) differently. In the SRM case The Common Name is normally set to “SRM” and must be the same on both sides. The Subject Alternative Name is then set to the FQDN of the SRM Server. This is quite a different use compared to vCenter.

Because we are specifying a Subject Alternative Name for the vCenter Server you must ensure that your CA certificate template includes this option. This options may not be available in all Microsoft CA versions (I have tested 2003 and 2008 successfully).

Although the KB is a good source of information it is still quite easy to get confused by the way it is written. It also doesn’t have all the details, but it’s good that it has more details than many of the other sources of information. For example if you tried issuing the command that includes the -x509 statement you would not have good results if you are sending the request to a CA, as it needs to be base64 encoded.

There is one piece of very important information in the KB that is quite easy to gloss over and it is this:

openssl pkcs12 -in ./mycert.p12 –info #To see the information in pfx file

In my example I actually just ran the command directly against rui.pfx instead of having an additional step. But this step is critical to test the pfx file and ensure it’s integrity and that it can be deciphered using the correct password. If this part of the process fails you know your pfx file is no good and you should not proceed to replace the certificates on the vCenter or Update Manager Servers.

The key pieces of information you need from KB 2007824 are steps 10 through 12, which I have included in my step by step process below.

Step by Step vCenter Server SSL Certificate Replacement using Windows and a Microsoft CA

You will notice that I have repeated some of the steps below from my previous article on ESXi SSL Certificate replacement. This is intentional so that you have all the necessary steps in one place and don’t have to switch back and forth between multiple articles (like I had to do).

You could execute a similar process to the one I’m about to describe using an OpenSSL or Public CA and using the Unix/Linux version of OpenSSL, however this is how I did it successfully in my lab and with my customer. As mentioned in the vSphere 5 Security Guide VMware uses X.509 v3 SSL certificates (base-64 encoded) for encrypting traffic between various components. If you CA has been set to support only SHA512 hash that is fine, it will work, although the VMware documentation doesn’t mention it. The three key files for an vCenter Server are rui.crt, rui.key and rui.pfx.

In order to generate the certificates you’ll need to get a copy of OpenSSL x86 v0.98r or higher, and have access to a Microsoft CA (2003 or higher). The certificates will use a clone of a standard web server request template with Subject Alternative Name added, for my lab I modified the default Web Server Certificate Template to accept up to 15 years for certificates. On the system where you will generate the certificate signing request rui.csr) you will need to ensure you have Microsoft Visual C++ 2008 Redistributable Package (x86) before installing OpenSSL. For the purposes of this process you will use the Microsoft CA Web Pages to submit the certificate request and download the resulting base-64 encoded certificate. You can use the certreq command if you wish also (not covered here). Before applying the certificates to your environment you should ensure that your clients and vCenter server trust your CA, if it’s an AD integrated CA this should be automated, else you may have to pre-trust the Root or Intermediary CA  by loading the CA public cert into your clients and vCenter server (not covered in this process).

Don’t forget to test access to all the management tools you use in your environment once the vCenter Certificate is updated. You will likely need to update their connections to vCenter as they will still hold the old SSL thumbprint.

Prerequsites:

Microsoft CA (2003 or above, with Web Server Template with Subject Alternative Name included and configured to your liking)
The CA Template must have the “Allow Key Exchange Only With Key Encryption” option selected in its key usage policy
Microsoft Visual C++ 2008 Redistributable Package (x86) on the system where you will generate the certificate signing request (CSR)
OpenSSL 0.98r or above on the system you will use to generate the CSR
vCenter 5.0

Things to watch out for:

Do not change the password in the OpenSSL configuration from ‘testpassword’, it must remain testpassword.
As stated above you must download the certificate in PEM (Privacy Enhanced Mail) base-64 encoded format.

Process Step by Step:

1. Before you start this process you should log into vCenter Server and check that all the services linked with Web Services are working, such as Hardware Status Tab, vCenter Service Status, and also Profile Driven Storage. These are the areas that are very likely to get broken if the process is not followed correctly.
2. After having installed Microsoft Visual C++ 2008 Redistributable Package (x86) and Open SSL 0.98r or later on a management system (vCenter or other system, not the CA) open a command prompt (As Administrator if on Windows 2008) and change to the OpenSSL\bin folder. Use the same command prompt opened As Administrator for all the OpenSSL actions in this list.
3. Edit the openssl.cfg file and ensure it looks similar to the one included at the bottom of this article but with your organization specific information, save the configuration.
4. Execute the following command – openssl req -new -nodes -out rui.csr -keyout rui.key -config openssl.cfg. Note: there will be no prompts as all the information is contained within the configuration file. This is a bit different than when generating the CSR for the ESXi hosts, but that is because there are more of them, and you may not want to have to generate entire config files for each host. For ESXi hosts it is much easier to just hit enter a few times and then specify a common name (fqdn) and then more on. However for vCenter and Update Manager it is better to have everything in the config file, especially as you will likely be specifying multiple Subject Alternative Names (SAN’s – not to be confused with storage area networks).
5. Copy or submit rui.csr to your CA, submit an advanced certificate reqeust, using the Web Server template that you modified, and download the base-64 encoded certificate to the system with OpenSSL that was used to generate the CSR (Screenshots of this available here: How to use CA certificate to replace VMware certificate on ESX(i) 4 and vCenter or here: vSphere 5 Certificates – Replacing the Default vCenter 5 Server Certificate.)
6. Execute the following command – openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui -passout pass:testpassword -out rui.pfx. This will create a rui.pfx file which we will now verify. Note: I have had trouble specifying the -name rui with double quotes so I have removed them. When you verify the pfx file ensure the friendly name just says rui without any other characters. Note: Do not change the password from “testpassword”.
7. Execute the following command – openssl pkcs12 -in rui.pfx -info. When prompted enter the password testpassword. You should see an base64 encoded string or characters displayed on the screen and information about the file. Note you will be asked to enter the password twice when it is displaying the private key. Ensure the certificate is visible and that the friendly name is rui without any other special characters.
8. Create a folder on the system used to generate the CSR to back up the existing VMware default certificates that are on the vCenter Server, a separate directory will be needed for vCenter Server, Inventory Service, and any other services (such as vSphere Web Client) running on the vCenter Server.
9. Copy the existing rui.crt, rui.key and rui.pfx files from the vCenter and Inventory Service SSL folders to the backup folders you just created. You should also back these files, and the new certificate files up to a safe location. The location by default for vCenter this is C:\ProgramData\VMware\VMware VirtualCenter\SSL and for the Inventory Service SSL certificate is C:\Program Files\VMware\Infrastructure\Inventory Service\ssl.
10. Copy the new rui.crt, rui.key, and rui.pfx files that were generated to the target host in the vCenter Server and Inventory Service SSL locations.
11. You will use the vCenter Server Managed Object Browser to load the new SSL Certificates into memory. Ensure that you have not yet disabled the MoB as part of your hardening before you have successfully changed the certificates. To access the MoB browse to the following location from the vCenter Server – https://localhost/mob/?moid=vpxd-securitymanager&vmodl=1, when prompted enter a vCenter Administrator username and password.
12. The Managed Object Type for the vpx.SecurityManager will load, Click on reloadSslCertificate
13. Click on Invoke Method
14. The new SSL certificates will be loaded into memory and you will see the following if successful – Method Invocation Result: void.
15. If you do not already have an RDP or Console session open on your vCenter Server please open one now. Log in as an administrator and open a command prompt As Administrator.
16. Change directory to C:\Program Files\VMware\Infrastructure\VirtualCenter Server\
17. Execute the following command and when prompted enter the database password – vpxd -p. This will update the encrypted form of the db password after the new certificate, which will allow all the web services to access it. NOTE: You should enter the existing database password, not a new password at this point.
18. Stop and then restart the VMware VirtualCenter Server, which will in turn restart vCenter Management Web Services, Inventory, and Profile Driven Storage Services. You may have to reconnect all your hosts if you are doing vCenter SSL certs before the host certs. In my environment I did the hosts first and did not have to reconnect them when changing the vCenter SSL certs as a result.
19. After the initial restart you may notice that after 5 minutes or so the Profile Driven Storage Service has stopped (I did). At that point you should restart it again and it should remain running.
20. Log into vCenter Server and verify that all Host Status Tab’s are working, the vCenter Service Status is functioning and all services are running correctly, and that Profile Driven Storage configuration is accessible and working.

Now that you’ve updated the vCenter Server and also the Inventory Service Certificates you may need to also update your vSphere Web Client Certificate if it is also on your vCenter Server. The location for the vSphere Web Client SSL Certificate is C:\Program Files\VMware\Infrastructure\vSphere Web Client\DMServer\config\ssl by default. Once you have updated the vSphere Web Client SSL Certificate and restarted the services you will then need to browse to the vSphere Web Client Admin App and re-register vCenter Server to ensure that it is registered with the correct thumbprint. Browse to https://localhost:9443/admin-app.

Up to step 10 the process is almost exactly the same for Update Manager. For Update Manager however you need to copy the new certificate files into <Update Manager Installation Directory>\SSL, after taking a backup of course. The default locations are as follows:

• The default path in 64-bit Windows is C:\Program Files (x86)\VMware\Infrastructure\Update Manager\SSL
• The default path in 32-bit Windows is C:\Program Files\VMware\Infrastructure\Update Manager\SSL

Once the new certificate files are copied into the correct location you need to do the following on the Update Manager Server:

1. If you do not already have an RDP or console session open on the Update Manager Server do that now and log in as an administrator.
2. Stop the Update Manager Services
3. Change directory to the Update Manager Installation Directory, by default as per above minus the SSL part.
4. Double click on VMwareUpdateManagerUtility.exe to execute the file.
5. Log in by using the administrator credentials and the IP address or host name of vCenter Server system.
6. In the Options pane of the Update Manager Utility, click SSL Certificate.
7. In the Configurations pane, select Followed and verified the steps and click Apply.
8. Once the operation completes start the VMware vCenter Update Manager service.

Please let me know if you have any trouble with the above process, and also if it works for you, your comments and feedback are appreciated.

Example OpenSSL Configuration file (openssl.cfg) without most of the normal comments and white space that is included:

# vCenter OpenSSL example configuration file start.
HOME            = .
RANDFILE        = $ENV::HOME/.rnd
oid_section        = new_oids

[ new_oids ]

[ ca ]
default_ca        = CA_default        # The default ca section

[ CA_default ]

dir                = ./demoCA        # Where everything is kept
certs                = $dir/certs        # Where the issued certs are kept
crl_dir            = $dir/crl        # Where the issued crl are kept
database            = $dir/index.txt    # database index file.
new_certs_dir        = $dir/newcerts        # default place for new certs.
certificate            = $dir/cacert.pem     # The CA certificate
serial            = $dir/serial         # The current serial number
crlnumber            = $dir/crlnumber    # the current crl number  must be commented out to leave a V1 CRL
crl                = $dir/crl.pem         # The current CRL
private_key        = $dir/private/cakey.pem# The private key
RANDFILE        = $dir/private/.rand    # private random number file
x509_extensions    = usr_cert        # The extentions to add to the cert
name_opt         = ca_default        # Subject Name options
cert_opt             = ca_default        # Certificate field options
default_days        = 5475            # how long to certify for
default_crl_days    = 30            # how long before next CRL
default_md        = sha512        # which md to use.
preserve            = no            # keep passed DN ordering
policy            = policy_match

[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName        = match
organizationalUnitName    = optional
commonName            = supplied
emailAddress            = optional

[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName            = optional
organizationName        = optional
organizationalUnitName    = optional
commonName            = supplied
emailAddress            = optional

[ req ]
default_bits            = 2048
default_keyfile             = privkey.pem
distinguished_name        = req_distinguished_name
attributes                = req_attributes
x509_extensions        = v3_ca    # The extentions to add to the self signed cert
input_password         = testpassword
output_password         = testpassword
encrypt_key             = no
prompt                = no
string_mask             = nombstr
req_extensions         = v3_req     # The extensions to add to a certificate request

[ req_distinguished_name ] # change these settings for your environment
countryName                = NZ
stateOrProvinceName        = Auckland
localityName                = Auckland
0.organizationName            = IT Solutions 2000 Ltd
organizationalUnitName        = IT
commonName                = vc.homedns.org
emailAddress                = admin@yourdomain.com

[ req_attributes ]

[ usr_cert ]

basicConstraints        =CA:FALSE
nsComment            = “OpenSSL Generated Certificate”
subjectKeyIdentifier        =hash
authorityKeyIdentifier    =keyid,issuer

[ v3_req ]
basicConstraints         = CA:FALSE
keyUsage                 = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage         = serverAuth, clientAuth
subjectAltName         = DNS:vc.homedns.org, DNS:vc41.homedns.org, DNS:vc41 #examples only

[ v3_ca ]
subjectKeyIdentifier        =hash
authorityKeyIdentifier    =keyid:always,issuer:always
basicConstraints         = CA:true

[ crl_ext ]
authorityKeyIdentifier    =keyid:always,issuer:always

[ proxy_cert_ext ]
basicConstraints        =CA:FALSE
nsComment            = “OpenSSL Generated Certificate”
subjectKeyIdentifier        =hash
authorityKeyIdentifier    =keyid,issuer:always
proxyCertInfo            =critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

# vCenter OpenSSL example configuration file end.

# vCenter Update Manager OpenSSL example configuration file Start.

HOME            = .
RANDFILE        = $ENV::HOME/.rnd
oid_section        = new_oids

[ new_oids ]

[ ca ]
default_ca        = CA_default        # The default ca section

[ CA_default ]

dir                = ./demoCA        # Where everything is kept
certs                = $dir/certs        # Where the issued certs are kept
crl_dir            = $dir/crl        # Where the issued crl are kept
database            = $dir/index.txt    # database index file.
new_certs_dir        = $dir/newcerts        # default place for new certs.
certificate            = $dir/cacert.pem     # The CA certificate
serial            = $dir/serial         # The current serial number
crlnumber            = $dir/crlnumber    # the current crl number must be commented out to leave a V1 CRL
crl                = $dir/crl.pem         # The current CRL
private_key        = $dir/private/cakey.pem# The private key
RANDFILE        = $dir/private/.rand    # private random number file
x509_extensions    = usr_cert        # The extentions to add to the cert
name_opt         = ca_default        # Subject Name options
cert_opt             = ca_default        # Certificate field options
default_days        = 5475            # how long to certify for
default_crl_days    = 30            # how long before next CRL
default_md        = sha512        # which md to use.
preserve            = no            # keep passed DN ordering
policy            = policy_match

[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName        = match
organizationalUnitName    = optional
commonName            = supplied
emailAddress            = optional

[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName            = optional
organizationName        = optional
organizationalUnitName    = optional
commonName            = supplied
emailAddress            = optional

[ req ]
default_bits        = 2048
default_keyfile         = privkey.pem
distinguished_name    = req_distinguished_name
attributes            = req_attributes
x509_extensions    = v3_ca    # The extentions to add to the self signed cert
input_password     = testpassword
output_password     = testpassword
encrypt_key         = no
prompt             = no
string_mask         = nombstr

req_extensions = v3_req     # The extensions to add to a certificate request

[ req_distinguished_name ] # change these settings for your environment
countryName            = NZ
stateOrProvinceName    = Auckland
localityName            = Auckland
0.organizationName        = IT Solutions 2000 Ltd
organizationalUnitName    = IT
commonName            = updmgr.homedns.org
emailAddress            = admin@corp.it-solutions.homedns.org

[ req_attributes ]

[ usr_cert ]
basicConstraints        =CA:FALSE
nsComment            = “OpenSSL Generated Certificate”
subjectKeyIdentifier        =hash
authorityKeyIdentifier    =keyid,issuer

[ v3_req ]
basicConstraints         = CA:FALSE
keyUsage             = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage         = serverAuth, clientAuth
subjectAltName        = DNS:updmgr.homedns.org, DNS:updmgr # examples only

[ v3_ca ]
subjectKeyIdentifier        =hash
authorityKeyIdentifier    =keyid:always,issuer:always
basicConstraints         = CA:true

[ crl_ext ]
authorityKeyIdentifier    =keyid:always,issuer:always

[ proxy_cert_ext ]
basicConstraints        =CA:FALSE
nsComment            = “OpenSSL Generated Certificate”
subjectKeyIdentifier        =hash
authorityKeyIdentifier    =keyid,issuer:always
proxyCertInfo            =critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

# vCenter Update Manager OpenSSL example configuration file End.

—

This post first appeared on the Long White Virtual Clouds blog at longwhiteclouds.com, by Michael Webster +. Copyright © 2012 – IT Solutions 2000 Ltd and Michael Webster +. All rights reserved. Not to be reproduced for commercial purposes without written permission.