CONFIGURE SELF SIGNED CERTIFICATES IN ESXi HOST

vQuicky – For the impatient like me 🙂

> VMware management communications (vSphere Client, vCenter to host, host web UI) are encrypted over SSL

> Out of the box each host uses a self-generated, self-signed SSL certificate to protect those sessions.

> VMware uses standard X.509 version 3 certificates stored in PEM format, with an RSA key of 512 to 4096 bits; 2048 bits is the recommended length and should be treated as the minimum.

> Download Win32 OpenSSL from slproweb and install it on a Windows box to create the certificate signing request.

> Preconfigure openssl.cfg (below) and create rui.csr and rui.key from it:

openssl req -new -nodes -out rui.csr -keyout rui.key -config openssl.cfg

> Either ship the certificate signing request to a third-party CA or self-sign rui.crt with OpenSSL. Pass -extfile/-extensions, otherwise the subjectAltName from the CSR is not carried into the certificate:

openssl x509 -req -sha256 -days 365 -in rui.csr -signkey rui.key -extfile openssl.cfg -extensions v3_req -out rui.crt

> Once done, back up the originals and copy rui.crt and rui.key to /etc/vmware/ssl on the host, then restart the management agents.

> If the host's HTTPS interface stops responding afterwards, the usual cause is a passphrase-protected rui.key (or a certificate that does not match the key). The quick way to get vSphere Client connectivity back is to regenerate the VMware self-signed certificates and restart the services:

/sbin/generate-certificates

inDepth

I rebuilt my lab; however, I am tired of seeing the above. So let's learn how to add SSL certificates to our hosts and make them more secure. We all know that vSphere protects session information using digital certificates. In my case, for my lab, the default certificates are fine, but if you work for a large organization then properly signed SSL certificates may be a requirement. ESXi generates its own certificates at install time, and they are not signed by a CA: a client has no way to tell the real host's certificate from one an attacker puts in its place, so anyone who has learned to click through the browser warning is exposed to man-in-the-middle attacks. Keep in mind that swapping the default certificate for another self-signed one, which is what this post does, only closes that gap if the new certificate (or its fingerprint) is distributed to and trusted by your clients; a certificate signed by a CA your clients already trust is what actually removes the warning.

VMware uses standard X.509 version 3 (X.509v3) certificates to authenticate the endpoints of its SSL sessions. The certificate itself does not encrypt anything; it lets the client verify the host's public key before the session keys are negotiated. This also applies to communication between vCenter and the ESXi host. When you replace the default certificates, the new ones must be in Privacy Enhanced Mail (PEM) format: the DER (Distinguished Encoding Rules) encoding of the certificate, Base64-encoded between BEGIN CERTIFICATE and END CERTIFICATE lines. The key must be a standard RSA key with a length between 512 and 4096 bits. The whitepaper recommends 2048 bits, and anything shorter than that should not be used today.

How to do it?

Before we dig deeper, remember that if an ESXi 5.0 host is part of an HA cluster, changing the SSL certificate will break HA. To avoid this, make sure you are running vCenter 5.0 Update 1 or later. Now that Update 1 is out, you might as well upgrade to it before doing anything.

You need OpenSSL to create the CSR and the self-signed certificate. I am using Windows and downloaded the Win32 OpenSSL build from slproweb. Once downloaded, simply install it.

Now we can either do it interactively, answering all the prompts and then stripping the passphrase from the encrypted key, or edit the openssl.cfg file found in the OpenSSL bin directory (location below) so that nothing is prompted for.

In the file, replace the values in the [ req_distinguished_name ] section and on the subjectAltName line with your own (the KB article shows these parts in bold). I picked this up from the KB article.

# vSphere OpenSSL example configuration file start.
HOME = .
RANDFILE = $ENV::HOME/.rnd
oid_section = new_oids

[ new_oids ]

[ ca ]
default_ca = CA_default # The default ca section

[ CA_default ]

dir = ./demoCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
default_days = 5475 # how long to certify for
default_crl_days = 30 # how long before next CRL
default_md = sha512 # which md to use.
preserve = no # keep passed DN ordering
policy = policy_match

[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
input_password = testpassword # unused: encrypt_key = no (and -nodes on the command line) leaves the key unencrypted
output_password = testpassword # an ESXi host cannot supply a passphrase at service start, so keep it that way
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req # The extensions to add to a certificate request

[ req_distinguished_name ] # change these settings for your environment
countryName = US
stateOrProvinceName = New York
localityName = New York
0.organizationName = Customer Name
organizationalUnitName = IT
commonName = vc.domain.com # use the FQDN that clients connect to
emailAddress = [email protected]

[ req_attributes ]

[ usr_cert ]

basicConstraints =CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier =hash
authorityKeyIdentifier =keyid,issuer

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vc.domain.com, DNS:vc41.domain.com, DNS:vc41 # examples only; list every name clients use to reach the host

[ v3_ca ]
subjectKeyIdentifier =hash
authorityKeyIdentifier =keyid:always,issuer:always
basicConstraints = CA:true

[ crl_ext ]
authorityKeyIdentifier =keyid:always,issuer:always

[ proxy_cert_ext ]
basicConstraints =CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier =hash
authorityKeyIdentifier =keyid,issuer:always
proxyCertInfo =critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

# vSphere OpenSSL example configuration file end.

Once saved, open up the Openssl directory which is typically located at C:\OpenSSL-Win32\bin

We now want to get the certificate signing request and the key created from the config file above. The command is

>openssl req -new -nodes -out rui.csr -keyout rui.key -config openssl.cfg

I initially did not pre-configure the openssl.cfg. You can do it that way as well, but remember to strip the passphrase from the key: the services on the host start unattended, so an encrypted rui.key simply fails to load and HTTPS on the host stops working. If you want a commercially signed certificate, send rui.csr to the CA and they will return the certificate (rui.key stays with you; it never leaves your machine). To create your own self-signed certificate run the following command. The -extfile/-extensions options are needed because openssl x509 -req does not carry the extensions from the CSR, including the subjectAltName, into the certificate on its own:

>openssl x509 -req -sha256 -days 365 -in rui.csr -signkey rui.key -extfile openssl.cfg -extensions v3_req -out rui.crt

Once that is done you will have three files in the bin directory: rui.key, rui.crt and rui.csr. The host needs rui.crt and rui.key; the CSR can be discarded, or kept if you plan to have it signed later.

Use WinSCP to copy these two files to the host: navigate to /etc/vmware/ssl, back up the existing rui.crt and rui.key, and copy the new files in their place. rui.key is the host's private key, so keep it readable by root only, as the original is. Once copied, restart the management agents, or alternatively reboot. If something goes wrong, no worries: you can restore the VMware certificates by regenerating them. SSH to the host and recreate the VMware self-signed certificates with the following commands.

>/sbin/generate-certificates

>/sbin/services.sh restart

If all went well, browse to https://ipaddress (better, to the FQDN you put in the certificate, since the browser compares that name against the subjectAltName) and you should see your self-signed certificate; compare its fingerprint with the rui.crt you generated to be sure you are talking to your host and not to something in between.
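The whole procedure from the steps above, as an added example that is not part of the original post and not VMware's or slproweb's code: it writes a request-only openssl.cfg, creates rui.key and rui.csr, self-signs rui.crt while keeping the subjectAltName, checks the result for the failure modes that leave a host with a dead HTTPS interface (encrypted key, key/certificate mismatch, missing SAN), and prints the fingerprint to pin. The host name esx01.lab.local, the DN values and the ./esxi-cert output directory are assumptions; replace them with your own.

```shell
#!/bin/sh
# Added example (not from the original post or from VMware): build rui.key and
# rui.crt for an ESXi host with the OpenSSL CLI and check them before they are
# copied to /etc/vmware/ssl. Host name, DN values and WORK dir are placeholders.
set -eu

WORK="${WORK:-./esxi-cert}"      # where rui.key / rui.csr / rui.crt are written
FQDN="${FQDN:-esx01.lab.local}"  # assumed FQDN of the ESXi host, change it

# Minimal request-only config. encrypt_key = no matters: nothing on an ESXi host
# can type a passphrase when hostd starts, so an encrypted rui.key breaks HTTPS.
write_config() {
    short=${FQDN%%.*}
    mkdir -p "$WORK"
    cat > "$WORK/openssl.cfg" <<EOF
[ req ]
default_bits       = 2048
default_md         = sha256
distinguished_name = req_distinguished_name
req_extensions     = v3_req
encrypt_key        = no
prompt             = no
string_mask        = utf8only

[ req_distinguished_name ]
countryName            = US
stateOrProvinceName    = New York
localityName           = New York
organizationName       = Example Lab
organizationalUnitName = IT
commonName             = $FQDN

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName   = DNS:$FQDN, DNS:$short
EOF
}

# Private key plus CSR. -nodes ("no DES") leaves the key unencrypted.
make_csr() {
    openssl req -new -nodes -config "$WORK/openssl.cfg" \
        -keyout "$WORK/rui.key" -out "$WORK/rui.csr"
    chmod 600 "$WORK/rui.key"
}

# Self-sign the CSR. "openssl x509 -req" ignores the extensions inside the CSR
# unless -extfile/-extensions point it at them; without those options the
# certificate silently ends up with no subjectAltName.
self_sign() {
    openssl x509 -req -sha256 -days 365 \
        -in "$WORK/rui.csr" -signkey "$WORK/rui.key" \
        -extfile "$WORK/openssl.cfg" -extensions v3_req \
        -out "$WORK/rui.crt"
}

# Pre-flight checks; non-zero means do not copy these files to the host.
verify_local() {
    if grep -q ENCRYPTED "$WORK/rui.key"; then
        echo "rui.key is passphrase-protected; the host cannot load it" >&2; return 1
    fi
    key_mod=$(openssl rsa -in "$WORK/rui.key" -noout -modulus)
    crt_mod=$(openssl x509 -in "$WORK/rui.crt" -noout -modulus)
    if [ "$key_mod" != "$crt_mod" ]; then
        echo "rui.crt does not belong to rui.key" >&2; return 1
    fi
    text=$(openssl x509 -in "$WORK/rui.crt" -noout -text)
    case "$text" in
        *"DNS:$FQDN"*) return 0 ;;
        *) echo "subjectAltName missing: sign with -extfile/-extensions" >&2; return 1 ;;
    esac
}

# SHA-256 fingerprint of a PEM certificate. With a self-signed certificate there
# is no chain to validate, so this value is what clients have to pin.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# After the copy and "services.sh restart": compare what the host really serves
# on 443 with the file you installed. Needs network, so it is not run by default.
pin_check() {
    live=$(openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//')
    [ "$live" = "$(fingerprint "$WORK/rui.crt")" ]
}

main() {
    FQDN=$1
    write_config && make_csr && self_sign && verify_local
    echo "rui.key and rui.crt are in $WORK; copy both to /etc/vmware/ssl on $FQDN"
    echo "pin this fingerprint on your clients: $(fingerprint "$WORK/rui.crt")"
}

# Runs end to end when given the host FQDN; with no argument only the functions
# are defined, so the file can be sourced from another script.
[ $# -eq 0 ] || main "$1"
```

Run it as `sh make-esxi-cert.sh esx01.lab.local`, copy the two files from ./esxi-cert to the host, and after `services.sh restart` call `pin_check esx01.lab.local` from the same shell (`. ./make-esxi-cert.sh` first) to confirm the host is presenting the certificate you installed rather than the old one or an interposed one. The same script works on Windows from the OpenSSL bin directory under a POSIX shell such as Git Bash.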

Now you have your certificate installed!

Please comment or correct me if you find some errors 🙂
