Part 1 — vCenter 5.1 U1 — Creating and installing SSL certs for SSO.

There is a lot of information out there for installing vCenter 5.1, but the information is lacking for getting SSL certs working properly.  I first want to thank Derek Seaman over at www.derekseaman.com for his posts regarding what to do.  I have tried to shorten this a little bit for my own recollection.  Here is what I did to get SSL certs working.

Preparation

  1. Make sure you have installed the SSO Server, Inventory Service Server, and vCenter Server.  I used three separate machines for my environment, but you can use just one if you wanted to.
  2. Download and install the Visual C++ 2008 Redistributables (x64) and Win64 OpenSSL v0.9y from http://slproweb.com/products/Win32OpenSSL.html on your SSO server.
    Create a c:\certs folder on the SSO server containing one subfolder per service (screenshot of the folder layout: sso, inventory, vCenter, WebClient, LogBrowser, Orchestrator and UpdateManager, matching the paths used in ssl-environment.bat below).
  3. Download the SSL Certificate Automation Tool from https://my.vmware.com/group/vmware/get-download?downloadGroup=SSL-TOOL-10.  Unzip this to c:\vmwarecerttool folder.
  4. Following Derek Seaman’s blog post http://www.derekseaman.com/2012/09/create-vmware-windows-ca-certificate.html, create a VMware-SSL template on your CA server.
  5. You will need the following information during the install:

     SSO Administrator
       Username: admin@System-Domain
       Password:

     vCenter Administrator
       Username:
       Password:

     Original Database Password

Creating Certificates

 1.  Edit the ssl-environment.bat file located in c:\vmwarecerttool and fill in the appropriate information:

set sso_cert_chain=c:\certs\sso\chain.pem
set sso_private_key=c:\certs\sso\rui.key
set sso_node_type=single
set sso_admin_is_behind_lb=no

set is_cert_chain=c:\certs\inventory\chain.pem
set is_private_key_new=c:\certs\inventory\rui.key

set vc_cert_chain=c:\certs\vCenter\chain.pem
set vc_private_key=c:\certs\vCenter\rui.key

set ngc_cert_chain=c:\certs\WebClient\chain.pem
set ngc_private_key=c:\certs\WebClient\rui.key

set logbrowser_cert_chain=c:\certs\LogBrowser\chain.pem
set logbrowser_private_key=c:\certs\LogBrowser\rui.key

set vco_cert_chain=c:\certs\Orchestrator\chain.pem
set vco_private_key=c:\certs\Orchestrator\rui.key

set vum_cert_chain=c:\certs\UpdateManager\chain.pem
set vum_private_key=c:\certs\UpdateManager\rui.key

set sso_admin_user=admin@system-domain
set vc_username=corp\vminstaller

2.  Next, create the following configuration files in their respective folders.  Make sure that you name the files correctly, and do not paste the filename heading (e.g. Inventory.cfg) into the file itself; I have made that mistake.  Do not change the organizationalUnitName!  I have created an example of the Inventory.cfg.  I got these from http://www.derekseaman.com/2012/09/vmware-vcenter-51-installation-part-2.html.

EXAMPLE: Inventory.cfg
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:VCINV1, DNS:VCINV1.DOMAIN.LOC

[ req_distinguished_name ]
countryName = US
stateOrProvinceName = Missouri
localityName = Saint Louis
0.organizationName = IT
organizationalUnitName = vCenterInventoryService
commonName = VCINV1.DOMAIN.LOC


Inventory.cfg
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:(Your Inventory Server), DNS:(FQDN of your Inventory Server)

[ req_distinguished_name ]
countryName = (Country Code)
stateOrProvinceName = (State)
localityName = (City)
0.organizationName = (Organization)
organizationalUnitName = vCenterInventoryService
commonName = (FQDN of your Inventory Server)

SSO.cfg
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:(Your SSO Server), DNS:(FQDN of your SSO Server)

[ req_distinguished_name ]
countryName = (Country Code)
stateOrProvinceName = (State)
localityName = (City)
0.organizationName = (Organization)
organizationalUnitName = vCenterSSO
commonName = (FQDN of your SSO Server)

vCenter.cfg

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:(Your vCenter Server), DNS:(FQDN of your vCenter Server)

[ req_distinguished_name ]
countryName = (Country Code)
stateOrProvinceName = (State)
localityName = (City)
0.organizationName = (Organization)
organizationalUnitName = vCenterServer
commonName = (FQDN of your vCenter Server)

WebClient.cfg

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:(Your vCenter Server), DNS:(FQDN of your vCenter Server)

[ req_distinguished_name ]
countryName = (Country Code)
stateOrProvinceName = (State)
localityName = (City)
0.organizationName = (Organization)
organizationalUnitName = vCenterWebClient
commonName = (FQDN of your vCenter Server)

VUM.cfg

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:(Your vCenter Server), DNS:(FQDN of your vCenter Server)

[ req_distinguished_name ]
countryName = (Country Code)
stateOrProvinceName = (State)
localityName = (City)
0.organizationName = (Organization)
organizationalUnitName = VMwareUpdateManager
commonName = (FQDN of your vCenter Server)

LogBrowser.cfg

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:(Your vCenter Server), DNS:(FQDN of your vCenter Server)

[ req_distinguished_name ]
countryName = (Country Code)
stateOrProvinceName = (State)
localityName = (City)
0.organizationName = (Organization)
organizationalUnitName = vCenterLogBrowser
commonName = (FQDN of your vCenter Server)

Orchestrator.cfg

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:(Your vCenter Server), DNS:(FQDN of your vCenter Server)

[ req_distinguished_name ]
countryName = (Country Code)
stateOrProvinceName = (State)
localityName = (City)
0.organizationName = (Organization)
organizationalUnitName = VMwareOrchestrator
commonName = (FQDN of your vCenter Server)
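The seven .cfg files above differ only in organizationalUnitName and host names, so a typo in one is easy to miss.  As an added example (my own script, not part of the original post or of Derek Seaman's tooling), this renders any of them from one template and refuses an unknown service or a bare host name; the host names in its comments are constructed placeholders.

```python
# Added example (not the post's own tooling): render the seven request configs
# from step 2 from one template, so only the OU and host names ever differ.
# organizationalUnitName per service is fixed; step 2 says not to change it.
SERVICE_OU = {
    "SSO": "vCenterSSO",
    "Inventory": "vCenterInventoryService",
    "vCenter": "vCenterServer",
    "WebClient": "vCenterWebClient",
    "VUM": "VMwareUpdateManager",
    "LogBrowser": "vCenterLogBrowser",
    "Orchestrator": "VMwareOrchestrator",
}

TEMPLATE = """[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:{short}, DNS:{fqdn}

[ req_distinguished_name ]
countryName = {country}
stateOrProvinceName = {state}
localityName = {city}
0.organizationName = {org}
organizationalUnitName = {ou}
commonName = {fqdn}
"""

def render_cfg(service, fqdn, dn):
    """Return the <service>.cfg text for host fqdn (e.g. a constructed
    VCSSO1.DOMAIN.LOC).  dn holds country, state, city and org.  Unknown
    services and non-FQDN names are rejected before anything is written."""
    if service not in SERVICE_OU:
        raise ValueError("unknown service: " + service)
    if "." not in fqdn:
        raise ValueError("commonName must be an FQDN: " + fqdn)
    return TEMPLATE.format(short=fqdn.split(".")[0], fqdn=fqdn,
                           ou=SERVICE_OU[service], **dn)
```

Write the returned text to c:\certs\<folder>\<Service>.cfg for each service and the create_csr.bat below picks it up unchanged.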

3.  You should now have one configuration file in each of the certificate folders you created earlier.  Next, we need to pull down the root certificate.  I am using Microsoft CA, so that is the only example I can give.  Open a browser and go to https://yourcaserver/certsrv/.  Make sure you fill in your CA server.  Click on Download a CA certificate, certificate chain or CRL. Change the encoding method to Base 64 and click Download CA certificate chain. Change the file name to cachain.p7b.

4.  Double-click on the downloaded certificate, then locate the certificate in the console. If you have more than one certificate in the console, skip to step 5 below. If you have just one certificate, right-click on the certificate and select All Tasks -> Export. Select Base-64 encoded and save the certificate with a filename of Root64.cer in the root of the Certs directory.

Notice that I have a root CA and a subordinate CA (screenshot of cachain.p7b opened in the console showing both certificates).

5.  If you have a root and intermediate CAs (two or more certs in the console), you have some extra work. Export each certificate from the console as Base-64 and save into different files (e.g. Root64-1.cer and Root64-2.cer). You MUST save your Root CA as Root64-1.cer and the intermediary CA as Root64-2.cer.

6.  We also need a concatenated file of the CAs (Root64.cer), in reverse order. Reverse order means the root is at the bottom of the file, and the subordinate CA is at the top.  From an administrative command prompt in the c:\certs folder run:
copy Root64-2.cer+Root64-1.cer Root64.cer

7.  Create a batch file in c:\certs called create_csr.bat.  Paste the following into this file:

:: create_csr.bat: generate a 2048-bit RSA key and a CSR for each service,
:: using the .cfg file placed in that service's folder in step 2.
Set OpenSSL_BIN=c:\OpenSSL\bin\openssl.exe
Set Cert_Path=C:\Certs
:: Point OpenSSL at its own config so it does not warn about a missing openssl.cfg
Set OPENSSL_CONF=c:\OpenSSL\bin\openssl.cfg

CD /d %Cert_Path%\vcenter\
%OpenSSL_BIN% genrsa 2048 > rui.key
%OpenSSL_BIN% req -out rui.csr -key rui.key -new -config vcenter.cfg

CD /d %Cert_Path%\Inventory\
%OpenSSL_BIN% genrsa 2048 > rui.key
%OpenSSL_BIN% req -out rui.csr -key rui.key -new -config inventory.cfg

CD /d %Cert_Path%\SSO\
%OpenSSL_BIN% genrsa 2048 > rui.key
%OpenSSL_BIN% req -out rui.csr -key rui.key -new -config SSO.cfg

CD /d %Cert_Path%\UpdateManager\
%OpenSSL_BIN% genrsa 2048 > rui.key
%OpenSSL_BIN% req -out rui.csr -key rui.key -new -config VUM.cfg

CD /d %Cert_Path%\webclient\
%OpenSSL_BIN% genrsa 2048 > rui.key
%OpenSSL_BIN% req -out rui.csr -key rui.key -new -config webclient.cfg

CD /d %Cert_Path%\LogBrowser\
%OpenSSL_BIN% genrsa 2048 > rui.key
%OpenSSL_BIN% req -out rui.csr -key rui.key -new -config LogBrowser.cfg

CD /d %Cert_Path%\Orchestrator\
%OpenSSL_BIN% genrsa 2048 > rui.key
%OpenSSL_BIN% req -out rui.csr -key rui.key -new -config Orchestrator.cfg

8.  Open an administrative command prompt and then browse to c:\certs.  Run create_csr.bat.  This will create two files (rui.key and rui.csr) in each of the cert folders.  If the files are not created, check the configuration files that you created earlier.

Example: Inventory Folder

9.  Now it is time to mint the certificates using these two files.  Under c:\certs create another batch file.  This time call the batch file vCenter5.1_CertRequest.bat.  Paste in the following and make sure that you change the Certificate Authority Name.  This batch file can be found here: http://www.derekseaman.com/2012/09/vmware-vcenter-51-installation-part-2.html.

:: Script to request vCenter 5.1 SSL certificates from a Microsoft CA
:: Modify these variables for your paths and CA information
:: Place your root64-1.cer and root64-2.cer (if using an intermediate CA)
:: in the Cert_Path directory. OpenSSL config files must already exist.
:: Also creates the chain.pem files for the VMware Certificate automation tool
::
:: Written by Derek Seaman, derekseaman.com
::

:: Certificate Authority Template name
Set Cert_Template=VMware-SSL

:: Certificate Authority Name (example value; use your own CA's name)
Set CA_Name=D001DC01\Contoso-D001DC01-CA
:: Path to OpenSSL
set OPENSSL_CONF=c:\OpenSSL\bin\openssl.cfg
Set OpenSSL_BIN=c:\OpenSSL\bin\openssl.exe

:: Path to your vcenter services directory with the config files
Set Cert_Path=C:\certs

:: Do not change anything below here
Set Root_CA_Cert=%Cert_Path%\Root64-1.cer
Set Sub_CA_Cert=%Cert_Path%\Root64-2.cer
Set CA_Chain=%Cert_Path%\Root.cer

:: With an intermediate CA, build the chain subordinate-first, root last;
:: otherwise the single Root64.cer exported in step 4 is the whole chain.
if exist %Sub_CA_Cert% (
copy /B  %Sub_CA_Cert% + %Root_CA_Cert% %CA_Chain%
Set CA_Cert_Chain=%CA_Chain%
) Else (
Set CA_Cert_Chain=%Cert_Path%\root64.cer
)

:: Per service: key, CSR, submit to the CA, export a PFX, and build the
:: chain.pem (leaf cert followed by the CA chain) the automation tool reads.
CD /d %Cert_Path%\vcenter
%OpenSSL_BIN%  genrsa 2048 > rui.key
%OpenSSL_BIN%  req -out rui.csr -key rui.key -new -config vcenter.cfg
certreq -submit -q -f -config "%CA_NAME%" -attrib "CertificateTemplate:%Cert_Template%" rui.csr rui.crt
%OpenSSL_BIN%  pkcs12 -export -in rui.crt -inkey rui.key -certfile %CA_Cert_Chain% -name rui -passout pass:testpassword -out rui.pfx
copy /B rui.crt + %CA_Cert_Chain% chain.pem

CD /d %Cert_Path%\Inventory
%OpenSSL_BIN%  genrsa 2048 > rui.key
%OpenSSL_BIN%  req -out rui.csr -key rui.key -new -config inventory.cfg
certreq -submit -f -q -config "%CA_NAME%" -attrib "CertificateTemplate:%Cert_Template%" rui.csr rui.crt
%OpenSSL_BIN%  pkcs12 -export -in rui.crt -inkey rui.key -certfile %CA_Cert_Chain% -name rui -passout pass:testpassword -out rui.pfx
copy /B rui.crt + %CA_Cert_Chain% chain.pem

CD /d %Cert_Path%\SSO
%OpenSSL_BIN%  genrsa 2048 > rui.key
%OpenSSL_BIN%  req -out rui.csr -key rui.key -new -config SSO.cfg
certreq -submit -f -q -config "%CA_NAME%" -attrib "CertificateTemplate:%Cert_Template%" rui.csr rui.crt
%OpenSSL_BIN%  pkcs12 -export -in rui.crt -inkey rui.key -certfile %CA_Cert_Chain% -name rui -passout pass:testpassword -out rui.pfx
copy /B rui.crt + %CA_Cert_Chain% chain.pem

CD /d %Cert_Path%\UpdateManager
%OpenSSL_BIN%  genrsa 2048 > rui.key
%OpenSSL_BIN%  req -out rui.csr -key rui.key -new -config VUM.cfg
certreq -submit -f -q -config "%CA_NAME%" -attrib "CertificateTemplate:%Cert_Template%" rui.csr rui.crt
%OpenSSL_BIN%  pkcs12 -export -in rui.crt -inkey rui.key -certfile %CA_Cert_Chain% -name rui -passout pass:testpassword -out rui.pfx
copy /B rui.crt + %CA_Cert_Chain% chain.pem

CD /d %Cert_Path%\webclient
%OpenSSL_BIN%  genrsa 2048 > rui.key
%OpenSSL_BIN%  req -out rui.csr -key rui.key -new -config webclient.cfg
certreq -submit -f -q -config "%CA_NAME%" -attrib "CertificateTemplate:%Cert_Template%" rui.csr rui.crt
%OpenSSL_BIN%  pkcs12 -export -in rui.crt -inkey rui.key -certfile %CA_Cert_Chain% -name rui -passout pass:testpassword -out rui.pfx
copy /B rui.crt + %CA_Cert_Chain% chain.pem

CD /d %Cert_Path%\LogBrowser
%OpenSSL_BIN%  genrsa 2048 > rui.key
%OpenSSL_BIN%  req -out rui.csr -key rui.key -new -config LogBrowser.cfg
certreq -submit -f -q -config "%CA_NAME%" -attrib "CertificateTemplate:%Cert_Template%" rui.csr rui.crt
%OpenSSL_BIN%  pkcs12 -export -in rui.crt -inkey rui.key -certfile %CA_Cert_Chain% -name rui -passout pass:testpassword -out rui.pfx
copy /B rui.crt + %CA_Cert_Chain% chain.pem

CD /d %Cert_Path%\Orchestrator
%OpenSSL_BIN%  genrsa 2048 > rui.key
%OpenSSL_BIN%  req -out rui.csr -key rui.key -new -config Orchestrator.cfg
certreq -submit -f -q -config "%CA_NAME%" -attrib "CertificateTemplate:%Cert_Template%" rui.csr rui.crt
%OpenSSL_BIN%  pkcs12 -export -in rui.crt -inkey rui.key -certfile %CA_Cert_Chain% -name rui -passout pass:testpassword -out rui.pfx
copy /B rui.crt + %CA_Cert_Chain% chain.pem

You should see a series of messages from certreq confirming that each request was issued (screenshot of the successful output).

All of the certs folders should now contain some new files: rui.key, rui.csr, rui.crt, rui.pfx and chain.pem (screenshot of a service folder after the script has run).

10.  Copy the c:\certs and c:\vmwarecerttool folders from the SSO server to both the Inventory and vCenter Server.  Part 2 will fail if you forget to do this.

Continue on with part 2.  https://favoritevmguy.wordpress.com/2013/06/17/part-2-vcenter-5-1-u1-creating-and-installing-ssl-certs-for-sso

5 responses to “Part 1 — vCenter 5.1 U1 — Creating and installing SSL certs for SSO.”

  1. Pingback: Part 2 — vCenter 5.1 U1 — Creating and installing SSL certs for SSO. | Favoritevmguy

  2. Hi,
    Thanks for the information given.
    We were struggling with the SSL implementation for several days
    till reaching your site, which gave the missing data.

    By the way, automation tool 1.0.1 supports CSR creation.
    It has this bug with the private key
    which requires recreation of the RSA key:
    openssl rsa -in rui.key -out rui.key
    Without this, the inventory update fails.

    • Glad to know that this has been helping some people. I need to look at the automatic tool again; did you find a problem with any of the steps regarding the tool?

  3. My spouse and I stumbled over here coming from a different page
    and thought I may as well check things out. I like what I see so now I’m following you.
    Look forward to exploring your web page for
    a second time.
