1. vCenter – SSL Automation Tool
ESXi Host – OpenSSL
SRM – OpenSSL
vBrownbag – Michael Russell
@kerryspring2
kerryspring2@eircom.net
2. Resources #1
#vBrownBag US View SSL Certs with Shane Williford
http://professionalvmware.com/2012/12/vbrownbag-us-view-ssl-certs-with-shane-williford-coolsportoo/
#vBrownBag Follow-up How I learned to love the CSR with Jim Millard
http://professionalvmware.com/2013/05/vbrownbag-follow-up-how-i-learned-to-love-the-csr-with-jim-millard-millardjk/
vSphere 5.1 Hardening Guide - Official Release
http://communities.vmware.com/docs/DOC-22981
Windows OpenSSL distribution (ver 0.9.8)
http://slproweb.com/products/Win32OpenSSL.html
How to use trusted certificates with VMware vCenter Site Recovery Manager
http://communities.vmware.com/docs/DOC-11411
3. Resources #2
vCenter Certificate Automation Tool Download
https://my.vmware.com/group/vmware/get-download?downloadGroup=SSL-TOOL-101
Generating certificates for use with the VMware SSL Certificate Automation Tool
http://kb.vmware.com/kb/2044696
Deploying and using the SSL Certificate Automation Tool (& Known Issues)
http://kb.vmware.com/kb/2041600
Process for Replacing SSL Certificates - vSphere 5 (7 Parts) - Julian Wood
http://www.wooditwork.com/2011/11/30/vsphere-5-certificates-1-installing-a-root-certificate-authority-3/
vCenter 5.1 U1 installation including SSL replacement (15 Parts) - Derek Seaman
http://www.derekseaman.com/2012/09/vmware-vcenter-51-installation-part-1.html
4. SSL Automation Tool Notes
Microsoft Certificate Server SHA-1 vs SHA2-256
Duplicate Template – Windows Server 2003 Enterprise
Windows Server 2003 CA Server must be Enterprise Edition
Deploy Root Certificate to Servers with vCenter components
Generate chain.pem files from root64.cer & rui.crt
Add Extensions: Allow Encryption of User Data (vCenter/ESXi) / Client Authentication (SRM)
OpenSSL v 0.9.8 – Copy OpenSSL DLLs to binaries (/bin) dir
Certificate Tool vs vSphere Upgrades
http://kb.vmware.com/kb/2048202
SSO user is admin@system-domain
vCenter Database Password = ?
Update Manager installation – Register FQDN, not IP Address
5. ESXi Hosts – SSL Notes
ESXi Host HA Issues: http://kb.vmware.com/kb/2006210
perl HostReconnect.pl --server <ip address> --username administrator@lab.local
vMA permit WinSCP:
http://communities.vmware.com/message/2020784
sudo vi /etc/hosts.allow
add the following line:
sshd: ALL: ALLOW
then save the file :wq!
OpenSSL command to generate CSR:
openssl req -new -nodes -out rui.csr -keyout rui.key -config openssl.cfg
Drop rui.crt & rui.key into /etc/vmware/ssl
6. ESXi Hosts – OpenSSL.cfg
default_bits = 2048 (Change from 1024)
default_keyfile = rui.key (Change from privkey.pem)
req_extensions = v3_req (Remove # at start of line)
countryName_default = IE (Update to your Country Code)
stateOrProvinceName_default = Leinster (Update)
localityName_default = Dublin (Add & Update)
0.organizationName_default = Lab (Update to your Company Name)
organizationalUnitName_default = IT (Update & Remove # at start of line)
[ v3_req ]
subjectAltName = @alt_names (Add this under "keyUsage =" line)
[alt_names]
DNS.1 = iedubdc2esx01.lab.local (Use FQDN here)
DNS.2 = iedubdc2esx01 (Use Shorter Netbios Name here)
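The following script ties the two ESXi slides together: it writes an openssl.cfg with the edits listed above (2048-bit key, rui.key as the key file, v3_req enabled, SAN entries for the FQDN and the short name), runs the slide's `openssl req` command to produce rui.key and rui.csr, and then reads the CSR back to confirm the SANs and key size actually made it in before the CSR is sent to the CA. This is an added example, not code from the presentation or from VMware; it uses the slide's lab values (IE / Leinster / Dublin / Lab / IT / iedubdc2esx01.lab.local), and it sets `prompt = no` so the request runs unattended, which is why the DN fields below carry no `_default` suffix. Adjust the DN and host names for your own site.

```shell
#!/bin/sh
# Added example (not from the slides): build the ESXi openssl.cfg, generate
# rui.key + rui.csr with it, and verify the CSR before handing it to the CA.
set -e

# Write the request config. The [ v3_req ] and [ alt_names ] sections are what
# put the FQDN and the short NetBIOS name into the CSR as subjectAltName entries.
# Arguments: FQDN, short host name, path of the config file to write.
write_openssl_cfg() {
    host_fqdn="$1"; host_short="$2"; cfg="$3"
    cat > "$cfg" <<EOF
[ req ]
default_bits       = 2048
default_keyfile    = rui.key
distinguished_name = req_distinguished_name
req_extensions     = v3_req
prompt             = no

[ req_distinguished_name ]
countryName            = IE
stateOrProvinceName    = Leinster
localityName           = Dublin
0.organizationName     = Lab
organizationalUnitName = IT
commonName             = $host_fqdn

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName   = @alt_names

[ alt_names ]
DNS.1 = $host_fqdn
DNS.2 = $host_short
EOF
}

# Run the slide's command inside the target directory. -nodes leaves the key
# unencrypted, which ESXi requires because nothing is there to type a passphrase.
# Arguments: absolute path of the config, directory that will receive rui.key/rui.csr.
make_csr() {
    cfg="$1"; dir="$2"
    ( cd "$dir" && openssl req -new -nodes -out rui.csr -keyout rui.key \
        -config "$cfg" 2>/dev/null )
}

# Return 0 when the CSR lists the given DNS name as a subjectAltName.
# A CSR without the SANs means req_extensions was still commented out.
csr_has_san() {
    csr="$1"; name="$2"
    openssl req -in "$csr" -noout -text | grep -q "DNS:$name"
}

# Print the RSA key length found in the CSR (the slide raises it 1024 -> 2048).
csr_key_bits() {
    openssl req -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Usage (run from an empty working directory, then copy rui.key to the host):
#   write_openssl_cfg iedubdc2esx01.lab.local iedubdc2esx01 "$PWD/openssl.cfg"
#   make_csr "$PWD/openssl.cfg" "$PWD"
#   csr_has_san rui.csr iedubdc2esx01.lab.local && echo "SAN present"
#   csr_key_bits rui.csr
```

Once the CA returns rui.crt, the verification step is worth repeating on the certificate (`openssl x509 -in rui.crt -noout -text`), because a CA template that does not honour requested extensions will silently drop the SANs even though the CSR carried them.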