vSphere Security: vCenter Certificate with OpenSSL

introduction

In this first article of vSphere Security we discuss how to secure vCenter with a custom certificate signed by our own certificate authority (CA).

As we know, vCenter creates a self-signed certificate during setup (issued by its built-in VMCA). That does encrypt the connection, which is good as far as it goes,

BUT

it is not trusted enough, because the certificate is only recognized by vCenter itself; every browser and client will warn about it until it is replaced by one signed by a CA the clients trust.

network diagram


Please have a look at the network diagram above.

We have:

  • a domain controller for AD, DC101.pioneers.lab, with IP address 172.16.100.101
  • ESXI151 with IP address 172.16.100.151
  • ESXI152 with IP address 172.16.100.152
  • ESXI153 with IP address 172.16.100.153
  • the vCenter server VCSA161.pioneers.lab with IP address 172.16.100.161, still using the default self-signed certificate
  • a SUSE Linux server SLES122.pioneers.lab with IP address 172.16.100.122, which will run the CA using OpenSSL

Configuration Steps

Our steps to configure VCSA with a custom CA-signed certificate:

  • Check the VCSA self-signed certificate
  • Configure the vCenter server VCSA161.pioneers.lab to generate a certificate request
  • Copy the request file to the CA server, the SUSE Linux server SLES122.pioneers.lab
  • Install OpenSSL on SLES122.pioneers.lab
  • Set up the certificate authority (CA) on SLES122.pioneers.lab
  • Create the custom certificate from the request
  • Import the newly created custom certificate into VCSA161
  • Replace the default self-signed certificate with the custom certificate
  • Verify the certificate is installed

Check VCSA self-signed certificate

To check the VCSA self-signed certificate:

open vCenter at https://vcsa161.pioneers.lab

Select Administration >> Certificate Management >> provide credentials.
View the default certificate, valid for 10 years.
The certificate is issued by "CA", which is the common name of vCenter's built-in VMCA root; no browser trusts that root out of the box, which is exactly the warning we want to get rid of.

create certificate request on VCSA161

The first step is to make VCSA generate a certificate signing request (CSR).

Open SSH [putty] to VCSA161 at IP address 172.16.100.161.

Create the folder /tmp/certs to hold the request.
Run the certificate manager by typing /usr/lib/vmware-vmca/bin/certificate-manager
Select option 1 (replace the Machine SSL certificate with a custom certificate), then 1 to generate the request.
Provide the path where the request and its private key are stored (/tmp/certs).
Provide the request information marked in red (country, organization, hostname, IP address, and so on). The hostname must be the FQDN clients will type in the browser, vcsa161.pioneers.lab.

install openssl tool on SLES122

After creating the request, it is time to set up the certificate authority on the Linux server SLES122.pioneers.lab.

The tool we use to run the CA is OpenSSL.

Connect to SLES122 with SSH [putty] to install OpenSSL:

The application is not installed yet.
Install it with zypper, the SLES package manager.
OpenSSL is installed.

setup CA on SLES122

Now we set up the certificate authority (CA) on SLES122.

Connect to SLES122 with SSH [putty].

First create a folder to store the CA files:

Create the folder /ca to store the CA key and certificate. Keep it readable by root only: whoever holds rootCA.key can issue certificates that the whole lab will trust.
Run the command openssl genrsa -out rootCA.key 2048 >> this creates the CA private key.
Run the command "openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt" to create the self-signed root certificate >> please note the certificate will be valid for 1024 days, a little under 3 years. The -nodes option stores the key unencrypted, which is convenient in a lab but means file permissions are the only protection of the key.
Provide the root certificate information marked in red.

create custom certificate for VCSA161

Now we create the certificate for VCSA161 from its request >>

Using the WinSCP utility, copy the request from VCSA161 to SLES122:

Two files were generated on VCSA161: the request vmca_issued_csr.csr and its private key vmca_issued_key.key.
Copy the two files to the SLES122 server, into the folder /ca. Strictly speaking only the .csr is needed by the CA; the private key stays on VCSA161 and is used later when importing the signed certificate.
Create the file san.cnf with the subjectAltName information for VCSA161 >> WinSCP is a great utility to copy files to and from Linux servers; we have a separate article about it.
Write the three lines for VCSA161 in san.cnf (the FQDN vcsa161.pioneers.lab, the short name, and the IP address as SAN entries). Modern browsers ignore the CN and only match the SAN, so a certificate without it still produces a warning.

In the SSH session run the command:

openssl x509 -req -in vmca_issued_csr.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out vcsa161.pioneers.lab.crt -days 1024 -sha256 -extfile san.cnf

This command creates the certificate for VCSA161 from the request file and san.cnf. The -extfile option is what puts the extensions into the certificate; openssl x509 -req does not copy extensions from the CSR by default.

Run the command above.
Copy the created certificate to VCSA161 using WinSCP, together with rootCA.crt, which the certificate manager will ask for as the signing (root) certificate.
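The CA setup, san.cnf, signing and the later verification step, reproduced end to end as an added example (not the article's own commands, which are typed one at a time in the screenshots). It assumes OpenSSL 1.0.2 or newer for -verify_hostname, writes into a temporary directory instead of /ca, and uses its own minimal openssl.cnf so it does not depend on the system one. The VCSA request is not available here, so make_test_csr stands in for vmca_issued_csr.csr; the lab names and the "Pioneers Lab Root CA" subject are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): CA setup, SAN extensions,
# signing and client-side verification with OpenSSL, in the order the article
# performs them on SLES122. Subject names, paths and SAN values are assumptions.
set -eu

# Minimal openssl config so the example does not rely on the system openssl.cnf.
# v3_ca marks the root as a CA; without CA:TRUE the chain would not verify.
write_openssl_cnf() {
    cat > "$1/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Step "setup CA": private key plus self-signed root, 1024 days as in the article.
make_root_ca() {
    dir="$1"
    write_openssl_cnf "$dir"
    openssl genrsa -out "$dir/rootCA.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$dir/rootCA.key" -sha256 -days 1024 \
        -config "$dir/openssl.cnf" -extensions v3_ca \
        -subj "/C=EG/O=Pioneers Lab/CN=Pioneers Lab Root CA" \
        -out "$dir/rootCA.crt"
}

# Step "create san.cnf": the extensions the server certificate must carry.
# Keys in the unnamed section are what `x509 -req -extfile` picks up.
write_san_cnf() {
    dir="$1"; fqdn="$2"; short="$3"; ip="$4"
    cat > "$dir/san.cnf" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$fqdn, DNS:$short, IP:$ip
EOF
}

# Stand-in for the CSR that certificate-manager generates on VCSA161.
make_test_csr() {
    dir="$1"; fqdn="$2"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/$fqdn.key" \
        -config "$dir/openssl.cnf" -subj "/C=EG/O=Pioneers Lab/CN=$fqdn" \
        -out "$dir/$fqdn.csr" 2>/dev/null
}

# Step "create custom certificate": the article's x509 -req command.
sign_csr() {
    dir="$1"; csr="$2"; out="$3"
    openssl x509 -req -in "$csr" -CA "$dir/rootCA.crt" -CAkey "$dir/rootCA.key" \
        -CAcreateserial -out "$out" -days 1024 -sha256 -extfile "$dir/san.cnf" 2>/dev/null
}

# Step "verify": the check a browser performs. Exit status 0 means a client that
# trusts rootCA.crt and connects to $host would accept this certificate.
verify_chain() {
    root="$1"; cert="$2"; host="$3"
    openssl verify -CAfile "$root" -verify_hostname "$host" "$cert" >/dev/null 2>&1
}

# True when the given SAN text (e.g. "DNS:vcsa161.pioneers.lab") is in the cert.
has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "$2"
}

# Demo run with the lab names from the article.
WORK=$(mktemp -d)
make_root_ca "$WORK"
write_san_cnf "$WORK" vcsa161.pioneers.lab vcsa161 172.16.100.161
make_test_csr "$WORK" vcsa161.pioneers.lab
sign_csr "$WORK" "$WORK/vcsa161.pioneers.lab.csr" "$WORK/vcsa161.pioneers.lab.crt"
verify_chain "$WORK/rootCA.crt" "$WORK/vcsa161.pioneers.lab.crt" vcsa161.pioneers.lab \
    && echo "vcsa161.pioneers.lab.crt: chain and hostname OK"
openssl x509 -in "$WORK/vcsa161.pioneers.lab.crt" -noout -subject -issuer -dates
```

The verify_chain function is also the quickest way to confirm, from SLES122, that the certificate you are about to copy to VCSA161 will be accepted for the FQDN the users type; a mismatch between the SAN and the hostname is the most common reason the browser warning survives the replacement.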

import custom certificate to VCSA161

Now it is time to import the certificate into vCenter.

Copy the files to the VCSA161 folder /tmp/certs.
Run the certificate manager by typing /usr/lib/vmware-vmca/bin/certificate-manager
Select option 1, then 2 to import the custom certificate.
Provide the file paths: the signed certificate, the private key generated together with the request (vmca_issued_key.key), and the root CA certificate (rootCA.crt) as the signing certificate.
Type yes [y] to confirm the import operation.
Importing process: the certificate manager stops and restarts the vCenter services, so the web client is unavailable for a few minutes.
Importing process completed.

replace self signed certificate with custom certificate

The certificate is imported into vCenter, but the original self-signed certificate may still be in effect.

Now we replace the self-signed certificate with the custom one.

Log in to vCenter at https://vcsa161 > Administration > Certificate Management.

Select Replace.
Provide the file paths.
Certificate replaced successfully.
Custom certificate details.

verify custom SSL certificate

To verify that the custom certificate is applied, open a browser at https://vcsa161.pioneers.lab

We notice that the custom certificate is applied and valid for about 3 years (1024 days),

without any error or warning, provided the client trusts our root: rootCA.crt must be imported into the browser or OS trusted root store (or pushed to the domain machines by group policy from DC101), since no browser ships with a private CA. A client that does not have the root installed still sees a warning, now about an unknown issuer instead of a self-signed certificate.

Custom certificate applied.

Conclusion

One of the best practices to secure a vSphere environment is to secure web access with a certificate from a trusted certificate authority.

We have discussed how to create Microsoft ADCS [Active Directory Certificate Services] and how to secure Exchange and web servers in the Active Directory course; please press here.

You can configure VCSA or ESXi hosts to use an SSL certificate from either Microsoft ADCS or an OpenSSL CA.

At Networks Pioneers we believe in diversity, so we give you the options and you decide which is best for you: Microsoft ADCS or an OpenSSL CA.
