Are you struggling with uploading a new certificate to your VMware Identity Manager? Well, you are not alone.
But it isn’t that hard. You just need to know what the requirements are and then it is a matter of converting your existing certificate or building the chain correctly. In this blog post I’ll try to explain the process.
Identity Manager expects the certificate in PEM encoding and the private key in PKCS #1 format (from version 3.2, Identity Manager also accepts PKCS #8). To change the certificate on Identity Manager you need to upload the full certificate chain, not just the server certificate. Yes, I know, this will not make most people's lives any easier. But that is the whole requirement, and if you are a certificate ninja, the information above is all you need.
Let’s start with some basics.
Certificates come in two main encodings.
Encodings (also sometimes used as the file extensions):
.DER = The DER extension is used for binary DER encoded certificates. These files may also bear the .cer or .crt extension, but note that .cer and .crt are used for PEM encoded files as well, so the extension alone does not tell you the encoding. Proper English usage would be "I have a DER encoded certificate", not "I have a DER certificate".
.PEM = The PEM extension is used for different types of X.509v3 files. A PEM file is the DER data Base64 encoded and wrapped between a "-----BEGIN ...-----" line and a matching "-----END ...-----" line.
It is very easy to see which encoding your certificate uses: simply open the file in a text editor. Since I mentioned a text editor, when working with certificates never use plain Windows Notepad. Use Notepad++ or a similar editor that writes plain text without a byte-order mark and lets you see and control line endings; stray bytes at the start of the file or mangled line breaks are enough to make a PEM file unreadable to the server.
A DER encoded certificate opened in a text editor is unreadable binary.
A PEM encoded certificate, on the other hand, is human readable: it starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----.
With your certificate comes the private key. There are two common PEM formats for RSA private keys, and the header line tells you which one you have. If your key is PEM encoded, open it in a text editor and look at the first line.
If your private key starts with -----BEGIN PRIVATE KEY-----, it is in PKCS #8 format.
If it starts with -----BEGIN RSA PRIVATE KEY-----, it is in PKCS #1 format. (A key starting with -----BEGIN ENCRYPTED PRIVATE KEY----- is a password protected PKCS #8 key; you will need to decrypt it with OpenSSL before Identity Manager can use it.)
Last certificate 101 topic for this blog post is how to build a certificate chain with PEM encoded certs.
The simplest way to see what your chain looks like is to inspect the certificate; on Windows, double clicking the file opens the certificate viewer, whose Certification Path tab lists every certificate from the root down to your own.
In this example my certificate is a wildcard certificate for the domain "myhorizondemo.com". Above it there is one intermediate certificate and, at the top, the root CA.
You build the chain in a text editor. Put your server (end-entity) certificate at the top of the file, then each intermediate certificate in order (each certificate is followed by the one that issued it), and finally the root. Keep every -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- block intact, with no other text between or around the blocks, and save the file. Now you have your chain.
Enough with the certificate 101 basics. At this point, if your certificate is PEM encoded, you know how to build the certificate chain and you can upload the whole chain into Identity Manager using the SSL Certificate Chain form.
Later in this blog post I will explain how to convert between the two private key formats. So, if you do not have a PKCS #1 private key, I'm sorry, but you will have to keep reading.
Converting .p12 or .pfx to PEM
I have yet to mention PKCS #12. Many times your certificate comes as a password protected file with a .p12 or .pfx extension. This one file contains your private key and your certificate, and often the whole chain as well. This is great, because it is simple to extract the certificate and key from it and convert them into the format VMware Identity Manager requires.
In my case the certificate, key and chain are all stored in one PKCS #12 file.
To extract the certificate and key and convert them I use OpenSSL. OpenSSL is installed by default on most Linux distributions and on macOS (which ships LibreSSL under the openssl name, with slightly different options), and it is available for download for Windows.
First, I want to extract my certificate from the .pfx file. I do that by running the following OpenSSL command:
openssl pkcs12 -in mycaservercert.pfx -nokeys -out mycaservercert.pem
That is the actual command with my own filenames. Since the file is protected with a password, you are prompted for it during extraction.
If I open the resulting mycaservercert.pem file, each certificate is preceded by a few lines of "Bag Attributes" and subject/issuer metadata that OpenSSL adds.
You need to clean this up for vIDM to be happy: get rid of everything outside the -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- blocks, so that only the certificate blocks remain.
Cleaned up, my PEM encoded chain contains a total of 4 certificates: the end certificate, two intermediates and lastly the root. Where the second intermediate comes from (it did not show when I looked at the certificate) I cannot tell, but I just leave it in there and it works. If you want to know what each block is, run openssl x509 -noout -subject -issuer on it; that also lets you confirm that the blocks are in the right order, with the server certificate first and each certificate followed by its issuer.
Next is to extract the Private Key. I do this using this command:
openssl pkcs12 -in mycaservercert.pfx -nodes -nocerts -out mycaservercertkey.pem
The extracted key starts with -----BEGIN PRIVATE KEY-----.
In other words, it is PKCS #8 (the pkcs12 command writes the key in that format). So we need one last command to convert it to PKCS #1. Note that -nodes writes the key to disk unencrypted: keep the file readable only by you and delete it once the key has been pasted into Identity Manager.
Convert from PKCS #8 to PKCS #1 Private Key
Run this command (openssl rsa only handles RSA keys, which is what PKCS #1 is for):
openssl rsa -in mycaservercertkey.pem -check -out mycaservercertkeyrsa.pem
Now when I look at the private key file it starts with -----BEGIN RSA PRIVATE KEY-----, so VMware Identity Manager will accept it.
Two caveats. First, -check writes the line "RSA key ok" into the output file together with the key, so copy everything except that line into the Private Key field in Identity Manager (or leave -check out of this command and run it separately with -noout). Second, OpenSSL 3.x writes PKCS #8 by default even from the rsa command; on 3.x add the -traditional option to get the -----BEGIN RSA PRIVATE KEY----- format, and always check the header line of the output before pasting.
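The whole procedure, from building and verifying the chain (as described in the certificate 101 part) to extracting and converting the key, as one added example script. This is not code from the original post or from VMware: it builds a throw-away root, intermediate and wildcard server certificate with OpenSSL, bundles them into a PKCS #12 file with the password "demo", and then runs the extraction. It goes a little beyond the post in that it puts the certificates into the right order automatically, handles the OpenSSL 3.x -traditional difference, and checks that the key really belongs to the server certificate. Assumptions: OpenSSL 1.1.1 or 3.x is on the PATH (not tested with LibreSSL), and all filenames, the hierarchy and the password are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): the whole procedure end to end.
# Everything below is constructed for the demo: a throw-away root -> intermediate
# -> wildcard server hierarchy bundled into a PKCS #12 file with password "demo".
set -eu

make_test_pki() {   # $1 = work dir
    w=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$w/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.myhorizondemo.com\n' > "$w/leaf.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" -keyout "$w/root.key" -out "$w/root.csr" 2>/dev/null
    openssl x509 -req -in "$w/root.csr" -signkey "$w/root.key" -extfile "$w/ca.ext" -out "$w/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" -keyout "$w/int.key" -out "$w/int.csr" 2>/dev/null
    openssl x509 -req -in "$w/int.csr" -CA "$w/root.pem" -CAkey "$w/root.key" -CAcreateserial -extfile "$w/ca.ext" -out "$w/int.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=*.myhorizondemo.com" -keyout "$w/leaf.key" -out "$w/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$w/leaf.csr" -CA "$w/int.pem" -CAkey "$w/int.key" -CAcreateserial -extfile "$w/leaf.ext" -out "$w/leaf.pem" 2>/dev/null
    cat "$w/root.pem" "$w/int.pem" > "$w/extra.pem"   # root first on purpose: the bundle will need reordering
    openssl pkcs12 -export -in "$w/leaf.pem" -inkey "$w/leaf.key" -certfile "$w/extra.pem" -passout pass:demo -out "$w/demo.pfx"
}

# Step 1: pull every certificate out of the .pfx and drop the "Bag Attributes"
# lines that vIDM does not want, keeping only the BEGIN/END blocks.
extract_chain() {   # $1 = pfx, $2 = password, $3 = output bundle
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
      | sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' > "$3"
}

# Step 2: order the bundle the way the post describes: server cert, then each
# issuer in turn, ending at the self-signed root. Issuer/subject are matched by
# their OpenSSL name hashes. Returns 1 when a link in the chain is missing.
order_chain() {   # $1 = unordered bundle, $2 = ordered output
    d=$(mktemp -d)
    awk -v d="$d" '/^-----BEGIN CERTIFICATE-----$/{n++} {print > (d "/c" n ".pem")}' "$1"
    issuers=""
    for c in "$d"/c*.pem; do issuers="$issuers $(openssl x509 -in "$c" -noout -issuer_hash)"; done
    leaf=""   # the end-entity cert is the one nobody names as issuer (the root names itself)
    for c in "$d"/c*.pem; do
        s=$(openssl x509 -in "$c" -noout -subject_hash)
        case " $issuers " in *" $s "*) ;; *) leaf=$c ;; esac
    done
    [ -n "$leaf" ] || { echo "no end-entity certificate found" >&2; rm -rf "$d"; return 1; }
    : > "$2"; cur=$leaf
    while :; do
        cat "$cur" >> "$2"
        i=$(openssl x509 -in "$cur" -noout -issuer_hash)
        [ "$(openssl x509 -in "$cur" -noout -subject_hash)" = "$i" ] && break   # reached the root
        next=""
        for c in "$d"/c*.pem; do
            [ "$(openssl x509 -in "$c" -noout -subject_hash)" = "$i" ] && { next=$c; break; }
        done
        [ -n "$next" ] || { echo "broken chain: no issuer for $(openssl x509 -in "$cur" -noout -subject)" >&2; rm -rf "$d"; return 1; }
        cur=$next
    done
    rm -rf "$d"
}

# Step 3: does the ordered chain actually validate up to the trust anchor?
verify_chain() {   # $1 = trusted root, $2 = ordered chain (server cert first)
    sed -n '1,/^-----END CERTIFICATE-----$/p' "$2" > "$2.leaf"
    openssl verify -CAfile "$1" -untrusted "$2" "$2.leaf"
}

# Step 4: extract the key and write it as PKCS #1 ("BEGIN RSA PRIVATE KEY").
# OpenSSL 3 writes PKCS #8 unless asked for -traditional; 1.1.x has no such flag
# and already writes PKCS #1. -check runs separately with -noout so "RSA key ok"
# never ends up inside the key file.
extract_key_pkcs1() {   # $1 = pfx, $2 = password, $3 = output key file
    if openssl rsa -help 2>&1 | grep -q -- '-traditional'; then trad=-traditional; else trad=; fi
    ( umask 077   # -nodes puts the key on disk unencrypted: keep it private, delete it after pasting
      openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | openssl rsa $trad -out "$3" 2>/dev/null )
    openssl rsa -in "$3" -check -noout
}

# Step 5: the key must belong to the first certificate in the chain.
key_matches_cert() {   # $1 = chain (server cert first), $2 = PKCS #1 key
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl rsa -in "$2" -pubout 2>/dev/null)" ]
}

WORK=$(mktemp -d)
make_test_pki "$WORK"
extract_chain "$WORK/demo.pfx" demo "$WORK/raw.pem"
order_chain "$WORK/raw.pem" "$WORK/chain.pem"
verify_chain "$WORK/root.pem" "$WORK/chain.pem"
extract_key_pkcs1 "$WORK/demo.pfx" demo "$WORK/key-pkcs1.pem"
key_matches_cert "$WORK/chain.pem" "$WORK/key-pkcs1.pem"
echo "paste $WORK/chain.pem into the SSL Certificate Chain field and $WORK/key-pkcs1.pem into the Private Key field"
```

For a real .pfx, replace the make_test_pki call with your own file and password and point verify_chain at the root you actually trust (the copy inside the .pfx is not a trust decision, it is just whatever the exporter put there). order_chain fails loudly when an intermediate is missing, which is the most common reason the upload is rejected, and key_matches_cert catches the other classic mistake of pasting the key from a different certificate.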
Once both the chain and the key have been pasted into their fields, click Add.
Kick back, grab a cup of coffee and wait. And wait. And wait some more. Whatever you do, do not refresh or hit back in your browser. The change certificate operation easily takes 10 minutes.