
Category Archives: Support

Certificates for Dummies – Part One: VCSA and PSC Certificates’ Overview and Configuring PSC with Intermediate VMware Certificate Authority (VMCA)


By Jean Oliveira

My name is Jean Oliveira, and I’m a Technical Account Manager in Brazil. In this role, I am often asked to assist in areas where I am not an expert, which means doing some research. For example, a customer of mine planned to replace the self-signed certificates on VMware vCenter Server and VMware vSphere hosts with certificates signed by his internal CA. To do this, he wanted to use the VMware Certificate Authority service as an Intermediate CA. My goal for this post is to help others work through the same task in their own environments.

This blog is organized into two parts:

  • Part One: VCSA (vCenter Virtual Server Appliance) and Platform Services Controller (PSC) Certificates Overview and Configuring PSC with Intermediate VMware Certificate Authority (VMCA)
  • Part Two: Replacing vCenter Server Certificates with VMCA (VMware Certificate Authority)

Before entering any command or accessing a KB, I first had to understand the new architecture behind vCenter 6.x. In the previous version of vCenter Server, each component had its own certificate:

[Image: joliveira_vcenter-components]

In the new VMware architecture, there are only four certificates, with each one responsible for a set of components. The Platform Services Controller is responsible for signing and storing certificates in this new architecture.

[Image: joliveira_vcenter-architecture]

In the PSC, each active certificate must be unique. A certificate’s Subject is composed of the following fields: Common Name (CN), Organization (O), Organizational Unit (OU), Locality (L), State/Province (ST), and Country (C).

Initially, I had assigned the name “Web-Client” for all certificates generated for the Web Client service, which crashed my PSC. Based on my experience, I learned that each certificate’s Subject Name must be unique!

[Image: joliveira_certificate-details]

Keeping this in mind, I used the following naming conventions:

Common Name (CN): Server FQDN
Organization (O): My organization’s name
Organizational Unit (OU): I used the “certificate service name”; for example, VPXD, VPXD-Ext, Web-Client, Machine, and so on
State/Province (ST): Sao Paulo
Country (C): BR

The next step is to join the PSC to the Active Directory domain. In the PSC web interface, under Manage/Settings/Active Directory, click the Join button and enter the domain credentials as shown in the following screen.

[Image: joliveira_active-directory]

Be sure to restart your PSC to apply the change.

Then, prepare the Microsoft Root Certificate Server. In my lab, I used a Windows Server 2003 R2 as a Root Certification Authority, so I had to configure it using “Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.0 (2112009)”.

My next step was to replace the PSC SSL root certificate with the certificate signed by my Microsoft Root Certificate authority, and then replace all machine and solution certificates.

To do this, I connected to my PSC through SSH. If you have trouble enabling the Bash shell, please follow “Toggling the vCenter Server Appliance 6.x default shell (2100508)”.

I located the folder, /usr/lib/vmware-vmca/bin, and ran the command, ./certificate-manager, selecting Option 2, “Replace VMCA Root certificate with Custom Signing Certificate and replace all Certificates”. You can review the following choices I made, and replace them with the correct values for your environment.

  • Do you wish to generate all certificates using configuration file: Option[Y/N] ?: Y (select Y)
  • Please provide valid SSO and VC privileged user credential to perform certificate operations.
  • Enter username [Administrator@vsphere.local]: (enter your administrator username)
  • Enter password: (enter the password)
  • MACHINE_SSL_CERT.cfg file exists, Do you wish to reconfigure: Option[Y/N] ?: Y (select Y to reconfigure the answer file)
  • Enter proper value for 'Country' [Previous value: US]: BR
  • Enter proper value for 'Name' [Previous value: CA]: psc-01a.corp.lab (I used the PSC server FQDN)
  • Enter proper value for 'Organization' [Previous value: VMware]: Corporate Lab
  • Enter proper value for 'OrgUnit' [Previous value: VMware]: Machine-SSL (I used the service name)
  • Enter proper value for 'State' [Previous value: California]: Sao Paulo
  • Enter proper value for 'Locality' [Previous value: Palo Alto]: Sao Paulo
  • Enter proper value for 'IPAddress' [optional]: (left blank)
  • Enter proper value for 'Email' [Previous value: email@acme.com]: administrator@corp.lab
  • Enter proper value for 'Hostname' [Enter valid Fully Qualified Domain Name (FQDN), For Example: example.domain.com]: psc-01a.corp.lab
  • Please configure machine.cfg with proper values before proceeding to next step.
  • Enter proper value for 'Country' [Previous value: US]: BR
  • Enter proper value for 'Name' [Default value: CA]: psc-01a.corp.lab (I used the PSC server FQDN)
  • Enter proper value for 'Organization' [Default value: VMware]: Corporate Lab
  • Enter proper value for 'OrgUnit' [Default value: VMware]: Machine (I used the service name)
  • Enter proper value for 'State' [Default value: California]: Sao Paulo
  • Enter proper value for 'Locality' [Default value: Palo Alto]: Sao Paulo
  • Enter proper value for 'IPAddress' [optional]: (left blank)
  • Enter proper value for 'Email' [Default value: email@acme.com]: administrator@corp.lab
  • Enter proper value for 'Hostname' [Enter valid Fully Qualified Domain Name (FQDN), For Example: example.domain.com]: psc-01a.corp.lab
  • Please configure vsphere-webclient.cfg with proper values before proceeding to next step.
  • Enter proper value for 'Country' [Default value: US]: BR
  • Enter proper value for 'Name' [Default value: CA]: psc-01a.corp.lab (I used the PSC server FQDN)
  • Enter proper value for 'Organization' [Default value: VMware]: Corporate Lab
  • Enter proper value for 'OrgUnit' [Default value: VMware]: vsphere-webclient (I used the service name)
  • Enter proper value for 'State' [Default value: California]: Sao Paulo
  • Enter proper value for 'Locality' [Default value: Palo Alto]: Sao Paulo
  • Enter proper value for 'IPAddress' [optional]: (left blank)
  • Enter proper value for 'Email' [Default value: email@acme.com]: administrator@corp.lab
  • Enter proper value for 'Hostname' [Enter valid Fully Qualified Domain Name (FQDN), For Example: example.domain.com]: psc-01a.corp.lab
    • 1. Generate Certificate Signing Request(s) and Key(s) for VMCA Root Signing certificate
    • 2. Import custom certificate(s) and key(s) to replace existing VMCA Root Signing certificate
  • Option [1 or 2]: 1 (select option 1 to generate the certificate request for the Root Certificate Server)
  • Please provide a directory location to write the CSR(s) and PrivateKey(s) to:
  • Output directory path: /tmp/ca
  • Please configure certool.cfg with proper values before proceeding to next step.
  • Enter proper value for 'Country' [Default value: US]: BR
  • Enter proper value for 'Name' [Default value: CA]: psc-01a.corp.lab (I used the PSC server FQDN)
  • Enter proper value for 'Organization' [Default value: VMware]: Corporate Lab
  • Enter proper value for 'OrgUnit' [Default value: VMware]: certtool (I used the service name)
  • Enter proper value for 'State' [Default value: California]: Sao Paulo
  • Enter proper value for 'Locality' [Default value: Palo Alto]: Sao Paulo
  • Enter proper value for 'IPAddress' [optional]: (left blank)
  • Enter proper value for 'Email' [Default value: email@acme.com]: administrator@corp.lab
  • Enter proper value for 'Hostname' [Enter valid Fully Qualified Domain Name (FQDN), For Example: example.domain.com]: psc-01a.corp.lab
  • CSR generated at: /tmp/ca/vmca_issued_csr.csr (save this path and file name!)

I used WinSCP to copy the file vmca_issued_csr.csr from my PSC Server to my Windows Root Certification Authority Server, C:\Users\Administrator\Desktop.

As stated earlier, in my lab I used a Windows 2003 R2 Root Certification Authority server and, in this Windows version, V3 certificate templates are NOT visible in the Certificate Web Server. Therefore, I had to use the command line to issue the certificates. If you are using Windows 2008 and later, this is not a problem. If you are using Windows 2003 as I was, let me save you some research time! Below are the command line steps to issue the certificates.

Before submitting the request, I had to find the vSphere 6.0 VMCA template name. To find a list of all templates, open a command prompt in the Root Certificate Server, and type:

C:\Users\Administrator\Desktop>certutil -CATemplates

After locating the vSphere 6.0 VMCA name, “vSphere6.0VMCA,” I entered the following command to request the VMCA certificate:

C:\Users\Administrator\Desktop>certreq -attrib "CertificateTemplate:vSphere6.0VMCA" -submit vmca_issued_csr.csr

I saved the certificate file as vmca_issued_cert.cer.

The next step was to create the certificate chain, which included the VMCA Certificate (generated in the previous step), and the Domain Root certificate. To complete this step, I did the following:

  • Created a new empty file, server-root.cer
  • Opened the vmca_issued_cert.cer in Notepad and copied all information to the file, server-root.cer
  • Opened the certenew.cer (the Domain Root certificate) in Notepad and appended all of its contents to the file, server-root.cer
  • Saved the file server-root.cer

Now I had a full-chain certificate file, which I copied to the /tmp/ca folder on my PSC Server.
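A hand-assembled chain file is easy to get wrong (certificates in the wrong order, a stray duplicate, CRLF line endings from Notepad), so before importing it I would run a check like the following. This is an added example, not part of the original post; it is a POSIX shell function that assumes openssl, awk and mktemp are available in the appliance shell.

```sh
#!/bin/sh
# Added example (not part of the original post): sanity-check a hand-built chain
# file such as /tmp/ca/server-root.cer before handing it to certificate-manager.
# Assumes openssl, awk and mktemp are on PATH, as they are on the PSC shell.

# check_chain FILE
# Returns 0 when FILE is an ordered PEM chain: each certificate is issued by the
# one after it, the last one is self-signed, no subject appears twice, and the
# first certificate verifies cryptographically against the last one.
check_chain() {
    f=$1
    tmp=$(mktemp -d) || return 2
    # split the bundle into 1.pem, 2.pem, ...; drop CRs left behind by Notepad
    awk -v d="$tmp" '{ sub(/\r$/, "") }
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n { print > (d "/" n ".pem") }' "$f"
    n=$(ls "$tmp" | wc -l | tr -d ' ')
    [ "$n" -ge 1 ] || { echo "no PEM certificates found in $f"; rm -rf "$tmp"; return 1; }
    : > "$tmp/seen"; : > "$tmp/mid.pem"
    i=1; rc=0; prev_issuer=""
    while [ "$i" -le "$n" ]; do
        subj=$(openssl x509 -in "$tmp/$i.pem" -noout -subject 2>/dev/null | sed 's/^subject=[ ]*//')
        iss=$(openssl x509 -in "$tmp/$i.pem" -noout -issuer 2>/dev/null | sed 's/^issuer=[ ]*//')
        [ -n "$subj" ] || { echo "cert $i: not a parseable certificate"; rc=1; }
        # each certificate must be issued by the certificate that follows it
        if [ "$i" -gt 1 ] && [ "$prev_issuer" != "$subj" ]; then
            echo "cert $i: subject '$subj' is not the issuer of cert $((i - 1))"; rc=1
        fi
        # a repeated Subject Name is exactly the mistake that crashed the PSC
        if grep -Fxq -- "$subj" "$tmp/seen"; then
            echo "cert $i: duplicate subject '$subj'"; rc=1
        fi
        echo "$subj" >> "$tmp/seen"
        # certificates between the first and the last are the untrusted intermediates
        if [ "$i" -gt 1 ] && [ "$i" -lt "$n" ]; then cat "$tmp/$i.pem" >> "$tmp/mid.pem"; fi
        prev_issuer=$iss; i=$((i + 1))
    done
    # the chain must end at a self-signed root
    [ "$prev_issuer" = "$subj" ] || { echo "cert $n is not self-signed"; rc=1; }
    # signature check: cert 1 -> intermediates -> cert n as the only trust anchor
    set -- -CAfile "$tmp/$n.pem"
    [ -s "$tmp/mid.pem" ] && set -- "$@" -untrusted "$tmp/mid.pem"
    openssl verify "$@" "$tmp/1.pem" >/dev/null 2>&1 \
        || { echo "cert 1 does not verify against cert $n"; rc=1; }
    rm -rf "$tmp"
    return "$rc"
}

# Usage on the PSC: check_chain /tmp/ca/server-root.cer && echo "chain OK"
```

The function prints one line per problem found and returns non-zero, so a clean run with no output is the result you want before continuing with certificate-manager.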

Moving on, I returned to the SSH session and chose option 1 below:

  • CSR generated at: /tmp/ca/vmca_issued_csr.csr
    • 1. Continue to importing Custom certificate(s) and key(s) for VMCA Root Signing certificate
    • 2. Exit certificate-manager
  • Please provide valid custom certificate for Root.
  • File: /tmp/ca/server-root.cer (enter the full path and name of the file, server-root.cer)
  • Please provide valid custom key for Root.
  • Please provide valid custom certificate for Root.
  • File: /tmp/ca/root_signing_cert.cer (the path is the same as above, and the file name is the default)
  • Please provide valid custom key for Root.
  • File: /tmp/ca/vmca_issued_key.key (the path is the same as above, and the file name is the default)
  • You are going to replace Root Certificate with custom certificate and regenerate all other certificates
  • Continue operation: Option[Y/N] ?: Y (select Y)
  • Get site nameCompleted [Replacing Machine SSL Cert…]
  • default-site
  • Updated 9 service(s)
  • Status: 100% Completed [All tasks completed successfully]

When it finished, I restarted all services by running service-control --stop --all, and then service-control --start --all.

To verify everything was working, I looked in the certificate store.

VMware has also a good KB you can use as a guide, “Configuring VMware vSphere 6.0 VMware Certificate Authority as a subordinate Certificate Authority (2112016)”.

Stay tuned for Part Two, when I will walk you through the process for replacing vCenter certificates with VMCA signed certificates. Talk to you then!


Jean Oliveira is a Technical Account Manager for VMware based in São Paulo, Brazil. For the last 5+ years he has been helping customers on their hybrid-cloud journey, saving money and reaching a higher level of IT maturity. When not working, he loves spending time with his wife Shirley. You can connect with Jean on LinkedIn.

Global Teamwork Smooths the Way for a Major vSphere 6 Upgrade

By Robert Codo, Santosh Raju Gumidelly, and Amit Rathod

We were recently involved in a major global effort to upgrade a customer to vSphere 6, and want to describe how VMware TAM services can help in scenarios such as this.

To set the scene, let’s review the customer and the challenges they faced in upgrading their global infrastructure to vSphere 6. This company has three data centers in North America and three outsourced data centers in Europe. All the support for their outsourced data centers is located in Asia. They have several hundred ESXi hosts, which run thousands of VMs.

There were strict schedules in place for completing the upgrade to the entire infrastructure by the end of August, after kicking off the project in March. Tight deadlines were required to maintain VMware support compliance and to leverage key technical enhancements available in vSphere 6 that would support the customer’s critical business objectives. As a result, a great deal of planning and coordination was needed to achieve these goals in the time allotted. Luckily, this company already had three TAMs on their team: me (Robert) in North America, Amit in Europe, and Santosh in India. When we first learned of this project, we were already familiar with the inner workings of the company and had a good idea of what was needed to assist them.

Our primary goal was to develop an upgrade strategy plan for them to upgrade the entire environment by the stated deadline of August 24, 2016. We knew this would not be a “one-size-fits-all” process, since there were disparate vCenter deployments across the environment – and they were not standardized. We wanted to drive standardization across the board as part of the upgrade to better position our customer for smooth future upgrades. We already knew their allowed business outage times and availability details when leveraging the outsourced data center management teams. We incorporated this knowledge into our planning.

As we developed the plan, we assisted our customer in identifying gaps in their ability to complete these goals on their own in the required timeframe. We partnered with our colleagues in the Professional Services Organization (PSO) to create a targeted plan that uses consulting services to supplement available manpower, where needed. We also identified training needs for both the customer and the outsourced teams for vSphere 6, VSAN, and NSX. We wanted to ensure they would feel confident and be successful in supporting the upgraded environment once this effort was completed. Our three-person TAM team coordinated the global PSO delivery and support throughout the initiative to ensure a successful outcome.

One of the major deliverables we created during this project was a vSphere 5 to vSphere 6 upgrade prerequisites document. It was developed as a group effort with the customer, the PSO consultant resources, and the TAM team. The upgrade document was based on a combination of published best practices, lessons learned from some of the early upgrades, and the collective knowledge of the collaborative team. Please feel free to download it if you find yourself needing to move to v6 quickly – especially if the upgrade is from a disparate set of configurations! Amit has posted a personal blog on the subject here for you to review as well.


Rob Codo has been a Senior TAM at VMware for 9 years.

With 8+ years of experience in the IT industry, Santosh Raju Gumidelly in his most recent assignment works as a Technical Account Manager in the Professional Services Organization at VMware India. He holds various certifications, such as VCP on DCV, DT and Cloud, RHCE, and Dell Certified Engineer.

Amit Rathod works as a Technical Account Manager in the Professional Services Organization at VMware India. With industry-leading and advanced certifications such as VCAP-DCD and TOGAF, he has 10+ years of experience and is a vExpert 2016. He is the author of vrevealed.wordpress.com and can be followed on Twitter @vrevealed.
Amit Rathod works as a Technical Account Manager in the Professional Services Organization at VMware India. With industry leading and advanced certifications such as VCAP-DCD, TOGAF, etc he has 10+ years of experience and is a vExpert 2016. He is the author of vrevealed.wordpress.com and can be followed on Twitter @vrevealed .