Part 2 : VMWare VCenter 6.7 : PSC External Certificate Installation
Once both PSCs are installed and configured, we need to replace the certificate on both PSC nodes with one whose subject alternative name (SAN) DNS entries contain the First PSC, Second PSC and load-balanced PSC names. We will cover the load balancer part in Part 3.
Step 1: Create CSR request File
This step covers how to create a request configuration file and then the CSR for the SSO SSL certificate, which needs to be requested either from the PSC itself or from an external third-party CA. These certificates eventually need to be installed on both PSCs.
CSR generation is covered in the VMware KB article https://kb.vmware.com/s/article/2147627
- First, connect to any PSC using PuTTY or a terminal.
- Run shell to log in to the shell.
- Create a certs folder under the root directory using the mkdir certs command.
- Then change directory to certs using cd certs.
- Create the config file using cat > filename -> Enter -> paste the config file contents -> Enter -> Ctrl + Z.
The contents of the configuration file (psc_ha_csr_cfg.cfg) are below:
[ req ]
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:false
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = DNS:vcenter-psc01.sslab.com, DNS:vcenter-psc02.sslab.com, DNS:vcenter-psc-lb.sslab.com
[ req_distinguished_name ]
countryName = AE
stateOrProvinceName = State
localityName = City
0.organizationName = SSLAB
organizationalUnitName = Department
commonName = vcenter-psc-lb.sslab.com
Note: In subjectAltName = DNS:vcenter-psc01.sslab.com, DNS:vcenter-psc02.sslab.com, DNS:vcenter-psc-lb.sslab.com, the entries are the names of the First PSC, the Second PSC and the load-balanced VIP.
Note: The common name should be the load-balanced VIP name: commonName = vcenter-psc-lb.sslab.com
Sample output for all the steps is given below.
Command> shell
Shell access is granted to root
root@vcenter-psc01 [ ~ ]# pwd
/root
root@vcenter-psc01 [ ~ ]# mkdir certs
root@vcenter-psc01 [ ~ ]# ls
certs
root@vcenter-psc01 [ ~ ]# cd certs
root@vcenter-psc01 [ ~/certs ]# cat > psc_ha_csr_cfg.cfg
[ req ]
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:false
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = DNS:vcenter-psc01.sslab.com, DNS:vcenter-psc02.sslab.com, DNS:vcenter-psc-lb.sslab.com
[ req_distinguished_name ]
countryName = AE
stateOrProvinceName = State
localityName = City
0.organizationName = SSLAB
organizationalUnitName = Department
commonName = vcenter-psc-lb.sslab.com
root@vcenter-psc01 [ ~/certs ]# cd ..
Run the command below to create the certificate request file psc-ha-vip.csr and its key file, using the config file created above.
openssl req -new -nodes -out /certs/psc-ha-vip.csr -newkey rsa:2048 -keyout /certs/psc-ha-vip.key -config /certs/psc_ha_csr_cfg.cfg
If you receive a directory /certs not found error, remove the / before certs and run the command as shown below.
openssl req -new -nodes -out certs/psc-ha-vip.csr -newkey rsa:2048 -keyout certs/psc-ha-vip.key -config certs/psc_ha_csr_cfg.cfg
Step 2: Download CSR and Request Certificate from CA
Fix : WinSCP connection issues with PSC or vCenter
We need to connect to the PSC with WinSCP. There are known issues where you might get SFTP server or buffer size errors; in that case, follow the steps below to enable the bash shell so that the PSC will allow secure SFTP connections.
First, enable the bash shell on the PSC appliance:
- The bash shell can be enabled from the VM console -> F2 -> Troubleshooting options, or
- Log in to the PSC using https://fqdn:5480 -> Access -> Edit -> Bash shell -> enable it and enter a value such as 90 min (as shown below).
Then, from the PuTTY or terminal SSH session -> shell -> run the command below to change to the bash shell.
chsh -s /bin/bash
After fixing the WinSCP issue, connect and download the CSR file from the PSC.
Option 1: Generating a certificate from the VMCA
Run this command to create the certificate from the psc-ha-vip.csr and psc_ha_csr_cfg.cfg files, outputting a psc-ha-vip.crt file.
openssl x509 -req -days 3650 -in /certs/psc-ha-vip.csr -out /certs/psc-ha-vip.crt -CA /var/lib/vmware/vmca/root.cer -CAkey /var/lib/vmware/vmca/privatekey.pem -extensions v3_req -CAcreateserial -extfile /certs/psc_ha_csr_cfg.cfg
Run this command to copy the current VMCA root certificate and rename it to cachain.crt.
cp /var/lib/vmware/vmca/root.cer /certs/cachain.crt
Run these commands to create the Machine SSL Certificate file, named psc-ha-vip-chain.crt, which contains the newly created certificate and the VMCA root certificate.
cat /certs/psc-ha-vip.crt >> /certs/psc-ha-vip-chain.crt
cat /certs/cachain.crt >> /certs/psc-ha-vip-chain.crt
Option 2: Generate Certificate from Microsoft CA or External CA
The certificate can be requested from an external CA as well; in my case a Microsoft CA is in use. Select Advanced Certificate Request and request the certificate as shown below.
- Once the certificate is issued, select Base 64 and download the certificate – rename it to psc-ha-vip.crt
- Click on Home and download the root certificate – rename it to RootCA.crt
Step 3: Upload Certificates and Create Certificate Chaining
Using WinSCP, upload the server certificate psc-ha-vip.crt and the root certificate RootCA.crt to the /certs folder on the PSC appliance.
These commands create the psc-ha-vip-chain.crt file, which contains all the certificates in the chain: the server certificate first, then any intermediate certificates, then the root certificate. In our case no intermediate certificate authorities are present.
cat /certs/psc-ha-vip.crt >> /certs/psc-ha-vip-chain.crt
cat /certs/RootCA.crt >> /certs/psc-ha-vip-chain.crt
This command creates the cachain.crt file, which includes the root and all intermediate CA certificates.
cat /certs/RootCA.crt >> /certs/cachain.crt
If intermediate certificates are present, use the commands below instead.
cat /certs/psc-ha-vip.crt >> /certs/psc-ha-vip-chain.crt
cat /certs/CustomInterCA1.crt >> /certs/psc-ha-vip-chain.crt
cat /certs/CustomInterCA2.crt >> /certs/psc-ha-vip-chain.crt
cat /certs/CustomRootCA.crt >> /certs/psc-ha-vip-chain.crt
If there are intermediate certificates, run these commands to create a cachain.crt containing the intermediate certificates and the root certificate.
cat /certs/CustomInterCA1.crt >> /certs/cachain.crt
cat /certs/CustomInterCA2.crt >> /certs/cachain.crt
cat /certs/CustomRootCA.crt >> /certs/cachain.crt
Step 4: Replace Current SSL certificates in First PSC
Verify with the ls command that the psc-ha-vip-chain.crt, psc-ha-vip.key and cachain.crt files are present in the /certs folder.
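Beyond confirming that the files exist, they can be validated before certificate-manager is run. The script below is an added example, not part of the original post or of VMware's tooling; the function names preflight_check and make_lab_files and the throwaway lab CA are assumptions made for illustration. It checks that the key matches the leaf certificate, that the leaf verifies against cachain.crt, and that every name from the Step 1 config is present as a SAN entry.

```sh
#!/bin/sh
# preflight_check CHAIN KEY CACHAIN NAME...   (hypothetical helper, not a VMware tool)
preflight_check() {
    chain=$1; key=$2; cachain=$3; shift 3
    for f in "$chain" "$key" "$cachain"; do
        [ -s "$f" ] || { echo "missing or empty: $f"; return 1; }
    done
    # The private key must belong to the leaf, i.e. the first certificate in the chain file.
    cert_pub=$(openssl x509 -in "$chain" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || { echo "key does not match certificate"; return 2; }
    # The leaf must verify against the CA file (any intermediates plus the root).
    openssl verify -CAfile "$cachain" "$chain" >/dev/null 2>&1 ||
        { echo "certificate does not chain to $cachain"; return 3; }
    # Every PSC and VIP name must appear as an exact DNS entry in the SAN list.
    sans=$(openssl x509 -in "$chain" -noout -text | grep 'DNS:' | tr -d ' ' | tr ',' '\n')
    for name in "$@"; do
        echo "$sans" | grep -qxF "DNS:$name" || { echo "SAN missing: $name"; return 4; }
    done
    echo "ok"
}

# Constructed lab input: a throwaway root CA and leaf standing in for Steps 1-3.
make_lab_files() {
    d=$1
    cat > "$d/lab.cfg" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
commonName = vcenter-psc-lb.sslab.com
[ v3_ca ]
basicConstraints = CA:true
[ v3_req ]
basicConstraints = CA:false
subjectAltName = DNS:vcenter-psc01.sslab.com, DNS:vcenter-psc02.sslab.com, DNS:vcenter-psc-lb.sslab.com
EOF
    openssl req -x509 -new -nodes -newkey rsa:2048 -days 1 -config "$d/lab.cfg" \
        -extensions v3_ca -subj "/CN=Lab Root CA" -keyout "$d/ca.key" -out "$d/cachain.crt" 2>/dev/null
    openssl req -new -nodes -newkey rsa:2048 -config "$d/lab.cfg" \
        -keyout "$d/psc-ha-vip.key" -out "$d/psc-ha-vip.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/psc-ha-vip.csr" -CA "$d/cachain.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -extensions v3_req -extfile "$d/lab.cfg" -out "$d/psc-ha-vip.crt" 2>/dev/null
    cat "$d/psc-ha-vip.crt" "$d/cachain.crt" > "$d/psc-ha-vip-chain.crt"
}

lab=$(mktemp -d); make_lab_files "$lab"
preflight_check "$lab/psc-ha-vip-chain.crt" "$lab/psc-ha-vip.key" "$lab/cachain.crt" \
    vcenter-psc01.sslab.com vcenter-psc02.sslab.com vcenter-psc-lb.sslab.com
```

On the appliance, only preflight_check is needed, called with the three real file paths and the three host names.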
To replace the SSL certificate, SSH to the PSC node, log in to the shell and run the command below as shown.
/usr/lib/vmware-vmca/bin/certificate-manager
Select Option 1 first – then Option 2
When prompted for the file paths, provide the information below as shown.
- custom certificate file : /certs/psc-ha-vip-chain.crt
- custom key file : /certs/psc-ha-vip.key
- signing certificate (CA) file : /certs/cachain.crt
Note: If you get any path errors, remove the / before certs, as we are running it under root as shown below.
It will update all the services, stopping and starting them as shown below.
Restart the PSC appliance after this.
Step 5: Replace SSL certificates in Second PSC & Verify
Copy the complete certs folder from the First PSC to your computer using WinSCP, then copy the complete certs folder to the Second PSC appliance.
Log in to the Second PSC appliance using PuTTY or a terminal and repeat Step 4 for the second PSC.
Once the certificate assignment is completed and the PSC is restarted, open the FQDN of both PSCs in a browser and verify that the certificate is in place and without any errors.
Note: If the CA root certificate is not installed on the machine from which you are opening the browser, you might get a certificate error. In that case, verify the certificate and ignore the warning.
Next, the load balancer configuration needs to be completed.
Quick Links for vCenter 6.7 Installation Series
Links to all the posts in vCenter 6.7 VCHA installation with External load balanced PSC
Part 1 : VMWare VCenter 6.7 : External PSC for LB Step-By-Step Installation
Part 2 : VMWare VCenter 6.7 : PSC External Certificate Installation
Part 3 : VMWare VCenter 6.7 : PSC loadBalancing with NetScaler
Part 4 : VMWare VCenter 6.7 : VCenter 6.7 Installation with External PSC
Part 5 : VMWare VCenter 6.7 : VCenter 6.7 VCHA configuration
Hi Siva. Nice Post.
Are these certificates necessary for PSCs?
Default ones also will work.
Hi Siva,
Nice article overall. Could you please let me know what is the impact of changing self signed to custom CA certificate to other components being registered through vCenter and PSC?