Part 2 : VMWare VCenter 6.7 : PSC External Certificate Installation

Once both PSC nodes are installed and configured, we need to replace the certificate on both nodes with one whose Subject Alternative Name (SAN) DNS records cover the first PSC, the second PSC and the load-balanced PSC name. We will cover the load balancer part in Part 3.

Step 1: Create CSR request File

This step covers how to create the config file and then the CSR for the SSO SSL certificate, which can be signed either by the PSC itself (the VMCA) or by an external third-party CA. The resulting certificate eventually needs to be installed on both PSC nodes.

CSR generation is covered in the VMware article https://kb.vmware.com/s/article/2147627

  1. First, connect to either PSC using PuTTY or a terminal.
  2. Run shell to log in to the shell.
  3. Create a certs folder under the root user's home directory (/root) using the mkdir certs command.
  4. Then change directory to certs using cd certs.
  5. Create the config file using cat > filename -> Enter -> paste the config file contents -> Enter -> Ctrl + Z.

The configuration file (psc_ha_csr_cfg.cfg) contents are below.

[ req ]
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:false
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = DNS:vcenter-psc01.sslab.com, DNS:vcenter-psc02.sslab.com, DNS:vcenter-psc-lb.sslab.com
[ req_distinguished_name ]
countryName = AE
stateOrProvinceName = State
localityName = City
0.organizationName = SSLAB
organizationalUnitName = Department
commonName = vcenter-psc-lb.sslab.com

Note: subjectAltName = DNS:vcenter-psc01.sslab.com, DNS:vcenter-psc02.sslab.com, DNS:vcenter-psc-lb.sslab.com; these are the names of the first PSC, the second PSC and the load-balanced VIP.

Note: the common name should be the load-balanced VIP name: commonName = vcenter-psc-lb.sslab.com

Sample output for all steps is given below.

Command> shell
Shell access is granted to root
root@vcenter-psc01 [ ~ ]# pwd
/root
root@vcenter-psc01 [ ~ ]# mkdir certs
root@vcenter-psc01 [ ~ ]# ls
certs
root@vcenter-psc01 [ ~ ]# cd certs

root@vcenter-psc01 [ ~/certs ]# cat > psc_ha_csr_cfg.cfg
[ req ]
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:false
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = DNS:vcenter-psc01.sslab.com, DNS:vcenter-psc02.sslab.com, DNS:vcenter-psc-lb.sslab.com
[ req_distinguished_name ]
countryName = AE
stateOrProvinceName = State
localityName = City
0.organizationName = SSLAB
organizationalUnitName = Department
commonName = vcenter-psc-lb.sslab.com

root@vcenter-psc01 [ ~/certs ]# cd ..

Run the command below to create the certificate request file psc-ha-vip.csr together with its key file, using the config file created above.

openssl req -new -nodes -out /certs/psc-ha-vip.csr -newkey rsa:2048 -keyout /certs/psc-ha-vip.key -config /certs/psc_ha_csr_cfg.cfg

If you receive a "directory /certs not found" error, remove the / before certs (the folder lives under /root, the shell's working directory) and run the command as shown below.

openssl req -new -nodes -out certs/psc-ha-vip.csr -newkey rsa:2048 -keyout certs/psc-ha-vip.key -config certs/psc_ha_csr_cfg.cfg

Sample output is given below.

Step 2: Download CSR and Request Certificate from CA

Fix : WINSCP connecting issues with PSC or vCenter

We need to connect to the PSC with WinSCP; however, there are known errors you might get (SFTP server or buffer size errors). If so, follow the steps below to enable the bash shell so that the PSC will allow SFTP connections.

First, enable the bash shell on the PSC appliance:

  • The bash shell can be enabled from the VM console -> F2 -> Troubleshooting Options, or
  • log in to the PSC at https://fqdn:5480 -> Access -> Edit -> Bash shell -> Enable and set a timeout such as 90 minutes (as shown below).

Then, from the PuTTY or terminal SSH session -> shell -> run the command below to change the default shell to bash:

chsh -s /bin/bash

After fixing the WinSCP issue, connect and download the CSR file from the PSC.

Option 1: Generating a certificate from the VMCA

Run this command to create the certificate from psc-ha-vip.csr and the psc_ha_csr_cfg.cfg file, outputting a psc-ha-vip.crt file. The -extensions v3_req and -extfile options are what carry the SAN names from the config into the signed certificate.

openssl x509 -req -days 3650 -in /certs/psc-ha-vip.csr -out /certs/psc-ha-vip.crt -CA /var/lib/vmware/vmca/root.cer -CAkey /var/lib/vmware/vmca/privatekey.pem -extensions v3_req -CAcreateserial -extfile /certs/psc_ha_csr_cfg.cfg

Run this command to copy the current VMCA root certificate and rename it to cachain.crt.

cp /var/lib/vmware/vmca/root.cer /certs/cachain.crt

Run these commands to create the Machine SSL certificate chain file psc-ha-vip-chain.crt, which contains the newly created certificate followed by the VMCA root certificate.

cat /certs/psc-ha-vip.crt >> /certs/psc-ha-vip-chain.crt
cat /certs/cachain.crt >> /certs/psc-ha-vip-chain.crt

Option 2: Generate Certificate from Microsoft CA or External CA

The certificate can be requested from an external CA as well; in my case a Microsoft CA is in use. Select Advanced Certificate Request and request the certificate as shown below.

  • Once the certificate is requested, select Base 64 and download the certificate – rename it to psc-ha-vip.crt
  • Click on Home and download the ROOT certificate – rename it to RootCA.crt

Step 3: Upload Certificates and Create Certificate Chaining

Using WinSCP, upload the server certificate psc-ha-vip.crt and the root certificate RootCA.crt to the certs folder on the PSC appliance.

These commands create the psc-ha-vip-chain.crt file, which contains all the certificates in the chain: the server certificate first, then any intermediate certificates, then the ROOT certificate. In our case no intermediate certificate authorities are present.

cat /certs/psc-ha-vip.crt >> /certs/psc-ha-vip-chain.crt
cat /certs/RootCA.crt >> /certs/psc-ha-vip-chain.crt

This command creates the cachain.crt file, which includes the ROOT and all intermediate CA certificates.

cat /certs/RootCA.crt >> /certs/cachain.crt

If intermediate certificates are present, the commands below build the chain instead (server certificate first, then each intermediate in order, then the root).

cat /certs/psc-ha-vip.crt >> /certs/psc-ha-vip-chain.crt
cat /certs/CustomInterCA1.crt >> /certs/psc-ha-vip-chain.crt
cat /certs/CustomInterCA2.crt >> /certs/psc-ha-vip-chain.crt
cat /certs/CustomRootCA.crt >> /certs/psc-ha-vip-chain.crt

If there are intermediate certificates, run these commands to create a cachain.crt containing the intermediate certificates and the root certificate.

cat /certs/CustomInterCA1.crt >> /certs/cachain.crt
cat /certs/CustomInterCA2.crt >> /certs/cachain.crt
cat /certs/CustomRootCA.crt >> /certs/cachain.crt

Step 4: Replace Current SSL certificates in First PSC

Verify using the ls command that the psc-ha-vip-chain.crt, psc-ha-vip.key and cachain.crt files are present in the certs folder.
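As an added example, not the post's own commands, the script below rehearses Step 1 (CSR from the config), the Option 1 signing and the Step 3 chain assembly in a temporary directory, then runs the pre-flight checks worth doing on the three files before certificate-manager is launched: presence, key-to-certificate match, all three SAN names present, and chain verification against cachain.crt. It assumes openssl on the PATH; the "Lab Root CA" standing in for the VMCA root, the temp directory and the check_bundle function are constructed for the example.

```shell
# Added example, not the post's own commands: rehearses Step 1, the Option 1
# signing and the Step 3 chain assembly in a temp dir, then runs pre-flight
# checks before certificate-manager. A constructed "Lab Root CA" plays the VMCA root.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
CFG="$WORK/psc_ha_csr_cfg.cfg"
# The post's CSR config (DN trimmed to the CN) plus a v3_ca section for the stand-in root.
cat > "$CFG" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
prompt = no
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:false
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = DNS:vcenter-psc01.sslab.com, DNS:vcenter-psc02.sslab.com, DNS:vcenter-psc-lb.sslab.com
[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage = keyCertSign, cRLSign
[ req_distinguished_name ]
commonName = vcenter-psc-lb.sslab.com
EOF
# Stand-in root CA (constructed); -subj overrides the config's CN.
openssl req -x509 -nodes -newkey rsa:2048 -days 30 -subj "/CN=Lab Root CA" \
  -config "$CFG" -extensions v3_ca -keyout "$WORK/RootCA.key" \
  -out "$WORK/RootCA.crt" 2>/dev/null
# Step 1: CSR and private key from the config, as in the post.
openssl req -new -nodes -newkey rsa:2048 -config "$CFG" \
  -keyout "$WORK/psc-ha-vip.key" -out "$WORK/psc-ha-vip.csr" 2>/dev/null
# Option 1 signing; -extfile/-extensions is what carries the SANs into the cert.
openssl x509 -req -days 3650 -in "$WORK/psc-ha-vip.csr" -CA "$WORK/RootCA.crt" \
  -CAkey "$WORK/RootCA.key" -CAcreateserial -extensions v3_req -extfile "$CFG" \
  -out "$WORK/psc-ha-vip.crt" 2>/dev/null
# Step 3: leaf first, then the CA(s); cachain.crt holds only the CA(s).
cat "$WORK/psc-ha-vip.crt" "$WORK/RootCA.crt" > "$WORK/psc-ha-vip-chain.crt"
cp "$WORK/RootCA.crt" "$WORK/cachain.crt"
# Step 4 pre-flight: files present, key matches leaf, all SANs kept, chain verifies.
check_bundle() {
  for f in psc-ha-vip-chain.crt psc-ha-vip.key cachain.crt; do [ -s "$1/$f" ] || return 1; done
  k=$(openssl pkey -in "$1/psc-ha-vip.key" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$1/psc-ha-vip-chain.crt" -noout -pubkey | openssl sha256)
  [ "$k" = "$c" ] || { echo "key does not match certificate"; return 1; }
  txt=$(openssl x509 -in "$1/psc-ha-vip-chain.crt" -noout -text)
  for n in vcenter-psc01 vcenter-psc02 vcenter-psc-lb; do
    echo "$txt" | grep -q "DNS:$n.sslab.com" || { echo "SAN $n missing"; return 1; }
  done
  openssl verify -CAfile "$1/cachain.crt" "$1/psc-ha-vip-chain.crt" >/dev/null
}
check_bundle "$WORK" && echo "bundle OK"
```

On a real PSC, point check_bundle at the certs folder that holds the files produced in Steps 1 to 3 to run only the checks.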

To replace the SSL certificate, SSH to the PSC node, log in to the shell and run the command below.

/usr/lib/vmware-vmca/bin/certificate-manager

Select Option 1 first – then Option 2.

When prompted for the file paths, provide the information below.

  • custom certificate file: /certs/psc-ha-vip-chain.crt
  • custom key file: /certs/psc-ha-vip.key
  • signing certificate (CA) file: /certs/cachain.crt

Note: if you get any path errors, remove the / before certs, as we are running it from the root home directory as shown below.

It will update all the services, stopping and starting them as shown below.

Restart the PSC appliance after this.

Step 5: Replace SSL certificates in Second PSC & Verify

Copy the complete certs folder from the first PSC to your computer using WinSCP, then copy the complete certs folder to the second PSC appliance.

Log in to the second PSC appliance using PuTTY or a terminal and repeat Step 4 for the second PSC.

Once the certificate assignment is completed and the PSC is restarted, open the FQDN of both PSCs in a browser and verify that the certificate is in place without any errors.

Note: if the CA root certificate is not installed on the machine from which you are browsing, you might get a certificate error. In that case verify the certificate details and ignore the warning.

Next, the load balancer configuration needs to be completed.

Quick Links for vCenter 6.7 Installation Series

Links to all the posts in vCenter 6.7 VCHA installation with External load balanced PSC

Part 1 : VMWare VCenter 6.7 : External PSC for LB Step-By-Step Installation

Part 2 : VMWare VCenter 6.7 : PSC External Certificate Installation

Part 3 : VMWare VCenter 6.7 : PSC loadBalancing with NetScaler

Part 4 : VMWare VCenter 6.7 : VCenter 6.7 Installation with External PSC

Part 5 : VMWare VCenter 6.7 : VCenter 6.7 VCHA configuration

Siva Sankar

Siva Sankar works as Solution Architect in Abu Dhabi with primary focus on SDDC, Automation,Network Virtualization, Digital Workspace, VDI, HCI and Virtualization products from VMWare, Citrix and Microsoft.

3 thoughts on “Part 2 : VMWare VCenter 6.7 : PSC External Certificate Installation”

  • April 5, 2020 at 11:08 pm

    Hi Siva. Nice Post.

    Are these certificates necessary for PSCs?

  • May 18, 2021 at 9:18 pm

    Hi Siva,
    Nice article overall. Could you please let me know what the impact of changing from self-signed to custom CA certificates is on other components registered through vCenter and PSC?

