vCenter/vSphere Web Client SSL Certificate Requests (PFX vs JKS)

I was working to get certs for the vsphere web client.  Needless to say, I had worked w/ JKS (Java Keystore) before so I figured the process was the same for PFX (PKCS12 keystore) files, but I was dead wrong.  I'd highly recommend looking into the VMware SSL Certificate Automation Tool.  What follows is mainly a learning exercise for me.

For starters, if you have a mac, good for you, cause openssl is likely already installed and accessible via terminal which makes things much easier from the get go.  If you run Windows, download the windows binaries and install.  If you go to the openssl.org site like listed in VMware's docs as a Windows admin, lord help you.  When you install the openssl windows binaries w/ all defaults selected, openssl installs on C:\OpenSSL-Win32\bin.

Open a command prompt to that directory, then you can pretty much follow the instructions from VMware.

To read more about my trials and tribulations, click the link to continue below.



If you created a CSR by using keytool based on a key in a PFX file:
You cannot import the signed cert into the PFX because the PFX doesn't have a notion of trust.  You're likely going to get an error stating: "keytool error: java.lang.Exception: Failed to establish chain from reply"  If you try to import your root CA, your likely to get the following error: "keytool error: java.security.KeyStoreException: TrustedCertEntry not supported"
So you'll need to use openssl to recreate the PFX file using the RSA key (aka private key) created to generate the CSR.  To get that key you can use openssl.
To get the RSA/Private Key:

  • All cmd lines assume you copied files (rui.key | rui.pfx | rui.crt) to your working directory, otherwise, you'll need to provide a full path to them.
  • openssl pkcs12 -in rui.pfx -nocerts -nodes
    • default password is "testpassword" w/o the quotes
    • If you created a csr from rui.pfx using keytool, this command should return two keys.
    • The second key w/ your alias is likely the paired key and looks something like this:
      • -----BEGIN RSA PRIVATE KEY-----  or -----BEGIN PRIVATE KEY-----
      • ABUNCHOFCRAPINBETWEEN
      • MORECRAPTHATSUNREADABLE
      • -----END RSA PRIVATE KEY----- or -----END PRIVATE KEY-----
    • Copy the text returned like the example above and save it into a plain text file.  Save that file as rui.key
Now assuming you received your signed cert already, you are now ready to create a new pfx keystore.

  • Rename the signed cert you received to rui.crt
  • openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui -passout pass:testpassword -out rui.pfx
    • testpassword is recommended from vmware as changing it seems to introduce some stability problems.
    • This should output a usable pfx file now.
    • After running this command, you should now have 3 files: rui.crt, rui.pfx, rui.key
Now w/ the 3 files needed in hand, you can replace the self-signed certs of your vsphere web client server:

  • Default location: C:\Program Files\VMware\Infrastructure\vSphereWebClient\DMServer\config\ssl
  • Restart the "vSphere Web Client Service"
The easier way using OpenSSL
At this point, I'm assuming you already installed OpenSSL, if not do so.
  1. Generate your certificate request(CSR)
    • This generates a CSR w/ your existing private key.  Recommended for existing deployments.
      • openssl req -out C:\somedirectory\nameyourCSR.csr -key \\yourvcenterserver\c$\programdata\VMware\VMware VirtualCenter\SSL\rui.key -new
    • This generates a CSR w/ a new private key.  Fine for new deployments.
      • openssl req -out rui.csr -new -newkey rsa:2048 -nodes -keyout rui.key
        • add "-config openssl.cfg" w/o quotes to the above command line if working from Windows.  
        • Mac and I believe Linux will reference /usr/local/ssl/openssl.cnf.
        • Or you can make your own .cnf file w/ all your cert request fields pre-populated.  It might even be a good idea to make one per cert you plan on requesting.
          • Here is a good KB from VMware on what to copy and paste into that cnf file.
  2. A 'wizard' will prompt you for various bits of information.
    • The most important one is the common name.  This is where you enter your server's name.  The name that you want to be 'certified'.
  3. Submit your generated CSR to your CA (Certificate Authority) of your choice.
  4. When you receive your signed cert, rename the file to 'rui.crt'
  5. Now time to generate the pfx file
    • openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui -passout pass:testpassword -out rui.pfx
    • Look familiar?  It should if you read above.
  6. Now you have all 3 files needed to replace the self-signed certs for the web client.
    • Default location: C:\Program Files\VMware\Infrastructure\vSphereWebClient\DMServer\config\ssl
  7. Restart the "vSphere Web Client Service"
Additional Notes:

  • These same steps can be applied to vCenter as well.  I'd recommend viewing any updated VMware documentation before going through these steps, but these should prove helpful (I hope) to Windows/Operationally focused peoples.
  • This line generates a new CSR using an existing private key.  Recommend using this if replacing a currently in use system default cert:
    • openssl req -out C:\somedirectory\nameyourCSR.csr -key \\yourvcenterserver\c$\programdata\VMware\VMware VirtualCenter\SSL\rui.key -new






No comments: