I was contacted recently by Maish Saidel-Keesing (@maishsk), who is a vExpert, fellow tweeter and top 50 virtualization blogger at technodrone.blogspot.com asking if I had updated the SSL Certs in vShield Manager at all. At this point I have updated quite a lot of certs for customers and in my lab but vShield wasn’t one of them and it was still firmly on my To Do list. He challenged me to see if I could get it working, so I set about updating my vShield Manager SSL Certs and helped Maish do the same in his environment. It wasn’t quite as hard as some of the other tools when it comes to changing SSL Certs, but it wasn’t entirely straight forward either. If you want to know how to do it the easy way, read on.
The first place you should go when trying to update SSL Certificates in any of the VMware products is the product documentation. At least for an overview of how the process might work. As you are probably aware by now (If you’ve read my previous posts on the SSL Cert Topic – Updating CA SSL Certs in vSphere 5) there have been a number of examples where the documentation isn’t quite complete or easy to follow. This is also the case with the vShield 5.0 Admin Guide. This article will outline the steps necessary to update the SSL Certs on vShield Manager 5.0 and give you an insight into some of the differences with 5.0.1 that we discovered along the way.
If you want a way to fully manage the certificate lifecycle and replace certs automatically then you’ll want to check out vCert Manager – Changing VMware SSL Certs Made Easy. This will completely automate the SSL certificate process in vSphere environments.
Prerequisites and Assumptions
This article assumes you the following:
- You already have an Organisational CA and PKI Infrastructure.
- vShield Manager is already deployed in the environment with configured with a valid IP address on the management network.
- You have validated connectivity to your vShield Manager prior to executing this process.
- Your vShield Manager must have a fully qualified domain name in your DNS.
- If you are using a Windows 2003 CA you have applied Microsoft KB 931351 to allow the SAN attribute to be specified as part of the certificate request. This will require a restart of the CA services.
- Your CA certificate template supports the Subject Alternative Name (SAN) attribute in certificate requests. Your chosen CA Certificate Template should be verified before you start this process.
- You have a copy of your Root CA and Intermediate CA (if applicable) Certificates available for use during this process.
- You are using Internet Explorer as your browser. Note: Other browsers will work for some parts of this process, however they may not work with the CA certsrv web site and root certificates may need to be pre-trusted in the non-IE browsers.
You will be required to log in as admin to perform all the tasks outlined and will require access to the CA to request and download the certificate.
Updating SSL Certificate in vShield Manager 5.0 High Level Steps
Here I will give you an overview of the high level process steps and then dig into the detail including screenshots in the next section. I hope this makes your process of updating the vShield Manager SSL Certs as painless as possible. This process was tested using vShield 5.0 and 5.0.1 and a Windows 2003 CA, but will also work with Windows 2008 and above.
- Generate the Certificate Signing Request (CSR) from the vShield Manager SSL Certificates GUI with the correct details for your organization and CA.
- Download the generated CSR from vShield Manager and Submit it to your CA.
- Download the CA signed SSL Certificate generated in Step 2.
- Download or export the Root CA Certificate and Intermediate CA Certificate if applicable.
- Import the Root CA Certificate to vShield Manager.
- Import the Intermedia CA Certificate to vShield Manager (if applicable).
- Import the CA signed x.509 SSL Certificate for vShield Manager.
- When the new CA signed SSL Certificate in Step 7 is applied the vShield Manager will reboot, when this is complete log back into vShield Manager.
So only 8 steps, seems easy right? Well it is fairly easy, but there are some catches, which I’ll explain in detail below.
Updating SSL Certificate in vShield Manager 5.0 Detailed Steps
Now we will dive into the detailed steps required to update the SSL Certificates for vShield Manager. As I take you through this I will point out the gotcha’s and inconsistencies with the existing product documentation you need to be aware of as we come to the relevant steps. Screenshots are included to make the process easier to follow. Bare in mind as you are going through this process that vShield Manager is registered with vCenter using it’s IP address and accessed from within vCenter Server using your browser. This is an important aspect when it comes to certificates and validity checks.
- Log into vShield Manager as admin.
- Click Settings and Reports in the left hand navigation window.
- Click SSL Certificate.
- You will find yourself presented with a form allowing you to enter the information required to generate a Certificate Signing Request (CSR). I suggest using RSA 2048bit key. At this point you need to use the fully qualified domain name (FQDN) of the vShield Manager as the Common Name. Failure to use the FQDN will result in an error in vShield Manager 5.0 and you will not be able to generate the CSR. This is the first inconsistency with the product documentation as it advises you to use the IP address of the vShield Manager, which doesn’t work. Using the IP address as the Common Name is possible in vShield Manager 5.0.1. Fill in the CSR information similar to the following image with your relevant organization details.
- Click the Generate Button.
- When the CSR is generated you should see a message displayed in a yellow bar at the top of the screen saying “Certificate Signing Request is generated successfully”, Click the Download generated certificate link on the right hand side of the screen. Save the file somewhere easily accessible.
- Submit the CSR to your CA using either the certreq command or the certsrv web site on your CA. The step-by-step instructions for using the certsrv web site are as follows:
- Browse to http:// or https:// <yourca>/certsrv from a supported Guest OS and a supported browser (refer to Microsoft for this information for your specific CA).
- Click Request a certificate Link.
- Click advanced certificate request Link.
- Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file. Link.
- Copy and paste the text from your CSR into the base-64-encoded certificate request box, making sure to remove any erroneous carriage returns, select the correct certificate template, and enter the SAN information in the Additional Attributes Field (similar format to the diagram below).
- Click Submit button.
- Click Base 64 encoded radio button and click Download certificate, save the certificate in an easily accessible location.
- Be sure that you specify the Subject Alternative Name (SAN) of your vShield Manager using it’s IP address as an additional attribute during your request. If you fail to specify the IP address in the SAN you will be prompted with a warning dialog each time you access vShield Manager via vCenter Server. This is because vShield is registered with vCenter Server and accessed using it’s IP address and the IP address won’t match the Common Name specified in the certificate. To specify the SAN use the additional attribute SAN:dns=xxx.xxx.xxx.xxx, where the x’s are replaced with your vShield Manager IP address, as shown in the example image.
- Open your newly generated certificate and verify the attributes are as you expect and the Subject Alternative Name is correctly showing the IP address of your vShield Manager.
- In vShield Manager on the SSL Certificate Tab ensure Import Signed Certificate is expanded and visible. At this point the Product Documentation advises you to import your CA signed certificate, however this will not work. If you attempt this you will see a message displayed saying that importing the certificate failed. This is because you have not yet imported the Root CA certificate or Intermediate CA certificate (if applicable).
- Select Certificate Type Root CA. You will see something similar to the following displayed.
- Browse and find your Root CA certificate and use that as the Certificate File, then click Apply button. A yellow bar containing the message “Successfully imported certificate.” should be displayed at the top of the screen.
- If you used an Intermediate CA to generate your certificate then repeat steps 9 and 10 for the Intermediate CA certificate as the Certificate File being sure to select Intermediate CA for the Certificate Type as per the image below.
- Repeat steps 9 and 10 and using the CA-signed X.509 Cert as the Certificate Type and using your CA signed vShield Manager certificate for the Certificate File, similar to the image below.
- When the certificate is imported successfully you will see an Apply Signed Certificate box at the top of the screen. Click Apply Certificate. If you see an error displayed in the yellow box stating “Error: Importing certificate failed. Please retry the operation” either the root or intermediate CA certificates are missing or not imported correctly, or there is a problem with your CA certificate. You may have to start the process again. You may with to refer to VMware KB 1035387 – Importing SSL certificates in vShield Manager.
- vShield Manger will be restarted to apply the certificate, once it has restarted, log in again as admin by accessing vShield Manager using it’s IP address. You should not be prompted or warned that you are accessing an untrusted site and the vShield Manager login screen should be immediately visible. To verify the certificate click the padlock icon in the address bar.
- Congratulations you have now completed the update of your vShield Manager SSL Certificate Successfully!
Please Note: I have received reports that the SSL Certificate is lost when an upgrade from vShield Manager 5.0 to 5.0.1 is performed. I have not yet been able to verify this with VMware or tested it myself. I would suggest that a backup of vShield Manager is taken prior to any upgrade process. I will investigate these reports and update this post. I would like to hear from you if you have experienced this yourself, or if you have any feedback on this process.
Big thanks to Maish for being the inspiration for this article and for help with some of the detail included in this article.
This post first appeared on the Long White Virtual Clouds blog at longwhiteclouds.com, by Michael Webster +. Copyright © 2012 – IT Solutions 2000 Ltd and Michael Webster +. All rights reserved. Not to be reproduced for commercial purposes without written permission.
[…] Updating SSL Certificate in vShield Manager Made Easy […]
I was working on trying to do this process and when I tried to generate a CSR in vShield manager 5.0.1 using an FQDN it throws an error that the common name is not in a valid format. I am entering the fqdn for the vShield Manager VM as something like: server_name.sub_domain.company.com in the common name field. I was wondering if you or anyone else had seen this message? I've successfully been able to generate CSRs for other vSphere components so I like to hope I should know how to fill out the CSR fields but maybe I missed something.
Hi Mike, I would recommend using the IP address in the common name field for vShield Manager 5.0.1. The FQDN should go into the SAN only.
Do you know if using CSRs generated by openssl etc work? Or is it mandatory to use the CSR generated by the vShield web page?
It is mandatory to use the CSR that is generated by the vShield Manager web page. Else you have no way of generating and uploading the key.
Thanks Michael.
I am not successful adding the SAN attribute to the cert. I am trying to determine if this is a security issue of our PKI not allowing the SAN attribute to be added. I noticed this article, http://windowsitpro.com/security/q-how-can-i-enab… . Did anyone else run into this issue?
Nate,
I had the same issue and it proved that i had to set that setting on my CA in the article you posted a link to. Apparently if the SAN value is part of the CSR its not an issue but when its supplied as "additional attributes" on the certsrv web-form SAN has to be allowed as per the article you reference.
[…] A great procedure for updating vShield Manager Appliance SSL is here: http://longwhiteclouds.com/2012/03/31/updating-ssl-certificate-in-vshield-manager-made-easy/ […]
Was very helpful. Thank you!
Good afternoon. Is there a way to implement wildcard ssl to vShield Manager 5.5? Previous version does not have this feature.
As far as I'm aware there is no way to implement wildcard SSL certificate with vCloud Networking and Security Manager, even in version 5.5.
[…] Michael Webster has already made a blog post on configuring CA signed certificates for vShield Manager which you can find here […]