During my VMworld session presentation INF-SEC1282 Automating Security and Compliance with DR (VMworld account required to access recording) I gave a world premiere glimpse of a prototype solution that will allow completely automated management of SSL Certificates in a vSphere environment. The solution is still under development. But if you’d like to peek into the future of an easy and completely automated SSL management world for vSphere then this article is for you.
[Updated 14/09/2013] vCert Manager is now Generally Available! This was announced at VMworld USA 2013 in San Francisco. If you’d like to see how the prototype changed into the full product please check out my article VMworld USA 2013 By The Numbers. You can obtain an evaluation version of vCert Manager by visiting VSS Labs.
The session was an outstanding success; we received a massive response from the audience and subsequent to the session. As a result of this positive feedback we’ve decided to make the demo video available to the public on YouTube here and displayed below. I’m the lead architect of the solution and I’m working with VSS Labs based in Singapore and Philippines. If after reviewing the demo you’d like to become part of the early adopter / beta program please visit the VSS Labs web site and register your expression of interest by filling in the Early Adopter Form.
Some things you should know about the demo before you watch it:
- This is a very early prototype and is a standalone .NET application in this demo. The full version will be web based and we will likely have .NET or Java / Virtual Appliance options. We’d appreciate feedback on which variant would be the highest priority.
- In the demo we are only showing the replacement of ESXi certs, but the intention is to support ESX/ESXi 4.x and 5.x out of the gate, in addition to vCenter, vSphere Web Client and selected integrated components and management tools, such as VMware View, vCloud Director, SRM, vShield, vCOps. Your feedback on the most critical components to support upon GA would be valuable.
- We will be supporting multiple Certificate Authorities, both private and public. We will support standalone and enterprise / AD integrated Windows CAs (2003 and 2008 versions). Where APIs are not available, public CA support may still require some manual steps, but creating the CSR, applying the certs and managing the lifecycle of the cert will be automated.
- The minimum key length supported will be 1024 bits, with a maximum of 4096 bits and a default of 2048 bits.
- In the demo we use a standalone Windows CA, which is the reason for the message displayed in IE towards the end of the demo. The CA’s cert was not pre-trusted on the system where the browser is being run. This message would not be displayed had an AD Integrated Enterprise CA been used.
Once you have watched the demo please complete the brief survey below.
Please let us know what your thoughts are on the most critical components we should support when we release vCert Manager 1.0.
Final Word
Managing SSL Certs in a VMware environment is a very complicated, time consuming, error prone, and costly task. My hope is that vCert Manager will revolutionize SSL Management in VMware environments and make it simple, easy, and cost effective to change and maintain SSL certificates throughout their lifecycle, for all customers, providing a more secure platform to many customers that wouldn’t or couldn’t currently change their SSL certificates. If after reading this article and seeing the demo you still want to do your certificates manually then please feel free to check out my article on Updating SSL Certificates in vSphere 5. I look forward to receiving some good feedback and comments.
—
This post first appeared on the Long White Virtual Clouds blog at longwhiteclouds.com, by Michael Webster. Copyright © 2012 – IT Solutions 2000 Ltd and Michael Webster. All rights reserved. Not to be reproduced for commercial purposes without written permission.
[…] the certificate lifecycle and replace certs automatically then you’ll want to check out vCert Manager – Changing VMware SSL Certs Made Easy. This will completely automate the SSL certificate process in vSphere environments. This will […]
[…] William Lam at virtuallyGhetto has written a couple of very useful blogs on the topic of SSL Certificates that you may like to review. I hope that the recommendation to check expiry makes it into the final version of the hardening guide. If you want a way to fully manage the certificate lifecycle and replace certs automatically then you’ll want to check out vCert Manager – Changing VMware SSL Certs Made Easy. […]
[…] I would like to draw your attention to the vCenter SSL Certificate recommendations in particular. Additional recommendations are made to check the validity of certificates and also to remove any expired or revoked certificates from your environment. These are very important administrative tasks that should be done if you are using custom SSL certs in place of the default self-signed certs. In my previous post I have linked to William Lam’s blog that contains scripts to help you automate this task. If you want a way to fully manage the certificate lifecycle and replace certs automatically then you’ll want to check out vCert Manager – Changing VMware SSL Certs Made Easy. […]
[…] vCert Manager – Changing VMware SSL Certs Made Easy […]
this is really a great idea! I hope that this project will be integrated into vSphere sooner than later! Especially changing SSL certs for vCenter is really time consuming and painful as you have to copy the certs to five different directories, run some CLI commands, etc. btw: is it planned that SAN's (Subject Alternate Names) are also supported by vCert Manager (used by SRM)?
Hi Ronny,
Yes SAN's are supported and the intelligence is built into vCert Manager for the CSR's to request them. Some Pre req's exist on the CA's however that'll be in the docs. Cert Templates need to support them properly. For SRM the SAN will be FQDN, ShortName and IP. Common Name will be user defined.
[…] the certificate lifecycle and replace certs automatically then you’ll want to check out vCert Manager – Changing VMware SSL Certs Made Easy. When released this aims to support vSphere 5.1 and will make the process as easy as clicking a […]
I can't wait for this tool! SSL configuration with VMware products is extremely, extremely, highly frustrating! It's even worse in vSphere 5.1. The tool will negate the need for some of my blog posts, but I'll gladly trade that for not pulling out my hair when trying to properly configure certificates.
The tool should also manage the SSL certificates needed for the SSO Service installer to establish a SSL connection to the back-end MS SQL server. The process of configuring the JDBC URL and keystore for trusted SSL is very tedious and not documented anywhere in VMware docs that I know of. I had to figure it out for myself.
http://derek858.blogspot.com/2012/09/vmware-vcent…
Great idea. I am in the process of creating a plan to update 200+ hosts with signed certificates. This will be time consuming. This may adjust some of the design times. Hopefully this is out sooner than later. Good work.
This is going to be one of the best solutions. I don't know why VMware didn't include such kind of certificate management as default when they introduced SSO, Inventory, vCenter, Web Client in 5.1. It's really painful to manage certificates. Hope to see this tool in market soon.
Thanks to Derek Seaman, he has put lots of efforts in documenting the procedure.
[…] SSL Management – vCert Manager: My demo of the vCert Manager prototype was very well received and everyone in the audience of the Automating Security and Compliance with DR session agreed it would greatly simplify the process of managing SSL Certificates in VMware environments. I have published the Demo online and written about it in article vCert Manager – Changing VMware SSL Certs Made Easy. […]
[…] contribution to the effort. I will be making sure the process is automated for you as part of the vCert Manager project that I’m working on. My goal would be to automate both the Windows Installable and […]
Really Super Great idea !! Looking forward to this solution!! Tnx Michael!
Good luck for this great project… You are right when you discuss about the pain to work with these certificates! I wish you much success
Awesome work Michael!
Regards
@pshearduk
Any idea when this tool will be released?
We're expecting vCert Manager to be generally available this quarter (Q1 2013). It will be in Beta shortly.
Thanks for the quick update. Can we still sign up for the Beta?
You sure can. Just complete the early adopter form that I've linked through to in the article and you'll be contacted as soon as the general beta is available.
I've tried to access the program but got no response. Does anyone have a working download link or know if the program is still going?
At this stage there is no download link. The beta will be sent out to those registered on the early adopter program. Once the product is GA an eval version is likely to be available.
[…] wrote an article regarding a few months ago titled vCert Manager – Changing VMware SSL Certs Made Easy, which included a demo of a very early prototype that I presented at VMworld USA in August 2012. […]
[…] Suite. On this second point I was made aware of the “vCert Manager” project over on LongWhiteClouds.com which I’ve signed up for the beta that’s been piloted by Virtual Systems Solutions. […]
[…] vCert Manager – Changing VMware SSL Certs Made Easy by Michael Webster […]
Same for me. I filled in the early adopter form in Q4/2012 but got no response until now.
Is there no news on that?
Hi Constey, I'll follow up why you've not been contacted. But I know there are a number of customers evaluating the beta and the RC will shortly be available.
VMware have released their own tool. I haven't used it but it might be worth a shot. http://kb.vmware.com/kb/2041600
I'd recommend you take a look at the new VMware Tool. It will help with vCenter 5.1 certificates.
Yep, i just wrote about it – and noticed that there was some kind of tool i was still waiting for 🙂
I found this post today while doing some research on changing certificates in vSphere 5.1. When will this tool be available? Can we still sign up for the early adopter program?
This would be perfect! We just implemented a new vSphere 5.1 environment with Heartbeat and to properly replace the certificates takes hours. I hope this is available in the next 2 years before these certificates expire.
Hi Andrew, General availability of vCert Manager was announced at VMworld. You can find some of the latest info by reviewing my VMworld article –
Thanks, I'll take a look for it. I was disappointed to find that after spending a few hours updating the environment with CA SSL certificates, the Heartbeat install on my vCenter Server reverted to a self-signed certificate.
Hi Andrew, Heartbeat itself doesn't use the same certificate as vCenter. So there is a separate process to change out the Heartbeat certificates. I have an article on this site with guidance around that. SSL Certificate Management is quite difficult, that's why I helped VSS Labs with technical advice to create vCert Manager. It's really the only tool that provides complete lifecycle management of SSL Certificates for vSphere environments. The GA 1.0 version allows for management of ESX/ESXi Hosts and vCenter Certificates. It doesn't manage any of the other certificates. I understand that future versions will manage other types of certificates based on customer demand and feedback. They tried to take away the vast majority of the pain which was around vCenter, SSO, and Host Certificates. Check it out and have a look at getting an evaluation version.
Michael,
Do you know where I could obtain license costs for vCert Manager for vSphere 5.1? Are you saying in the above article that it only caters for ESXi Hosts & vCenter i.e. not SSO or Inventory Services?
Hi Harry, it does SSO and inventory service as well. You can find out more at VSSLabs.com, VSS Labs is the developer of the solution.
Hi Michael,
I want to change the bits from 2048 to 4096 but I wonder why I cannot edit the generate-certificate script because it's read-only, even though I have used x! to save it.
I found the workaround by copying it first to /tmp, edit, and copy back to /sbin. But I'm just curious why I cannot edit in /sbin.