vCert Manager – Changing VMware SSL Certs Made Easy
During my VMworld session presentation INF-SEC1282 Automating Security and Compliance with DR (VMworld account required to access the recording) I gave a world-premiere glimpse of a prototype solution that will allow completely automated management of SSL certificates in a vSphere environment. The solution is still under development, but if you’d like to peek into the future of an easy and completely automated SSL management world for vSphere, then this article is for you.
The session was an outstanding success: we received a massive response from the audience, both during and after the session. As a result of this positive feedback we’ve decided to make the demo video available to the public on YouTube (linked here and displayed below). I’m the lead architect of the solution and I’m working with VSS Labs, based in Singapore and the Philippines. If after reviewing the demo you’d like to become part of the early adopter / beta program, please visit the VSS Labs web site and register your expression of interest by filling in the Early Adopter Form.
Some things you should know about the demo before you watch it:
- This is a very early prototype and is a stand-alone .NET application in this demo. The full version will be web based, and we will likely offer .NET or Java / virtual appliance options. We’d appreciate feedback on which variant would be the highest priority.
- In the demo we only show the replacement of ESXi certs, but the intention is to support ESX/ESXi 4.x and 5.x out of the gate, in addition to vCenter, vSphere Web Client and selected integrated components and management tools such as VMware View, vCloud Director, SRM, vShield and vCOps. Your feedback on the most critical components to support at GA would be valuable.
- We will be supporting multiple Certificate Authorities, both private and public. We will support stand-alone and enterprise / AD-integrated Windows CAs (2003 and 2008 versions). Where a public CA offers no API, some manual steps may still be required, but the creation of the CSR, the application of the certs and the management of the cert lifecycle will be automated.
- The minimum key length supported will be 1024 bits, with a maximum of 4096 bits and a default of 2048 bits.
- In the demo we use a stand-alone Windows CA; this is the reason for the certificate warning Internet Explorer displays towards the end of the demo. The CA’s cert was not pre-trusted on the system where the browser is being run. This warning would not be displayed had an AD-integrated Enterprise CA been used.
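To make the CSR, key-length and CA-trust points in the list above concrete, here is an added example written for this article; it is not vCert Manager code or VSS Labs code. It assumes the openssl command-line tool is installed, enforces the key-length policy stated above (minimum 1024, maximum 4096, default 2048 bits), requests the SAN set the author describes for SRM in the comments (FQDN, short name and IP), and stands up a throw-away self-signed CA in place of the stand-alone Windows CA. The host name, IP address and CA names are constructed values.

```shell
#!/bin/sh
# Added example, not vCert Manager code: the CSR side of the workflow the article
# describes, driven through the openssl CLI (assumed installed). The key-length policy
# mirrors the article (minimum 1024, maximum 4096, default 2048 bits); host names,
# the IP address and the test CAs are constructed values. Output goes to $OUTDIR.

# check_key_length BITS -> exit 0 when BITS is within policy, 1 otherwise
check_key_length() {
    bits="${1:-2048}"
    [ "$bits" -ge 1024 ] && [ "$bits" -le 4096 ]
}

# make_csr FQDN SHORTNAME IP [BITS] -> writes FQDN.key, FQDN.csr and FQDN.cnf in $OUTDIR.
# The SAN set (FQDN, short name, IP) is the one the author lists for SRM; CN is the FQDN.
make_csr() {
    fqdn="$1"; short="$2"; ip="$3"; bits="${4:-2048}"
    check_key_length "$bits" || { echo "key length $bits outside 1024..4096" >&2; return 1; }
    outdir="${OUTDIR:-.}"
    cfg="$outdir/$fqdn.cnf"
    cat > "$cfg" <<EOF
[ req ]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[ dn ]
CN = $fqdn
O = Example Org
[ v3_req ]
subjectAltName = DNS:$fqdn, DNS:$short, IP:$ip
EOF
    openssl req -new -newkey "rsa:$bits" -nodes -sha256 \
        -keyout "$outdir/$fqdn.key" -out "$outdir/$fqdn.csr" -config "$cfg" 2>/dev/null
}

# csr_key_bits CSR -> prints the RSA modulus size the CSR carries (for a policy audit)
csr_key_bits() {
    openssl req -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# csr_has_san CSR NAME -> exit 0 if NAME appears in the CSR's subjectAltName
csr_has_san() {
    openssl req -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | grep -q -- "$2"
}

# make_ca NAME -> throw-away self-signed CA standing in for the stand-alone Windows CA
make_ca() {
    outdir="${OUTDIR:-.}"
    cfg="$outdir/$1.cnf"
    cat > "$cfg" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = $1
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -config "$cfg" \
        -keyout "$outdir/$1.key" -out "$outdir/$1.crt" 2>/dev/null
}

# sign_csr CSR CANAME -> issues the CSR's certificate, copying the requested SANs into it
sign_csr() {
    outdir="${OUTDIR:-.}"
    base="${1%.csr}"
    openssl x509 -req -in "$1" -CA "$outdir/$2.crt" -CAkey "$outdir/$2.key" -CAcreateserial \
        -days 30 -sha256 -extfile "$base.cnf" -extensions v3_req -out "$base.crt" 2>/dev/null
}

# cert_trusted CERT CAFILE -> exit 0 only if CERT chains to a CA in CAFILE. This is the
# check a browser performs; the IE warning in the demo is what its failure looks like.
cert_trusted() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}
```

Run `make_ca testca`, then `make_csr esx01.example.com esx01 192.0.2.10` and `sign_csr "$OUTDIR/esx01.example.com.csr" testca`. `cert_trusted` against the issuing CA's certificate succeeds, while the same host certificate checked against any other trust file fails, which is exactly the condition behind the browser warning in the demo: the remedy is to distribute the issuing CA's certificate to the client's trust store, not to click through the warning.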
Once you have watched the demo please complete the brief survey below.
Please let us know what your thoughts are on the most critical components we should support when we release vCert Manager 1.0.
Final Word
Managing SSL certs in a VMware environment is a very complicated, time-consuming, error-prone and costly task. My hope is that vCert Manager will revolutionize SSL management in VMware environments, making it simple, easy and cost effective to change and maintain SSL certificates throughout their lifecycle, for all customers, and providing a more secure platform to the many customers that currently wouldn’t or couldn’t change their SSL certificates. If after reading this article and seeing the demo you still want to do your certificates manually, then please feel free to check out my article on Updating SSL Certificates in vSphere 5. I look forward to receiving some good feedback and comments.
—
This post first appeared on the Long White Virtual Clouds blog at longwhiteclouds.com, by Michael Webster. Copyright © 2012 – IT Solutions 2000 Ltd and Michael Webster. All rights reserved. Not to be reproduced for commercial purposes without written permission.


This is really a great idea! I hope that this project will be integrated into vSphere sooner rather than later! Especially changing SSL certs for vCenter is really time consuming and painful, as you have to copy the certs to five different directories, run some CLI commands, etc. BTW: is it planned that SANs (Subject Alternative Names) are also supported by vCert Manager (used by SRM)?
Hi Ronny,
Yes, SANs are supported and the intelligence is built into vCert Manager for the CSRs to request them. Some prerequisites exist on the CAs, however; that’ll be in the docs. Cert templates need to support them properly. For SRM the SAN will be FQDN, short name and IP. Common Name will be user defined.
I can’t wait for this tool! SSL configuration with VMware products is extremely, extremely, highly frustrating! It’s even worse in vSphere 5.1. The tool will negate the need for some of my blog posts, but I’ll gladly trade that for not pulling out my hair when trying to properly configure certificates.
The tool should also manage the SSL certificates needed for the SSO Service installer to establish an SSL connection to the back-end MS SQL server. The process of configuring the JDBC URL and keystore for trusted SSL is very tedious and not documented anywhere in VMware docs that I know of. I had to figure it out for myself.
http://derek858.blogspot.com/2012/09/vmware-vcenter-51-installation-part-1.html
Great idea. I am in the process of creating a plan to update 200+ hosts with signed certificates. This will be time consuming. This may adjust some of the design times. Hopefully this is out sooner rather than later. Good work.
This is going to be one of the best solutions. I don’t know why VMware didn’t include such kind of certificate management by default when they introduced SSO, Inventory, vCenter and Web Client in 5.1. It’s really painful to manage certificates. Hope to see this tool on the market soon.
Thanks to Derek Seaman, who has put lots of effort into documenting the procedure.
Really super great idea!! Looking forward to this solution!! Thanks Michael!
Good luck with this great project… You are right when you discuss the pain of working with these certificates! I wish you much success.
Awesome work Michael!
Regards
@pshearduk
Any idea when this tool will be released?
We’re expecting vCert Manager to be generally available this quarter (Q1 2013). It will be in Beta shortly.
Thanks for the quick update. Can we still sign up for the Beta?
You sure can. Just complete the early adopter form that I’ve linked through to in the article and you’ll be contacted as soon as the general beta is available.
I’ve tried to access the program but got no response. Does anyone have a working download link or know if the program is still going?
At this stage there is no download link. The beta will be sent out to those registered on the early adopter program. Once the product is GA an eval version is likely to be available.
Same for me. I filled in the early adopter form in Q4/2012 but have had no response until now.
Is there any news on that?
Hi Constey, I’ll follow up on why you’ve not been contacted. But I know there are a number of customers evaluating the beta, and the RC will shortly be available.
VMware have released their own tool. I haven’t used it but it might be worth a shot. http://kb.vmware.com/kb/2041600
I’d recommend you take a look at the new VMware Tool. It will help with vCenter 5.1 certificates.
Yep, I just wrote about it – and noticed that there was some kind of tool I was still waiting for.