
vCert Manager – Changing VMware SSL Certs Made Easy

During my VMworld session presentation INF-SEC1282 Automating Security and Compliance with DR (VMworld account required to access the recording) I gave a world-premiere glimpse of a prototype solution that will allow completely automated management of SSL certificates in a vSphere environment. The solution is still under development, but if you'd like to peek into the future of an easy and completely automated SSL management world for vSphere, then this article is for you.

[Updated 14/09/2013] vCert Manager is now Generally Available! This was announced at VMworld USA 2013 in San Francisco. If you'd like to see how the prototype changed into the full product, please check out my article VMworld USA 2013 By The Numbers. You can obtain an evaluation version of vCert Manager by visiting VSS Labs.


The session was an outstanding success; we received a massive response from the audience both during and after the session. As a result of this positive feedback we've decided to make the demo video available to the public on YouTube here and displayed below. I'm the lead architect of the solution and I'm working with VSS Labs, based in Singapore and the Philippines. If after reviewing the demo you'd like to become part of the early adopter / beta program, please visit the VSS Labs web site and register your expression of interest by filling in the Early Adopter Form.

Some things you should know about the demo before you watch it:

  1. This is a very early prototype and is a stand-alone .NET application in this demo. The full version will be web based and we will likely have .NET or Java / Virtual Appliance options. We'd appreciate feedback on which variant would be the highest priority.
  2. In the demo we are only showing the replacement of ESXi certs, but the intention is to support ESX/ESXi 4.x and 5.x out of the gate, in addition to vCenter, vSphere Web Client and selected integrated components and management tools, such as VMware View, vCloud Director, SRM, vShield and vCOps. Your feedback on the most critical components to support upon GA would be valuable.
  3. We will be supporting multiple Certificate Authorities, both private and public. We will support stand-alone and enterprise / AD-integrated Windows CAs (2003 and 2008 versions). Public CA support, where APIs are not available, may still require some manual steps, but the creation of the CSR, the applying of the certs and the management of the cert lifecycle will be automated.
  4. The minimum key length supported will be 1024 bits, with a maximum of 4096 bits and a default of 2048 bits.
  5. In the demo we use a stand-alone Windows CA; this is the reason for the message in IE being displayed towards the end of the demo. The CA's cert was not pre-trusted on the system where the browser is being run. This message would not be displayed had an AD-integrated Enterprise CA been used.
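To make the CSR step in items 3 and 4 concrete, here is an added example (my own script for this page, not vCert Manager code) that enforces the 1024 to 4096 bit key range with a 2048 bit default and builds a request whose subjectAltName carries the host's FQDN, short name and IP, the SAN set named in the reply to the first comment below. It assumes the openssl CLI is installed; host names and the IP are constructed.

```shell
#!/bin/sh
# Added example, not part of vCert Manager or of the original post.
# Generates an RSA key within the supported length range and a CSR with
# CN plus SAN entries (FQDN, short name, IP) for one vSphere host.

MIN_BITS=1024
MAX_BITS=4096
DEFAULT_BITS=2048

# Return 0 only if the requested key length is numeric and within range.
check_bits() {
    bits="$1"
    case "$bits" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$bits" -ge "$MIN_BITS" ] && [ "$bits" -le "$MAX_BITS" ]
}

# Write an OpenSSL request config carrying the SAN list for one host.
# Usage: write_req_config <outfile> <cn> <fqdn> <shortname> <ip>
write_req_config() {
    cat > "$1" <<EOF
[ req ]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[ dn ]
CN = $2
[ v3_req ]
subjectAltName = DNS:$3, DNS:$4, IP:$5
EOF
}

# Generate the private key and CSR into <outdir>.
# Usage: make_csr <outdir> <cn> <fqdn> <shortname> <ip> [bits]
make_csr() {
    dir="$1"; cn="$2"; fqdn="$3"; short="$4"; ip="$5"; bits="${6:-$DEFAULT_BITS}"
    check_bits "$bits" || { echo "key length $bits outside $MIN_BITS-$MAX_BITS" >&2; return 1; }
    mkdir -p "$dir"
    write_req_config "$dir/req.cnf" "$cn" "$fqdn" "$short" "$ip"
    openssl req -new -newkey "rsa:$bits" -nodes \
        -keyout "$dir/$short.key" -out "$dir/$short.csr" -config "$dir/req.cnf" 2>/dev/null
}

# Print the SAN entries of a CSR one per line, for review before submission to the CA.
csr_sans() {
    openssl req -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
        | tail -n 1 | tr ',' '\n' | sed 's/^ *//'
}
```

Running `make_csr ./out esxi01.example.com esxi01.example.com esxi01 192.0.2.10` followed by `csr_sans ./out/esxi01.csr` lets you confirm all three SAN entries are present before the request leaves your hands.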

Once you have watched the demo please complete the brief survey below.

Please let us know what your thoughts are on the most critical components we should support when we release vCert Manager 1.0.

Final Word

Managing SSL certs in a VMware environment is a very complicated, time consuming, error prone, and costly task. My hope is that vCert Manager will revolutionize SSL management in VMware environments and make it simple, easy, and cost effective for all customers to change and maintain SSL certificates throughout their lifecycle, providing a more secure platform to the many customers that wouldn't or couldn't currently change their SSL certificates. If after reading this article and seeing the demo you still want to do your certificates manually, then please feel free to check out my article on Updating SSL Certificates in vSphere 5. I look forward to receiving some good feedback and comments.

This post first appeared on the Long White Virtual Clouds blog at longwhiteclouds.com by Michael Webster. Copyright © 2012 – IT Solutions 2000 Ltd and Michael Webster. All rights reserved. Not to be reproduced for commercial purposes without written permission.

  1. Ronny
    September 17, 2012 at 8:46 am | #1

    This is really a great idea! I hope that this project will be integrated into vSphere sooner rather than later! Especially changing SSL certs for vCenter is really time consuming and painful as you have to copy the certs to five different directories, run some CLI commands, etc. BTW: is it planned that SANs (Subject Alternative Names) are also supported by vCert Manager (used by SRM)?

    • September 17, 2012 at 8:56 am | #2

      Hi Ronny,

      Yes, SANs are supported and the intelligence is built into vCert Manager for the CSRs to request them. Some prerequisites exist on the CAs; however, that'll be in the docs. Cert templates need to support them properly. For SRM the SAN will be FQDN, ShortName and IP. Common Name will be user defined.

  2. September 17, 2012 at 10:58 pm | #3

    I can't wait for this tool! SSL configuration with VMware products is extremely, extremely, highly frustrating! It's even worse in vSphere 5.1. The tool will negate the need for some of my blog posts, but I'll gladly trade that for not pulling out my hair when trying to properly configure certificates.

    The tool should also manage the SSL certificates needed for the SSO Service installer to establish a SSL connection to the back-end MS SQL server. The process of configuring the JDBC URL and keystore for trusted SSL is very tedious and not documented anywhere in VMware docs that I know of. I had to figure it out for myself.

    http://derek858.blogspot.com/2012/09/vmware-vcent

  3. Mike J
    September 18, 2012 at 6:00 pm | #4

    Great idea. I am in the process of creating a plan to update 200+ hosts with signed certificates. This will be time consuming. This may adjust some of the design times. Hopefully this is out sooner rather than later. Good work.

  4. September 23, 2012 at 7:58 pm | #5

    This is going to be one of the best solutions. I don't know why VMware didn't include such kind of certificate management as default when they introduced SSO, Inventory, vCenter and Web Client in 5.1. It's really painful to manage certificates. Hope to see this tool in the market soon.

  5. September 23, 2012 at 8:00 pm | #6

    Thanks to Derek Seaman, he has put lots of efforts in documenting the procedure.

  6. Peter Van Geem
    October 31, 2012 at 7:16 pm | #7

    Really Super Great idea !! Looking forward to this solution!! Tnx Michael!

  7. Nicolas Dassy
    October 31, 2012 at 9:43 pm | #8

    Good luck for this great project… You are right when you discuss about the pain to work with these certificates! I wish you much success

  8. Paul Sheard
    December 7, 2012 at 12:01 pm | #9

    Awesome work Michael!

    Regards

    @pshearduk

  9. January 7, 2013 at 10:27 pm | #10

    Any idea, when this tool will be released ?

    • January 7, 2013 at 10:30 pm | #11

      We're expecting vCert Manager to be generally available this quarter (Q1 2013). It will be in Beta shortly.

  10. January 7, 2013 at 10:40 pm | #12

    Thanks for the quick update. Can we still sign for the Beta ?

    • January 7, 2013 at 10:43 pm | #13

      You sure can. Just complete the early adopter form that I've linked through to in the article and you'll be contacted as soon as the general beta is available.

  11. January 18, 2013 at 12:30 pm | #14

    I've tried access the program but got no response. Does anyone have a working download link or know if the program is still going?

    • @vcdxnz001
      January 18, 2013 at 8:07 pm | #15

      At this stage there is no download link. The beta will be sent out to those registered on the early adopter program. Once the product is GA an eval version is likely to be available.

  12. April 6, 2013 at 8:02 am | #16

    Same for me. I filled the early adopter in Q4/2012 but got no response until now.

    There are no news for that?

    • @vcdxnz001
      April 6, 2013 at 8:08 am | #17

      Hi Constey, I'll follow up why you've not been contacted. But I know there are a number of customers evaluating the beta and the RC will shortly be available.

  13. April 6, 2013 at 8:06 am | #18

    VMware have released their own tool. I haven't used it but it might be worth a shot. http://kb.vmware.com/kb/2041600

    • @vcdxnz001
      April 6, 2013 at 8:11 am | #19

      I'd recommend you take a look at the new VMware Tool. It will help with vCenter 5.1 certificates.

  14. April 6, 2013 at 8:19 am | #20

    Yep, I just wrote about it – and noticed that there was some kind of tool I was still waiting for :)

  15. July 23, 2013 at 6:59 pm | #21

    I found this post today while doing some research on changing certificates in vSphere 5.1. When will this tool be available? Can we still sign up for the early adopter program?

  16. September 14, 2013 at 11:11 pm | #22

    This would be perfect! We just implemented a new vSphere 5.1 environment with Heartbeat and to properly replace the certificates takes hours. I hope this is available in the next 2 years before these certificates expire.

    • @vcdxnz001
      September 14, 2013 at 11:18 pm | #23

      Hi Andrew, General availability of vCert Manager was announced at VMworld. You can find some of the latest info by reviewing my VMworld article –

      • September 14, 2013 at 11:24 pm | #24

        Thanks, I'll take a look for it. I was disappointed to find that after spending a few hours updating the environment with CA SSL certificates, the Heartbeat install on my vCenter Server reverted to a self-signed certificate.

      • @vcdxnz001
        September 14, 2013 at 11:28 pm | #25

        Hi Andrew, Heartbeat itself doesn't use the same certificate as vCenter, so there is a separate process to change out the Heartbeat certificates. I have an article on this site with guidance around that. SSL certificate management is quite difficult; that's why I helped VSS Labs with technical advice to create vCert Manager. It's really the only tool that provides complete lifecycle management of SSL certificates for vSphere environments. The GA 1.0 version allows for management of ESX/ESXi host and vCenter certificates. It doesn't manage any of the other certificates. I understand that future versions will manage other types of certificates based on customer demand and feedback. They tried to take away the vast majority of the pain, which was around vCenter, SSO, and host certificates. Check it out and have a look at getting an evaluation version.

  17. June 9, 2014 at 2:58 pm | #26

    Hi Michael,
    I want to change the bits from 2048 to 4096 but I wonder why I cannot edit the generate-certificate script because it's read-only, even though I have used x! to save it.
    I found the workaround by copying it first to /tmp, editing it, and copying it back to /sbin. But I'm just curious why I cannot edit it in /sbin.
