I was contacted recently by Maish Saidel-Keesing (@maishsk), who is a vExpert, fellow tweeter and top 50 virtualization blogger at technodrone.blogspot.com, asking if I had updated the SSL Certs in vShield Manager at all. At this point I have updated quite a lot of certs for customers and in my lab, but vShield wasn’t one of them and it was still firmly on my To Do list. He challenged me to see if I could get it working, so I set about updating my vShield Manager SSL Certs and helped Maish do the same in his environment. It wasn’t quite as hard as some of the other tools when it comes to changing SSL Certs, but it wasn’t entirely straightforward either. If you want to know how to do it the easy way, read on.
The first place you should go when trying to update SSL Certificates in any of the VMware products is the product documentation. At least for an overview of how the process might work. As you are probably aware by now (If you’ve read my previous posts on the SSL Cert Topic – Updating CA SSL Certs in vSphere 5) there have been a number of examples where the documentation isn’t quite complete or easy to follow. This is also the case with the vShield 5.0 Admin Guide. This article will outline the steps necessary to update the SSL Certs on vShield Manager 5.0 and give you an insight into some of the differences with 5.0.1 that we discovered along the way.
If you want a way to fully manage the certificate lifecycle and replace certs automatically then you’ll want to check out vCert Manager – Changing VMware SSL Certs Made Easy. This will completely automate the SSL certificate process in vSphere environments.
Prerequisites and Assumptions
This article assumes the following:
- You already have an Organisational CA and PKI Infrastructure.
- vShield Manager is already deployed in the environment and configured with a valid IP address on the management network.
- You have validated connectivity to your vShield Manager prior to executing this process.
- Your vShield Manager must have a fully qualified domain name in your DNS.
- If you are using a Windows 2003 CA, you have applied Microsoft KB 931351 to allow the SAN attribute to be specified as part of the certificate request. This will require a restart of the CA services.
- Your CA certificate template supports the Subject Alternative Name (SAN) attribute in certificate requests. Your chosen CA Certificate Template should be verified before you start this process.
- You have a copy of your Root CA and Intermediate CA (if applicable) Certificates available for use during this process.
- You are using Internet Explorer as your browser. Note: Other browsers will work for some parts of this process, however they may not work with the CA certsrv web site and root certificates may need to be pre-trusted in the non-IE browsers.
You will be required to log in as admin to perform all the tasks outlined and will require access to the CA to request and download the certificate.
Updating SSL Certificate in vShield Manager 5.0 High Level Steps
Here I will give you an overview of the high level process steps and then dig into the detail including screenshots in the next section. I hope this makes your process of updating the vShield Manager SSL Certs as painless as possible. This process was tested using vShield 5.0 and 5.0.1 and a Windows 2003 CA, but will also work with Windows 2008 and above.
- Generate the Certificate Signing Request (CSR) from the vShield Manager SSL Certificates GUI with the correct details for your organization and CA.
- Download the generated CSR from vShield Manager and Submit it to your CA.
- Download the CA signed SSL Certificate generated in Step 2.
- Download or export the Root CA Certificate and Intermediate CA Certificate if applicable.
- Import the Root CA Certificate to vShield Manager.
- Import the Intermediate CA Certificate to vShield Manager (if applicable).
- Import the CA signed x.509 SSL Certificate for vShield Manager.
- When the new CA signed SSL Certificate from Step 7 is applied, the vShield Manager will reboot. When the reboot is complete, log back into vShield Manager.
So only 8 steps, seems easy right? Well it is fairly easy, but there are some catches, which I’ll explain in detail below.
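Once vShield Manager is back up after step 8, a practitioner will want to confirm that the new certificate actually chains to the Root CA through the Intermediate CA and is valid for the FQDN used as the Common Name as well as for the IP address vCenter registered it under. The script below is an added example, not from the original post: it builds a throwaway test PKI with the openssl CLI so it runs offline, and the FQDN, IP, file names and the assumption that the SAN carries both the FQDN and the management IP are constructed for the example; in practice you would point verify_vsm_cert at the certificates exported from your CA and the one presented by vShield Manager.

```shell
#!/bin/sh
# Added example, not from the original post: post-install check of the chain
# and names a new vShield Manager certificate needs to satisfy.
# Requires the openssl CLI (1.1.0+ for -verify_hostname / -verify_ip).
set -e
WORK=$(mktemp -d)
VSM_FQDN="vsm.lab.example"   # constructed: the Common Name the 5.0 GUI requires
VSM_IP="192.0.2.10"          # constructed: address vCenter registered the VSM under

# Build a throwaway PKI (root -> intermediate -> leaf) so the check runs
# offline. In production these are the files exported from your CA.
build_test_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Lab Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Lab Issuing CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/int.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/ca.ext" \
    -out "$WORK/int.pem" 2>/dev/null
  # Leaf: FQDN as CN, plus a SAN carrying both the FQDN and the management IP
  # (assumption for this example; your CA template must permit the SAN).
  printf 'subjectAltName=DNS:%s,IP:%s\n' "$VSM_FQDN" "$VSM_IP" > "$WORK/leaf.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$VSM_FQDN" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/int.pem" \
    -CAkey "$WORK/int.key" -CAcreateserial -extfile "$WORK/leaf.ext" \
    -out "$WORK/leaf.pem" 2>/dev/null
}

# verify_vsm_cert LEAF INTERMEDIATE ROOT FQDN IP
# Returns 0 only if LEAF chains to ROOT via INTERMEDIATE and is valid for
# both the FQDN (browser access) and the IP (vCenter registration).
verify_vsm_cert() {
  openssl verify -CAfile "$3" -untrusted "$2" -verify_hostname "$4" "$1" >/dev/null 2>&1 &&
  openssl verify -CAfile "$3" -untrusted "$2" -verify_ip "$5" "$1" >/dev/null 2>&1
}

build_test_chain
verify_vsm_cert "$WORK/leaf.pem" "$WORK/int.pem" "$WORK/root.pem" "$VSM_FQDN" "$VSM_IP" \
  && echo "chain and names OK for $VSM_FQDN / $VSM_IP"
```

If the IP check fails while the FQDN check passes, vCenter's registration by IP is exactly where you will see certificate warnings, which is the validity gotcha the post refers to.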
Updating SSL Certificate in vShield Manager 5.0 Detailed Steps
Now we will dive into the detailed steps required to update the SSL Certificates for vShield Manager. As I take you through this I will point out the gotchas and inconsistencies with the existing product documentation you need to be aware of as we come to the relevant steps. Screenshots are included to make the process easier to follow. Bear in mind as you are going through this process that vShield Manager is registered with vCenter using its IP address and accessed from within vCenter Server using your browser. This is an important aspect when it comes to certificates and validity checks.
- Log into vShield Manager as admin.
- Click Settings and Reports in the left hand navigation window.
- Click SSL Certificate.
- You will find yourself presented with a form allowing you to enter the information required to generate a Certificate Signing Request (CSR). I suggest using a 2048-bit RSA key. At this point you need to use the fully qualified domain name (FQDN) of the vShield Manager as the Common Name. Failure to use the FQDN will result in an error in vShield Manager 5.0 and you will not be able to generate the CSR. This is the first inconsistency with the product documentation, as it advises you to use the IP address of the vShield Manager, which doesn’t work. Using the IP address as the Common Name is possible in vShield Manager 5.0.1. Fill in the CSR information similar to the following image with your relevant organization details.