The document discusses SSL certificate usage with vSphere 5.1/5.5. It provides an overview of SSL and certificate concepts, VMware's certificate requirements, and the SSL Automation Tool. Common issues with certificate replacement are also covered, such as failures due to incorrect certificate chains, non-unique certificates, and SSO connection problems.
4. What is SSL?
• SSL stands for “Secure Sockets Layer”
– The security is two-fold:
• Encryption
• Trust
• SSL creates an encrypted “tunnel” between client and server
• Other protocols – e.g. HTTP, LDAP – use the tunnel
• Typical SSL Clients: Web Browsers, vSphere Client
• Typical SSL Servers: Web servers, ESXi, vCenter Server
• An application can act as both server and client
– vCenter is a client to ESXi
– vCenter is a server to the vSphere Client
5. X.509 structure
• An X.509 certificate is a binary encoded file. It is not human-readable.
6. Distinguished Names used by X.509
• A Distinguished Name (DN) in X.509 is similar to an FQDN in DNS
• A DN can contain:
– Country (C), Organisation (O), Organisational Unit (OU), State (ST), Common Name (CN), among others
• The CN value is generally used for the FQDN in server certificates, and to identify the CA in CA certificates
• See RFC 5280 for more details
7. Subject Alternative Names
• X.509 v3 added the Subject Alternative Name extension to certificates
• subjectAltName can contain multiple host names (DNS name) and IP addresses
• FQDN, short-name and IP address can all be listed in one subjectAltName value
• The SSL client has to be subjectAltName aware
8. vCenter certificate usage examples
• SSL Connections are used to connect and trust
– vCenter to ESXi
– vCenter to SSO
– vSphere Web Client to vCenter
– vSphere Client to ESXi
– vSphere Client connections to the vCenter Tomcat server
• SSL Certificates are also involved in protecting data in vCenter Server
– The vCenter Database Password
– Any passwords stored in customization profiles
– The randomly generated vpxuser passwords for each managed ESXi
10. Certificate requirements
• Generating certificates for use with the VMware SSL Certificate Automation Tool (2044696)
• Implementing CA signed SSL certificates with vSphere 5.x (2034833)
• A unique Subject Distinguished Name encoded within the certificate
– A unique OU is not mandatory.
– Having a unique OU is one way to achieve unique DN, but is certainly not the only way
• Include a subjectAlternateName field
• Include digitalSignature, keyEncipherment, and dataEncipherment components for Key Usage
• Wildcard certificates are not supported
11. Private key requirements
• After upgrading to vCenter Server 5.5 Update 1, logging in to vCenter Server reports the error: Failed to verify the SSL certificate for one or more vCenter Server systems (2074942)
• The certificates and private keys must meet these requirements:
– Private key algorithm: RSA
– Private key length: >= 1024 bits, max 2048 bits
– Private key standard: PKCS#1 or PKCS#8
– Private key storage: PEM
• Recommended certificate signature algorithms are:
– sha256WithRSAEncryption 1.2.840.113549.1.1.11
– sha384WithRSAEncryption 1.2.840.113549.1.1.12
– sha512WithRSAEncryption 1.2.840.113549.1.1.13
12. Certificate chain requirements
• Single PEM file containing a sequence of PEM (base64) encoded X.509 certificates ordered from the leaf certificate to and including the self-signed authority certificate
• No comments, spaces or tabs before, between or after certificates
• Each certificate begins with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----, each on its own line with no spaces before or after
• No extra certificates are in the file
• The certificate chain is complete.
– File contains all certificates
– Chain can be completed from Windows trust store
14. Getting the SSL Automation Tool
• Download in the My VMware portal
• Also included on the 5.5 U1 ISO
15. Requirements for using the SSL Automation Tool
• Access to each server and administrative privileges
• Components need to be already installed
• New certificates and private keys pre-created
• Scheduled downtime for all components (1-2 hours minimum)
• Windows version of vCenter Server 5.1 or higher
• All components on the same build level
• The path or file name for certificates and keys does not contain special characters
• Supported platforms:
– Windows 2008 R2 SP1
– Windows 2012 Standard
• Deploying and using the SSL Certificate Automation Tool 5.5 (2057340)
16. Preparations before using the SSL Automation Tool
• Take a snapshot or backup of the affected components to expedite recovery times in case of failure.
• Updating certificates for third-party components such as load balancers is still a manual process
• Shut down any dependent solutions
– VMware Site Recovery Manager
– vSphere Data Recovery
– vCloud Director
– Any third-party solution which may be connecting to vCenter Server
• Prepare passwords for
– vCenter Server Admin
– SSO Admin
– vCenter Server database
27. Common Issues
• Symptom
– Certificate update fails with “The certificate chain file does not contain a valid certification path”
• Resolution
– Check for correct certificate chain
– Check for comments, whitespaces, special characters
29. Common Issues
• Symptom
– Replacing vCenter Server certificates fails with “Different certificates are used for SSL and Solution user”
• Resolution
– Find the certificate with the duplicate Subject DN
– Replace this certificate
– Validating and correcting errors for an upgraded VMware vCenter Server using the SSL Certificate Automation Tool (2048202)
31. Common Issues
• Symptom
– Updating vCenter Server certificate fails with “The certificate might not be unique”
• Resolution
– Certificate Subject DN is not unique
– Service ID in vpxd.cfg has multiple entries, is empty, or contains the word “vCenterService”
SSL is an acronym for “Secure Sockets Layer”
Cryptographic protocol to encrypt data
Build a chain of trust
Encrypted tunnel between a client and a server component
Tunnel then is leveraged by other protocols
Typical Clients and Servers
Strict hierarchical system of certificate authorities to issue the certificates
Binary file, not human readable
Serial number, Issuer, Validity, Subject, Public Key
Constraints, Key Usage, Subject Alternative Name
Let’s look at the Subject (next slide)
Logon name for SSO!
Described as distinguished name as in AD
Contains: Country, Org, Org Unit, Location, State
General use as FQDN or identify CA in signing certs
Excruciating detail in RFC 5280
Next up Subject Alt Name extension (next slide)
Extension added in version 3
Contains multiple host names and IPs
Everything can be listed in one extension field
Circumvents the limitation of validity for only 1 host name
Heavily used since 5.0 for internal tomcat communication, without it HW status, Perf Overview and several plugins break
SSL client has to be aware (case for VMware software)
Some examples of certificate usage (next slide)
Used for connection and trust
VC to ESXi + SSO
NGC to VC
C# to ESXi and tomcat
Also protect sensitive data
Database password in registry (host disconnects after replacement or reinstall)
Password in customization profiles
Vpxuser password
VMware requirements (next slide)
All details listed in these 2 KBs
Unique Subject DN to register in SSO
Include Subject Alt Name for tomcat
Include digitalSignature, keyEncipherment, dataEncipherment for Key Usage
No Wildcard cert support
Private key requirements (next slide)
Anyone knows this yellow banner?
Java 7 Update 40 needs keys > 512 bit
RSA format, minimum length 1024 bit
PKCS1 or PKCS8 standard depending on Windows or VCSA
PEM format as storage
If sha1 deemed insecure take different algorithm
Certificate chain requirements (next slide)
Single PEM file
Contain all certificates ordered from leaf to root certificate
No comments, spaces or escape characters
Specific start and termination string
Put chain together with notepad++ (or similar, avoid notepad)
No additional certificates
Chain needs to be complete in file or from Windows Trust store
SSL Automation tool (next slide)
Download by selecting the correct version
Drivers & Tools
Automation Tools and SDKs section
Included on 5.5 U1 ISO as well
Installation is a simple unzip, no large footprint on the system needed
Admin access to each server
Components preinstalled
Otherwise pre-staging install by copying certs, keys and an additional pfx file into the correct folders
Pre-stage works for everything except SSO
Certs and Keys are needed
Downtime!
Windows vCenter
Same build
No special characters in path names
Details in KB
Take snapshot / backup prior to doing anything
Update of 3rd party, load balancer or upper stack products and VCSA still manual
Shut down dependent solutions
Prepare VC, SSO admin PW + VC DB PW
2 Part tool
ssl-environment.bat to prepare variables and file paths
ssl-updater.bat to run the command line tool
If not done beforehand, use menu option 2 to go into Cert Request mode
Saved to Install folder into “requests” sub directory
Probably most important step of all
Menu option 1, then each option for service
Most common customer use cases: VC only, or admin facing certs: VC, IS, NGC
update-planner.log saved into “logs” Directory
Follow the steps from planner
If services are distributed, the tool and certs need to be on every machine
Display cert request
Display cert
Verify password for pfx
Get domain controller cert
Export certs and key from pfx
Subject
Extensions
Match Subject to request
Version
Extensions
Validity
Cannot validate lookupservice connection
SSO might not be running correctly (try logging in to VC)
Check credentials for typos
Try cmd.exe due to escape character handling ($ sign as example)
Avoid escape chars in passwords (“ or \)
Certificate chain is not valid
Check for correct order of chain, missing or additional certificates
Check for whitespaces, comments etc.
Different certs used for SSL and solution user
Find the offending cert and replace it
Follow KB to reregister VC to SSO
Certificate might not be unique
Could be true
Could be misleading, check vpxd.cfg for correct serviceID