
Replacing SSL certificates in a 5.1 and 5.5 mixed mode install

After setting up those CAs in the last two posts it would be a shame to have them just sitting around. As I quite often get the question of how to replace certificates in an environment that is running SSO 5.5 with vCenter 5.1 still in place, the CA is the perfect opportunity to demonstrate the process.

As the CA was also the domain controller I quickly spun up another VM, joined it to the domain and created a reverse lookup zone in DNS so that SSO would not complain during the installation.

I used the defaults for the whole installation and also installed VUM to have all the components on the system.

The last piece of the puzzle is a vMA to actually track our progress through the process.

We can see that the issuer for all certificates is currently VMware, Inc. and the validity is 10 years, which means they are still the default certificates. If you need the skeleton of the script that fetches the certificate data, it is below (inspired by an example from http://www.madboa.com/geek/openssl/).

#!/bin/sh
#
# Fetch the certificate presented on each vCenter-related port and print its
# validity dates and issuer (inspired by http://www.madboa.com/geek/openssl/).
for CERT in \
172.16.100.30:443 \
172.16.100.30:10443 \
172.16.100.30:9443 \
172.16.100.30:7444 \
172.16.100.30:12443 \
172.16.100.30:8084
do
echo "== ${CERT}"
# An empty stdin makes s_client exit right after the handshake; sed keeps
# only the PEM block so that x509 can parse it.
echo |\
openssl s_client -connect ${CERT} 2>/dev/null |\
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' |\
openssl x509 -noout -dates -issuer
echo
done
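As an added example (not the post's own script), here is a version of the progress check that turns the rule stated above (issuer VMware, Inc. plus a 10-year validity means a default certificate) into an explicit per-endpoint classification and also prints the subject. The year arithmetic, the lab CA name and the sample outputs are constructed for the offline check; the host:port arguments are whatever you pass on the command line.

```shell
#!/bin/sh
# Added example, not the post's own script: classify each endpoint's certificate
# as "default" (issuer VMware, Inc. and ~10-year validity, i.e. not yet replaced)
# or "replaced" (anything else, e.g. issued by the lab CA). Endpoint list and
# sample outputs are constructed for illustration.

# year_of "notAfter=Sep 29 08:00:00 2023 GMT" -> 2023 (4th field after the '=')
year_of() {
    set -- $(printf '%s\n' "$1" | sed 's/^[^=]*=//')
    echo "$4"
}

# classify_cert TEXT: TEXT is the output of
# `openssl x509 -noout -dates -issuer -subject`; prints default|replaced
classify_cert() {
    issuer=$(printf '%s\n' "$1" | sed -n 's/^issuer=//p')
    nb=$(year_of "$(printf '%s\n' "$1" | grep '^notBefore=')")
    na=$(year_of "$(printf '%s\n' "$1" | grep '^notAfter=')")
    case "$issuer" in
        *"VMware, Inc."*)
            # default vCenter certificates are valid for 10 years
            if [ $((na - nb)) -ge 9 ]; then echo default; return 0; fi ;;
    esac
    echo replaced
}

# check_endpoint HOST:PORT: fetch the live certificate and report on it
check_endpoint() {
    text=$(echo | openssl s_client -connect "$1" 2>/dev/null |
        sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' |
        openssl x509 -noout -dates -issuer -subject 2>/dev/null)
    if [ -z "$text" ]; then printf '%s unreachable\n' "$1"; return 1; fi
    subject=$(printf '%s\n' "$text" | sed -n 's/^subject=//p')
    printf '%s %s  subject:%s\n' "$1" "$(classify_cert "$text")" "$subject"
}

# Constructed sample outputs (not captured from a real system)
SAMPLE_DEFAULT='notBefore=Oct  1 08:00:00 2013 GMT
notAfter=Sep 29 08:00:00 2023 GMT
issuer= /C=US/O=VMware, Inc./CN=vc55.lab.local
subject= /C=US/O=VMware, Inc./CN=vc55.lab.local'
SAMPLE_REPLACED='notBefore=Nov  1 08:00:00 2013 GMT
notAfter=Nov  1 08:00:00 2015 GMT
issuer= /DC=local/DC=lab/CN=lab-DC-CA
subject= /C=US/O=Lab/CN=vc55.lab.local'

# Usage: sh check-certs.sh 172.16.100.30:443 172.16.100.30:7444 ...
for ep in "$@"; do check_endpoint "$ep"; done
```

Running it against the six ports from the post after each SSL Automation Tool step gives a one-line "default" or "replaced" verdict per service instead of eyeballing the issuer and dates.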

Since this is a mixed mode install I downloaded the SSL Automation Tool for both 5.5 and 5.1U1.

Thanks to the SSL toolkit I used to test both CAs in the last two posts I already have the SSL certificates in place and just needed to unzip the two tools and then edit ssl-environment.bat to include the proper paths. As an additional step I have given administrator@vsphere.local vCenter permissions for convenience.

Next up we need two admin shells, one per tool.

The whole process consists of the following 18 steps.

1. Go to the machine with Single Sign-On installed and – Update the Single Sign-On SSL certificate.
2. Go to the machine with Inventory Service installed and – Update Inventory Service trust to Single Sign-On.
3. Go to the machine with Inventory Service installed and – Update the Inventory Service SSL certificate.
4. Go to the machine with vCenter Server installed and – Update vCenter Server trust to Single Sign-On.
5. Go to the machine with vCenter Server installed and – Update the vCenter Server SSL certificate.
6. Go to the machine with vCenter Server installed and – Update vCenter Server trust to Inventory Service.
7. Go to the machine with Inventory Service installed and – Update the Inventory Service trust to vCenter Server.
8. Go to the machine with vCenter Orchestrator installed and – Update vCenter Orchestrator trust to Single Sign-On.
9. Go to the machine with vCenter Orchestrator installed and – Update vCenter Orchestrator trust to vCenter Server.
10. Go to the machine with vCenter Orchestrator installed and – Update the vCenter Orchestrator SSL certificate.
11. Go to the machine with vSphere Web Client installed and – Update vSphere Web Client trust to Single Sign-On.
12. Go to the machine with vSphere Web Client installed and – Update vSphere Web Client trust to Inventory Service.
13. Go to the machine with vSphere Web Client installed and – Update vSphere Web Client trust to vCenter Server.
14. Go to the machine with vSphere Web Client installed and – Update the vSphere Web Client SSL certificate.
15. Go to the machine with Log Browser installed and – Update the Log Browser trust to Single Sign-On.
16. Go to the machine with Log Browser installed and – Update the Log Browser SSL certificate.
17. Go to the machine with vSphere Update Manager installed and – Update the vSphere Update Manager SSL certificate.
18. Go to the machine with vSphere Update Manager installed and – Update vSphere Update Manager trust to vCenter Server.


Single Sign-On and the vSphere Web Client (which includes the Log Browser) are 5.5 components, meaning we need to use the 5.5 version of the tool for those when they are in the first part of the instruction. Update Manager, Inventory Service, vCenter Orchestrator and vCenter Server are 5.1, which in turn means that we will be using the 1.0.1 version of the SSL Automation Tool when they are in the first part of the instruction.

The SSL Automation Tool does a preliminary check of the certificates, for example whether the name in the Subject Alternative Name extension matches the system name whose certificate you want to replace. It does so by querying the primary DNS server. I had to disconnect the second (internet) NIC of that system for the check to go through, as my local router's DNS server cannot resolve my internal host names. At that point the DNS server on the domain controller took over and everything went smoothly.

1 SSL certificate down (you can see that the issuer changed and also that the validity changed to 2 years), 6 to go. Steps 2 to 10 will be done in the 1.0.1 version of the tool. Prior to replacing the vCenter Server certificates I have made it a personal habit to check the vCenter Server SSL directory for the sso.crt and the vpxd.cfg for the correct service ID entry.

After step 3 the Inventory Service certificate is replaced successfully, which my little script quickly confirms as well by now displaying 2 certificates signed by the mixed CA.

The steps continue in the left admin shell until step 5, at which point we can see that the vCenter Server SSL certificate was also replaced successfully. 3 done, 4 to go.

I usually do not configure Orchestrator in my labs, so I simply walked through the steps in the wizard, which returned no errors. That means 4 services are done and 3 are left, of which the Web Client and Log Browser are the real time eaters of the whole process. They need to be done in the 5.5 version of the SSL Automation Tool (steps 11 to 16 in the process above) in the right-hand admin shell; they completed without any issues, which leaves only Update Manager at that point.

The last two steps were done in the admin shell on the left and, as expected, did not prove to be a challenge either. I have added the subject names to the script's output to show all replaced certificates again and to be able to properly distinguish them. If the binaries had been spread across several boxes, the VMs housing SSO and the Web Client would need the 5.5 version of the tool while the other VMs with VUM, IS+VC and vCO would need the 5.1 version. You would then need at least the service certificate and the SSO certificate on all the different VMs.
