Setup 2: after installing the OpenSSL utility, go to its bin folder, take a backup of the openssl.cfg file, then open it, delete all of its content and replace it with the directives below.
The screenshot below shows the file before its content is deleted.
Replace the content with the directives below, change the values shown in red to match your environment, and save the file.
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vc50, IP:10.0.0.10, DNS:vc50.vmware.com
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = NY
localityName = New York
0.organizationName = VMWare
organizationalUnitName = vCenterInventoryService
commonName = vc50.vmware.com
Example: I'm going to create a CSR and key for my vCenter server.
The screenshot below shows the file after the original content has been deleted and the directives above pasted in.
Save it, open a command prompt with admin rights, and run the command below to create the .csr and .key files:
openssl req -new -nodes -out rui.csr -keyout rui.key -config openssl.cfg
Note: There are no prompts because all information was provided in the openssl.cfg file, as configured in the previous article.
After that you will see both rui.csr and rui.key generated in the bin folder.
You can also verify that the CSR contains the information you provided in openssl.cfg by running the command below:
openssl req -in rui.csr -noout -text
Copy these two files to a separate folder, then repeat the same steps to generate a rui.csr and rui.key pair for each of your ESXi hosts.
Once you have created them for vCenter and every ESXi host, send the CSR files to your security team for CA signature. Alternatively, if you have a Microsoft CA server, follow the KB article below to generate a rui.crt for each server and host.
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2057223
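As an added example (not from the original post), the POSIX shell script below automates the steps above for several hosts at once: it writes a per-host openssl.cfg from the template shown, runs the same openssl req command, and checks that the resulting CSR really carries the expected Subject Alternative Name entries. The host names, FQDNs and IP addresses in the usage line are constructed placeholders; the distinguished-name values are copied from the template and should be changed to match your environment.

```shell
#!/bin/sh
# Added example, not from the original post: build one openssl.cfg per host,
# generate the CSR and key with the same openssl req command, and verify the SAN.
# Host/FQDN/IP values in the usage line are constructed placeholders.

# make_req_config HOST FQDN IP -> prints the openssl.cfg for that host
make_req_config() {
  host=$1; fqdn=$2; ip=$3
  cat <<EOF
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:${host}, IP:${ip}, DNS:${fqdn}

[ req_distinguished_name ]
countryName = US
stateOrProvinceName = NY
localityName = New York
0.organizationName = VMWare
organizationalUnitName = vCenterInventoryService
commonName = ${fqdn}
EOF
}

# make_csr HOST FQDN IP OUTDIR -> writes OUTDIR/HOST/{openssl.cfg,rui.key,rui.csr}
make_csr() {
  outdir=$4/$1
  mkdir -p "$outdir"
  make_req_config "$1" "$2" "$3" > "$outdir/openssl.cfg"
  # same command as in the post; -nodes leaves the key unencrypted, matching encrypt_key = no
  openssl req -new -nodes -out "$outdir/rui.csr" -keyout "$outdir/rui.key" \
    -config "$outdir/openssl.cfg"
}

# csr_has_san CSRFILE NAME -> exit 0 if the CSR's SAN extension lists NAME (e.g. DNS:vc50)
csr_has_san() {
  openssl req -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | grep -q -- "$2"
}

# Usage: sh make_csrs.sh OUTDIR host:fqdn:ip [host:fqdn:ip ...]
# e.g.  sh make_csrs.sh ./certs vc50:vc50.vmware.com:10.0.0.10 esx01:esx01.vmware.com:10.0.0.11
if [ "$#" -ge 2 ]; then
  out=$1; shift
  for spec in "$@"; do
    h=${spec%%:*}; rest=${spec#*:}; f=${rest%%:*}; i=${rest#*:}
    make_csr "$h" "$f" "$i" "$out"
    csr_has_san "$out/$h/rui.csr" "DNS:$f" && echo "$h: CSR contains DNS:$f"
  done
fi
```

Each host gets its own folder with its own config, key and CSR, so the per-host files never overwrite each other in the bin folder; the SAN check at the end is the scripted form of the openssl req -noout -text verification described above.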
If you are using a Microsoft CA:
Note: Before proceeding, confirm that the three key usages are present on the .crt file by viewing its properties. This can be found by opening rui.crt, clicking the Details tab, and locating the Key Usage row under Field. The default install of Windows Server 2008 with the CA role will not create *.crt files. You must first modify the digitalSignature, keyEncipherment, and dataEncipherment fields on the CA server's Web Server template before continuing.
For more information, see Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 5.x (2062108).
- Log in to the Microsoft CA certificate authority web interface. By default, it is: http://servername/CertSrv/
- Click the Request a certificate link.
- Click advanced certificate request.
- Click the Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file link.
- Open the certificate request (rui_service.csr, as generated above for each component) in a plain text editor and paste the text from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST----- into the Saved Request box.
- Select the Certificate Template as Web Server.
Note: VMware recommends that you create a copy of the Web Server certificate template and add the Subject Alternative Name field to it. This allows you to specify more than a single name to be valid on the certificate, such as vcenter.domain.com and vcenter. Users can connect to more than one name and communication will still be valid. For more information on creating a Certificate Template, see Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 5.x (2062108).
- Click Submit to submit the request.
- Click Base 64 encoded on the Certificate issued screen.
- Click the Download Certificate link.
- Save the certificate as rui_service.crt in the appropriate c:\certs\<service>\ folder. For example: rui_vpxd.crt
Note: By default, Microsoft CA certificates are generated with the .cer format. Either use Save As or change it to .crt before continuing with this procedure.
- Repeat Steps 2 to 10 for each of the additional services.
- Navigate back to the home page of the certificate server and click Download a CA certificate, certificate chain or CRL.
- Click the Base 64 option.
- Click the Download CA Certificate chain link.
- Save the certificate chain as cachain.p7b in the c:\certs\ directory.
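The note above asks you to confirm the three key usages on the issued .crt through its properties dialog in Windows. As an added example (not from the post or the VMware KB), the POSIX shell functions below do the same checks from the command line with the OpenSSL utility already installed: they normalise a .cer that came back in DER form to a PEM .crt, report any of the three key usages that is missing from the certificate (which means the Web Server template was not modified as required), and verify the certificate against the cachain.p7b downloaded in the last step. The file names in the usage lines follow the post's c:\certs\<service>\ layout but are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post or the VMware KB: command-line checks
# on the certificate the Microsoft CA returned. The file names passed in below
# (certnew.cer, rui_vpxd.crt, cachain.p7b) are assumptions for illustration.

# missing_key_usages: reads `openssl x509 -text` output on stdin and prints each of
# the three required key usages that is absent (prints nothing when all are present).
missing_key_usages() {
  dump=$(cat)
  # openssl prints the usage list on the line after the "X509v3 Key Usage" header
  usages=$(printf '%s\n' "$dump" | grep -A1 'X509v3 Key Usage' | tail -n 1)
  for want in 'Digital Signature' 'Key Encipherment' 'Data Encipherment'; do
    case "$usages" in
      *"$want"*) ;;
      *) echo "$want" ;;
    esac
  done
}

# cert_key_usages_ok CERT.crt -> exit 0 only if digitalSignature, keyEncipherment
# and dataEncipherment are all set; otherwise lists what the CA template did not add
cert_key_usages_ok() {
  missing=$(openssl x509 -in "$1" -noout -text | missing_key_usages)
  if [ -n "$missing" ]; then
    printf 'missing key usage(s) in %s:\n%s\n' "$1" "$missing" >&2
    return 1
  fi
}

# cer_to_crt IN.cer OUT.crt -> a .cer may be PEM or DER; keep PEM as-is, convert DER to PEM
cer_to_crt() {
  if grep -q 'BEGIN CERTIFICATE' "$1" 2>/dev/null; then
    cp "$1" "$2"
  else
    openssl x509 -inform DER -in "$1" -out "$2"
  fi
}

# verify_against_chain CERT.crt CACHAIN.p7b -> converts the Base 64 PKCS#7 chain
# to PEM and checks that the issued certificate chains to it
verify_against_chain() {
  chain_pem=$(mktemp)
  openssl pkcs7 -print_certs -in "$2" -out "$chain_pem" || { rm -f "$chain_pem"; return 1; }
  openssl verify -CAfile "$chain_pem" "$1"
  rc=$?
  rm -f "$chain_pem"
  return $rc
}

# Usage (constructed paths):
#   cer_to_crt certnew.cer rui_vpxd.crt
#   cert_key_usages_ok rui_vpxd.crt && verify_against_chain rui_vpxd.crt cachain.p7b
```

Running cert_key_usages_ok on every rui_<service>.crt before installing it catches a CA template that still lacks one of the three usages, which is the failure the note warns about; verify_against_chain assumes the chain was downloaded with the Base 64 option as described, since openssl pkcs7 reads PEM by default.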