Install CA Signed SSL Certificate on ESXi 5.5 Host

While I was upgrading our vSphere to 5.5 I was given the task of going the extra step to replace the self-generated SSL certificates on our ESXi hosts with certificates generated by our internal CA. This was going to help us pass various security audit requirements, so I wanted to put it into the upgrade plan. I found various posts about it and VMware KB 2015499. I followed the KB article, but when I tried to restart the services the host would not connect back to vCenter. After a little more research I found that the KB was missing a very important step that converts the certificate issued by our CA into an X.509 certificate. Here are the steps that I used to finally get the certificates to work. Some of these steps are taken directly from the VMware KB.

You must have OpenSSL installed on your computer to complete these steps.

Launch a command prompt and navigate into the OpenSSL directory.  Mine is C:\OpenSSL\bin>

Execute the command:
C:\OpenSSL\bin>openssl genrsa 2048 > rui.key

Note: You can change the 2048 to whatever key size you want; I wanted 2048 bit.

Execute the command:
C:\OpenSSL\bin>openssl req -new -key rui.key > rui.csr

Answer all of the prompts, and at the Common Name prompt make sure you enter the FQDN of the host you are configuring the certificate request for (hostname.company.com).

Now that you have your certificate request you will need to log into your Microsoft CA server and get the certificate.
1. Log in to the Microsoft CA certificate authority web interface. By default, it is http://<servername>/CertSrv/
2. Click Request a certificate.
3. Click advanced certificate request.
4. Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
5. Open the certificate request in a plain text editor. This is the rui.csr file.
6. Copy from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST----- into the Saved Request box.
7. Click Web Server when selecting the Certificate Template.
8. Click Submit to submit the request.
9. Click Base 64 encoded on the Certificate issued screen.
10. Click Download Certificate.

Now for the important part that the KB is missing.

Copy the certificate file that you downloaded (usually certnew.cer) to the OpenSSL directory you have been working in and run the following command:
C:\OpenSSL\bin>openssl x509 -in certnew.cer -out rui.crt
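Before the files go to /etc/vmware/ssl it is worth confirming that the converted rui.crt and rui.key actually belong together and that the certificate's Common Name is the host's FQDN, since either mistake leaves the host's management interface with a broken TLS setup and vCenter unable to reconnect. The script below is an added example, not part of the original post or of VMware's KB; it assumes a POSIX shell with openssl on the PATH (rather than the Windows command prompt used above), and the helper names to_pem, key_matches_cert, cert_cn and check_host_cert are hypothetical. It also accepts a DER (binary) download from the CA, not only the Base 64 one the post uses.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks to run on rui.crt and
# rui.key before copying them to /etc/vmware/ssl. Assumes a POSIX shell with openssl
# on PATH; the function names are hypothetical helpers, not VMware or OpenSSL commands.

# to_pem IN OUT: write the CA-issued certificate as PEM (the rui.crt format),
# accepting either a Base-64 (PEM) or a DER (binary) download from the CA web page.
to_pem() {
  in="$1"; out="$2"
  if openssl x509 -in "$in" -out "$out" 2>/dev/null; then
    return 0
  fi
  # Not PEM: treat the file as DER and convert it.
  openssl x509 -inform DER -in "$in" -out "$out"
}

# key_matches_cert CERT KEY: succeed only if the certificate's public key belongs
# to the private key (a mismatched pair breaks TLS on the host's management port).
key_matches_cert() {
  cert_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null)
  key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)
  [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# cert_cn CERT: print the subject Common Name. Handles both the old "/CN=host"
# and the newer "CN = host" subject formats that openssl prints.
cert_cn() {
  openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# check_host_cert FQDN CERT KEY: succeed only if the pair matches and the CN is
# the FQDN that vCenter will use to reach the host.
check_host_cert() {
  key_matches_cert "$2" "$3" || { echo "certificate and key do not match" >&2; return 1; }
  cn=$(cert_cn "$2")
  [ "$cn" = "$1" ] || { echo "CN '$cn' does not match host name '$1'" >&2; return 1; }
  echo "ok: $2 and $3 are a matching pair for $1"
}

# Usage, right after the openssl x509 step (host name is a placeholder):
#   to_pem certnew.cer rui.crt && check_host_cert esxhost.company.com rui.crt rui.key
```

If check_host_cert fails on the CN, the CSR was generated with the wrong Common Name and the request has to be redone from the openssl req step; if it fails on the key match, the certificate that came back from the CA was issued for a different CSR than the rui.key you are about to install.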

Now the final step is to copy the certificate and the key to the ESXi host. I prefer using WinSCP, but you can use any method you like to get the files to /etc/vmware/ssl.
1. Log in to vCenter Server.
2. Put the host into Maintenance Mode.
3. Enable SSH on the host from the host configuration tab.
4. Log in to the host with WinSCP and navigate to /etc/vmware/ssl.
5. Rename the existing rui.crt and rui.key to .old.
6. Copy the newly created rui.crt and rui.key to the directory.
7. Log on to the host with PuTTY and restart the management agents (services.sh restart).
8. Reconnect the host in vCenter. You will need to use the root password and accept the new certificate.
9. Take the host out of Maintenance Mode.


Steps to resolve HA firewall issues in vCenter 2.5

[Image: HA]

If after enabling HA on a vCenter cluster you get the above configuration error, check the event log. If the error is "Could not enable firewall ruleset:vim.fault.NotFound", do the following:

a. Disconnect the host from vCenter.
b. Log into the host with PuTTY.
c. Run the command esxcfg-firewall -e aam
d. Run service mgmt-vmware restart
e. Wait about 5 minutes.
f. Connect the host in vCenter.
g. Open the configuration tab for the host in the VIC and go to "Licensed Features".
h. Edit License Source.
i. Configure the license server on the host to your license server.
j. Right-click the host in the VIC and select "Reconfigure for VMware HA".

My Home Lab N40L

I just recently got a good working home lab up and running to help me study for the VCP5 and VCAP5 VMware certifications. I have found it extremely helpful for studying as well as for testing some theories for the production environment at work, since they will not give me a good lab to play with there.

So I started with an HP N40L MicroServer. It shipped as HP ProLiant N40L MicroServer Server System AMD Turion II Neo N40L 1.5GHz 2-Core 2GB (1 x 2GB) 1 x 250GB LFF SATA 658553-001. I knew that the 2 GB of memory was not going to be enough, so I followed this great post by Chris Wahl and upgraded the memory to 16 GB. The server has 2 CPU and one onboard NIC. I am sure that I will be needing to add another host soon.

[Image: N40L_Summary]

I installed ESXi 5.1 to get started, then installed AutoLab 1.0. I am having trouble installing version 1.1, so I will leave that for another post.

As I started working with the lab I found that storage was keeping me from doing some of the things that I wanted to do, so I got a 1 TB Western Digital Green HD to add to the server. Now I am finding that I have the storage to do what I wanted to do, but the IO is horrible! So the next step is to start rounding up some stuff to build a cheap NAS. Hmmm, another post. The more I work with my new lab, the more things I start thinking about to post.

Till next time.