A number of blogs and a VMware KB article out there tell you how to install a custom SSL certificate, so I’m not going to reinvent the wheel here. Instead I’ll add the way I did it and my observations during the process.
What does the certificate need?
From the above requirements,
- If you get your SSL certificate in the .pem format, great! You can just install it. If you don’t, read on.
- The certificate needs to do Server Authentication (the serverAuth extended key usage); you define this in the OpenSSL.cfg file.
- If you have a multi-tier PKI hierarchy, you’ll need to obtain either your certificate in the .p7b format or the entire CA chain along with the issued cert (which may be in the .cer format).
- You’ll generate the private key when you generate the Certificate Signing Request (.csr).
- My OpenSSL.cfg file looked like this; you should change the file to suit your PKI’s requirements:
You need a machine with OpenSSL installed to begin with; this is a given, I’m just putting it out there. Or you could web-enroll if your CA allows it. We’ll discuss the use of OpenSSL here.
- First, you need to ensure OpenSSL is set to use your .cfg file. Basically, this means you need to point OpenSSL to its .cfg file, which usually sits in the \bin folder. You run D:\OpenSSL-Win32\bin>set OPENSSL_CONF=d:\OpenSSL-win32\bin\openssl.cfg. In my instance, I have OpenSSL installed in the D:\OpenSSL-Win32 directory (see the screenshot above).
- Next, generate the .csr file (the Certificate Signing Request) and the .key file. The .csr file needs to be given to whoever handles SSL certs in your organization. The .key file is needed to create the .pem file vROps wants, so don’t lose it. If you do, though, the sky won’t come crashing down; just generate these two files again. The exact commands are the following (screenshot from the VMware KB article I linked to at the top):
- Send the .csr file off to your SSL team and get them to issue a certificate for you. If they grant you a certificate in the .pem format, great. If not, get them to give you a .p7b certificate, as this contains the full certificate chain and won’t require you to supply the other levels of your PKI hierarchy when generating the .pem file. In my case, I was able to get the certificate in the .p7b format.
- Now convert the .p7b to .pfx by running two commands. The first command is openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
- The second command is openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx
- Finally, convert the resulting .pfx to .pem, either with https://www.sslshopper.com/ssl-converter.html or by running openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes. Keep in mind that the .pfx contains your private key, so uploading it to a web converter hands that key to a third party; the local openssl command avoids this. You may need to rename the output file to .pem if you ran the openssl command. Check the resulting .pem certificate in Notepad and delete any “Bag Attributes” that may have been added (details in the VMware KB article I linked to at the beginning).
All you’ve now got to do is install the .pem certificate in your vROps instance’s /admin console. Note: you aren’t explicitly told if the custom certificate was accepted, but it does tell you if it isn’t good enough. If you don’t get an error message, all’s well; log off the console, close the window, re-open it and you should now see the machine use the new certificate.
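As an added example (not from the KB article or from VMware), here is a small Python check for the last step: it strips the bag attribute, subject= and issuer= lines that openssl pkcs12 leaves between the PEM blocks, and summarises what the file holds (key, leaf, chain, whether the key is encrypted) before you upload it to /admin. The sample file and its base64 bodies are constructed placeholders, not real keys or certificates.

```python
import base64
import binascii
import re

# Constructed stand-in for the file "openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes"
# writes: PEM blocks wrapped in Bag Attributes, subject= and issuer= lines.
# The base64 bodies are placeholder bytes, not real keys or certificates.
def pem_block(label, payload):
    return f"-----BEGIN {label}-----\n{base64.b64encode(payload).decode()}\n-----END {label}-----\n"

SAMPLE_PEM = (
    "Bag Attributes\n    localKeyID: 01 02 03\n    friendlyName: vrops\n"
    "Key Attributes: <No Attributes>\n"
    + pem_block("PRIVATE KEY", b"placeholder-private-key")
    + "Bag Attributes\n    localKeyID: 01 02 03\n"
    "subject=/CN=vrops.example.test\nissuer=/CN=Example Issuing CA\n"
    + pem_block("CERTIFICATE", b"placeholder-leaf-cert")
    + "Bag Attributes: <No Attributes>\n"
    "subject=/CN=Example Issuing CA\nissuer=/CN=Example Root CA\n"
    + pem_block("CERTIFICATE", b"placeholder-intermediate-cert")
    + "subject=/CN=Example Root CA\nissuer=/CN=Example Root CA\n"
    + pem_block("CERTIFICATE", b"placeholder-root-cert")
)

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END \1-----\n?", re.S)

def clean_pem(text):
    """Keep only the PEM blocks; everything between them (the bag attributes) is dropped."""
    return "".join(m.group(0).rstrip("\n") + "\n" for m in PEM_BLOCK.finditer(text))

def inspect_pem(text):
    """Summarise what the file holds so it can be checked before the /admin upload."""
    blocks = [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]
    stray = [ln for ln in PEM_BLOCK.sub("", text).splitlines() if ln.strip()]
    # -nodes writes the key in the clear; flag a key that was exported encrypted instead
    encrypted = any(lbl == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body
                    for lbl, body in blocks)
    valid_b64 = True
    for lbl, body in blocks:
        if "Proc-Type" in body:  # legacy encrypted block carries non-base64 header lines
            continue
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            valid_b64 = False
    return {
        "certificates": sum(1 for lbl, _ in blocks if lbl == "CERTIFICATE"),
        "private_keys": sum(1 for lbl, _ in blocks if lbl.endswith("PRIVATE KEY")),
        "encrypted_key": encrypted,
        "stray_lines": len(stray),  # the bag attribute lines the KB says to delete
        "valid_base64": valid_b64,
        "order": [lbl for lbl, _ in blocks],
    }
```

Run inspect_pem on the cleaned output and expect one private key, the leaf plus every CA in the chain, and zero stray lines.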