I just upgraded VCT to version 0.1.6 to add vCops support, so here is a short tutorial on installing CA-signed certificates on vCops 5.7, with or without VCT.
Many tutorials on the net and VMware KB articles tell you to create a PFX file and convert it back to PEM for vCAC and vCops, but you actually don’t need the PFX. vCops and vCAC don’t seem to read the Bag Attributes of a PFX file, and without the Bag Attributes the chain file is simply the concatenation of Certificate + Intermediate Certificate + Root Certificate + RSA key. I assume the PFX step is there to avoid errors when concatenating the different files.
Anyway, with VCT you don’t need OpenSSL; everything is done for you. What you need:
- A working vCops platform
- A certificate authority
- VMware Certificate Toolkit v0.1.6 or OpenSSL v0.9.8y
Part 1: Creating the certificate requests
1) This is exactly the same process as for vSphere. Start VMware Certificate Toolkit, go to the PKCS10 section and click on the “Options” tab to specify a destination directory:
2) Go back to the “Request Customization” tab. You need to create a certificate request for the vCops UI server, so enter all the information for that server:
- The common name also has to be entered in the “SubjectAltName” field
- Select “vCopsUI” for the OrganizationalUnitName
Then click on generate:
If you don’t want to use VCT, you can use the following OpenSSL command:
Create the certificate request and a 2048-bit private key:
>openssl req -new -nodes -newkey rsa:2048 -out C:\vCops\rui.csr -keyout C:\vCops\rui-orig.key
Convert the 2048-bit private key to the traditional RSA private key format:
>openssl rsa -in C:\vCops\rui-orig.key -out C:\vCops\rui.key
You can see in the log area of VCT that several files have been created. The VCTcerts folder should now contain “rui.csr” and “rui.key”.
Part 2: Create CA Signed Certificates
4) The next step is to create the certificate. Connect to your certificate authority; I used Microsoft Active Directory Certificate Services:
5) Click on “Request a certificate”
6) Click on “Advanced certificate request”
7) Select the VMware Template
If you don’t have the template, follow KB 2062108: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2062108
8) Go to the vCops folder in the VCTcerts folder and copy the content of rui.csr
9) Paste the content of the request in the “Saved Request” text area:
10) Click on the “Submit” button
11) Select “Base 64 encoded”
12) Click on “Download certificate”
13) Put the downloaded certificate in the vCops folder in VCTcerts and rename it to rui.crt
Part 3: Creating the chain files
This part replaces the PFX creation with OpenSSL; you don’t even need VCT for it. The file you will upload to vCops to update the certificate is just the concatenation of the vCopsUI certificate you got from your certificate authority + the CA certificates of your infrastructure + the RSA key associated with the vCopsUI certificate.
14) Download the intermediate and root certificates of the authority from Microsoft Active Directory Certificate Services: click on “Download a CA certificate, certificate chain, or CRL”
15) In my case, I don’t have an intermediate certificate authority. Select a Base 64 certificate and click on “Download CA certificate”. Place this certificate in the VCTcerts folder and rename it if you want.
16) Open VCT and click on the “Chain .pem” button, then click on the vCops tab and specify a path for the different files as shown in the picture below:
17) Click on “Generate Chain”
VCT creates two chain files; the vCops folder should now contain four files:
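As an added example (not from the original post and not part of VCT), here is a small Python check for the chain file layout described in the introduction and in this part: server certificate first, then the CA certificate(s), then the RSA key, with no Bag Attributes residue from a PFX export and the key in the RSA format that the openssl rsa step produces rather than PKCS#8. The sample blocks built by fake_pem() are constructed dummies, not real certificates or keys.

```python
import base64
import re

# A PEM block: "-----BEGIN <label>-----", base64 body, "-----END <label>-----".
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def parse_pem(text):
    """Return [(label, base64_body)]; reject text outside the markers, such as
    the 'Bag Attributes' lines that an OpenSSL PFX-to-PEM export leaves behind."""
    blocks, pos = [], 0
    for m in PEM_BLOCK.finditer(text):
        junk = text[pos:m.start()].strip()
        if junk:
            raise ValueError("unexpected text before block: %r" % junk[:40])
        body = "".join(m.group(2).split())
        base64.b64decode(body, validate=True)  # raises ValueError on damaged base64
        blocks.append((m.group(1), body))
        pos = m.end()
    if text[pos:].strip():
        raise ValueError("unexpected text after the last block")
    return blocks

def build_chain(server_crt, ca_crts, rsa_key):
    """Concatenate the PEM files in the order vCops expects: server cert, CA cert(s), key."""
    return "".join(p.strip() + "\n" for p in [server_crt, *ca_crts, rsa_key])

def check_chain(text):
    """Return None if the chain file has the expected layout, else the first problem found."""
    try:
        labels = [label for label, _ in parse_pem(text)]
    except ValueError as e:
        return str(e)
    keys = [l for l in labels if l.endswith("PRIVATE KEY")]
    if len(keys) != 1:
        return "expected exactly one private key, found %d" % len(keys)
    if keys[0] != "RSA PRIVATE KEY":  # PKCS#8 'PRIVATE KEY' still needs the openssl rsa step
        return "key is '%s'; convert it with 'openssl rsa' first" % keys[0]
    if labels[-1] != "RSA PRIVATE KEY":
        return "the RSA key must be the last block"
    if labels.count("CERTIFICATE") != len(labels) - 1:
        return "only CERTIFICATE blocks may precede the key"
    if len(labels) < 3:
        return "need the server certificate plus at least the root CA certificate"
    return None

def fake_pem(label, payload):
    """Constructed sample block: real PEM markers around dummy base64 (not a real cert/key)."""
    body = base64.b64encode(payload).decode()
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)
```

Run check_chain() on the concatenated file before uploading it in Part 4; it returns None when the layout is right and a message naming the first problem otherwise.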
Part 4: Import the certificates to vCops
18) Connect to the vCops UI server using this URL: https://vcops_ui/admin
20) Login to the appliance
21) Click on the SSL tab
22) Browse to the chain file you created in step 17
23) Click install
It will take a few seconds. You might get an error message saying “General error occured”; this is because Apache cannot resolve the CommonName of the certificate. Don’t worry: if the chain file you uploaded is correct, the certificate will be installed and the error will not cause any problem. This error is well explained here: http://www.bussink.ch/?p=458
24) Start a new session to vCops and it’s done!
Hope you like this article, don’t forget to leave me a comment 😉