VMware Cloud Foundation components certificates replacement



Article ID: 324024

Products

VMware Cloud Foundation

Issue/Introduction

You can replace the certificates for the following externally accessible VMware Cloud Foundation components.
  • SDDC Manager
  • vCenter Server
  • Platform Services Controllers
  • NSX Manager
  • vRealize Log Insight
  • vRealize Operations

Environment

VMware Cloud Foundation 2.x

Resolution

It is recommended that you replace the certificates for all components right after deploying Cloud Foundation. After you create workload domains, you can replace certificates for the appropriate components.

Prerequisites

  • You must have a Windows host with PowerShell installed on it.
  • For a Microsoft Windows signed certificate, the Windows host must be in the same domain as the Windows CA.
  • The account that you use to log in must have administrative privileges. Although non-administrator users can download and launch the tool, all operations fail if you do not have the proper permissions.
  • You must have created a Microsoft CA template. See Microsoft Certificate Authority Template in VMware Validated Design for Software-Defined Data Center.
  • You must have downloaded and installed OpenSSL for Windows. You can obtain the binary file from here. It can be extracted anywhere in the Windows path.


Create the Configuration File Package for the Certificate Generation Tool

Create a configuration file that contains certificate information for your organization. Using this configuration file, the tool generates a file package that contains a configuration file for the VMs in each Cloud Foundation component.

You can specify the components for which you want to replace certificates in the configuration file. It is recommended that you replace all certificates immediately after you deploy Cloud Foundation. Subsequently, you can replace certificates for a subset of components, as appropriate.

Note: For information on creating a configuration file, please see the "Example Configuration File for Certificate Replacement After Deployment" in the VMware Cloud Foundation Admin Guide.

To create the configuration file package:

  1. Using the root credentials, SSH in to the SDDC Manager Controller VM.

  2. If you have not already done so, copy the configuration file to a directory on the SDDC Manager Controller VM, for example, /tmp/cert-config.json.

  3. Navigate to /opt/vmware/cert-mgmt/bin.

  4. Run the following command:

./vcfcerthelper  --config_file config.json  --cert_dir cert-output  --action build-certgen-config

The file package for the Certificate Generation Tool is created in the specified directory. The tool also creates a zip file of the directory contents in the parent directory.

Generate Key Pairs and Certificates

With the Certificate Generation utility, you can either create certificates signed by a Microsoft Windows CA, or create a certificate signing request for a third-party CA.

Note: There is a known security risk when copying key pairs and certificates to the /root/certs directory because it is not FIPS compliant.

  1. Use a file transfer utility to copy the file package zip file from the SDDC Manager Controller VM to the Windows host.

  2. Extract the contents of the zip file on the Windows host. The CertGenVVD-*.ps1 file is included in the extracted files.

  3. Navigate to the directory where you extracted the contents of the zip file.

  4. Run one of the following commands in PowerShell:

     • To create a Microsoft Windows signed certificate, run the following command:

CertGenVVD-3.0.ps1 -MSCASigned -attrib 'CertificateTemplate:VMware' -inter

     • To create a certificate signing request for a third-party CA, run the following command:

CertGenVVD-3.0.1.ps1 -CSR

  5. Type a password for the key file. A folder named SignedByMSCACerts is created.

  6. Zip the contents of the SignedByMSCACerts folder.

  7. Use a file transfer utility to copy the SignedByMSCACerts zipped folder to the SDDC Manager Controller VM in the /opt/vmware/cert-mgmt/bin directory.

  8. Navigate to the /opt/vmware/cert-mgmt/bin directory and unzip the SignedByMSCACerts folder.


Build the File Package for Certificate Replacement Tool

Package the generated key pairs, CA-signed certificates, and CA chain to prepare them for the certificate replacement tool.

Note: If the key files are password protected, you must have the password. All password-protected key files must have the same password.

Please follow these steps to build the file package:

  1. Using the root credentials, SSH in to the SDDC Manager Controller VM.

  2. In the /opt/vmware/cert-mgmt/bin directory of the SDDC Manager Controller VM, type the following command.

./vcfcerthelper --config_file config.json --cert_dir SignedByMSCACerts --password 'psswd' --action build-certrepl-config --enable_ssl_passthrough

The file package is created in the same directory that contains the CA-signed certificates.

Backup TrustStores

Complete the following to back up the TrustStores for vCenter Server, Platform Services Controllers, and the SDDC Manager Controller VM.

  1. In the /opt/vmware/cert-mgmt/bin directory of the SDDC Manager Controller VM, type the following command.

./vcfcerthelper --action list-ca --cert_dir truststore-backup-day-1

Take Snapshots of Cloud Foundation Components

Take a snapshot of the Cloud Foundation components. The certificate configuration tool has a built-in feature to create these snapshots.

  1. In the /opt/vmware/cert-mgmt/bin directory of the SDDC Manager Controller VM, type the following command.

./vcfcerthelper --config_file config.json --action create-snapshot

Replace Certificates

Note: This requires that the certificate's valid-from date is at least 24 hours in the past.

After the snapshots have been taken, replace the certificates with the signed certificates you generated.

  1. Navigate to the /opt/vmware/cert-mgmt/bin directory of the SDDC Manager Controller VM.

  2. Run the following command.

/usr/java/jre-vmware/bin/java -Djsse.enableSNIExtension=false -jar /opt/vmware/cert-mgmt/lib/certreplace-0.0.1-SNAPSHOT.jar -config SignedByMSCACerts/config-vcf.json
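As an added pre-flight check before running the replace step (example code, not part of vcfcerthelper or any VMware tool), the script below parses the text that `openssl x509 -noout -subject -dates -ext subjectAltName -in <cert.pem>` prints for a certificate in SignedByMSCACerts, and enforces the 24-hour note above plus a check that the component FQDN appears as a DNS SAN. The sample output, hostnames and dates are constructed.

```python
import re
from datetime import datetime, timedelta

# Date format printed by `openssl x509 -dates`, e.g. "Jan  5 10:00:00 2024 GMT"
DATE_FMT = "%b %d %H:%M:%S %Y GMT"

# Constructed sample of `openssl x509 -noout -subject -dates -ext subjectAltName` output
SAMPLE = """subject=CN = sddc-manager.example.local, O = Example
notBefore=Jan  5 10:00:00 2024 GMT
notAfter=Jan  4 10:00:00 2026 GMT
X509v3 Subject Alternative Name:
    DNS:sddc-manager.example.local, DNS:sddc-manager
"""

def parse_x509_text(text):
    """Pull subject, validity dates and DNS SANs out of openssl's text output."""
    info = {"subject": None, "not_before": None, "not_after": None, "dns_names": []}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("subject="):
            info["subject"] = line[len("subject="):]
        elif line.startswith("notBefore="):
            info["not_before"] = datetime.strptime(line[len("notBefore="):], DATE_FMT)
        elif line.startswith("notAfter="):
            info["not_after"] = datetime.strptime(line[len("notAfter="):], DATE_FMT)
        else:
            info["dns_names"] += re.findall(r"DNS:([^,\s]+)", line)
    return info

def check_certificate(text, expected_fqdn, now, min_age_hours=24):
    """Return a list of problems (empty = usable). `now` is a datetime or ISO string."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    cert = parse_x509_text(text)
    if cert["not_before"] is None or cert["not_after"] is None:
        return ["could not parse validity dates"]
    problems = []
    # The replace step requires the valid-from date to be at least 24 hours old
    if now - cert["not_before"] < timedelta(hours=min_age_hours):
        problems.append("notBefore is less than %d hours in the past" % min_age_hours)
    if cert["not_after"] <= now:
        problems.append("certificate has already expired")
    # The component's FQDN must be covered by a DNS SAN, not just the CN
    if expected_fqdn.lower() not in [d.lower() for d in cert["dns_names"]]:
        problems.append("SAN does not include %s" % expected_fqdn)
    return problems

if __name__ == "__main__":
    print(check_certificate(SAMPLE, "sddc-manager.example.local", "2024-01-10T00:00:00"))
```

Run it against each PEM in SignedByMSCACerts with the component's FQDN from config.json; any non-empty list means the replace step should not be run yet.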


Verify that the System Works with the New Certificates

Note: If there are any VDI workload domains in the environment, see the "Re-trust VDI Workload Domains" section in the VMware Cloud Foundation Admin Guide.

Access the SDDC Manager Dashboard to verify that the new certificates work.

  1. In a web browser, log in to the SDDC Manager Dashboard to verify that it displays correctly: https://IP-FQDN:8443/vrm-ui.

  2. Launch vCenter Server Web Client to verify that it displays correctly.

  3. If vRealize Operations is deployed, log in to vRealize Operations and verify that all adapters are collecting data. Some adapters may display an error until the next collection cycle.


Verify Trust for Replaced Certificates

If you replaced certificates for specific components, you must verify trust. To do so:

  1. SSH in to the SDDC Manager Controller VM.

  2. Navigate to the /opt/vmware/cert-mgmt/bin/vcfcerthelper directory.

  3. Type the following command:

./vcfcerthelper --action verify-trust --cert_dir dir

Delete Snapshots of Cloud Foundation Components

After certificates have been replaced successfully, delete the snapshots.

Note: Only delete the Cloud Foundation snapshots after certificates have been successfully replaced.

  1. In the /opt/vmware/cert-mgmt/bin/vcfcerthelper directory of the SDDC Manager Controller VM, type the following command.

./vcfcerthelper --config_file config.json --action remove-snapshot

Additional Information

VMware Cloud Foundation Admin Guide.
