Important: OpenSSL Version 0.9.8 must be used for this process. The use of other versions may cause the SSL certificate implementation to fail.
There are several different processes required for the implementation of custom CA signed SSL certificates for the vSphere Authentication Proxy. The following steps must be followed in order to ensure a successful implementation:
Before attempting these steps, ensure that:
- You have a vSphere 5.x environment
- You have reviewed the Key Usage Extensions for the Web Server template on your Certificate Authority server and made sure it has digitalSignature, keyEncipherment, and dataEncipherment enabled for certificate generation.
- OpenSSL v0.9.8 has been downloaded from http://slproweb.com/products/Win32OpenSSL.html and has been installed in the default directory.
- You are not using wildcard certificates.
Note: This article assumes OpenSSL has been installed to C:\OpenSSL-Win32. If it has been installed elsewhere, substitute the alternative location appropriately.
Note: The preceding link was correct as of February 11, 2015. If you find the link is broken, please provide feedback and a VMware employee will update the link.
Create the OpenSSL configuration file
The OpenSSL configuration used when generating requests must:
- Include the subject alternative name field
- Use a unique OrganizationalUnitName for each component
- Use DNS entries in the subject alternative name field whose case matches the hostname and domain reported by the hostname or ipconfig /all commands
- Include the digitalSignature, keyEncipherment, and dataEncipherment components for Key Usage
To create the OpenSSL configuration files for creating the certificate requests:
- On the system where you will be generating the certificates, create a folder in which you can store the certificates for the different components. These steps use the C:\certs folder as an example.
- In the C:\certs folder, create a new folder with the name authproxy.
- Within a text editor, create the file C:\certs\authproxy\authproxy.cfg. Paste the text below into the file, replacing the placeholder values (hostname_of_vsphere_auth_proxy, ipaddress_of_vsphere_auth_proxy, fqdn_of_vsphere_auth_proxy, unique_name_for_vsphere_auth_proxy, State, and OrganizationName) with values for your environment:
Notes:
- Each SSL certificate needs a unique Distinguished Name (DN). The examples in this article use the OrganizationalUnitName (OU) field to achieve this uniqueness, based on a configuration where all components are installed on the same server. If the services are all on separate servers, they have a unique DN by default.
- VMware recommends including the IP address in the subjectAltName of each SSL certificate. When using a commercial CA for certificate signing, the IP address can be left out of the certificate if DNS resolves properly for the short name, the fully qualified domain name, and reverse lookup.
# [ req ], prompt = no and req_extensions = v3_req are needed for openssl req to read
# the distinguished name as literal values and to copy the extensions below into the
# request; without them the CSR is generated without the SAN and Key Usage fields.
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
prompt = no
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:hostname_of_vsphere_auth_proxy, IP:ipaddress_of_vsphere_auth_proxy, DNS:fqdn_of_vsphere_auth_proxy

[ req_distinguished_name ]
stateOrProvinceName = State
0.organizationName = OrganizationName
organizationalUnitName = unique_name_for_vsphere_auth_proxy
commonName = fqdn_of_vsphere_auth_proxy
- Save the file and proceed to Generating certificate requests.
Generating certificate requests
After creating the OpenSSL configuration file, you must generate a certificate request to submit to the Certificate Authority to generate the new certificates for the vSphere Authentication Proxy.
To generate the certificate request:
- Open an administrative command prompt on the machine in which you installed OpenSSL and created the OpenSSL configuration file.
- Type the following command to change directories to the OpenSSL installation directory.
Note: In this example, OpenSSL has been installed to C:\OpenSSL-Win32
cd C:\OpenSSL-Win32
- Type the following command to create the vSphere Authentication Proxy certificate request and its private key:
openssl req -new -nodes -out C:\certs\authproxy\rui.csr -keyout C:\certs\authproxy\rui-orig.key -config C:\certs\authproxy\authproxy.cfg
- Type the following command to convert the private key to the unencrypted PEM RSA format that the vSphere Authentication Proxy service uses:
openssl rsa -in C:\certs\authproxy\rui-orig.key -out C:\certs\authproxy\rui.key
- Verify the output and confirm that all of the parameters that were set in the authproxy.cfg file are properly set in the certificate request.
- Proceed to Obtaining the certificate.
Obtaining the certificate
After generating the certificate request successfully, you must submit the request to a certificate authority in order to generate the certificate for the vSphere Authentication Proxy. The certificate authority will present back the final certificate generated from the certificate requests as well as a copy of the certificate authority's root certificate. In order for the vSphere Authentication Proxy certificate chain to be trusted, the root certificate must be installed on the server in which the vSphere Authentication Proxy is installed.
Follow the appropriate section based upon the certificate authority used in your environment.
For Commercial certificate authorities, follow these steps for each certificate request:
- Take the certificate request (rui.csr, as generated in the previous process) and submit it to the authority in question.
- The authority will send back the generated certificate.
For Microsoft CA certificate authorities, follow these steps for each certificate request:
Note: Based on the requirements of the key, ensure that the WebServer Template has been copied to allow for encryption of user data. This can be normally found in Certificate Manager > Extensions > Key Usage > Allow encryption of user data.
- Log into the Microsoft CA certificate authority web interface. By default, the address is http://servername/CertSrv/.
- Click the Request a certificate link.
- Click advanced certificate request.
- Click the Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file link.
- Open the certificate request (rui.csr, as generated in the previous process) in a plain text editor and paste its entire contents, including the marker lines, into the Saved Request box:
-----BEGIN CERTIFICATE REQUEST----- through -----END CERTIFICATE REQUEST-----
- Select the Certificate Template as the appropriate Web Server template. This is generally a copy of the Web Server Template with the Allow encryption of user data setting set.
- Click Submit to submit the request.
- Click Base 64 encoded on the Certificate issued screen.
- Click the Download Certificate link.
- Save the certificate as rui.crt in the C:\certs\authproxy folder.
Note: Before proceeding, confirm that the three key usages are present on the .crt file by viewing its properties. This can be found by opening the rui.crt, clicking the Details tab, and locating the Key Usage row under Field. The default install of Windows Server 2008 with the CA role will not create *.crt files properly. You must first modify the digitalSignature, keyEncipherment, and dataEncipherment fields on the CA server's Web Server template before continuing. For more information, see Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 5.x (2062108).
- Navigate back to the home page of the certificate server and click Download a CA certificate, certificate chain or CRL.
- Click the Base 64 option.
- Click the Download CA Certificate chain link.
- Save the certificate chain as cachain.p7b in the c:\certs folder.
- Double-click the cachain.p7b file and navigate to C:\certs\cachain.p7b > Certificates.
- Right-click the certificate listed and click All Actions > Export.
- Click Next.
- Select Base-64 encoded X.509 (.CER), and then click Next.
- Save the export to C:\certs\Root64.cer and click Next.
Note: This assumes there are no intermediate certificates in the Certificate Authority. If the Certificate Authority has two or more levels, the .p7b file contains multiple certificates, and they cannot be exported to Base-64 encoded X.509 (.CER) at the same time; you must export each intermediate certificate and the root certificate to a separate file.
For example, create files named C:\certs\interm64-1.cer, C:\certs\interm64-2.cer, etc. Once complete, concatenate the certificates into a single file named chain.cer.
The chain.cer file is used in place of the Root64.cer file, as outlined in the Implement the certificates section below.
To concatenate the files on Windows, open a Windows command prompt, navigate to the certificates directory, then run this command:
copy interm64-1.cer+interm64-2.cer+Root64.cer chain.cer
If this is not correctly done before the PFX and JKS files are created below, the vSphere Authentication Proxy will fail.
- Click Finish.
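The concatenation step above has two quiet failure modes: a file that holds zero or several certificates (an intermediate that was skipped, or the whole .p7b exported at once), and the trailing Ctrl-Z that the Windows copy command appends when it joins files in ASCII mode. The following script is an added example, not VMware's or OpenSSL's code; it uses the file names from this article (interm64-1.cer, interm64-2.cer, Root64.cer, chain.cer), and the certificate bodies below are constructed placeholders rather than real certificates.

```python
"""Build chain.cer from separately exported CA certificates and sanity-check it."""
import re
from pathlib import Path

# One PEM certificate block. Certificates exported from certmgr use CRLF line
# endings, so both CRLF and LF are accepted.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(?:[A-Za-z0-9+/=]+\r?\n)+-----END CERTIFICATE-----"
)


def extract_certificates(text):
    """Return the PEM certificate blocks in text, normalised to LF line endings.

    Anything outside a block is dropped: the Ctrl-Z (0x1A) that `copy a+b c`
    appends in ASCII mode, a BOM, or a 'Bag Attributes' header from other tools.
    """
    return [m.group(0).replace("\r\n", "\n") for m in PEM_CERT.finditer(text)]


def count_certificates(text):
    """Number of PEM certificate blocks in text."""
    return len(extract_certificates(text))


def build_chain_from_texts(texts):
    """Concatenate one-certificate files into a chain, preserving the given order.

    Each input must hold exactly one certificate, because the article exports
    every intermediate and the root to its own file; zero or several blocks in
    one file means an export step was skipped or the whole .p7b was exported.
    """
    chain = []
    for index, text in enumerate(texts, start=1):
        certs = extract_certificates(text)
        if len(certs) != 1:
            raise ValueError(f"input {index} holds {len(certs)} certificates, expected 1")
        chain.append(certs[0])
    return "\n".join(chain) + "\n"


def build_chain(paths, output):
    """Read the files in order (intermediates first, root last); write output.

    Returns the number of certificates written, for a final check.
    """
    texts = [Path(p).read_text(encoding="ascii") for p in paths]
    chain = build_chain_from_texts(texts)
    Path(output).write_bytes(chain.encode("ascii"))  # LF only, no Ctrl-Z
    return count_certificates(chain)


# Constructed stand-ins for the exported files; real files hold base64 DER.
INTERM64_1 = "-----BEGIN CERTIFICATE-----\r\nMIICconstructedIntermediateOne\r\n-----END CERTIFICATE-----\r\n"
INTERM64_2 = "-----BEGIN CERTIFICATE-----\r\nMIICconstructedIntermediateTwo\r\n-----END CERTIFICATE-----\r\n"
# Trailing \x1a imitates a file that was itself produced by `copy` in ASCII mode.
ROOT64 = "-----BEGIN CERTIFICATE-----\r\nMIICconstructedRootCA\r\n-----END CERTIFICATE-----\r\n\x1a"

if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        files = []
        for name, body in [("interm64-1.cer", INTERM64_1),
                           ("interm64-2.cer", INTERM64_2),
                           ("Root64.cer", ROOT64)]:
            path = Path(tmp, name)
            path.write_bytes(body.encode("ascii"))
            files.append(path)
        written = build_chain(files, Path(tmp, "chain.cer"))
        print(f"chain.cer holds {written} certificates")
```

Run it against the real C:\certs directory by passing the three exported files and C:\certs\chain.cer to build_chain; the returned count should equal the number of levels in your CA hierarchy.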
To verify that all of the settings are correct, double-click the rui.crt file and validate that the proper alternative names and subjects are in each certificate. When complete, the certificates are generated and you now have the rui.key and rui.crt files for the vSphere Authentication Proxy and the Root64.cer root certificate.
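The two verification points in this section (confirming that the CSR carries everything from authproxy.cfg, and confirming that the CA did not strip one of the three key usages or change the SAN when it issued rui.crt) can be scripted instead of read off the certificate properties dialog. The following checker is an added example, not VMware's or OpenSSL's code. It parses the text that the standard commands openssl req -in rui.csr -noout -text and openssl x509 -in rui.crt -noout -text print; the two dumps embedded below are constructed samples (a correct CSR and a certificate whose issuing template lacked Data Encipherment and whose short name came back in a different case), and the hostname, IP and OU values are assumptions.

```python
"""Check a CSR or certificate text dump against what authproxy.cfg should produce."""
import re
import subprocess

REQUIRED_KEY_USAGE = {"Digital Signature", "Key Encipherment", "Data Encipherment"}
REQUIRED_EXT_KEY_USAGE = {"TLS Web Server Authentication", "TLS Web Client Authentication"}


def dump_text(path):
    """Run OpenSSL to print a request (.csr) or certificate (.crt/.cer) as text."""
    sub = "req" if path.lower().endswith(".csr") else "x509"
    result = subprocess.run(["openssl", sub, "-in", path, "-noout", "-text"],
                            check=True, capture_output=True, text=True)
    return result.stdout


def _extension_value(text, name):
    """Return the line printed under an 'X509v3 <name>:' heading, or '' if absent."""
    pattern = rf"X509v3 {re.escape(name)}:[ \t]*(?:critical)?[ \t]*\r?\n[ \t]*(.+)"
    m = re.search(pattern, text)
    return m.group(1).strip() if m else ""


def parse_subject(text):
    """Return the Subject line as a dict such as {'OU': ..., 'CN': ...}."""
    m = re.search(r"^[ \t]*Subject:[ \t]*(.+)$", text, re.MULTILINE)
    fields = {}
    for part in (m.group(1).split(",") if m else []):
        if "=" in part:                      # both 'CN=x' and 'CN = x' styles
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def parse_san(text):
    """Return the subjectAltName entries as (type, value) tuples, in printed order."""
    entries = []
    for item in _extension_value(text, "Subject Alternative Name").split(","):
        if ":" in item:
            kind, value = item.strip().split(":", 1)
            entries.append((kind.strip(), value.strip()))
    return entries


def check_request(text, hostname, ip, fqdn, ou):
    """Return a list of problems found in the dump; an empty list means all checks pass.

    DNS names are compared case-sensitively on purpose: the article requires the
    SAN entries to match the case reported by the hostname / ipconfig commands.
    """
    problems = []
    subject = parse_subject(text)
    if subject.get("CN") != fqdn:
        problems.append(f"CN is {subject.get('CN')!r}, expected {fqdn!r}")
    if subject.get("OU") != ou:
        problems.append(f"OU is {subject.get('OU')!r}, expected {ou!r}")
    san = parse_san(text)
    dns_names = [value for kind, value in san if kind == "DNS"]
    ip_addrs = [value for kind, value in san if kind.startswith("IP")]
    for name in (hostname, fqdn):
        if name not in dns_names:
            lowered = [d.lower() for d in dns_names]
            hint = " (present with different case)" if name.lower() in lowered else ""
            problems.append(f"SAN is missing DNS:{name}{hint}")
    if ip not in ip_addrs:
        problems.append(f"SAN is missing IP:{ip}")
    key_usage = {u.strip() for u in _extension_value(text, "Key Usage").split(",") if u.strip()}
    missing = REQUIRED_KEY_USAGE - key_usage
    if missing:
        problems.append("Key Usage lacks " + ", ".join(sorted(missing)))
    ext_usage = {u.strip() for u in _extension_value(text, "Extended Key Usage").split(",") if u.strip()}
    missing = REQUIRED_EXT_KEY_USAGE - ext_usage
    if missing:
        problems.append("Extended Key Usage lacks " + ", ".join(sorted(missing)))
    return problems


# Constructed sample of `openssl req -noout -text` for a request that matches authproxy.cfg.
GOOD_CSR_TEXT = """\
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: ST=State, O=OrganizationName, OU=vSphereAuthProxy, CN=authproxy.corp.example
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                DNS:AUTHPROXY, IP Address:192.0.2.10, DNS:authproxy.corp.example
"""

# Constructed sample of `openssl x509 -noout -text` for a certificate issued from a
# Web Server template that lacks Data Encipherment and with the short name re-cased.
BAD_CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Subject: ST=State, O=OrganizationName, OU=vSphereAuthProxy, CN=authproxy.corp.example
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                DNS:authproxy, IP Address:192.0.2.10, DNS:authproxy.corp.example
"""

if __name__ == "__main__":
    import sys
    expected = ("AUTHPROXY", "192.0.2.10", "authproxy.corp.example", "vSphereAuthProxy")
    text = dump_text(sys.argv[1]) if len(sys.argv) > 1 else BAD_CERT_TEXT
    for problem in check_request(text, *expected) or ["all checks passed"]:
        print(problem)
```

Run it with the path to rui.csr after the request step, and again with rui.crt after the CA returns the certificate; a Key Usage finding on the .crt but not the .csr points at the CA template rather than at authproxy.cfg.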
Implement the certificates
When you have the certificate created, you can generate the PKCS#12 PFX file for use with the vSphere Authentication Proxy service.
To create the PKCS#12 PFX file for use with the vSphere Authentication Proxy service:
- On the system where you have saved the certificates, type the following command to convert the .cer or .crt file and its private key into a PKCS#12 PFX bundle:
openssl pkcs12 -export -in C:\certs\authproxy\rui.crt -inkey C:\certs\authproxy\rui.key -out C:\certs\authproxy\bundle.p12
Note: In this command, we are using rui.crt stored in C:\certs\authproxy. In some cases, your certificate may end in .cer; substitute rui.cer for rui.crt in the command if this is the case. The command prompts for an export password; this is the password you enter again when importing the bundle into IIS later in this section (the example there uses testpassword).
To implement the new certificate for use with the vSphere Authentication Proxy service:
- On the machine running the vSphere Authentication Proxy service, open an administrative command prompt and type the following command to unregister the vSphere Authentication Proxy service from vCenter Server:
Installation_Directory\cam-register.exe -n -s Path_To_vSphere_Authentication_Proxy_Configuration_File
Note: The following command is an example if the vSphere Authentication Proxy has been installed using the default installation paths and settings:
"C:\Program Files (x86)\VMware\vSphere Authentication Proxy\cam-register.exe" -n -s "C:\ProgramData\VMware\vSphere Authentication Proxy\vmconfig-cam.xml"
- Navigate to C:\ProgramData\VMware\vSphere Authentication Proxy\ssl.
- Copy the original rui.key and rui.crt to another location to preserve the original certificate and private key as a backup.
- Copy the rui.key and rui.crt obtained from the Obtaining the certificate section to C:\ProgramData\VMware\vSphere Authentication Proxy\ssl to replace the certificate and private key with the new ones.
- Type the following command to register the vSphere Authentication Proxy back to vCenter Server:
Installation_Directory\cam-register.exe -r -a vCenter_Server_IP_Address -u vCenter_username -p password -s Path_To_vSphere_Authentication_Proxy_Configuration_File
Note: The user specified must have administrator privileges to vCenter Server.
- Restart the VMware vSphere Authentication Proxy Adapter service and VMware vSphere Authentication Proxy service.
- Import the Root CA certificates on the vSphere Authentication Proxy Machine.
- Open Certificate Manager: open a Run dialog box, type the following, and click OK:
certmgr.msc
- Navigate to Trusted Root Certification Authorities>Certificates.
- Right-click on Certificates and select All Tasks>Import...
- Navigate to the location of the Root64.cer from the Obtaining the certificate section.
- Select the Trusted Root Certification Authorities certificate store.
- Click Next.
- Click Finish.
- Repeat this process and add the certificate to the Trusted Publishers store.
- Import the certificate into IIS. Select Server Manager > Roles > Web Server (IIS) > Internet Information Services (IIS) Manager.
- Select the server name in right-side pane and select Server Certificates in the next right-side pane.
- Select Import in the Actions list and, in the Certificate file (.pfx) field, select the path to the .p12 file you created in the first procedure of this section (C:\certs\authproxy\bundle.p12).
- Type the export password you set when creating the PKCS#12 bundle. This example uses:
testpassword
- Check the Allow this certificate to be exported checkbox.
- Click Finish.
- In Server Manager, select Roles>Webserver (IIS)>IIS Manager>Sites>Computer Account Management.
- Click on Bindings on the right side and select https in the list.
- Click on Edit and select the appropriate certificate in the drop down and click on View to confirm the certificate.
- The configuration of CA signed SSL certificates is now complete for vSphere Authentication Proxy.