Configuring OpenSSL for installation and configuration of CA signed certificates in the vSphere environment

Article ID: 344117

Updated On:

Products

VMware vCenter Server VMware vSphere ESXi

Issue/Introduction

This article provides steps for the installation and configuration of OpenSSL. OpenSSL may be used to create custom certificates for vSphere environments. Following these steps also helps to eliminate common causes of problems and to ensure that the requests generated are appropriate for vSphere environments.

Environment

VMware ESXi
VMware vSphere
VMware vCenter Server

Resolution

Overview

OpenSSL can be used for creating certificate requests and also as a certificate authority. Although the steps used to generate the certificate differ between the two, the setup and configuration steps are the same, because the certificates that vSphere uses are X.509 v3 SSL certificates. Only the way in which the actual certificate is generated is different.

Setup

Important: OpenSSL version 0.9.8 or newer must be used; otherwise, the SSL implementation will fail.

To set up OpenSSL:
  1. Ensure that the Microsoft Visual C++ 2008 Redistributable Package (x86) is installed on the system used to generate the requests.
  2. Download the Shining Light Productions installer for OpenSSL x86, selecting the current version of 0.98, available at Shining Light Productions. This software is developed from the OpenSSL Project.
  3. Launch the installer, proceed through the installation, and note the installation directory for later use. By default, it is located at c:\OpenSSL-Win32.

Configuration

To configure OpenSSL, follow these steps:
  1. Take a backup of the openssl.cfg file. By default, this file is located in the c:\OpenSSL-Win32\bin directory.
  2. Delete the contents of the file and replace with:

    Note: Replace the code in red with the details of the system requiring the SSL certificates:

    [ req ]
    default_bits = 2048
    default_keyfile = rui.key
    distinguished_name = req_distinguished_name
    encrypt_key = no
    prompt = no
    string_mask = nombstr
    req_extensions = v3_req

    [ v3_req ]
    basicConstraints = CA:FALSE
    keyUsage = digitalSignature, keyEncipherment, dataEncipherment
    extendedKeyUsage = serverAuth, clientAuth
    subjectAltName = DNS:vcenter, IP:10.0.0.10, DNS:vcenter.domain.com

    [ req_distinguished_name ]
    countryName = US
    stateOrProvinceName = NY
    localityName = New York
    0.organizationName = Domain
    organizationalUnitName = vCenterInventoryService
    commonName = vcenter.domain.com

  3. Save and close the file.

    The installation is now set to configure a certificate for the system configured in the file. This operation can be repeated by creating separate files for each server request or by not specifying a value. If a value is not specified, OpenSSL prompts you for the information.

    Note: The preceding modified file will not prompt for information because all information is configured within the file.
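A pre-flight check for the edited openssl.cfg, as an added example (not code from the original article or from VMware): it flags a key size below the template's 2048, a CA:TRUE request, malformed IP entries in subjectAltName, and a commonName that is missing from the DNS entries of subjectAltName, which matters because TLS clients match hostnames against subjectAltName when it is present. The function names and the abridged sample config are constructed for illustration.

```python
import configparser
import ipaddress

# Constructed sample input: an abridged copy of the template above, placeholders included.
SAMPLE_CFG = """\
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
subjectAltName = DNS:vcenter, IP:10.0.0.10, DNS:vcenter.domain.com
[ req_distinguished_name ]
commonName = vcenter.domain.com
"""

def load_cfg(text):
    """Parse openssl.cfg text into {section: {key: value}}; '[ req ]' becomes 'req'."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keep key case (commonName, subjectAltName)
    cp.read_string(text)
    return {name.strip(): dict(cp[name]) for name in cp.sections()}

def lint(text):
    """Return a list of problems (empty if none); handles the template's inline SAN form."""
    cfg, problems = load_cfg(text), []
    req = cfg.get("req", {})
    ext = cfg.get(req.get("req_extensions", ""), {})
    dn = cfg.get(req.get("distinguished_name", ""), {})
    if int(req.get("default_bits", "0")) < 2048:
        problems.append("default_bits is below the 2048 used in the template")
    if "CA:TRUE" in ext.get("basicConstraints", "").replace(" ", "").upper():
        problems.append("basicConstraints requests a CA certificate")
    dns_names = set()
    for entry in filter(None, (e.strip() for e in ext.get("subjectAltName", "").split(","))):
        kind, _, value = entry.partition(":")
        if kind == "DNS":
            dns_names.add(value.strip().lower())
        elif kind == "IP":
            try:
                ipaddress.ip_address(value.strip())
            except ValueError:
                problems.append(f"subjectAltName has an invalid IP: {value}")
    cn = dn.get("commonName", "").strip().lower()
    if cn not in dns_names:
        problems.append(f"commonName {cn!r} is not listed as a DNS subjectAltName")
    return problems

if __name__ == "__main__":
    print(lint(SAMPLE_CFG) or "no problems found")
```

To check a real file, pass its contents to `lint()` before generating the request.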



Additional Information