By default, Cloud Builder is deployed with a self-signed certificate.
The purpose of this article is to document the steps for replacing that default self-signed certificate with a CA-signed certificate.
Cloud Builder is an appliance that automates the bring-up of the management infrastructure and SDDC Manager.
The scope of this KB is replacing the default certificate with one issued by a Microsoft Certificate Authority (CA).
VMware Cloud Foundation 5.2
Cloud Builder appliance
The purpose of this article is to document the steps for replacing the default self-signed certificate with a CA-signed certificate on the Cloud Builder appliance.
This procedure has been validated on VMware Cloud Foundation Cloud Builder appliance version 5.2.0.0-24059269.
Back up the existing configuration
cp /etc/ssl/certs/vcf_https.crt /etc/ssl/certs/vcf_https.bak
cp /etc/ssl/private/vcf_https.key /etc/ssl/private/vcf_https.bak
Generate the signing request
mkdir /tmp/ssl
cd /tmp/ssl/
Create a file named cloudbuilder.cfg in /tmp/ssl with the following contents:
----------------------------------------------------------------------
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:<Cloud Builder short name>, IP:<IP address of Cloud Builder>, DNS:<fully qualified domain name of Cloud Builder>
[ req_distinguished_name ]
countryName = <your Country>
stateOrProvinceName = <Your State>
localityName = <Your locality>
0.organizationName = <Organization Name>
organizationalUnitName = <Organization Unit Name>
commonName = <Fully qualified domain name of Cloud builder appliance>
----------------------------------------------------------------------
Generate the private key and the signing request:
openssl req -new -nodes -out cloudbuilder-ssl.csr -keyout cloudbuilder-orig.key -config cloudbuilder.cfg
cloudbuilder-ssl.csr is the signing request to submit to the certificate authority.
cloudbuilder-orig.key is the PEM-formatted file containing the private key of the certificate.
cloudbuilder.cfg is the configuration file created in step 2.
Re-write the private key in RSA PEM format:
openssl rsa -in cloudbuilder-orig.key -out cloudbuilder-orig_ssl.key
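The CSR step above is easy to get wrong when the placeholders are edited by hand: a missing SAN entry is only noticed after the CA has already issued the certificate. The following script is an added example, not part of the KB: it writes cloudbuilder.cfg from shell variables, runs the same openssl commands as the article, and then reads the SAN list back out of the CSR so it can be checked before submission. The hostnames, IP address and distinguished-name values are constructed sample values; replace them with your own.

```shell
#!/bin/sh
# Added example (not from the KB): generate the Cloud Builder CSR from
# variables and confirm the SAN entries before submitting it to the CA.
set -eu

# write_csr_config DIR SHORTNAME FQDN IP -> writes DIR/cloudbuilder.cfg
# The DN values below are constructed placeholders; edit them for your site.
write_csr_config() {
    dir=$1; short=$2; fqdn=$3; ip=$4
    cat > "$dir/cloudbuilder.cfg" <<EOF
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:${short}, IP:${ip}, DNS:${fqdn}

[ req_distinguished_name ]
countryName = US
stateOrProvinceName = California
localityName = Palo Alto
0.organizationName = Example Corp
organizationalUnitName = Infrastructure
commonName = ${fqdn}
EOF
}

# generate_csr DIR -> same two openssl commands as the article; produces
# DIR/cloudbuilder-ssl.csr and DIR/cloudbuilder-orig_ssl.key
generate_csr() {
    dir=$1
    openssl req -new -nodes \
        -out "$dir/cloudbuilder-ssl.csr" \
        -keyout "$dir/cloudbuilder-orig.key" \
        -config "$dir/cloudbuilder.cfg" 2>/dev/null
    openssl rsa -in "$dir/cloudbuilder-orig.key" \
        -out "$dir/cloudbuilder-orig_ssl.key" 2>/dev/null
}

# csr_sans CSR -> prints the Subject Alternative Name line of the CSR
# (openssl renders IP entries as "IP Address:x.x.x.x")
csr_sans() {
    openssl req -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^[[:space:]]*//'
}

# csr_has_san CSR ENTRY -> exit 0 when ENTRY (e.g. DNS:host.example.com)
# appears in the CSR's SAN list
csr_has_san() {
    csr_sans "$1" | grep -q -- "$2"
}

# Usage on the appliance (sample values):
#   write_csr_config /tmp/ssl cloudbuilder cloudbuilder.example.com 192.0.2.10
#   generate_csr /tmp/ssl
#   csr_sans /tmp/ssl/cloudbuilder-ssl.csr
```

Run csr_sans on the finished CSR and confirm that all three entries (short name, IP address, FQDN) are present; if one is missing, fix cloudbuilder.cfg and regenerate before submitting anything to the CA.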
Requesting a certificate from the Microsoft CA
The configuration of the Microsoft CA and its certificate template are out of scope for this article.
Microsoft CA configuration guidance is documented in the VMware Cloud Foundation Administration Guide: Prepare Your Microsoft Certificate Authority to Allow SDDC Manager to Manage Certificates.
We will use the procedure documented in the Knowledge Base article "Obtaining vSphere certificates from a Microsoft Certificate Authority" to request a signed certificate.
Open the Microsoft CA web enrollment page in a browser: http://CA_server_FQDN/CertSrv
Open cloudbuilder-ssl.csr in a plain text editor, copy its contents to the clipboard, and paste them into the certificate request. Save the issued certificate as cloudbuilder.cer.
Additionally, download the Root certificate from the Microsoft CA.
Follow steps 12 through 20 of KB "Obtaining vSphere certificates from a Microsoft Certificate Authority" and save the Root certificate as rootca.cer (as an example).
Using WinSCP or scp, copy the certificate and the root certificate to the Cloud Builder appliance:
/tmp/ssl/cloudbuilder.cer
/tmp/ssl/rootca.cer
Combine both files to create a certificate chain, using the append redirect operator (>>).
We will concatenate the rootca.cer certificate to the end of cloudbuilder.cer: cat /tmp/ssl/rootca.cer >> /tmp/ssl/cloudbuilder.cer
Replace the certificate
Copy the private key into place:
cp cloudbuilder-orig_ssl.key /etc/ssl/private/vcf_https.key
The default file permission is 755 (-rwxr-xr-x) and the ownership is root:root.
To set the file permission issue: chmod 755 /etc/ssl/private/vcf_https.key
To set the file ownership issue: chown root:root /etc/ssl/private/vcf_https.key
Verify the key file:
ls -la /etc/ssl/private/vcf_https.key
The output should show -rwxr-xr-x and root root for /etc/ssl/private/vcf_https.key (the size and date will differ from the example below).
Copy the certificate chain into place:
cp cloudbuilder.cer /etc/ssl/certs/vcf_https.crt
To set the file permission issue: chmod 755 /etc/ssl/certs/vcf_https.crt
To set the file ownership issue: chown root:root /etc/ssl/certs/vcf_https.crt
Verify the certificate file:
ls -la /etc/ssl/certs/vcf_https.crt
-rwxr-xr-x 1 root root 1371 Sep 24 08:46 /etc/ssl/certs/vcf_https.crt
Restart the web server so it loads the new key and certificate:
systemctl restart nginx.service
Verify that the nginx service is running by checking: systemctl status nginx.service
Verification
Web browser: open a web browser to the Cloud Builder appliance FQDN, i.e. https://<cloudbuilder-fqdn>, and inspect the certificate.
OpenSSL: use openssl to check the certificate as follows:
openssl s_client -showcerts -servername <cloudbuilder-fqdn> -connect <cloudbuilder-fqdn>:443 </dev/null
Inspect the certificate presented in the output.
Note: Remove any vSphere snapshots once verification is complete.