Replace certificate on VCF Cloud Builder with signed certificate

Article ID: 382234

Products

VMware SDDC Manager

Issue/Introduction

By default, Cloud Builder is deployed with a self-signed certificate.

The purpose of this article is to document the steps for replacing the default self-signed certificate with a CA-signed certificate.

Cloud Builder is an appliance that automates the bring-up of the management infrastructure and SDDC Manager.

The scope of this KB is replacing the certificate with one issued by a Microsoft Certificate Authority.

Environment

VMware Cloud Foundation 5.2
Cloud Builder appliance

Resolution

The purpose of this article is to document the steps for replacing the default self-signed certificate with a CA-signed certificate on the Cloud Builder appliance.

This procedure has been validated on VMware Cloud Foundation Cloud Builder appliance version 5.2.0.0-24059269.

Back up the existing configuration

  1. Using the vSphere Client, create a snapshot of the existing Cloud Builder appliance.

  2. Additionally, make a backup copy of the original certificate and private key:
    1. Use PuTTY or ssh to connect to the Cloud Builder appliance with the admin username and password.
    2. Issue 'su -' to switch to the root user.
    3. Take a backup of the original certificate and private key:

       cp /etc/ssl/certs/vcf_https.crt /etc/ssl/certs/vcf_https.bak
       cp /etc/ssl/private/vcf_https.key /etc/ssl/private/vcf_https.bak

Generate a signing request

  1. SSH to the Cloud Builder appliance as admin and issue 'su -' to switch to root.
  2. Using OpenSSL on the Cloud Builder appliance:
  • Create a temporary directory to store the config file, signing request and associated certificates:
    mkdir /tmp/ssl
    cd /tmp/ssl/
  • Using the nano or vi editor, create an OpenSSL configuration file called, for example, cloudbuilder.cfg with the following contents.

    Replace entries enclosed in < > with site-specific values.

 ----------------------------------------------------------------------

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:<Cloud Builder short name>,IP:<IP address of Cloud Builder>,DNS:<fully qualified domain name of Cloud Builder>

[ req_distinguished_name ]
countryName = <your country>
stateOrProvinceName = <your state>
localityName = <your locality>
0.organizationName = <organization name>
organizationalUnitName = <organizational unit name>
commonName = <fully qualified domain name of Cloud Builder appliance>
 ----------------------------------------------------------------------

 

  • Generate a signing request using the config file above:
    openssl req -new -nodes -out cloudbuilder-ssl.csr -keyout cloudbuilder-orig.key -config cloudbuilder.cfg

    cloudbuilder-ssl.csr is the signing request for submission to the certificate authority.

    cloudbuilder-orig.key is the PEM-formatted file containing the private key of the certificate.

    cloudbuilder.cfg is the configuration file created in step 2.

  • Convert the private key returned by the command to the RSA format:
    openssl rsa -in cloudbuilder-orig.key -out cloudbuilder-orig_ssl.key
  • Copy the signing request file, e.g. cloudbuilder-ssl.csr, off the Cloud Builder appliance using scp or WinSCP. This file will be used to submit the signing request.
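As an added example (not part of this KB), the following shell script renders the configuration above from variables, generates the key and CSR with the same openssl commands, and checks the CSR's CN, SANs and key size before it is submitted to the CA. The subject values and the names cb, cb.example.com and 10.0.0.5 are constructed placeholders.

```shell
# Added example, not from the KB: render the KB's OpenSSL config from variables,
# generate key + CSR as the KB does, and check the CSR before submitting it.
# Subject fields below are constructed placeholders; replace them per site.
set -eu

render_cfg() {  # $1=short name  $2=FQDN  $3=IP address -> config on stdout
  cat <<EOF
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:$1,IP:$3,DNS:$2

[ req_distinguished_name ]
countryName = US
stateOrProvinceName = California
localityName = Palo Alto
0.organizationName = Example Corp
organizationalUnitName = Platform
commonName = $2
EOF
}

make_csr() {  # $1=work dir  $2=short name  $3=FQDN  $4=IP address
  render_cfg "$2" "$3" "$4" > "$1/cloudbuilder.cfg"
  openssl req -new -nodes -out "$1/cloudbuilder-ssl.csr" \
    -keyout "$1/cloudbuilder-orig.key" -config "$1/cloudbuilder.cfg" 2>/dev/null
  # Same conversion step as the KB; the result is what is installed as vcf_https.key.
  openssl rsa -in "$1/cloudbuilder-orig.key" -out "$1/cloudbuilder-orig_ssl.key" 2>/dev/null
}

csr_ok() {  # $1=csr  $2=short name  $3=FQDN  $4=IP: 0 if CN, all SANs and key size match
  txt=$(openssl req -in "$1" -noout -text)
  echo "$txt" | grep -q "CN *= *$3"            || return 1
  echo "$txt" | grep -q "DNS:$2,"              || return 1
  echo "$txt" | grep -q "DNS:$3"               || return 1
  echo "$txt" | grep -q "IP Address:$4"        || return 1
  echo "$txt" | grep -q "Public-Key: (2048 bit)"
}
```

Run `make_csr /tmp/ssl cb cb.example.com 10.0.0.5 && csr_ok /tmp/ssl/cloudbuilder-ssl.csr cb cb.example.com 10.0.0.5` on the appliance; a non-zero exit means the CSR would be issued with a wrong name or key size and should not be submitted.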

Requesting a certificate from a Microsoft CA

The configuration of the Microsoft CA and its certificate template is out of scope for this article.

However, Microsoft CA configuration guidance is documented in the VMware Cloud Foundation Administration Guide: Prepare Your Microsoft Certificate Authority to Allow SDDC Manager to Manage Certificates.

We will use the procedure documented in the Knowledge Base article "Obtaining vSphere certificates from a Microsoft Certificate Authority" to request a signed certificate.

  • Log in to the Microsoft CA web interface. By default, it is http://CA_server_FQDN/CertSrv/
  • Click the Request a certificate (.csr) link.
  • Click advanced certificate request.
  • Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file.
  • Open the CSR file from the previous steps, e.g. cloudbuilder-ssl.csr, in a plain-text editor and copy the contents to the clipboard, from
    -----BEGIN CERTIFICATE REQUEST-----
    to
    -----END CERTIFICATE REQUEST-----

    Paste the contents into the Saved Request box.

  • Select the appropriate Certificate Template.
  • Click Submit to submit the request.
  • Click Base 64 encoded on the Certificate Issued screen.
  • Click the Download Certificate link.
  • Download and save the certificate with an appropriate name, e.g. cloudbuilder.cer

Additionally, download the root certificate from the Microsoft CA.

Follow steps 12 through 20 in KB "Obtaining vSphere certificates from a Microsoft Certificate Authority" and save the root certificate as, for example, rootca.cer.

Using WinSCP or scp, copy the certificate and the root certificate to the Cloud Builder appliance:

/tmp/ssl/cloudbuilder.cer
/tmp/ssl/rootca.cer

Combine both files to create a certificate chain. Using the append redirect operator '>>', concatenate the rootca.cer certificate to the end of the cloudbuilder.cer certificate:
cat /tmp/ssl/rootca.cer >> /tmp/ssl/cloudbuilder.cer

Replace the certificate

  • Replace the private key with the new RSA private key:
    cp cloudbuilder-orig_ssl.key /etc/ssl/private/vcf_https.key

    The default file permission is 755 (-rwxr-xr-x)
    The group/ownership is root:root

    To change the file permission issue: chmod 755 /etc/ssl/private/vcf_https.key

    To change the file ownership issue: chown root:root /etc/ssl/private/vcf_https.key

    Verify

    ls -la /etc/ssl/private/vcf_https.key
    The output should show the -rwxr-xr-x mode and root root ownership for the key file.

  • Replace the certificate with the newly signed certificate as follows:
    cp cloudbuilder.cer /etc/ssl/certs/vcf_https.crt

    The default file permission is 755 (-rwxr-xr-x)
    The group/ownership is root:root

    To change the file permission issue: chmod 755 /etc/ssl/certs/vcf_https.crt

    To change the file ownership issue: chown root:root /etc/ssl/certs/vcf_https.crt

    Verify

    ls -la /etc/ssl/certs/vcf_https.crt
    -rwxr-xr-x 1 root root 1371 Sep 24 08:46 /etc/ssl/certs/vcf_https.crt

  • Restart the web service: systemctl restart nginx.service
  • Verify that the nginx service is running by checking: systemctl status nginx.service

Verification

Web browser: open a web browser to the Cloud Builder appliance FQDN, i.e. https://<cloudbuilder-fqdn>, and inspect the certificate.

OpenSSL: use openssl to check the certificate as follows:
openssl s_client -showcerts -servername <cloudbuilder-fqdn> -connect <cloudbuilder-fqdn>:443 </dev/null

Inspect the certificate chain shown in the output.
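As an added example (not part of this KB), a shell script with the checks a practitioner would run as root on the appliance once the files are in place: leaf-before-root order of the chain file, that vcf_https.key matches vcf_https.crt, that the FQDN is present as a SAN, and that mode and ownership match the 755 root:root values the KB documents. The FQDN cb.example.com in the usage line is a constructed placeholder.

```shell
# Added example, not from the KB: checks to run as root after the files are
# installed. Paths are the ones the KB uses; the 755 root:root expectation is
# the KB's documented default. Requires openssl and ls (present on the appliance).
set -u
CRT=${CRT:-/etc/ssl/certs/vcf_https.crt}
KEY=${KEY:-/etc/ssl/private/vcf_https.key}

# Number of PEM certificate blocks (leaf + root = 2 after the KB's cat >> step).
pem_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# 0 if the first certificate in $1 has CN $2: the leaf must precede the root,
# which is why the KB appends rootca.cer to cloudbuilder.cer and not the reverse.
leaf_first() { openssl x509 -in "$1" -noout -subject 2>/dev/null | grep -q "CN *= *$2"; }

# 0 if the public key inside the certificate equals the one derived from the key.
key_matches_cert() {  # $1=crt  $2=key
  a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  b=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# 0 if the leaf certificate lists $2 as a DNS SAN (browsers validate SAN, not CN).
san_has() { openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "DNS:$2"; }

# 0 if mode and owner are what the KB documents (-rwxr-xr-x, root:root).
perms_ok() { [ "$(ls -ld "$1" | awk '{print $1, $3":"$4}')" = "-rwxr-xr-x root:root" ]; }

verify_all() {  # $1=crt  $2=key  $3=FQDN; reports every failed check, 0 if all pass
  rc=0
  [ "$(pem_count "$1")" -ge 2 ]  || { echo "FAIL: $1 holds fewer than 2 certificates"; rc=1; }
  leaf_first "$1" "$3"           || { echo "FAIL: first certificate in $1 is not CN=$3"; rc=1; }
  key_matches_cert "$1" "$2"     || { echo "FAIL: $2 does not match $1"; rc=1; }
  san_has "$1" "$3"              || { echo "FAIL: $1 has no SAN DNS:$3"; rc=1; }
  perms_ok "$1" && perms_ok "$2" || { echo "FAIL: mode/owner differ from 755 root:root"; rc=1; }
  return $rc
}

# Usage on the appliance: sh verify.sh run cb.example.com
[ "${1:-}" = run ] && verify_all "$CRT" "$KEY" "${2:?FQDN}"
```

A key/cert mismatch is the failure nginx reports only at restart, so running verify_all before the systemctl restart step avoids an outage.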


Note: Remove any vSphere snapshots once verification is complete.

Additional Information