SSL - 运维篇
第三章 vCenter6.7使用自建SSL证书
- SSL - 运维篇
- 系列文章回顾
- vCenter6.7使用自建SSL证书
- vCenter 6.7 上传文件到Shell
- vCenter 6.7 Shell 替换SSL证书全流程
- 测试&验证
- 参考链接
系列文章回顾
第二章 FortiGate防火墙使用自建SSL证书
vCenter6.7使用自建SSL证书
本文仅实验过VMware vCenter 6.7版本
vCenter 6.7 上传文件到Shell
# VCSA默认情况下, root用户使用的shell是appliancesh, 因此无法通过WinSCP来登录VCSA和上传文件
# 需要更改root用户的shell为bash, 如下所示.
chsh -s /bin/bash root
# 上传文件后,再改回appliancesh.
chsh -s /bin/appliancesh root
vCenter 6.7 Shell 替换SSL证书全流程
/var/lib/vmware/vmca/root.cer # vCenter默认ROOT存放路径
/var/lib/vmware/vmca/privatekey.pem # vCenter默认存放私钥路径
/usr/lib/vmware-vmca/share/config/vmca.reg # vCenter VMCA的reg配置
/usr/lib/vmware-vmca/share/config/certool.cfg # vCenter 生成CSR证书签名请求的默认配置参数
### 新增自定义SSL证书存储的路径
root@vCenter [ ~ ]# mkdir -p /opt/vmware/etc/ssl/cert-backup/
### 使用vCenter自带的证书管理工具为vCenter生成csr证书签名请求和密钥
root@vCenter [ ~ ]# /usr/lib/vmware-vmca/bin/certificate-manager # vCenter 证书管理工具
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
| |
| *** Welcome to the vSphere 6.7 Certificate Manager *** |
| |
| -- Select Operation -- |
| |
| 1. Replace Machine SSL certificate with Custom Certificate |
| |
| 2. Replace VMCA Root certificate with Custom Signing |
| Certificate and replace all Certificates |
| |
| 3. Replace Machine SSL certificate with VMCA Certificate |
| |
| 4. Regenerate a new VMCA Root Certificate and |
| replace all certificates |
| |
| 5. Replace Solution user certificates with |
| Custom Certificate |
| |
| 6. Replace Solution user certificates with VMCA certificates |
| |
| 7. Revert last performed operation by re-publishing old |
| certificates |
| |
| 8. Reset all Certificates |
|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|
Note : Use Ctrl-D to exit.
Option[1 to 8]:
--> 1 # Replace Machine SSL certificate with Custom Certificate 用自定义证书替换计算机SSL证书
--> administrator@xxx.com
--> <password>
--> 1 # Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate 为机器SSL证书生成证书签名请求和密钥
--> /opt/vmware/etc/ssl/cert-backup/ # 输出CSR和KEY的目录
--> CN # Country [C]
--> vCenter.xxx.com # Name [CN]
--> xxx Technology Co., Ltd. # Organization [O]
--> [部门] # OrgUnit [OU]
--> [省] # State [ST]
--> [市] # Locality [L]
--> [vCenter的ip地址] # IPAddress
--> [邮箱] # Email
--> [vCenter的FQDN] # Hostname
--> [vCenter内置的CA名称] # VMCA Name
--> 2 # Exit certificate-manager 退出证书管理工具
### 通过vCenter自带的证书管理工具导出csr和key文件
root@vCenter [ ~ ]# ls /opt/vmware/etc/ssl/cert-backup/
vmca_issued_csr.csr vmca_issued_key.key ca.cer
参考 【转】VMware使用自签名证书替换vSphere各组件自带SSL证书 完成 Windows Server 2016 CA 的证书模板颁发过程
mmc.exe --> 添加/删除管理单元 --> 证书模板
### 上传ca根证书文件和ssl证书, 重命名csr文件和key文件
root@vCenter [ ~ ]# chsh -s /bin/bash root
root@vCenter [ ~ ]# scp root@ca.xxx.com:/tmp/ca.cer /opt/vmware/etc/ssl/cert-backup/
root@vCenter [ ~ ]# scp root@ca.xxx.com:/tmp/vcenter.cer /opt/vmware/etc/ssl/cert-backup/
root@vCenter [ ~ ]# chsh -s /bin/appliancesh root # 切换回appliancesh
root@vCenter [ ~ ]# mv /opt/vmware/etc/ssl/cert-backup/vmca_issued_csr.csr /opt/vmware/etc/ssl/cert-backup/vcenter.csr
root@vCenter [ ~ ]# mv /opt/vmware/etc/ssl/cert-backup/vmca_issued_csr.key /opt/vmware/etc/ssl/cert-backup/vcenter.key
root@vCenter [ ~ ]# ls /opt/vmware/etc/ssl/cert-backup/
vcenter.cer vcenter.csr vcenter.key ca.cer
### 通过vCenter自带的证书管理工具开始导入SSL证书
root@vCenter [ ~ ]# /usr/lib/vmware-vmca/bin/certificate-manager # vCenter 证书管理工具
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
| |
| *** Welcome to the vSphere 6.7 Certificate Manager *** |
| |
| -- Select Operation -- |
| |
| 1. Replace Machine SSL certificate with Custom Certificate |
| |
| 2. Replace VMCA Root certificate with Custom Signing |
| Certificate and replace all Certificates |
| |
| 3. Replace Machine SSL certificate with VMCA Certificate |
| |
| 4. Regenerate a new VMCA Root Certificate and |
| replace all certificates |
| |
| 5. Replace Solution user certificates with |
| Custom Certificate |
| |
| 6. Replace Solution user certificates with VMCA certificates |
| |
| 7. Revert last performed operation by re-publishing old |
| certificates |
| |
| 8. Reset all Certificates |
|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|
Note : Use Ctrl-D to exit.
Option[1 to 8]:
--> 1 # Replace Machine SSL certificate with Custom Certificate 用自定义证书替换计算机SSL证书
--> administrator@xxx.com
--> <password>
--> 2 # Import custom certificate(s) and key(s) to replace existing Machine SSL certificate 导入自定义证书和密钥以替换现有的计算机SSL证书
Please provide valid custom certificate for Machine SSL.
File : /opt/vmware/etc/ssl/cert-backup/vcenter.cer # SSL证书签发文件
Please provide valid custom key for Machine SSL.
File : /opt/vmware/etc/ssl/cert-backup/vcenter.key # SSL证书私钥
Please provide the signing certificate of the Machine SSL certificate
File : /opt/vmware/etc/ssl/cert-backup/ca.cer # ROOTCA证书链
You are going to replace Root Certificate with custom certificate and regenerate all other certificates
Continue operation : Option[Y/N] ? : Y # 开始执行导入SSL证书, 等待vCenter进度条执行完毕
### 查看vCenter的所有证书store信息
root@vCenter [ ~ ]# /usr/lib/vmware-vmafd/bin/vecs-cli store list
MACHINE_SSL_CERT
TRUSTED_ROOTS
TRUSTED_ROOT_CRLS
machine
vsphere-webclient
vpxd
vpxd-extension
APPLMGMT_PASSWORD
data-encipherment
SMS
vcenter.xxx.com # 自定义SSL证书的store
BACKUP_STORE_H5C
BACKUP_STORE
# 查看指定store证书链(密文)
root@vCenter [ ~ ]# /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store vcenter.xxx.com
Number of entries in store : 1
Alias : vcenter.xxx.com
Entry type : Private Key
Certificate : ...
# 查看指定store证书链解析(明文)
root@vCenter [ ~ ]# /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store vcenter.xxx.com --text
Number of entries in store : 1
Alias : vcenter.xxx.com
Entry type : Private Key
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
...
Signature Algorithm: sha256WithRSAEncryption
...
# 查看指定store证书链的指定alias证书信息解析(明文)
root@vCenter [ ~ ]# /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store TRUSTED_ROOTS --alias <alias> --text
测试&验证
浏览器打开vCenter的WebUI,提示HTTPS连接是安全的。
参考链接
- 【转】VMware使用自签名证书替换vSphere各组件自带SSL证书
- vecs-cli 命令参考
