vRealize Operations (vROps) SSL Certificates

August 20, 2015
  • Step 1 – Setup\Configure OpenSSL
  • Step 2 – Generate\Install Certificates for vRealize Operations Manager

Install

  • Download and install OpenSSL from here
    • Example – Win64 OpenSSL v1.0.0s Light
  • vROps Certificate Requirements:-
    • File encoded in PEM format
    • Certificate is valid for Server Authentication
    • All certificates in the chain are included
    • The private key is included (2048 bit RSA)
    • The private key is not secured with a password

OpenSSL Configuration

You may stumble across the following error:

‘Warning – Cannot open config file openssl-cnf’

  • Download example configuration file ‘openssl-dem-server-cert-thvs.cnf’ from
  • Save it in C:\OpenSSL-Win32\ or C:\OpenSSL-Win64
  • Rename it to “openssl.cnf”
  • Open CMD and enter this command within C:\OpenSSL-Win64
    • set OPENSSL_CONF=c:\OpenSSL-Win64\openssl.cnf

Configuration File

Copy and paste the following into a text file and rename to vrops.cfg

[ req ]
default_bits = 2048
default_keyfile = vrops.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
# Host names use the DNS: prefix, IP addresses the IP: prefix. An address listed as DNS: is not matched when the address itself is used in the URL.
subjectAltName = DNS:vrops-lb.domain.com, IP:172.16.1.2, DNS:vrops-lb, DNS:vrops.lab.local.com, IP:172.16.1.3, DNS:vrops, DNS:vrops-1.domain.com, IP:172.16.1.4, DNS:vrops-1

[ req_distinguished_name ]
countryName = UK
stateOrProvinceName = UK
localityName = UK
0.organizationName = domain.com
organizationalUnitName = Lab
commonName = vrops-lb.domain.com

Note:  Depending on your CA, you may not require some of the above fields for the req_distinguished_name

Certificate Generation

  • Create a folder for certificates within C:\OpenSSL-Win64\ (C:\OpenSSL-Win64\Certs\ is used below)
  • Open CMD and change directory to C:\OpenSSL-Win64\Certs\
  • Run the next two commands, one after the other. Remember to replace the directories and file names with your own. The first command creates the CSR and the key pair; the second writes the private key out in the unencrypted RSA format that vROps expects.

C:\OpenSSL-Win64\bin\openssl req -new -nodes -out C:\OpenSSL-Win64\Certs\vrops.csr -keyout C:\OpenSSL-Win64\Certs\vrops-orig.key -config C:\OpenSSL-Win64\Certs\vrops.cfg

C:\OpenSSL-Win64\bin\openssl rsa -in C:\OpenSSL-Win64\Certs\vrops-orig.key -out C:\OpenSSL-Win64\Certs\vrops.key

Submit to CA for approval

  • Ensure the certificate template is created correctly and enabled for:
    • SAN entries (I followed this post in the past)
    • Server Authentication
    • Client Authentication
  • Submit CSR to CA
  • Once approved, download:-
    • Base64 – New Certificate
    • Base64 – Root CA certificate or full certificate chain (i.e. intermediate cert as well).  In my lab, I just downloaded the Root CA cert.
  • Tip – If the CA issues the certificate as DER encoded binary (.der), you need to convert it to Base-64 encoding. Open the certificate in Windows (right-click > Open), go to Details > Copy to File, select Base-64 encoded and export it to a new file.

Convert Certificate to PEM format

  • Make sure that your certificate file includes the entire certificate chain and private key
    • New signed cert, private key, root CA cert and intermediate cert (if required)
  • cd C:\OpenSSL-Win64\Certs
  • type vrops.cer vrops.key rootca.cer > vrops.pem
    • This uses the new signed certificate, the key file generated earlier and the root certificate, and outputs this to the required PEM format.
  • Full Chain Example
    • The same command, but concatenating the new signed certificate, the key file, the first intermediate CA certificate, the second intermediate CA certificate and the root certificate, in that order, into the required PEM format.
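Before importing the bundle it is worth checking it against the requirements listed at the top of the post. The Python script below is an added example, not part of the original post: it parses the concatenated PEM file, confirms it is plain ASCII text with at least two certificate blocks and exactly one unencrypted RSA private key, and walks the key's DER structure to read the modulus size. The sample bundle it builds is constructed dummy data (the certificate blocks are not real certificates), and the checker does not verify chain signatures; use openssl verify for that.

```python
import base64, re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def _tlv(der, pos):
    """Return (tag, content_offset, content_length) of the DER element at pos."""
    tag, ln, pos = der[pos], der[pos + 1], pos + 2
    if ln & 0x80:                               # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, pos, ln

def rsa_key_bits(der, pkcs8=False):
    """Modulus size of a PKCS#1 (BEGIN RSA PRIVATE KEY) or PKCS#8 (BEGIN PRIVATE KEY) RSA key."""
    _, pos, _ = _tlv(der, 0)                    # outer SEQUENCE
    _, pos, ln = _tlv(der, pos); pos += ln      # version INTEGER
    if pkcs8:                                   # assumes the algorithm is RSA, as the steps above produce
        _, pos, ln = _tlv(der, pos); pos += ln  # AlgorithmIdentifier SEQUENCE
        _, pos, ln = _tlv(der, pos)             # OCTET STRING wrapping the PKCS#1 key
        return rsa_key_bits(der[pos:pos + ln])
    _, pos, ln = _tlv(der, pos)                 # modulus n INTEGER
    return int.from_bytes(der[pos:pos + ln], "big").bit_length()

def check_vrops_bundle(pem_text):
    """Check a concatenated vrops.pem against the vROps requirements listed above."""
    blocks = PEM_RE.findall(pem_text)
    certs = [b for label, b in blocks if label == "CERTIFICATE"]
    keys = [(label, b) for label, b in blocks if label.endswith("PRIVATE KEY")]
    r = {"pem_text": bool(blocks) and pem_text.isascii(),
         "chain_included": len(certs) >= 2,     # server cert plus at least the root CA
         "one_unencrypted_rsa_key": len(keys) == 1 and keys[0][0] in ("RSA PRIVATE KEY", "PRIVATE KEY")
                                    and "Proc-Type: 4,ENCRYPTED" not in keys[0][1],
         "key_bits": 0}
    if r["one_unencrypted_rsa_key"]:
        r["key_bits"] = rsa_key_bits(base64.b64decode("".join(keys[0][1].split())), keys[0][0] == "PRIVATE KEY")
    r["ok"] = r["pem_text"] and r["chain_included"] and r["one_unencrypted_rsa_key"] and r["key_bits"] >= 2048
    return r

def _der(tag, content):
    """Minimal DER TLV encoder, used only to build the constructed sample below."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content
def _der_int(value):                            # extra byte keeps the leading 0x00 when the high bit is set
    return _der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))
def _pem(label, der):
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n" + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64)) + f"\n-----END {label}-----\n"

def constructed_sample_bundle(bits=2048):
    """CONSTRUCTED sample: two dummy certificate blocks plus a structurally valid PKCS#1 key with a bits-bit modulus."""
    n = (1 << (bits - 1)) | 1                   # not a real key, only the structure is exercised
    key = _der(0x30, b"".join(_der_int(v) for v in (0, n, 65537, 3, 5, 7, 1, 1, 1)))
    return _pem("CERTIFICATE", _der(0x30, _der_int(1))) + _pem("RSA PRIVATE KEY", key) + _pem("CERTIFICATE", _der(0x30, _der_int(2)))
```

Run it against the real file with `check_vrops_bundle(open("vrops.pem").read())`; a failing `key_bits` or `one_unencrypted_rsa_key` usually means the key was not passed through the openssl rsa step.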

Import Certificate into vROps

  • Login into vROps Admin UI and click on the certificate icon (top right)
  • Install new certificate
  • Select certificate (PEM file) and import
  • Refresh browser (or close). Ensure client machine(s) trust the certificate, and have the root CA certificate installed on the client machine(s).

Other Tips

  • Use Notepad++ to open the certificates and check that the format is correct. Notepad doesn’t like ASCII characters. You should see something similar to:-

-----BEGIN CERTIFICATE-----
MIID7DCCAtSgAwIBAgILAQAAAAABF5zCvx0wDQYJKoZIhvcNAQEFBQAwSzELMAkG
A1UEBhMCVUsxFzAVBgNVBAoTDlZvZGFmb25lIEdyb3VwMSMwIQYDVQQDExpERVZW
b2RhZm9uZSAoU2VjdXJlIFNpdGVzKTAeFw0xNTA4MTkxMjM1MjhaFw0xODA4MTgx

  • Use the newly issued certificate to view the full certificate chain; this will help you work out which certificates you need to build the chain.

Resources

Also, if your current CA is generating certificates based on SHA1 signature algorithm, browsers such as Google Chrome now complain about this as being weak and outdated.

Here’s a decent post from Microsoft for further reading on configuring your Microsoft CA to support the new requirements.
