dewyser.net

solutions, scripting and more

Certificates (in the home lab) made easy – renewing esxi certificates — 25th Aug 2023

You could do this manually in the vCenter GUI:

Select a host and go to Configure > Certificate. There you first refresh the CA certificates and then renew the host certificate. Because vCenter (VMCA) is now a subordinate issuing CA under our custom CA, the new host certificate is issued with the subject and validity values we configured two steps back in the vCenter preparation.

Another option, and certainly the preferred one if you have several hosts, is to do this with PowerCLI:

# Get the CertificateManager managed object from the vCenter service instance
$CertificateManager = Get-View -Id (Get-View ServiceInstance).Content.CertificateManager

# First push the new CA certificates and CRLs to every host, so each host trusts the CA that is about to sign its certificate
Get-VMHost | ForEach-Object -Process { $CertificateManager.CertMgrRefreshCACertificatesAndCRLs($_.Id) }

# Then let VMCA issue a new certificate to every host
Get-VMHost | ForEach-Object -Process { $CertificateManager.CertMgrRefreshCertificates($_.Id) }

Now, if you browse to the ESXi hosts, they also present a certificate issued by the lab CA; the browser shows it as valid once your client trusts the lab root certificate.
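Rather than opening every host in a browser, the following script (an added example, not code from the original post) reads the certificate each ESXi host actually presents on port 443 and checks that it chains to the lab root. It assumes a connected PowerCLI session and that the chain.pem file built in the "creating the (full)chain" post lives at C:\lab\chain.pem; both the path and the function names are assumptions for the example.

```powershell
# Added example (not from the original post): verify the certificate every ESXi host
# serves after the renewal, pinned to the lab root found in chain.pem.
# Assumed path: C:\lab\chain.pem (the file built in the chain post).

function Read-PemCertificates {
    # Returns every certificate in a PEM bundle as an X509Certificate2 object.
    param([Parameter(Mandatory)][string]$Path)
    $text = Get-Content -Path $Path -Raw
    foreach ($m in [regex]::Matches($text, '-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----', 'Singleline')) {
        $der = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
    }
}

function Get-TlsServerCertificate {
    # Fetches the server certificate over TLS. The callback accepts anything because we only
    # want to read the certificate here; trust is decided in Test-ServerCertificateChain.
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally {
        $tcp.Dispose()
    }
}

function Test-ServerCertificateChain {
    # Builds the chain with the lab CAs as untrusted extras and pins the result to the
    # self-signed root among them, so it works even if the lab root is not in the Windows store.
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2[]]$CaCertificates
    )
    $trustedRoot = $CaCertificates | Where-Object { $_.Subject -eq $_.Issuer } | Select-Object -First 1
    if (-not $trustedRoot) { throw 'No self-signed root certificate found in the CA bundle' }

    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
    foreach ($ca in $CaCertificates) { [void]$chain.ChainPolicy.ExtraStore.Add($ca) }

    $built = $chain.Build($Certificate)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    # UntrustedRoot is expected (we pin the root ourselves); any other status is a real problem.
    $problems = @($chain.ChainStatus | Where-Object { $_.Status -ne 'UntrustedRoot' } | ForEach-Object { $_.StatusInformation.Trim() })

    [pscustomobject]@{
        DnsName  = $Certificate.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        Issuer   = $Certificate.Issuer
        NotAfter = $Certificate.NotAfter
        RootOk   = ($root.Thumbprint -eq $trustedRoot.Thumbprint)
        Problems = ($problems -join '; ')
        Valid    = ($built -and ($root.Thumbprint -eq $trustedRoot.Thumbprint) -and ($problems.Count -eq 0))
    }
}

$labCAs = Read-PemCertificates -Path 'C:\lab\chain.pem'
Get-VMHost | ForEach-Object {
    $name = $_.Name
    $leaf = Get-TlsServerCertificate -HostName $name
    Test-ServerCertificateChain -Certificate $leaf -CaCertificates $labCAs |
        Select-Object @{ n = 'Host'; e = { $name } }, DnsName, Issuer, NotAfter, RootOk, Problems, Valid
} | Format-Table -AutoSize
```

A host that still shows the old VMCA issuer, a DnsName that does not match the name vCenter knows the host by, or a non-empty Problems column (for example a partial chain because chain.pem is missing the intermediate) is worth fixing before you remove the old CA from your clients.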

Certificates (in the home lab) made easy – running vCenter Certificate Manager — 24th Aug 2023

Next is running the vCenter Certificate Manager to replace the certificates. Log in to the vCenter appliance over SSH, run the following command and select option 2 (replace the VMCA root certificate with a custom signing certificate and replace all certificates):

/usr/lib/vmware-vmca/bin/certificate-manager

Answer Y to generate all certificates using the configuration file, then supply the SSO administrator credentials and the certool.cfg values (country, organization and so on) when prompted.

Use option 2 to import custom certificate(s) and key(s), and provide the locations of the two files: the new VMCA signing certificate (with its chain) and the matching private key.

Confirm with Y and wait for completion. The vCenter services are restarted as part of the replacement, so the vCenter UI is unavailable until the tool reports that all tasks completed.
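Before handing the two files to certificate-manager it is worth checking them from your workstation: that the key really belongs to the certificate, that the certificate is a CA certificate allowed to sign other certificates (keyCertSign), and that it is not about to expire. The script below is an added example and not part of the original post; the file paths and the function name are assumptions, and it needs PowerShell 7 (.NET 5 or later) for the CreateFromPemFile method.

```powershell
# Added example (not from the original post): pre-flight check of the two files that
# certificate-manager option 2 asks for. Assumed paths: C:\lab\vmca-signing.pem (the new
# VMCA signing certificate, optionally followed by its chain) and C:\lab\vmca-signing.key.
# Needs PowerShell 7 (.NET 5 or later) for X509Certificate2::CreateFromPemFile.

function Test-VmcaSigningCertificate {
    param(
        [Parameter(Mandatory)][string]$CertPath,
        [Parameter(Mandatory)][string]$KeyPath
    )
    # Loads the first certificate in the PEM file together with the private key and
    # throws if the key does not belong to that certificate.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::CreateFromPemFile($CertPath, $KeyPath)

    $bc = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    $ku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $isCa = [bool]($bc -and $bc.CertificateAuthority)
    $keyCertSign = [int][System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyCertSign
    $canSignCerts = [bool]($ku -and ((([int]$ku.KeyUsages) -band $keyCertSign) -ne 0))
    # Reject a certificate that is not yet valid or expires within 30 days; VMCA would
    # otherwise issue host certificates under a signing CA that is about to run out.
    $now = Get-Date
    $timeOk = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now.AddDays(30))

    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        IsCA          = $isCa
        KeyCertSign   = $canSignCerts
        Ready         = ($cert.HasPrivateKey -and $isCa -and $canSignCerts -and $timeOk)
    }
}

Test-VmcaSigningCertificate -CertPath 'C:\lab\vmca-signing.pem' -KeyPath 'C:\lab\vmca-signing.key' | Format-List
```

Only copy the files to the appliance when Ready is True. A mismatched key surfaces as an exception from CreateFromPemFile rather than as a False, which is deliberate: that case should stop the run, not just flag it.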

Certificates (in the home lab) made easy – vCenter preparation —

Next we will set some advanced parameters on our vCenter appliance using PowerCLI. These parameters control the subject fields and the validity of the certificates VMCA issues to ESXi hosts (daysValid is the lifetime in days, minutesBefore backdates the start time to absorb clock skew between vCenter and the hosts). Below are the parameters that need to be changed:

  • vpxd.certmgmt.certs.cn.country
  • vpxd.certmgmt.certs.cn.email
  • vpxd.certmgmt.certs.cn.localityName
  • vpxd.certmgmt.certs.cn.organizationalUnitName
  • vpxd.certmgmt.certs.cn.organizationName
  • vpxd.certmgmt.certs.cn.state
  • vpxd.certmgmt.certs.daysValid
  • vpxd.certmgmt.certs.minutesBefore

If the vCenter appliance currently has an untrusted certificate, we need to change the PowerCLI certificate action so that we can connect to it. Note that without -Scope Session this setting is persisted, not just applied to the current session, so either add -Scope Session or set it back to Fail once the trusted certificate is in place:

Set-PowerCLIConfiguration -InvalidCertificateAction:Ignore -Confirm:$false

Next we connect to the vCenter with the following PowerCLI command:

Connect-VIServer vc-01.dewyser.lab

If the connection is successful, the output shows the server name, port and user name.

With the following command you can retrieve the current values for the parameters specified above:

Get-AdvancedSetting -Entity vc-01.dewyser.lab -Name vpxd.certmgmt.certs.*

Next set the parameters to the correct values:

Get-AdvancedSetting -Entity vc-01.dewyser.lab -Name vpxd.certmgmt.certs.cn.country | Set-AdvancedSetting -Value 'BE' -Confirm:$false
Get-AdvancedSetting -Entity vc-01.dewyser.lab -Name vpxd.certmgmt.certs.cn.email | Set-AdvancedSetting -Value 'info@dewyser.lab' -Confirm:$false
Get-AdvancedSetting -Entity vc-01.dewyser.lab -Name vpxd.certmgmt.certs.cn.localityName | Set-AdvancedSetting -Value 'Diksmuide' -Confirm:$false
Get-AdvancedSetting -Entity vc-01.dewyser.lab -Name vpxd.certmgmt.certs.cn.organizationalUnitName | Set-AdvancedSetting -Value 'IT Infrastructure' -Confirm:$false
Get-AdvancedSetting -Entity vc-01.dewyser.lab -Name vpxd.certmgmt.certs.cn.organizationName | Set-AdvancedSetting -Value 'dewyser.lab' -Confirm:$false
Get-AdvancedSetting -Entity vc-01.dewyser.lab -Name vpxd.certmgmt.certs.cn.state | Set-AdvancedSetting -Value 'West-Vlaanderen' -Confirm:$false
Get-AdvancedSetting -Entity vc-01.dewyser.lab -Name vpxd.certmgmt.certs.daysValid | Set-AdvancedSetting -Value '397' -Confirm:$false
Get-AdvancedSetting -Entity vc-01.dewyser.lab -Name vpxd.certmgmt.certs.minutesBefore | Set-AdvancedSetting -Value '5' -Confirm:$false

Run the wildcard query again to confirm that the changes were applied; every setting should now show the value you set.

If the values are set, we are ready for the next part.
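The same preparation as one repeatable script, added here as an example rather than the original post's code. It keeps the desired values in a single hashtable, changes only the settings that differ, verifies every value afterwards, and limits the relaxed certificate check to the current session. The vCenter name vc-01.dewyser.lab and the values are the ones used in this post; the function name is an assumption.

```powershell
# Added example (not the original post's code): apply the vpxd.certmgmt settings from one
# hashtable, change only what differs, verify, and restore strict certificate checking.
# Assumes vCenter vc-01.dewyser.lab and the values used in this post.

$vc = 'vc-01.dewyser.lab'
$desired = @{
    'vpxd.certmgmt.certs.cn.country'                = 'BE'
    'vpxd.certmgmt.certs.cn.email'                  = 'info@dewyser.lab'
    'vpxd.certmgmt.certs.cn.localityName'           = 'Diksmuide'
    'vpxd.certmgmt.certs.cn.organizationalUnitName' = 'IT Infrastructure'
    'vpxd.certmgmt.certs.cn.organizationName'       = 'dewyser.lab'
    'vpxd.certmgmt.certs.cn.state'                  = 'West-Vlaanderen'
    'vpxd.certmgmt.certs.daysValid'                 = '397'   # ESXi certificate lifetime in days
    'vpxd.certmgmt.certs.minutesBefore'             = '5'     # backdate notBefore to absorb clock skew
}

function Set-VcCertificateSettings {
    # Returns one row per setting with the value now in effect and whether it had to be changed.
    param([Parameter(Mandatory)][string]$Server, [Parameter(Mandatory)][hashtable]$Desired)
    foreach ($name in ($Desired.Keys | Sort-Object)) {
        $setting = Get-AdvancedSetting -Entity $Server -Name $name
        if (-not $setting) { throw "Advanced setting '$name' not found on $Server" }
        $changed = $false
        if ("$($setting.Value)" -ne "$($Desired[$name])") {
            $setting = $setting | Set-AdvancedSetting -Value $Desired[$name] -Confirm:$false
            $changed = $true
        }
        [pscustomobject]@{
            Name    = $name
            Value   = $setting.Value
            Changed = $changed
            Ok      = ("$($setting.Value)" -eq "$($Desired[$name])")
        }
    }
}

# Ignore the untrusted certificate for this session only; without -Scope Session the
# relaxed check would be persisted for future sessions as well.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -Scope Session -Confirm:$false | Out-Null
Connect-VIServer -Server $vc | Out-Null
try {
    $report = Set-VcCertificateSettings -Server $vc -Desired $desired
    $report | Format-Table -AutoSize
    if ($report | Where-Object { -not $_.Ok }) { throw 'One or more settings did not take the desired value' }
} finally {
    Disconnect-VIServer -Server $vc -Confirm:$false
    # Fail closed again; once the trusted certificate is installed, connecting works without Ignore.
    Set-PowerCLIConfiguration -InvalidCertificateAction Fail -Scope Session -Confirm:$false | Out-Null
}
```

Running it a second time should report Changed = False for every row; if a row comes back with Ok = False, the value was rejected and the next posts should not be started until it is fixed.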

Certificates (in the home lab) made easy – creating the (full)chain —

The next part is done in a text editor: we want one text file containing the certificates of all relevant certificate authorities, concatenated in PEM form.

Important: the order of the certificates in the file matters. The issuing CA comes first, then the intermediate CA, and the root CA comes last, so that each certificate is directly followed by the one that signed it.

If you need a full-chain file for an appliance whose own certificate was issued by the issuing CA, that leaf certificate goes first, before the issuing CA.

The result would look something like the example below:

-----BEGIN CERTIFICATE-----
MIIGpTCCBI2gAwIBAgIBATANBgkqhkiG9w0BAQsFADCBnDEtMCsGA1UEAxMkZGV3
eXNlci5sYWIgaW50ZXJuYWwgaW50ZXJtZWRpYXRlIGNhMQswCQYDVQQGEwJCRTEY
MBYGA1UECBMPV2VzdC1WbGFhbmRlcmVuMRIwEAYDVQQHEwlEaWtzbXVpZGUxFDAS
/teZKPvfY0A+CFssJv7J1KMXW4ZalB/P/g==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIGuDCCBKCgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBlDElMCMGA1UEAxMcZGV3
eXNlci5sYWIgaW50ZXJuYWwgcm9vdCBjYTELMAkGA1UEBhMCQkUxGDAWBgNVBAgT
D1dlc3QtVmxhYW5kZXJlbjESMBAGA1UEBxMJRGlrc211aWRlMRQwEgYDVQQKEwtk
8Pnnih0eCUNHTcEAbzUkS7M2PYfl0GSbmo+FrADNmiltv8+MJHgefYz2cmI=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIGtzCCBJ+gAwIBAgIIXD+frbdXLCowDQYJKoZIhvcNAQELBQAwgZQxJTAjBgNV
BAMTHGRld3lzZXIubGFiIGludGVybmFsIHJvb3QgY2ExCzAJBgNVBAYTAkJFMRgw
FgYDVQQIEw9XZXN0LVZsYWFuZGVyZW4xEjAQBgNVBAcTCURpa3NtdWlkZTEUMBIG
pNldtiW4TxAfR24faPQ5e0h9xC8MolGiXESI9OJNCepMGCnFBRznmmyFoA==
-----END CERTIFICATE-----

Save this as chain.pem for the next part(s).
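Copy-and-paste order is easy to get wrong with three or four certificates that all carry the same organization name. The script below is an added example, not part of the original post: it reads all PEM files in a folder, orders them by following each certificate's issuer to the certificate with that subject (leaf if present, then issuing, intermediate, root), refuses to write anything if a link is missing or a certificate does not belong to the chain, and writes the result as chain.pem. The input and output paths and the function names are assumptions.

```powershell
# Added example (not from the original post): build chain.pem by following issuer links
# rather than relying on copy-paste order. Assumed paths: C:\lab\certs\*.pem as input,
# C:\lab\chain.pem as output.

function Read-PemCertificates {
    # Returns every certificate in a PEM file as an X509Certificate2 object.
    param([Parameter(Mandatory)][string]$Path)
    $text = Get-Content -Path $Path -Raw
    foreach ($m in [regex]::Matches($text, '-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----', 'Singleline')) {
        $der = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
    }
}

function New-CertificateChainFile {
    # Orders the certificates from the end entity (or issuing CA) up to the self-signed root
    # and writes them as one PEM file. Returns the certificates in the order written.
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2[]]$Certificate,
        [Parameter(Mandatory)][string]$OutFile
    )
    $bySubject = @{}
    foreach ($c in $Certificate) { $bySubject[$c.Subject] = $c }

    # The first element is the one certificate that issued none of the others.
    $issuerNames = @($Certificate | Where-Object { $_.Subject -ne $_.Issuer } | ForEach-Object { $_.Issuer })
    $start = @($Certificate | Where-Object { $_.Subject -notin $issuerNames })
    if ($start.Count -ne 1) { throw "Expected exactly one end of chain, found $($start.Count): $($start.Subject -join ' | ')" }

    $ordered = [System.Collections.Generic.List[object]]::new()
    $current = $start[0]
    while ($true) {
        $ordered.Add($current)
        if ($current.Subject -eq $current.Issuer) { break }          # self-signed root reached
        if ($ordered.Count -gt $Certificate.Count) { throw 'Issuer links form a loop' }
        $next = $bySubject[$current.Issuer]
        if (-not $next) { throw "Chain is broken: no certificate with subject '$($current.Issuer)'" }
        $current = $next
    }
    if ($ordered.Count -ne $Certificate.Count) { throw 'Some input certificates are not part of the chain' }

    # Write PEM with 64-character lines, the form every OpenSSL-based consumer accepts.
    $pem = foreach ($c in $ordered) {
        $b64 = [Convert]::ToBase64String($c.RawData)
        $lines = [regex]::Matches($b64, '.{1,64}') | ForEach-Object { $_.Value }
        "-----BEGIN CERTIFICATE-----`n$($lines -join "`n")`n-----END CERTIFICATE-----"
    }
    [System.IO.File]::WriteAllText($OutFile, (($pem -join "`n") + "`n"))
    $ordered
}

$certs = Get-ChildItem -Path 'C:\lab\certs\*.pem' | ForEach-Object { Read-PemCertificates -Path $_.FullName }
New-CertificateChainFile -Certificate $certs -OutFile 'C:\lab\chain.pem' | Format-Table Subject, Issuer, NotAfter
```

The ordering only checks that subjects and issuers link up; it does not verify signatures, so a certificate from an old CA with the same name would still be accepted. Cryptographic verification of the resulting chain is a separate step, either with the X509Chain class or with openssl verify on the appliance.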

Certificates (in the home lab) made easy – the intermediate CA —