![ESXi Hosts – OpenSSL.cfg
default_bits = 2048 (Change from 1024)
default_keyfile = rui.key (Change from privkey.pem)
req_extensions = v3_req (Remove # at start of line)
countryName_default = IE (Update to your Country Code)
stateOrProvinceName_default = Leinster (Update)
localityName_default = Dublin (Add & Update)
0.organizationName_default = Lab (Update to your Company Name)
organizationalUnitName_default = IT (Update & Remove # at start of line)
[ v3_req]
subjectAltName = @alt_names (Add this under “keyUsage =“ line)
[alt_names]
DNS.1 = iedubdc2esx01.lab.local (Use FQDN here)
DNS.2 = iedubdc2esx01 (Use Shorter Netbios Name here)](https://image.slidesharecdn.com/sslslides-130618124915-phpapp01/85/Ssl-slides-6-320.jpg)
![SRM – OpenSSL.cfg
OpenSSL Command to export certificate file for SRM:
openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui -
passout pass:testpassword -out rui.p12
OpenSSL.cfg changes:
[ v3_req]
extendedKeyUsage = serverAuth, clientAuth (Add under
“keyUsage =“ entry)
[alt_names]
DNS.1 = iedubdc2vc01.lab.local (Use FQDN of SRM Server
here)
DNS.2 = iedubdc2esx01 (Delete this line)](https://image.slidesharecdn.com/sslslides-130618124915-phpapp01/85/Ssl-slides-7-320.jpg)
Ssl slides
- 1. vCenter – SSL Automation Tool ESXi Host – OpenSSL SRM – OpenSSL vBrownbag – Michael Russell @kerryspring2 [email protected]
- 2. Resources #1 #vBrownBag US View SSL Certs with Shane Williford http://professionalvmware.com/2012/12/vbrownbag-us-view-ssl-certs-with- shane-williford-coolsportoo/ #vBrownBag Follow-up How I learned to love the CSR with Jim Millard http://professionalvmware.com/2013/05/vbrownbag-follow-up-how-i-learned- to-love-the-csr-with-jim-millard-millardjk/ vSphere 5.1 Hardening Guide - Official Release http://communities.vmware.com/docs/DOC-22981 Windows OpenSSL distribution (ver 0.9.8) http://slproweb.com/products/Win32OpenSSL.html How to use trusted certificates with VMware vCenter Site Recovery Manager http://communities.vmware.com/docs/DOC-11411
- 3. Resources #2 vCenter Certificate Automation Tool Download https://my.vmware.com/group/vmware/get-download?downloadGroup=SSL-TOOL-101 Generating certificates for use with the VMware SSL Certificate Automation Tool http://kb.vmware.com/kb/2044696 Deploying and using the SSL Certificate Automation Tool (& Known Issues) http://kb.vmware.com/kb/2041600 Process for Replacing SSL Certificates - vSphere 5 (7 Parts) - Julian Wood http://www.wooditwork.com/2011/11/30/vsphere-5-certificates-1-installing-a-root- certificate-authority-3/ vCenter 5.1 U1 installation including SSL replacement (15 Parts) - Derek Seaman http://www.derekseaman.com/2012/09/vmware-vcenter-51-installation-part-1.html
- 4. SSL Automation Tool Notes Microsoft Certificate Server SHA-1 vs SHA2-256 Duplicate Template – Windows Server 2003 Enterprise Windows Server 2003 CA Server must be Enterprise Edition Deploy Root Certificate to Servers with vCenter components Generate chain.pem files from root64.cer & rui.crt Add Extensions: Allow Encryption of User Data (vCenter/ESXi) /Client Authentication (SRM) OpenSSL v 0.9.8 – Copy OpenSSL DLLs to binaries (/bin) dir Certificate Tool vs vSphere Upgrades http://kb.vmware.com/kb/2048202 SSO user is admin@system-domain vCenter Database Password = ? Update Manager installation – Register FQDN, not IP Address
- 5. ESXi Hosts – SSL Notes ESXi Host HA Issues: http://kb.vmware.com/kb/2006210 perl HostReconnect.pl --server <ip address> --username [email protected] vMA permit Winscp: http://communities.vmware.com/message/2020784 sudo vi /etc/host.allow add the following line; sshd: ALL: ALLOW then save the file :WQ! OpenSSL Commands to generate CSR: openssl req -new -nodes -out rui.csr -keyout rui.key -config openssl.cfg Drop rui.crt & rui.key into /etc/vmware/ssl
- 6. ESXi Hosts – OpenSSL.cfg default_bits = 2048 (Change from 1024) default_keyfile = rui.key (Change from privkey.pem) req_extensions = v3_req (Remove # at start of line) countryName_default = IE (Update to your Country Code) stateOrProvinceName_default = Leinster (Update) localityName_default = Dublin (Add & Update) 0.organizationName_default = Lab (Update to your Company Name) organizationalUnitName_default = IT (Update & Remove # at start of line) [ v3_req] subjectAltName = @alt_names (Add this under “keyUsage =“ line) [alt_names] DNS.1 = iedubdc2esx01.lab.local (Use FQDN here) DNS.2 = iedubdc2esx01 (Use Shorter Netbios Name here)
- 7. SRM – OpenSSL.cfg OpenSSL Command to export certificate file for SRM: openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui - passout pass:testpassword -out rui.p12 OpenSSL.cfg changes: [ v3_req] extendedKeyUsage = serverAuth, clientAuth (Add under “keyUsage =“ entry) [alt_names] DNS.1 = iedubdc2vc01.lab.local (Use FQDN of SRM Server here) DNS.2 = iedubdc2esx01 (Delete this line)