This week I’m doing the instructor readiness preparation for the vSphere Manage and Design for Security course, I’m due to teach it in Auckland later this month.
One of the labs is to replace the insecure self signed certificates that both ESX and vCenter create when they are installed with certificates that are issued by a trusted Certificate Authority. Naturally I am doing this in my lab rather than the carefully crafted VMware lab environment and so I have run in to a few little issues & thought they may be of use to others.
If you are still using vCenter 4.0 then you will need this TechNote, whereas if you are using vCenter 4.1 you will need to follow a different process, as shown in this TechNote as the process has changed.
The other trap I had was with the certificate type issued by the CA. My windows 2008 SBS server’s default certificate type is “Administrator”, it needs to be changed to “Web Server” as shown below.
Another trap to be aware of is that the SSL keys are used to encrypt the passwords stored in the vCenter Database, so changing them means re-entering the passwords. People often forget that this includes Guest OS Customization Specifications, any passwords used to join domains or set on local administrator accounts will need to be re-entered using the Customization Specifications Manager.
As always make sure you have a backup of your environment before you start making changes to critical infrastructure. This is a place where running vCenter in a VM is useful, a snapshot of the vCenter VM allows a quick backout if it all turns to custard. Do keep in mind that a snapshot is not a backup, you need one of those too.
In the Manage and Desoign for Security course we also replace ESX server certificates. A quick Google didn’t turn up the steps, but there is some discussion in this communities thread that may help.
© 2011, Alastair. All rights reserved.
RSS - Posts