vROps – Replace the default certificate

One of the things you might want to consider once vROps is installed is replacing the default certificate. This gets rid of the browser warning page …


…or the fact that the browser may refuse to open the page at all, or that you have to add exceptions for the site in the browser's HSTS settings.


Creating the files needed

To start the process, we first need to use openssl on the vROps host to generate a certificate signing request (CSR).

It is simple enough: ssh into your vROps server and create a cfg file that describes what the certificate needs to contain. The file should look something like the sample below. Note that it is important to know your host names up front, since they go into the subjectAltName line of the cfg file. Modify the sample to match your environment.

[ req ]
default_bits = 2048
default_keyfile = vROps01.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:aocops01.domain.local, IP:192.168.1.16, DNS:aocops01

[ req_distinguished_name ]
countryName = US
stateOrProvinceName = NJ
localityName = City
organizationName = Company
organizationalUnitName = HQ
commonName = Company

For me the result looks similar to this; note that I have several names in the subjectAltName:

(screenshot: crt-file)

Next, run two commands. First generate the private key:

openssl genrsa -out <filename.key> 2048

then use that key to generate the CSR:

openssl req -new -key aocops01.key -out certificate_request01.csr -config crt.cfg

(screenshot: run-result)
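The key and CSR steps above, as an added example that is not part of the original post. It writes a request config like the sample, generates the key and CSR, and then decodes the CSR to confirm the Subject Alternative Names and key size before anything is sent to the CA. The host name, FQDN and IP are constructed sample values (the same ones the post uses), the scratch directory is an assumption, and the commonName is set to the FQDN here rather than the company name.

```shell
#!/bin/sh
# Added example, not from the original post: generate the key and CSR from a
# config like the one above, then decode the CSR and check the SANs and key
# size before it goes to the CA. Host name and IP are constructed values.
set -e

WORK="${WORK:-$(mktemp -d)}"       # scratch directory (assumption: writable tmp dir)
HOST=aocops01                      # constructed, same as the post's sample
FQDN="$HOST.domain.local"
IPADDR=192.168.1.16

# Write the request config. The option is default_keyfile with an underscore;
# openssl silently ignores misspelled option names, so a typo here is not reported.
write_cfg() {
  cat > "$WORK/crt.cfg" <<EOF
[ req ]
default_bits = 2048
default_keyfile = $HOST.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:$FQDN, IP:$IPADDR, DNS:$HOST

[ req_distinguished_name ]
countryName = US
stateOrProvinceName = NJ
localityName = City
organizationName = Company
organizationalUnitName = HQ
commonName = $FQDN
EOF
}

# The two commands from the post: an unencrypted 2048-bit key, then the CSR.
make_csr() {
  write_cfg
  openssl genrsa -out "$WORK/$HOST.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$HOST.key" \
    -out "$WORK/certificate_request01.csr" -config "$WORK/crt.cfg"
}

# Decode the CSR so it can be inspected before submission.
show_csr() {
  openssl req -in "$WORK/certificate_request01.csr" -noout -text
}

# Print the SAN entries one per line, e.g. "DNS:aocops01" and "IPAddress:192.168.1.16".
csr_sans() {
  show_csr | awk '/Subject Alternative Name/{getline; print}' | tr -d ' ' | tr ',' '\n'
}

# Succeed only if every expected SAN is present as an exact entry (a plain
# substring match would accept "DNS:aocops01" inside "DNS:aocops01.domain.local").
csr_has_sans() {
  for san in "DNS:$FQDN" "IPAddress:$IPADDR" "DNS:$HOST"; do
    csr_sans | grep -qx "$san" || { echo "missing SAN: $san" >&2; return 1; }
  done
}

# Print the RSA key size recorded in the CSR (expected: 2048).
csr_key_bits() {
  show_csr | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

make_csr
csr_has_sans && echo "CSR ready, SANs: $(csr_sans | tr '\n' ' ')"
```

Checking the decoded CSR is worth the ten seconds: if a SAN is missing or misspelled here, the CA will faithfully sign a certificate that browsers reject for that name, and the whole submit and export cycle has to be repeated.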

After you complete this step you need to submit the CSR to your Certificate Authority (CA). This will give you a signed certificate.

To do this you need to copy the files (the csr and the key) off the server with scp. This can be done with WinSCP on Windows, or if you use SecureCRT you can start an sftp session and do a get.


Then you take these files to your CA; in my case it's an AD Certificate Authority:

certreq -submit -attrib "CertificateTemplate:<certificate>" <signingrequest>.csr

So in my case I run it like this (I already had a file so I omitted that part):

certreq -submit -attrib "CertificateTemplate:VMware" certificate_request01.csr

(screenshot: Cert-gen)

You get to click OK one more time and then save the file as a .cer file.

Next, go to your CA server and download the CA certificate and the complete chain. This should be in Base64 format.

(screenshot: CA)

This may come down as a .p7b file. No panic: open the file in the certificate viewer, expand the certificate store, click on the certificate and select Export. Export it as a Base-64 encoded X.509 (.cer), click Next, and follow the steps to save it as a .cer file. Copy it to where the other files are located.

(screenshot: Export_cert)

Now we need to combine the .cer files and the key file into one .pem file (this is the file that is uploaded to vROps at the end).

To do this, cat the three files into the .pem file (if you have an official certificate in your chain, you will also have an intermediate certificate file along with your root and server certificates):

cat server-cert.cer key-file.key cacerts.cer > final.pem

In my environment that was:

cat opsnew.cer aocops01.key server-cert.cer > ops.pem

You should now have a single .pem file that contains all three.
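The PEM assembly step above, as an added example that is not part of the original post. It builds the bundle the same way the cat command does and then checks what vROps will check when the file is uploaded: that the private key belongs to the server certificate, and that the chain verifies from the server certificate up to the root CA. The post's AD CA is not available here, so a throwaway root CA and a server certificate signed by it are constructed locally as test fixtures; the host name and scratch directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: assemble final.pem the way the
# cat command does, then verify key/certificate match and chain validity
# before uploading. The CA and server certificate are constructed fixtures.
set -e

WORK="${WORK:-$(mktemp -d)}"       # scratch directory (assumption: writable tmp dir)
HOST=aocops01                      # constructed, same as the post's sample

# Minimal request config for a given CN; -config keeps the example independent
# of the system openssl.cnf.
req_cfg() {
  printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=%s\n' "$1"
}

# Constructed root CA, self-signed with explicit CA extensions (stands in for the AD CA).
make_test_ca() {
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  req_cfg "Constructed Test Root CA" > "$WORK/ca.cfg"
  openssl req -new -key "$WORK/ca.key" -config "$WORK/ca.cfg" -out "$WORK/ca.csr"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 3 \
    -extfile "$WORK/ca.ext" -out "$WORK/cacerts.cer" 2>/dev/null
}

# Server key and CSR, signed by the constructed CA with the SANs the post needs.
make_server_cert() {
  openssl genrsa -out "$WORK/$HOST.key" 2048 2>/dev/null
  req_cfg "$HOST.domain.local" > "$WORK/server.cfg"
  openssl req -new -key "$WORK/$HOST.key" -config "$WORK/server.cfg" -out "$WORK/server.csr"
  printf 'subjectAltName=DNS:%s.domain.local,DNS:%s\nextendedKeyUsage=serverAuth,clientAuth\nbasicConstraints=CA:FALSE\n' \
    "$HOST" "$HOST" > "$WORK/server.ext"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/cacerts.cer" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 3 -extfile "$WORK/server.ext" -out "$WORK/server-cert.cer" 2>/dev/null
}

# The post's cat step: server certificate, private key, CA chain into one file.
build_pem() {
  cat "$WORK/server-cert.cer" "$WORK/$HOST.key" "$WORK/cacerts.cer" > "$WORK/final.pem"
}

# Number of certificates in the bundle (server + intermediates + root).
pem_cert_count() {
  grep -c 'BEGIN CERTIFICATE' "$WORK/final.pem"
}

# The key belongs to the first certificate if both yield the same public key.
key_matches_cert() {
  k=$(openssl pkey -in "$WORK/final.pem" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$WORK/final.pem" -noout -pubkey 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Split the bundle into chain-1.cer (server) .. chain-N.cer (root) and verify
# the server certificate against the root, with any middle certs as untrusted
# intermediates. Exit status 0 means the chain is complete and consistent.
verify_chain() {
  awk -v d="$WORK" '/-----BEGIN CERTIFICATE-----/{p=1; n++} p{print > (d "/chain-" n ".cer")} /-----END CERTIFICATE-----/{p=0}' \
    "$WORK/final.pem"
  n=$(pem_cert_count)
  untrusted=""
  i=2
  while [ "$i" -lt "$n" ]; do
    untrusted="$untrusted -untrusted $WORK/chain-$i.cer"
    i=$((i + 1))
  done
  openssl verify -CAfile "$WORK/chain-$n.cer" $untrusted "$WORK/chain-1.cer" >/dev/null
}

make_test_ca
make_server_cert
build_pem
key_matches_cert && verify_chain && echo "final.pem: $(pem_cert_count) certificates, key matches, chain OK"
```

The two checks catch the usual mistakes at this step: pasting the CSR or the wrong key file into the bundle (key and certificate no longer match), and exporting only the server certificate from the p7b so the CA or intermediate is missing (chain does not verify). Either one produces a rejected upload or a certificate the browser still distrusts.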

Uploading the files to vROps

For this step you need to log in to the admin interface of vROps (https://fqdn/admin). In the top right corner there is an SSL Certificate button; click on that:

(screenshot: vrops-admin-cert)

A window pops up; select Install New Certificate. Note that the server names are listed as Subject Alternative Names:

(screenshot: New-Cert)

Browse to the location of your .pem file. The file is checked and verified as being OK:

(screenshot: Installed-New-Cert)

That should pretty much be that. As you can see, I can now go to the web page where previously I could not, and it shows a valid certificate on each host:

(screenshot: Valid-Cert)

(screenshot: valid-cert-02)

If it does not show up straight away, you may need to restart your browser or even the client machine. vROps itself should not need a reboot for this.

A final couple of notes. If you have a cluster, like I have here, you should only need to do this on the first node; the cluster distributes the certificate to the other nodes by itself. I think this was introduced in vROps 6.2.

Secondly, if you have a load balancer (LB) in front of your vROps cluster, you need to use the vROps LB name as the common name. You can read more about this here.

Last thought: I used the following KB article to do this for my cluster.