目录
- 5. 使用 Microsoft 证书颁发机构颁发自签名 CA 证书链
- 5.1 登录MADCS
- 5.2 申请证书
- 5.3 选择证书类型
- 5.4 提交CR
- 5.5 下载 Base 64 编码的证书
- 5.6 将证书链传入VC
- 6. 使用 企业CA签发的 VMCA 证书 替换 vSphere 默认 VMCA 证书
- 6.1 确认证书文件
- 6.2 替换默认 vSphere 证书
- 6.3 验证自签名证书
- 关联博文
- 参考资料
博文主要描述了如何在 Windows Server 2019 中使用 Microsoft 证书颁发机构颁发适用于 vSphere 7.x 和 8.x 版本的自签名 VMCA 证书以及在 vCenter Server 8 上通过实用工具 certificate-manager 将 vSphere 默认VMCA CA 证书替换为 企业 CA 自签名证书。适用的 vSphere 版本为 vSphere 7.0.x 和 vSphere 8.0.x。
5. 使用 Microsoft 证书颁发机构颁发自签名 CA 证书链
申请前确保Windows Server IIS服务正常开启80端口。
5.1 登录MADCS
打开并登录 Microsoft Active Directory Certificate Services 页面
5.2 申请证书
点击【Request a certificate】
5.3 选择证书类型
选择【advanced certificate request】
5.4 提交CR
将使用certificate-manager创建的CSR内容粘贴到Saved Request下。vmca_issued_csr.csr文件内容
-----BEGIN CERTIFICATE REQUEST-----
MIIEKTCCApECAQAwXTELMAkGA1UEAwwCQ0ExCzAJBgNVBAYTAkNOMRAwDgYDVQQI
DAdCZWlqaW5nMRAwDgYDVQQHDAdCZWlqaW5nMQ8wDQYDVQQKDAZWTXdhcmUxDDAK
BgNVBAsMA0dTUzCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAJnz4p1/
Q1n9az3SjTfgCL6hZtk6cIGngJOtX6f/prqp9RUpucBQhSwt8GSwOqW5PtjqXrcs
6MgQRfqjGn8T6LsyCcZgxA5SaDgsncq2xgZs9VU9gLT/+pp65LrFerlZGHKE6wD1
B49GhnGFr4aJglLwQHxDz0b2dIdimsaLRt2ro70PX+xMEeZ4ZScjcooOHfSVY3oL
WGlxHhPgcAgah4wSXowKcPBmUPMccdzSHxTvakkJeDf80CW3GGb0dEKoyu9JKNQ0
4frHzM4XkSymo+X4rV1OIN4XinRhER6v4vQY70fQc5gdluYDUS2thAdGod0EQc3M
7wkN3xpAWLUM6w7Yxv0C8ZZbzaXv1q+E0HCdBEOxtaSHgfdSdPcU5ARtAsgBhxRY
6iqpl/ekD+5JGLesSGvVkn8r0W5FQkwJ2HaTu82HNevJyMX8Y6o87Kkb02BwzYki
W1XQpRq+7VTRbUwqGv3Q5xPK3TwDO2NPcfhWzjb9N4jux0nZHrHJuNhCGwIDAQAB
oIGGMIGDBgkqhkiG9w0BCQ4xdjB0MBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0P
AQH/BAQDAgEGMC8GA1UdEQQoMCaBDmVtYWlsQGFjbWUuY29thwTAqAEDgg52Yzct
My55ei5sb2NhbDAdBgNVHQ4EFgQU/J/wuecPFCu5YDZvIQHjS/m0eRowDQYJKoZI
hvcNAQELBQADggGBADuCyfaqPu+S2z+CFPvaTDci5HOlBrYRktCNH1930eZpq66H
iXCgFXdndkzJ19NIOILj7b6SbqfDZo02zp6Cn7Z+7PrFDUxGBueboSE8D7SLyAej
4npdz0D9OQjoz0tGEISHJdon6bZmolEb2sOzOn/Ga31tfz8YTjM2+TGHLBAaDsaG
AGLfXWrnOFI6ExOc3qMtOkiBMTK8mSQJu57mkr5exmq5XlNwBrnpICL7ASTx3TXr
JOEj3WKkMrDl18v9ufZefhqVZsYKvvc1KL4S27gUnPANSQiKAN21qcyBn0cOq8uL
8oFX1zilJ9rWE12Wy27hz1b2WnPM656IPTFZ/habb0ncxVZzT9PZ5HX9yF5oomKX
eQ5I6fLaOh4xIfYsqZZTzPFVOoMH8Zy6S0yyVGGZGaPsPIDnQI2/KYIb9mABGEo0
F8UMOPaje6QB4EbPsXQDxbsvsgsls+1nkNBTfI7ytbO1j2bO8/goekdCkuq1cUaN
O9GDdQ0v+YF03+aJ3w==
-----END CERTIFICATE REQUEST-----
然后选择刚才创建的 vSphere 8.x for VMCA 模板,点击 Submit.
5.5 下载 Base 64 编码的证书
选中 Base 64 encoded,先点击 Download certificate chain,下载的文件名为 certnew.p7b,将其重命名为 cachain.p7b
上图p7b尚未修改名称。
5.6 将证书链传入VC
这里我们使用WinSCP进行传送。将cachain.p7b传入VC的 /root/vmca
6. 使用 企业CA签发的 VMCA 证书 替换 vSphere 默认 VMCA 证书
6.1 确认证书文件
SSH 到 VCSA 中,cd 到 /root/vmca 目录,此时该目录存在3个文件
将 cachain.p7b转换为 cachain.cer
openssl pkcs7 -print_certs -in cachain.p7b -out vmca_issued.cer
再次查看 /root/vmca 目录,此时该目录存在4个文件
需要用到的是
- 自签名根证书链:vmca_issued.cer
- 自定义密钥:vmca_issued_key.key
6.2 替换默认 vSphere 证书
再次使用certificate-manager工具替换默认证书
root@vc7-3 [ ~ ]# /usr/lib/vmware-vmca/bin/certificate-manager
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
| |
| *** Welcome to the vSphere 8.0 Certificate Manager *** |
| |
| -- Select Operation -- |
| |
| 1. Replace Machine SSL certificate with Custom Certificate |
| |
| 2. Replace VMCA Root certificate with Custom Signing |
| Certificate and replace all Certificates |
| |
| 3. Replace Machine SSL certificate with VMCA Certificate |
| |
| 4. Regenerate a new VMCA Root Certificate and |
| replace all certificates |
| |
| 5. Replace Solution user certificates with |
| Custom Certificate |
| NOTE: Solution user certs will be deprecated in a future |
| release of vCenter. Refer to release notes for more details.|
| |
| 6. Replace Solution user certificates with VMCA certificates |
| |
| 7. Revert last performed operation by re-publishing old |
| certificates |
| |
| 8. Reset all Certificates |
|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|
Note : Use Ctrl-D to exit.
Option[1 to 8]: 2
Do you wish to generate all certificates using configuration file : Option[Y/N] ? : Y
Please provide valid SSO and VC privileged user credential to perform certificate operations.
Enter username [Administrator@vsphere.local]:
Enter password:
certool.cfg file exists, Do you wish to reconfigure : Option[Y/N] ? : Y
Press Enter key to skip optional parameters or use Previous value.
Enter proper value for 'Country' [Previous value : CN] :
Enter proper value for 'Name' [Previous value : CA] :
Enter proper value for 'Organization' [Previous value : VMware] :
Enter proper value for 'OrgUnit' [optional] : GSS
Enter proper value for 'State' [Previous value : Beijing] :
Enter proper value for 'Locality' [Previous value : Beijing] :
Enter proper value for 'IPAddress' (Provide comma separated values for multiple IP addresses) [optional] : 192.168.1.3
Enter proper value for 'Email' [Previous value : email@acme.com] :
Enter proper value for 'Hostname' (Provide comma separated values for multiple Hostname entries) [Enter valid Fully Qualified Domain Name(FQDN), For Example : example.domain.com] : vc7-3.yz.local
Enter proper value for VMCA 'Name' :vc7-3.yz.local
1. Generate Certificate Signing Request(s) and Key(s) for VMCA Root Signing certificate
2. Import custom certificate(s) and key(s) to replace existing VMCA Root Signing certificate
Option [1 or 2]: 2
Please provide valid custom certificate for Root.
File : /root/vmca/vmca_issued.cer
Please provide valid custom key for Root.
File : /root/vmca/vmca_issued_key.key
You are going to replace Root Certificate with custom certificate and regenerate all other certificates
Continue operation : Option[Y/N] ? : Y
Status : 100% Completed [All tasks completed successfully]
此时 VMCA 根证书的更新状态是100%成功完成。
6.3 验证自签名证书
登录 vSphere Client,Menu > Administration > Certificastes > Certificate Management,找到 VMware Certificate Authority,查看 VMCA_ROOT_CERT 的信息,点击VIEW DETAILS
同时 Machine SSL Certificate 证书也被刷新
关联博文
1.企业 CA 签名证书替换 vSphere VMCA CA 证书Ⅰ—— 生成 CSR
2.企业 CA 签名证书替换 vSphere VMCA CA 证书Ⅱ—— 创建和添加证书模板
3.企业 CA 签名证书替换 vSphere VMCA CA 证书Ⅲ—— 颁发自签名与替换 VMCA 证书
参考资料
博文封面图片来自: https://blogs.vmware.com/vsphere/2019/06/10-things-about-vsphere-certificate-management.html
