introduction
in first article of vSphere SEcurity : we will discuss how to secure vcenter with custom VMCA certificate
as we know : that vcenter create self signed certificate during setup , which is good with somehow to secure connection
BUT ,,,,
NOT secured enough since its only recognized by vcenter it’s self
network diagram
please have a look to network diagram above
we have :
- domain controller for AD DC101.pioneers.lab with IP address 172.16.100.101
- ESXI151 with IP address 172.16.100.151
- ESXI152 with IP address 172.16.100.152
- ESXI153 with IP address 172.16.100.153
- VCenter server VCSA161.pioneers.lab with IP address 172.16.100.161 and with the default self-signed certificate
- Suse Linux server SLES122.pioneers.lab with IP address 172.16.100.122 which will run CA by application openSSL
Configuration Steps
our steps to configure VCSA with customer VMCA certificate :
- Check VCSA self-signed certificate
- Configure vCenter server VCSA161.pioneers.lab to request new certificate
- Copy request file to CA server which is Suse Linux server called SLES122.pioneers.lab
- Install openSSL application on SLES122.pioneers.lab
- Setup CA Certificate Authority on SLES122.pioneers.lab
- Create customer certificate based on request
- Import new custom create certificate to VCSA161
- Replace default self-signed certificate by new custom certificate
- Verify certificate is installed
Check VCSA self-signed certificate
to Check VCSA self-signed certificate
open vcenter by using https://vcsa161.pioneers.lab
create certificate request on VCSA161
this first step is to configure VCSA to request for certificate
open SSH [putty] to VCSA161 with ip address 172.16.100.161
install openssl tool on SLES122
after we have created request > it’s time to setup certificate authority in linux server SLES122.pioneers.lab
the application responsible to CA setup is called openSSL
connect to SLES122 with SSH [ Putty] to install application openSSL
setup CA on SLES122
now we will setup certificate authority CA on SLES122
connec to to SLES122 with SSH [ putty ]
first create folder to store certificate
create custom certificate for VCSA161
now we will create certificate for VCSA161 based on request >>
using winSCP utility : copy request from from VCSA161 to SLES122
In the SSH connection Runcommand
openssl x509 -req -in vmca_issued_csr.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out vcsa161.pioneers.lab .crt -days 1024 -sha256 -extfile san.cnf
this command will create certificate for VSA161 based on request file and san.cnf file
import custom certificate to VCSA161
now it’s time import certificate into vcenter application
replace self signed certificate with custom certificate
certificate is imported to vcenter but this first certificate [self signed certificate [ still take effect
now we will replace self signed certificate with custom created
login to vcenter with https://vcsa161 > administration > certificate management
verify custom SSL certificate
to verify custom certificate is applied > open browser > https://vcsa61.pioneers.lab
we will notice that custom certificate is applied and valid for 3 years
without any error or warning
Conclusion
one of the best practice to secure vSphere environment is to secure web access with Certificate authority
we have discuss how to create microsoft ADCS [Active Directory security service ] and how to secure exchange and web server in course active directory please press here
you can configure VCSA or ESXI host to use SSL certificate from both microsoft ADCS or CA openSSL
in networks pioneers we believe in Diversity:so we provide you the the options and you decide which is the best for you microsoft ADCS or VMCA
