本文介绍: SSL – 运维篇 第三章 vCenter6.7使用自建SSL证书

SSL – 运维篇


系列文章回顾

第二章 FortiGate防火墙使用自建SSL证书


vCenter6.7使用自建SSL证书

本文仅实验过VMware vCenter 6.7版本

vCenter 6.7 上传文件到Shell

# VCSA默认情况下, root用户使用shellappliancesh, 因此无法通过WinSCP来登录VCSA和上传文件
# 需要更改root用户shellbash, 如下所示.
chsh -s /bin/bash root
# 上传文件后,再改回appliancesh.
chsh -s /bin/appliancesh root

vCenter 6.7 Shell 替换SSL证书流程

/var/lib/vmware/vmca/root.cer					# vCenter默认ROOT存放路径
/var/lib/vmware/vmca/privatekey.pem				# vCenter默认存放私钥路径
/usr/lib/vmware-vmca/share/config/vmca.reg		# vCenter VMCA的reg配置
/usr/lib/vmware-vmca/share/config/certool.cfg	# vCenter 生成CSR证书签名请求默认配置参数


### 新增自定义SSL证书存储的路径
root@vCenter [ ~ ]# mkdir -p /opt/vmware/etc/ssl/cert-backup/

### 使用vCenter自带的证书管理工具为vCenter生成csr证书签名请求密钥
root@vCenter [ ~ ]# /usr/lib/vmware-vmca/bin/certificate-manager		# vCenter 证书管理工具
                 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
                |                                                                     |
                |      *** Welcome to the vSphere 6.7 Certificate Manager  ***        |
                |                                                                     |
                |                   -- Select Operation --                            |
                |                                                                     |
                |      1. Replace Machine SSL certificate with Custom Certificate     |
                |                                                                     |
                |      2. Replace VMCA Root certificate with Custom Signing           |
                |         Certificate and replace all Certificates                    |
                |                                                                     |
                |      3. Replace Machine SSL certificate with VMCA Certificate       |
                |                                                                     |
                |      4. Regenerate a new VMCA Root Certificate and                  |
                |         replace all certificates                                    |
                |                                                                     |
                |      5. Replace Solution user certificates with                     |
                |         Custom Certificate                                          |
                |                                                                     |
                |      6. Replace Solution user certificates with VMCA certificates   |
                |                                                                     |
                |      7. Revert last performed operation by re-publishing old        |
                |         certificates                                                |
                |                                                                     |
                |      8. Reset all Certificates                                      |
                |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|
Note : Use Ctrl-D to exit.
Option[1 to 8]: 
--> 1		# Replace Machine SSL certificate with Custom Certificate 用自定义证书替换计算机SSL证书
--> administrator@xxx.com
--> <password>
--> 1		# Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate 为机器SSL证书生成证书签名请求和密钥
--> /opt/vmware/etc/ssl/cert-backup/		# 输出CSR和KEY的目录
--> CN										# Country [C]
--> vCenter.xxx.com							# Name [CN]
--> xxx Technology Co., Ltd.				# Organization [O]
--> [部门]									# OrgUnit [OU]
--> []									# State [ST]
--> []									# Locality [L]
--> [vCenter的ip地址]						# IPAddress
--> [邮箱]									# Email
--> [vCenter的FQDN]							# Hostname
--> [vCenter内置的CA名称]					# VMCA Name
--> 2										# Exit certificate-manager 退出证书管理工具

### 通过vCenter自带的证书管理工具导出csr和key文件
root@vCenter [ ~ ]# ls /opt/vmware/etc/ssl/cert-backup/
vmca_issued_csr.csr  vmca_issued_key.key  ca.cer

参考 【转】VMware使用自签名证书替换vSphere各组件自带SSL证书 完成 Windows Server 2016 CA 的证书模板颁发过程

mmc.exe --> 添加/删除管理单元 --> 证书模板
0
1
2
3
4
5
6
7

### 上传ca根证书文件和ssl证书, 重命名csr文件和key文件
root@vCenter [ ~ ]# chsh -s /bin/bash root			
root@vCenter [ ~ ]# scp root@ca.xxx.com:/tmp/ca.cer /opt/vmware/etc/ssl/cert-backup/
root@vCenter [ ~ ]# scp root@ca.xxx.com:/tmp/vcenter.cer /opt/vmware/etc/ssl/cert-backup/
root@vCenter [ ~ ]# chsh -s /bin/appliancesh root	# 切换appliancesh
root@vCenter [ ~ ]# mv /opt/vmware/etc/ssl/cert-backup/vmca_issued_csr.csr /opt/vmware/etc/ssl/cert-backup/vcenter.csr
root@vCenter [ ~ ]# mv /opt/vmware/etc/ssl/cert-backup/vmca_issued_csr.key /opt/vmware/etc/ssl/cert-backup/vcenter.key
root@vCenter [ ~ ]# ls /opt/vmware/etc/ssl/cert-backup/
vcenter.cer  vcenter.csr  vcenter.key  ca.cer

### 通过vCenter自带的证书管理工具开始导入SSL证书
root@vCenter [ ~ ]# /usr/lib/vmware-vmca/bin/certificate-manager		# vCenter 证书管理工具
                 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
                |                                                                     |
                |      *** Welcome to the vSphere 6.7 Certificate Manager  ***        |
                |                                                                     |
                |                   -- Select Operation --                            |
                |                                                                     |
                |      1. Replace Machine SSL certificate with Custom Certificate     |
                |                                                                     |
                |      2. Replace VMCA Root certificate with Custom Signing           |
                |         Certificate and replace all Certificates                    |
                |                                                                     |
                |      3. Replace Machine SSL certificate with VMCA Certificate       |
                |                                                                     |
                |      4. Regenerate a new VMCA Root Certificate and                  |
                |         replace all certificates                                    |
                |                                                                     |
                |      5. Replace Solution user certificates with                     |
                |         Custom Certificate                                          |
                |                                                                     |
                |      6. Replace Solution user certificates with VMCA certificates   |
                |                                                                     |
                |      7. Revert last performed operation by re-publishing old        |
                |         certificates                                                |
                |                                                                     |
                |      8. Reset all Certificates                                      |
                |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|
Note : Use Ctrl-D to exit.
Option[1 to 8]: 
--> 1		# Replace Machine SSL certificate with Custom Certificate 用自定义证书替换计算机SSL证书
--> administrator@xxx.com
--> <password>
--> 2		# Import custom certificate(s) and key(s) to replace existing Machine SSL certificate 导入自定义证书和密钥替换现有的计算机SSL证书
Please provide valid custom certificate for Machine SSL.
File : /opt/vmware/etc/ssl/cert-backup/vcenter.cer	# SSL证书签发文件

Please provide valid custom key for Machine SSL.
File : /opt/vmware/etc/ssl/cert-backup/vcenter.key	# SSL证书私钥

Please provide the signing certificate of the Machine SSL certificate
File : /opt/vmware/etc/ssl/cert-backup/ca.cer		# ROOTCA证书链

You are going to replace Root Certificate with custom certificate and regenerate all other certificates
Continue operation : Option[Y/N] ? : Y				# 开始执行导入SSL证书, 等待vCenter进度条执行完毕



### 查看vCenter的所有证书store信息
root@vCenter [ ~ ]# /usr/lib/vmware-vmafd/bin/vecs-cli store list
MACHINE_SSL_CERT
TRUSTED_ROOTS
TRUSTED_ROOT_CRLS
machine
vsphere-webclient
vpxd
vpxd-extension
APPLMGMT_PASSWORD
data-encipherment
SMS
vcenter.xxx.com		# 自定义SSL证书的store
BACKUP_STORE_H5C
BACKUP_STORE

# 查看指定store证书链(密文)
root@vCenter [ ~ ]# /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store vcenter.xxx.com
Number of entries in store :    1
Alias : vcenter.xxx.com
Entry type :    Private Key
Certificate :   ...

# 查看指定store证书链解析(明文)
root@vCenter [ ~ ]# /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store vcenter.xxx.com --text
Number of entries in store :    1
Alias : vcenter.xxx.com
Entry type :    Private Key
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ...
    Signature Algorithm: sha256WithRSAEncryption
        ...
         
# 查看指定store证书链的指定alias证书信息解析(明文)
root@vCenter [ ~ ]# /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store TRUSTED_ROOTS --alias <alias> --text

测试&验证

浏览器打开vCenterWebUI提示HTTPS连接安全的。
1
2

参考链接

  1. 【转】VMware使用自签名证书替换vSphere各组件自带SSL证书
  2. vecs-cli 命令参考

原文地址:https://blog.csdn.net/m0_54768192/article/details/134659318

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。

如若转载,请注明出处:http://www.7code.cn/show_6271.html

如若内容造成侵权/违法违规/事实不符,请联系代码007邮箱:suwngjj01@126.com进行投诉反馈,一经查实,立即删除

发表回复

您的邮箱地址不会被公开。 必填项已用 * 标注