[Notes] Using a self-built SSL certificate with vCenter 6.7 and ESXi 6.7

SSL - Operations


Series recap

Chapter 2: Using a self-built SSL certificate on a FortiGate firewall


Using a self-built SSL certificate with vCenter 6.7 and ESXi 6.7

This article has only been tested on VMware vCenter 6.7.


vCenter 6.7: uploading files to the shell

# By default the root user's login shell on the VCSA is appliancesh, so WinSCP cannot log in to the VCSA to upload files.
# Change root's shell to bash as shown below.
chsh -s /bin/bash root
# After uploading the files, switch back to appliancesh.
chsh -s /bin/appliancesh root

vCenter 6.7: full SSL certificate replacement procedure from the shell

/var/lib/vmware/vmca/root.cer					# default path of vCenter's VMCA root certificate
/var/lib/vmware/vmca/privatekey.pem				# default path of the VMCA private key
/usr/lib/vmware-vmca/share/config/vmca.reg		# VMCA registry configuration
/usr/lib/vmware-vmca/share/config/certool.cfg	# default parameters used when generating a CSR (certificate signing request)


### Create a directory to hold the custom SSL certificate
root@vCenter [ ~ ]# mkdir -p /opt/vmware/etc/ssl/cert-backup/

### Use vCenter's built-in certificate manager to generate a CSR and key for vCenter
root@vCenter [ ~ ]# /usr/lib/vmware-vmca/bin/certificate-manager		# vCenter certificate management tool
                 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
                |                                                                     |
                |      *** Welcome to the vSphere 6.7 Certificate Manager  ***        |
                |                                                                     |
                |                   -- Select Operation --                            |
                |                                                                     |
                |      1. Replace Machine SSL certificate with Custom Certificate     |
                |                                                                     |
                |      2. Replace VMCA Root certificate with Custom Signing           |
                |         Certificate and replace all Certificates                    |
                |                                                                     |
                |      3. Replace Machine SSL certificate with VMCA Certificate       |
                |                                                                     |
                |      4. Regenerate a new VMCA Root Certificate and                  |
                |         replace all certificates                                    |
                |                                                                     |
                |      5. Replace Solution user certificates with                     |
                |         Custom Certificate                                          |
                |                                                                     |
                |      6. Replace Solution user certificates with VMCA certificates   |
                |                                                                     |
                |      7. Revert last performed operation by re-publishing old        |
                |         certificates                                                |
                |                                                                     |
                |      8. Reset all Certificates                                      |
                |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|
Note : Use Ctrl-D to exit.
Option[1 to 8]: 
--> 1		# Replace Machine SSL certificate with Custom Certificate
--> administrator@xxx.com
--> <password>
--> 1		# Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate
--> /opt/vmware/etc/ssl/cert-backup/		# output directory for the CSR and key
--> CN										# Country [C]
--> vCenter.xxx.com							# Name [CN]
--> xxx Technology Co., Ltd.				# Organization [O]
--> [department]							# OrgUnit [OU]
--> []									# State [ST]
--> []									# Locality [L]
--> [vCenter IP address]					# IPAddress
--> [email]									# Email
--> [vCenter FQDN]							# Hostname
--> [name of vCenter's built-in CA]			# VMCA Name
--> 2										# Exit certificate-manager

### CSR and key files exported by the built-in certificate manager
root@vCenter [ ~ ]# ls /opt/vmware/etc/ssl/cert-backup/
vmca_issued_csr.csr  vmca_issued_key.key  ca.cer

Follow the certificate-template issuance procedure on a Windows Server 2016 CA described in the reference "[Repost] Replacing the built-in SSL certificates of each vSphere component with self-signed certificates (VMware)" to get the CSR signed.

mmc.exe --> Add/Remove Snap-in --> Certificate Templates

### Upload the CA root certificate and the issued SSL certificate, then rename the CSR and key files
root@vCenter [ ~ ]# chsh -s /bin/bash root			# switch to bash so scp can be used
root@vCenter [ ~ ]# scp root@ca.xxx.com:/tmp/ca.cer /opt/vmware/etc/ssl/cert-backup/
root@vCenter [ ~ ]# scp root@ca.xxx.com:/tmp/vcenter.cer /opt/vmware/etc/ssl/cert-backup/
root@vCenter [ ~ ]# chsh -s /bin/appliancesh root	# switch back to appliancesh
root@vCenter [ ~ ]# mv /opt/vmware/etc/ssl/cert-backup/vmca_issued_csr.csr /opt/vmware/etc/ssl/cert-backup/vcenter.csr
root@vCenter [ ~ ]# mv /opt/vmware/etc/ssl/cert-backup/vmca_issued_key.key /opt/vmware/etc/ssl/cert-backup/vcenter.key
root@vCenter [ ~ ]# ls /opt/vmware/etc/ssl/cert-backup/
vcenter.cer  vcenter.csr  vcenter.key  ca.cer

### Import the SSL certificate using the built-in certificate manager
root@vCenter [ ~ ]# /usr/lib/vmware-vmca/bin/certificate-manager		# vCenter certificate management tool
                 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
                |                                                                     |
                |      *** Welcome to the vSphere 6.7 Certificate Manager  ***        |
                |                                                                     |
                |                   -- Select Operation --                            |
                |                                                                     |
                |      1. Replace Machine SSL certificate with Custom Certificate     |
                |                                                                     |
                |      2. Replace VMCA Root certificate with Custom Signing           |
                |         Certificate and replace all Certificates                    |
                |                                                                     |
                |      3. Replace Machine SSL certificate with VMCA Certificate       |
                |                                                                     |
                |      4. Regenerate a new VMCA Root Certificate and                  |
                |         replace all certificates                                    |
                |                                                                     |
                |      5. Replace Solution user certificates with                     |
                |         Custom Certificate                                          |
                |                                                                     |
                |      6. Replace Solution user certificates with VMCA certificates   |
                |                                                                     |
                |      7. Revert last performed operation by re-publishing old        |
                |         certificates                                                |
                |                                                                     |
                |      8. Reset all Certificates                                      |
                |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|
Note : Use Ctrl-D to exit.
Option[1 to 8]: 
--> 1		# Replace Machine SSL certificate with Custom Certificate
--> administrator@xxx.com
--> <password>
--> 2		# Import custom certificate(s) and key(s) to replace existing Machine SSL certificate
Please provide valid custom certificate for Machine SSL.
File : /opt/vmware/etc/ssl/cert-backup/vcenter.cer	# issued SSL certificate

Please provide valid custom key for Machine SSL.
File : /opt/vmware/etc/ssl/cert-backup/vcenter.key	# SSL certificate private key

Please provide the signing certificate of the Machine SSL certificate
File : /opt/vmware/etc/ssl/cert-backup/ca.cer		# root CA certificate chain

You are going to replace Root Certificate with custom certificate and regenerate all other certificates
Continue operation : Option[Y/N] ? : Y				# starts the import; wait for vCenter's progress bar to finish
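Before handing the three files to certificate-manager it is worth confirming that they belong together, since a key that does not match the certificate, a wrong signing CA, or a missing DNS SAN each makes the import fail or leaves browsers distrusting the result. The check below is an added example, not part of the original post or of VMware's tooling; it assumes the openssl CLI is available and builds its own throw-away CA and leaf certificate as constructed test data, so it runs without a real CA.

```shell
# Added example, not from the original post or VMware's tools: sanity-check the three
# files certificate-manager asks for (custom cert, its key, signing CA certificate)
# before importing them. Assumes the openssl CLI is available, as it is on the VCSA.

# verify_bundle CERT KEY CA FQDN
# Returns 0 only if KEY belongs to CERT, CERT chains to CA, and CERT's SAN names FQDN.
verify_bundle() {
  cert=$1; key=$2; ca=$3; fqdn=$4
  # 1. A key/certificate mismatch is the usual cause of a failed import:
  #    compare the SubjectPublicKeyInfo carried by each file.
  cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | openssl sha256)
  kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  [ "$cpub" = "$kpub" ] || { echo "FAIL: $key does not belong to $cert"; return 1; }
  # 2. The file given as the signing certificate must actually validate the cert.
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "FAIL: $cert does not chain to $ca"; return 1; }
  # 3. Browsers match the host name against subjectAltName, not the CN.
  openssl x509 -in "$cert" -noout -text | tr ', ' '\n\n' | grep -qxF "DNS:$fqdn" \
    || { echo "FAIL: subjectAltName of $cert lacks DNS:$fqdn"; return 1; }
  echo "OK: $cert, $key and $ca are consistent for $fqdn"
}

# make_test_material FQDN
# Constructed test data: a throw-away root CA, a leaf it issued for FQDN with a DNS
# SAN, and an unrelated key. Prints the temporary directory holding them.
make_test_material() {
  fqdn=$1; d=$(mktemp -d)
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Lab Root CA" \
    -keyout "$d/ca.key" -out "$d/ca.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$d/ca.ext"
  openssl x509 -req -days 1 -in "$d/ca.csr" -signkey "$d/ca.key" \
    -extfile "$d/ca.ext" -out "$d/ca.cer" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$fqdn" \
    -keyout "$d/vcenter.key" -out "$d/vcenter.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$fqdn" > "$d/san.ext"
  openssl x509 -req -days 1 -in "$d/vcenter.csr" -CA "$d/ca.cer" -CAkey "$d/ca.key" \
    -CAcreateserial -extfile "$d/san.ext" -out "$d/vcenter.cer" 2>/dev/null
  openssl genpkey -algorithm RSA -out "$d/other.key" 2>/dev/null
  echo "$d"
}

# Stand-alone demo: one matching bundle, then one with the wrong key.
if [ "${1:-}" = "demo" ]; then
  d=$(make_test_material vcenter.lab.test)
  verify_bundle "$d/vcenter.cer" "$d/vcenter.key" "$d/ca.cer" vcenter.lab.test
  verify_bundle "$d/vcenter.cer" "$d/other.key" "$d/ca.cer" vcenter.lab.test
  rm -rf "$d"
fi
```

On the VCSA, run verify_bundle against vcenter.cer, vcenter.key and ca.cer in /opt/vmware/etc/ssl/cert-backup/ with the vCenter FQDN; only an OK result should be followed by the import.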



### List all of vCenter's certificate stores
root@vCenter [ ~ ]# /usr/lib/vmware-vmafd/bin/vecs-cli store list
MACHINE_SSL_CERT
TRUSTED_ROOTS
TRUSTED_ROOT_CRLS
machine
vsphere-webclient
vpxd
vpxd-extension
APPLMGMT_PASSWORD
data-encipherment
SMS
vcenter.xxx.com		# store for the custom SSL certificate
BACKUP_STORE_H5C
BACKUP_STORE

# Show the certificate chain in a given store (encoded form)
root@vCenter [ ~ ]# /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store vcenter.xxx.com
Number of entries in store :    1
Alias : vcenter.xxx.com
Entry type :    Private Key
Certificate :   ...

# Show the certificate chain in a given store, decoded (plain text)
root@vCenter [ ~ ]# /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store vcenter.xxx.com --text
Number of entries in store :    1
Alias : vcenter.xxx.com
Entry type :    Private Key
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ...
    Signature Algorithm: sha256WithRSAEncryption
        ...
         
# Show the decoded certificate for a given alias in a given store (plain text)
root@vCenter [ ~ ]# /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store TRUSTED_ROOTS --alias <alias> --text

Log in to vCenter with the administrator account, go to Administration > Certificate Management, and add the trusted root certificate.



ESXi 6.7: replacing the SSL certificate

[root@esxi:~] cd /etc/vmware/ssl/
[root@esxi:~] ls -l
-rw-r--r--    1 root     root          8665 Feb 22 08:00 castore.pem
-rw-r--r--    1 root     root          3222 Feb 22 08:00 iofiltervp.pem
-rw-r--r--    1 root     root          2104 Mar 18  2023 iofiltervp_castore.pem
-r--r--r--    1 root     root           229 Jun 23  2022 openssl.cnf
-r-------T    1 root     root             0 Jun 23  2022 rui.bak
-rw-r--r--    1 root     root          1517 Feb 22 08:00 rui.crt		# replace this certificate with the custom SSL certificate; back it up first
-r--------    1 root     root          1704 Feb 22 08:00 rui.key		# replace this key with the custom SSL certificate's key; back it up first
-rw-r--r--    1 root     root          3300 Feb 22 08:00 rui.log
-rw-r--r-T    1 root     root             0 May 18  2022 vsan_kms_castore.pem
-rw-r--r-T    1 root     root             0 May 18  2022 vsan_kms_castore_old.pem
-rw-r--r-T    1 root     root             0 May 18  2022 vsan_kms_client.crt
-r-------T    1 root     root             0 May 18  2022 vsan_kms_client.key
-rw-r--r-T    1 root     root             0 May 18  2022 vsan_kms_client_old.crt
-r-------T    1 root     root             0 May 18  2022 vsan_kms_client_old.key
-rw-r--r-T    1 root     root             0 May 18  2022 vsanvp_castore.pem
-rw-r--r--    1 root     root            64 Mar 25  2023 vsanvp_secret

After replacing the files with the custom SSL certificate, run /sbin/auto-backup.sh to save the ESXi configuration, then run /etc/init.d/hostd stop; /etc/init.d/hostd start to restart the web service so that it serves the new SSL certificate.



Re-adding an ESXi host with an updated SSL certificate to vCenter

In vCenter Server's Advanced Settings, temporarily change vpxd.certmgmt.mode from vmca to thumbprint, remove the already-added ESXi host, then add it again; once the host has been added, set vpxd.certmgmt.mode back to vmca.
An ESXi host using the custom SSL certificate should then show that certificate in vCenter's certificate management view.



Testing & verification

Open the vCenter web UI in a browser; it reports the HTTPS connection as secure.

Log in to vCenter with the administrator account, go to Administration > Certificate Management, and check the details of the Machine SSL certificate.

Under trusted root certificates, both the custom SSL certificate chain and the ESXi wildcard SSL certificate chain are present.



References

  1. [Repost] Replacing the built-in SSL certificates of each vSphere component with self-signed certificates (VMware)
  2. vecs-cli command reference