VMware – Replace the ESXi Certificate

KB ID 0000974 

Problem

ESXi comes with a self-signed certificate, and for most people that's fine, but some clients want a ‘Trusted’ certificate on theirs, and have their own PKI infrastructure for issuing them.

Below I will generate a new certificate for my ESXi server using the Active Directory Certificate Services role on Windows Server 2012. Then replace the self signed certificate with my new one.

Solution

Generating a Certificate Request From the ESXi Server

1. Before we start there are a couple of hoops to jump through. On a Windows machine (it does not matter which one), install the following two pieces of software;

Microsoft Visual C++ 2008 Redistributable Package (x86) and the Shining Light Productions installer for OpenSSL x86 version 0.9.8r (or later)

Accept all the defaults and it should install to C:\OpenSSL-Win32. Go there, and in the bin directory make a backup of the openssl.cfg file.

2. Open the original openssl.cfg file and delete everything out of it, then paste in the following text. Replace the site-specific values (the subjectAltName entries and the req_distinguished_name fields) with your own, and save the file.

[box]

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:PNL-ESX1, IP:10.254.254.12, DNS:PNL-ESX1.petenetlive.net

[ req_distinguished_name ]
countryName = GB
stateOrProvinceName = Teesside
localityName = Middlesbrough
0.organizationName = PeteNetLive
organizationalUnitName = Technical Services
commonName = PNL-ESX1.petenetlive.net

[/box]

3. Open a command window and execute the following three commands;

[box]

cd C:\OpenSSL-Win32\bin
openssl req -new -nodes -out rui.csr -keyout rui-orig.key -config openssl.cfg
openssl rsa -in rui-orig.key -out rui.key

[/box]

You will notice rui.csr has been created in the bin directory; this is the file you need to request your certificate. If you open the file with Notepad you can copy the text.
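Before running the commands in step 3 it is worth sanity-checking the config you pasted in step 2. The pre-flight check below is an added example (not from the KB, and not a VMware or OpenSSL tool): it parses an openssl.cfg in the shape shown above and flags the settings that would give you a key ESXi cannot load or a certificate whose name will not match the host. `parse_openssl_cfg` and `lint_cfg` are hypothetical helper names, and the embedded config is a constructed, trimmed copy of the one in step 2.

```python
import re
# Constructed copy of the KB's openssl.cfg above, trimmed to the lines the checks read.
SAMPLE_CFG = """\
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
encrypt_key = no
req_extensions = v3_req
[ v3_req ]
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:PNL-ESX1, IP:10.254.254.12, DNS:PNL-ESX1.petenetlive.net
[ req_distinguished_name ]
commonName = PNL-ESX1.petenetlive.net
"""

def parse_openssl_cfg(text):
    """Minimal parser for OpenSSL's INI-style config: {section: {key: value}}."""
    cfg, section = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        m = re.fullmatch(r"\[\s*(\S+)\s*\]", line)    # "[ req ]" -> section "req"
        if m:
            section = cfg.setdefault(m.group(1), {})
        elif "=" in line and section is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            section[key] = value
    return cfg

def lint_cfg(text):
    """Return the problems that would make the resulting CSR/key unusable on ESXi."""
    cfg = parse_openssl_cfg(text)
    req = cfg.get("req", {})
    ext = cfg.get(req.get("req_extensions", ""), {})
    dn = cfg.get(req.get("distinguished_name", ""), {})
    problems = []
    if int(req.get("default_bits", "0")) < 2048:
        problems.append("default_bits below 2048")
    if req.get("encrypt_key", "yes").lower() != "no":
        problems.append("encrypt_key must be 'no': a passphrase-protected rui.key will not load")
    if "serverAuth" not in [e.strip() for e in ext.get("extendedKeyUsage", "").split(",")]:
        problems.append("extendedKeyUsage lacks serverAuth")
    dns_names = {s.strip()[4:].lower() for s in ext.get("subjectAltName", "").split(",")
                 if s.strip().upper().startswith("DNS:")}
    cn = dn.get("commonName", "").lower()
    if cn not in dns_names:
        problems.append("commonName %r must also appear as a subjectAltName DNS entry" % cn)
    return problems
```

Run `lint_cfg` on the contents of your edited openssl.cfg; an empty list means the config is safe to feed to the `openssl req` command in step 3.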

Submit the Certificate Request and Get an ESX Certificate From a Windows CA

4. Open the web console of your certificate services server (it needs to be running the Certification Authority Web Enrollment role). The URL is usually http://{server's IP or name}/Certsrv. Select ‘Request a certificate’.

5. Advanced certificate request.

6. Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

7. Paste in the text from your csr file (with no extra spaces!). Set the Certificate Template to ‘Web Server’ (the default lifetime for the Web Server template is 2 years. If you require longer, I suggest you clone the Web Server Template, change the lifetime and republish it in Active Directory Certificate Services).

8. Base 64 encoded > Download certificate.

9. Save the file as rui.cer and put it in the bin directory.

10. ESX needs the certificate to be in x509 format, so open a command window and execute the following commands;

[box]

cd C:\OpenSSL-Win32\bin
openssl x509 -in rui.cer -out rui.crt

[/box]

11. Enable SSH on your ESX Host.

12. Connect to the ESX host via SSH, and make a backup of the current keys (just in case).

[box]

cd /etc/vmware/ssl
mv rui.crt backup.rui.crt
mv rui.key backup.rui.key

[/box]

13. Using WinSCP copy the rui.crt and the rui.key files from the bin directory, to the /etc/vmware/ssl directory on your ESX host. WARNING: Set the copy type to ‘Text’ or ASCII or you may get some strange results.

14. Then either restart the management agents, or from your SSH session execute the following command;

[box]/sbin/services.sh restart[/box]

15. The simplest way to check is to browse to the FQDN of your ESX host (the same name you used as the common name in step 2), and take a look at the certificate.

Related Articles, References, Credits, or External Links

NA

Internet Explorer – ‘There is a problem with this website’s security certificate’

KB ID 0000994 

Problem

While browsing to a website with an https:// address you may come across the following error;

There is a problem with this website’s security certificate.

The security certificate presented by this website was not issued by a trusted certificate authority

and/or

The security certificate presented by this website was issued for a different website address.

Security certificate problems may indicate an attempt to fool you or intercept data you send to the server.

We recommend that you close this webpage and do not continue to this Web site.

Solution

Before you proceed: Most of the time, if you see this error a LOT, the date and time are probably set incorrectly on your computer.

This may look like a very scary error and the default action, (from the little green tick option) is NOT to proceed. But let’s look at this error sensibly. If you are on a website and you have your credit card out ready to buy something, STOP! Or you are about to enter some personal details into something then again STOP!

However if you are going to a website that your IT department has told you to go to for something (email access, or a corporate website, etc) then click the RED option, Continue to this website (not recommended).

Why are you seeing this error?

Well it’s to do with the digital certificate this website is presenting to your browser. If you have ever shopped online you may have been told to look for the small padlock to make sure the site is secure.

That’s because that website is presenting you with a certificate and you ‘TRUST’ that certificate. If there was a problem with the certificate, and you didn’t trust it you would be presented with the error above.

OK So What Is a Certificate?

As far as web browsing is concerned a Digital Certificate does two things;

1. Encryption: It makes sure the information exchanged between your browser and the server you are talking to is encrypted. This will happen whether you trust the certificate or not.

2. Identity: It is used to prove that the server you are talking to is who they say they are.

The error you are seeing is related to Identity. This DOES NOT necessarily mean the site is a fake (but if you’re unsure let’s tread carefully). The original error above is telling us two things;

The security certificate presented by this website was not issued by a trusted certificate authority

This means your computer does not trust the CA (Certification Authority) that created and issued this certificate. Anyone can set up a CA (have a search on this site, I’ve set them up for Exchange Email servers, VPNs and a ton of other reasons). These certificates are usually referred to as ‘Self Signed’. So if I (or anyone else) sets up a CA and issues a certificate, your browser will not trust it. Without a lengthy and boring description of how PKI works, you trust every CA that you have a ‘Trusted CA Root Certificate’ for. Once you have this you will trust every certificate issued by that CA.

To prove it let’s inspect the PayPal example above, and take a look at the certificate it’s presenting.

This certificate is trusted because;

1. Issued to: This name MUST match the URL you typed in the browser.*

2. Issued By: The people who signed and issued it, we trust (VeriSign).

3. Valid From: It is in date, (certificates expire). So if the date and time are very wrong on your computer, you will see loads of these errors!

*Note: It is possible to add more names to a certificate in another section called Subject Alternative Name (SAN), but these are NOT generally used for web sites.

So Who Do We Trust?

Your PC comes ‘pre-loaded’ with a bunch of trusted CA certificates, which get updated and renewed periodically. If you want to see them do the following;

Note: You need to be a computer administrator to do this. If you are NOT, then in IE Tools > Internet Options > Content > Certificates > Trusted Root Certification Authorities. You will see the same thing.

1. Windows Key +R > mmc {Enter}.

2. File > Add/Remove Snap-in > Certificates > Add.

3. Computer Account > Next > Local Computer > Finish > OK.

4. Expand Certificates (Local Computer) > Trusted Root Certificates > Certificates > Down near the bottom you will see the VeriSign CA certificates that you trust.

To summarise, the PayPal website works (without an error) because;

1. You Trust the CA that issued its certificate.

2. The ‘Name’ on the certificate matches the URL you typed in the browser. If it didn’t, we would see (as in our first error):

The security certificate presented by this website was issued for a different website address.

3. The certificate that the website presents is in date.

If any of these things were not correct you would see the error ‘There is a problem with this website’s security certificate’.
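As an added illustration (not from the KB), here are the three checks just listed, applied the way a browser applies them to the fields it reads off a certificate, so you can see which of the article's two messages each failure produces. The certificate fields, the issuer name and the contents of the trusted root store are all constructed for the example, and trust is simplified to ‘the issuer is in the Trusted Root store’ (a real browser builds a chain from the server certificate up to a trusted root).

```python
from datetime import datetime

# Constructed certificate fields (not a real certificate) for the three checks:
# trusted issuer, name matches the URL, in date.
PAYPAL_LIKE_CERT = {
    "subject_cn": "www.paypal.com",                 # 'Issued to'
    "san_dns": ["www.paypal.com", "paypal.com"],    # extra names, see the SAN note above
    "issuer": "VeriSign Class 3 Server CA",         # 'Issued by' (constructed issuer name)
    "not_before": datetime(2013, 1, 1),             # 'Valid from'
    "not_after": datetime(2015, 1, 1),              # 'Valid to'
}
# Same certificate but signed by a home-grown CA the PC has never heard of.
SELF_SIGNED_CERT = dict(PAYPAL_LIKE_CERT, issuer="PeteNetLive Internal CA")

# What the PC's 'Trusted Root Certification Authorities' store holds (constructed).
DEFAULT_TRUSTED = {"VeriSign Class 3 Server CA"}

def hostname_matches(cert_name, url_host):
    """Exact match, or a wildcard '*.example.com' that covers exactly one label."""
    cert_name, url_host = cert_name.lower(), url_host.lower()
    if cert_name.startswith("*."):
        return "." in url_host and url_host.split(".", 1)[1] == cert_name[2:]
    return cert_name == url_host

def check_certificate(cert, url_host, now, trusted_roots=DEFAULT_TRUSTED):
    """Return the problems a browser would report, in the order the article lists them."""
    problems = []
    if cert["issuer"] not in trusted_roots:                     # check 1: who signed it
        problems.append("not issued by a trusted certificate authority")
    names = [cert["subject_cn"]] + cert.get("san_dns", [])      # check 2: 'Issued to' + SANs
    if not any(hostname_matches(n, url_host) for n in names):
        problems.append("issued for a different website address")
    if not (cert["not_before"] <= now <= cert["not_after"]):   # check 3: dates (and PC clock)
        problems.append("not in date (check the PC's clock before blaming the site)")
    return problems
```

Adding the home-grown CA to the trusted set (the `trusted_roots` argument) is exactly what makes the first message disappear, which is why your IT department's site stops complaining once its root certificate is installed.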

Related Articles, References, Credits, or External Links

NA