vSphere 6.5 vCenter Appliance – Replacing Certificates

KB ID 0001194

Problem

In vSphere 5 and earlier versions this was not a ‘fun’ job at all, many times I sat down to do it, and lost the will to live. Now there’s a nice new tool built into vCenter that does ‘most’ of the hard work for you. Here I’m using the vCenter appliance but the tool is also available on the Windows version.

For my certificates I’m using Microsoft Certificate Services. I’m going to issue a ‘Subordinate CA’ certificate to my vCenter Appliance, then it can issue signed certificates to each of its services.

Solution

Make sure you have published a ‘Subordinate Certification Authority’ certificate template.

Connect the the vCenter appliance using SSH and enable ‘shell’

[box]

shell.set --enabled True
shell

[/box]

Create a directory to store our certificates and requests in, then launch the certification-manager tool.

[box]

mkdir /root/SSLCerts
/usr/lib/vmware-vmca/bin/certificate-manager

[/box]

The app will launch, and present you with a bunch of options.

Select option 2 > No we don’t want to use the configuration file > enter your logon information, (administrator@vsphere.local and password)  > Enter all the items required for the certificate request.

Choose option 1 (Generate Certificate signing request)  > Specify the folder you created above, (/root/SSLCerts) > Two files will be generated > Enter ‘2’ to exit.

The files;

vCenter 6.5

  • vmca_issued_key.key (the private key)
  • vmca_issued_csr.csr (the request)

vCenter 6.0.0

  • root_signing_cert.key (the private key)
  • root_signing_cert.csr (the request)

Now we need to get the CSR (signing request).

[box]

cat /root/SSLCerts/vmca_issued_csr.csr
OR
cat /root/SSLCerts/root_signing_cert.csr

[/box]

Copy the certificate PEM file.

Open the web enrolment portal of your certificate services server, (https://server.domain.com/certsrv) > Request a certificate > Advanced Certificate Request > Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file > Paste in the PEM text  > Remember to use the Subordinate Certificate Authority template > Submit.

Base 64 Encoded > Download Certificate  > Save it somewhere you can find it, and give it a sensible name!

Now download the Base 64 version of your CA certificate from the main page of your certificate services website, (press ‘back’ a few times).

Now back in your SSH session, change to your SSLCerts directory, and create an ’empty’ file to paste our certificate information into.

[box]

cd /root/SSLCerts/
touch vmca_signing_cert.cer
vi vmca_signing_cert.cer

[/box]

Open the certificate for the vCenter Appliance in a text editor, and PASTE IN BELOW it, the text from the Root-CA certificate. Then copy ALL the text to the clipboard, and go back to the SSH session.

Paste the text you have coped into the open ‘vi editor’ page (Press I, then P) > Save and Exit (Press Esc > :wq {enter})

If you ‘ls’ (thats list short, or dir if you are a Windows type), you will see you now have a .CSR, a .KEY and a .CER file. (the names of which vary between version 6 and 6.5).

Version 6.5

Version 6.0


Launch the certificate-manager application again > Option 2 again > No (again) > Login (again) > ‘N’ > Option 2 (Import custom certificate(s))  > Give it the path to the certificate file > Then the path to the key file.

Yes we want to replace the certificates.

Go get a coffee, this will take a while.

Thats vCenter done.

Next we will concentrate on the ESX hosts

 VMware ESXi6 – Replacing the Default Certificates

Related Articles, References, Credits, or External Links

Original Article Written 25/05/16

Microsoft PKI Planning and Deploying Certificate Services Part 3

KB ID 0001312

Problem

Following on from Part Two, now we have an offline Root CA, and a CRL server, our next step is defined by our PKI design, are we three tier, or two tier? (Look in Part One for a definition).

Solution

As previously mentioned, Microsoft just treats Intermediate CAs and Issuing CA’s as the same thing (SubCAs). So the next step is identical for either. But I would suggest one difference, If I was deploying an Intermediate CA, I would have “LoadDefaultTemplates=0” in the CAPolicy.inf file, and for an Issuing server I would not, (that’s just my personal preference).

I’m going to continue this piece for a two tier PKI deployment. And my next SubCA will be an Issuing CA.

Create your SubCA CAPolicy.inf file and save it to C:\Windows

[box]

[Version]
Signature="$Windows NT$"
[PolicyStatementExtension]
Policies=InternalPolicy
[InternalPolicy]
OID= 1.2.3.4.1455.67.89.5
Notice="Legal Policy Statement"
URL=http://pki.cabench.com/pki/cps.txt
[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=15
CRLPeriod=weeks
CRLPeriodUnits=1
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0

[/box]

Launch Server Manager > Manage > Add Roles and Features.

Role Based > Next > Select the Local Server >Next > Active Directory Certificate Services > Add Features > Next.

No additional Features are Needed > Next > Next > Select Certification Authority > Optional*: Select Certificate Authority Web Enrolment > Next.

*Note: This gives you the nice registration website for certificates.

Next > Install > Close.

Configure Active Directory Certificate Services.

Next > Select ‘Certification Authority’ and ‘ Certificate Authority Web Enrolment’, if you selected it above > Next > Enterprise CA > Next.

Subordinate CA > Next > Create New Private Key > Next > Change the Hash algorithm to SHA256 > Next.

Give the CA a sensible Name > Next > Select ‘Save certificate request to a file on the target machine’ > Next.

Next > Next > Install > Close.

Note: The warning is fine, we haven’t installed the certificate yet, that’s our next step

Copy your certificate request file, (ending .req) and put it on your floppy drive. 

Note: I’m aware we are in the 21st century! I’m using virtual floppy drives.

Present the floppy drive to your offline Root CA and execute the following command;

[box]certreq -submit “A:\filename.req“[/box]

When prompted with the CA name > OK > Take a note of the RequestID you need this in a moment. (Leave the command window open!)

Open the Certificate Services Management Console > Server-name > Pending Requests > Locate your request > Issue the certificate.

Back at command line issue the following command;

[box]certreq -retrieve {RequestID}A:\SubCA.crt“[/box]

When prompted with the CA name > OK.

Check the certificate has appeared on your floppy drive, and present that back to your SubCA server > Open the Certificate Services Management console > Server-name > All Tasks > Install CA Certificate > Locate the cert  > Open.

Start the Service (If it errors at this point you may have a problem with your CRL server see the following link for a temporary workaround until you can fix the CRL).

Certificate Services – Disable CRL Checking

Troubleshooting: Open an MMC Snap-in and Add the Enterprise PKI snap-in to point you towards problems.

At this point I like to copy the Sub CA Cert to C:\Windows\Sytem32\Certsrv\CertEnroll. You should see the CRL for the SubCA already there (and maybe a delta CRL like the image below).

Now we are going to publish those into AD, open an administrative command window and issue the following commands;

[box]

cd  C:\Windows\Sytem32\Certsrv\CertEnroll
certutil -dspublish -f SubCA.crt SubCA
certutil –addstore –f root SubCA.crt
certutil –addstore –f root SubCA.crl
certutil -dspublish  SubCA.crl

[/box]

 

Restart Certificate Services;

[box]

net stop certsvc
net start certsvc

[/box]

Back in Certificate Services > Properties > Extension > Remove the http and file entries. NOT the ldap or the one that’s pointing to C:\Windows.

With CRL Distribution Point showing > Add > Type in http://pki.{your-domain}/pki/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl 

Note: You can add the variables in to avoid typing them, DON’T FORGET to put .crl on the end!

OK.

With your new URL selected, tick;

  • Include in CRLs. Clients use this to find DeltaCRL locations.
  • Include in the CDP extension of issued certificates.

Apply > OK > Services will Restart.

Once Again, click Add, this time type in the UNC path to your hidden PKI share on your CRL Server, e.g.

\\pki.{your-domain}\pki$\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl

Note: You can add the variables in to avoid typing them, DON’T FORGET to put .crl on the end!

OK.

With your UNC path selected, tick;

  • Publish CRLs to this location.
  • Publish Delta CRLs to this location.

Apply  > OK > Services will restart.

That’s your PKI environment stood up and ready to go, you may also want to setup OCSP, see the following article;

Microsoft Certificate Services Configuring OCSP

You can now issue certificates, some of the things you might want to consider setting up are;

Windows Server 2012 – Enable LDAPS

Deploying Certificates via ‘Auto Enrollment’

Windows Server 2012 – Secure RDP Access with Certificates

Install and Configure Certificate Enrolment Policy Web Service

Related Articles, References, Credits, or External Links

NA

Microsoft PKI Planning and Deploying Certificate Services

KB ID 0001309

Problem

“I don’t know what it is about Certificates, I just don’t like them, I don’t understand them, and I don’t like working with them”

I hear this a lot, In fact I heard it this week, and as I’m usually the ‘go-to-guy’ for certificates and PKI, it winds me up! IT pros take the time to learn concepts like DNS, DHCP, Kerberos etc. But mention Certificate Services and heads disappear below monitors and silence decends.

OR WORSE: Someone adds the role, clicks Next > Next > Next > Job done! Lets have tea and medals!

So in typical PNL fashion lets simplify everything, get everyone on the same page. And most importantly, lay out how to do it so I don’t have to do it for you!

Solution

To design PKI well, you need to decide if you want a two or three tier PKI environment. 

What can’t I just have one CA Server? (Hmm your the Next > Next > Next > Job Done Person Eh?) Well you can! But if that one server breaks, (or get compromised.) Then you are in trouble. Plan you deployment properly and save yourself a headache.

Two Tier Or Three Tier PKI? That’s your call, The main advantage of three tier PKI is, if one of your issuing servers, is compromised, you don’t need to bring the offline Root CA back online to re-issue its certificate. I have a client who have an issuing server in their DMZ so this was a good fit for them. For most domains Two Tier is the best option.

So I can only have one issuing Server? No, I just put one on the diagram for simplicity, you can have 1, or 100, or 1000, it’s up to you.

Do I need CRL (Certificate Revocation List) and/or OCSP (Online Certificate Status Protocol) On a Separate Server? Strictly speaking No, but it’s considered good practice, and if you need to advertise a CRL externally, it is more secure. 

PKI Terminology Differences

You will notice I’ve mentioned a Root CA, an Intermediate CA, and an Issuing CA. This is to better explain the architecture and define a difference between an Intermediate CA, and an Issuing CA. Microsoft does not care,.Both of those servers are SubCA servers in Microsoft speak. 

Deploying an Offline Root CA

Whichever architecture you choose this will be your fist step. The offline Root CA is a non domain joined machine, its sole job is to issue SubCA certificates to your intermediate CAs (three tier PKI), or issuing CAs (two tier PKI). When you have finished you power off the Offline Root CA and keep it off.

Note: In my example I want my Root CA Cert to last 20 years

Before You Install Anything: Create a CAPolicy.inf file you can edit it with notepad. You may want to change the validity period, you certainly will need to change the legal notice URL (more on this later) to your own domain FQDN (Note: If you need people outside your organisation, (either at a partner, or just someone the public internet) to see that, ensure that URL is addressable.

Sample Offline Root CA CAPolicy.inf

[box]

[Version]
Signature="$Windows NT$"
[PolicyStatementExtension]
Policies=InternalPolicy
[InternalPolicy]
OID= 1.2.3.4.1455.67.89.5
Notice="Legal Policy Statement"
URL=http://pki.cabench.com/pki/cps.txt
[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
CRLPeriod=weeks
CRLPeriodUnits=26
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
LoadDefaultTemplates=0

[/box]

Save the CAPolicy.inf file to C:\Windows, Make sure it’s not called Capolicy.inf.txt, (or it wont work).

Launch Server Manager > Manage > Add Roles and Features.

Role Based >  Next > Select the local server > Next  > Select ‘Active Directory Certificate Services’ > Add Features  > Next.

No other features are required > Next > Next > Certification Authority > Next.

Next > Next > Close.

Configure Active Directory Certificate Services.

Accept the default (local administrator) > Next > Certification Authority > Next.

Stanalone CA > Next > Root CA > Next.

Create a new private key > Next > Make sure the hash algorithm is SHA 256 (NOT SHA1) > Next.

Give the CA a sensible name > Next > Set the validity period (as mentioned above I’m going for 20 years) > Next.

All the default can now be accepted > Next > Next > Close.

Launch the Certification Authority Management console and make sure we have a green tick.

Now we need to ‘Stamp’ Certificates issued by this CA Server with some domain information, but we have no connection to the domain, so we need to do it manually. Open an administrative command window and execute the following commands;

Note: I want my SubCA certificate to be valid for 15 years, if you want longer/shorter then adjust the figures below

[box]

Certutil –setreg CA\DSConfigDN “CN=Configuration,DC=cabench,DC=com”

Certutil –setreg CA\CACertPublicationURLs “1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11\n2:http://pki.cabench.com/pki/%1_%3%4.crt”

Certutil –setreg CA\CRLPublicationURLs “1:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl\n10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10\n2:http://pki.cabench.com/pki/%3%8%9.crl”

Certutil –setreg CA\CRLPeriodUnits 52 

Certutil –setreg CA\CRLPeriod “Weeks” 

Certutil –setreg CA\CRLOverlapPeriodUnits 12 

Certutil –setreg CA\CRLOverlapPeriod “Hours” 

Certutil –setreg CA\ValidityPeriodUnits 15 

Certutil –setreg CA\ValidityPeriod “Years” 

Certutil –setreg CA\AuditFilter 127

net stop certsvc

net start certsvc

Certutil –crl

[/box]

Now my Offline Root server is not connected to a network, (because that’s best practice,) and as it’s a virtual machine the only way to get files from it is to use a virtual floppy drive, Im going to copy both my Root CA Certificate and CRL file to my floppy drive.

[box]Copy C:\Windows\System32\Certsrv\CertEnroll\*.* A:\[/box]

Now TAKE THESE FILES TO A DOMAIN JOINED MACHINE, and execute the following commands.

[box]

cd a:\
certutil -dspublish -f 01-Root-CA_ROOT-CA.crt RootCA
certutil –addstore –f root 01-Root-CA_ROOT-CA.crt
certutil –addstore –f root ROOT-CA.crl
certutil -dspublish  ROOT-CA.crl

[/box]

Note: These command publish the CA Certificate, (and its CRL) into Active Directory. You can see where, if you open the path shown in the example in ADSIEdit.msc (CN=Public Key Services, CN=Services, CN=Configuration, DC={forest root domain})

See Microsoft PKI Planning and Deploying Certificate Services Part 2

Related Articles, References, Credits, or External Links

NA

Upgrade Your Microsoft PKI Environment to SHA2 (SHA256)

KB ID 0001244 

Problem

This is pretty much PART TWO of two posts addressing the need to migrate away from SHA1 before February 2017. Back in PART ONE we looked at how to upgrade the ROOT CA. It does not matter if it’s an offline or online root CA the process is the same. In many organisations their PKI is multi tiered, they either have a RootCA <> SubCA, or a ROOTCA <> IntermediateCA <> IssuingCA. (which is actually two SubCA’s).

 

Below I’ll run though the process to upgrade the SubCA once the RootCA has already been done, Ill also look at how that’s going to affect things like NDES (Network Device Enrolment System).

Solution

Before we think about SubCA’s the RootCA needs to be upgraded first, if it’s offline bring it online and follow the steps outlined in the previous article.

Certificate Services – Migrate from SHA1 to SHA2 (SHA256)

So your RootCA will now look like this before we start;

Note: If it’s normally offline leave it on, (we need it to issue the SubCA certificate).

The command to change the CA from SHA1 to SHA256 is the same one we used on the RootCA, you will then need to restart the Certificate Services.

[box]

certutil -setreg ca\csp\CNGHashAlgorithm SHA256
net stop certsvc
net start certsvc

[/box]

As with the RootCA, we need to re-generate the CA certificate.

 

If your RootCA is online, and an Enterprise CA, you can submit the request directly to it, and skip the next few steps, but let’s take the ‘worst case’ scenario, and assume our Root CA is offline, (and even when online has no network connections) we have to do the submission manually, (via floppy disk).

Floppy Disks? What Year Is This? Well moving files between virtual machines is simple using virtual floppy disks, if you have physical machines, then you need to go hunting in drawers and cupboards!

Either way, we are doing this manually so select CANCEL.

 

Copy your certificate request from the root of the system drive to your floppy drive.

Then present the floppy to your RootCA, and issue the following command;

[box]

certreq -submit "A:\02-SUB-CA.cabench.com_cabench-02-SUB-CA-CA.req"

[/box]

You will be given a ‘RequestID‘, write it down, (you will need it in a minute). Leave the command window open!

In the Certificate Services Management Console > Open ‘Pending Requests’ > Locate the RequestID number you noted above, and issue the certificate.

Back at your command window, retrieve the certificate with the following command, (use the RequestID again);

[box]

certreq -retrieve 4 “A:\02-SUB-CA.cabench.com_cabench-02-SUB-CA-CA.crt

[/box]

 Take your floppy back to the SubCA, and install the certificate. (Change file types to ‘All Files’).

Now your SubCA is using a SHA256 certificate.

Repeat the process for any further SubCA’s

 

I Use NDES How Will That Be Affected?

 

Having had problems with certificates and NDES before, I was concerned about this the most, because I have to look after a lot of Cisco equipment, that gets certs from NDES, (or SCEP if you prefer). I’m happy to say NDES worked fine with SHA256 certificates. Below I successfully issued certs to a Cisco ASA (Running 9.2(4)).

 

Related Articles, References, Credits, or External Links

Certificate Services – Migrate from SHA1 to SHA2 (SHA256)

Windows Server 2012 – Install and Configure NDES

Cisco ASA – Enrolling for Certificates with NDES

Cisco IOS – Enrolling for Certificates with NDES