vCenter HA: Replace Certificates for Platform Services Controllers

***UPDATED***

This post is part of a series on deploying Highly Available vCenter and Platform Services Controllers.

Part 1: vCenter HA: Deploy External Platform Services Controller

Part 2: vCenter HA: Configure NetScaler for External Platform Services Controllers

Part 3: vCenter HA: Replace Certificates for Platform Services Controllers

Part 4: vCenter HA: Connect Platform Services Controllers to Active Directory

Part 5: vCenter HA: Deploy vCenter

Part 6: vCenter HA: Replace Certificates for vCenter

Part 7: vCenter HA: License vCenter

Part 8: vCenter HA: Add and Configure Hosts and Clusters

Part 9: vCenter HA: Add and Configure Datastores and Datastore Clusters

Part 10: vCenter HA: Add and Configure Distributed Switches

Part 11: vCenter HA: Configure vCenter HA

Part 12+: Advanced Tasks (Coming soon)


In this section, we are going to create CSRs, request certificates, and replace them on our Platform Services Controllers. You will need some kind of certificate authority available in your environment; we will go over using a Microsoft CA to issue certificates. There is a KB article about how to configure this, but it doesn’t exactly work. Use this post instead: Configure Microsoft CA Templates for VMware with SHA2-256

If you don’t have SHA2 then shame on you. You should get on it. Even if you replace your certificates with SHA1, you will still receive those pesky weak key errors in Chrome and Firefox. IE hasn’t deprecated SHA1, but it’s coming from what I understand.

You will need to download OpenSSL for Windows (unless you are using Linux).

Here is the link for Windows: Win32 OpenSSL

Go ahead and download either the 32-bit or 64-bit Light version of 1.1.0e. Once it is downloaded, go ahead and install it.

Now that you have your Certificate Authority and OpenSSL ready to go, we will begin.


Here is an example config for OpenSSL: psca.cfg

Download the example and modify it for your FQDNs for the servers and VIP.

Save the file to your OpenSSL\bin directory.

Open a command prompt and run the following command:


openssl req -new -nodes -out psca.csr -newkey rsa:2048 -keyout psca.key -config psca.cfg

This will generate the CSR (psca.csr) and the unencrypted private key file (psca.key). Keep the key file safe; it is not password protected.

Submit this CSR to your CA and download the received certificate in Base64 format.

You will also need the Root/Intermediate Certificates in Base64 as well.


Use putty to SSH into your appliance. You can download it HERE.

Enter your root username/password.

You will land in a special command shell for the appliance (the appliance shell). You will need to type shell to get to a bash shell.

At this point, you need to copy the files to the server, but there is a problem. The special command shell is the default shell for the root user, so SCP clients such as WinSCP cannot log in as root.

Type this command to make bash the default shell for root: chsh -s "/bin/bash" root

Create a new directory for the files using this command:  mkdir /certs

Now you can use WinSCP or another client to upload the files.

You should have three files in the directory now:

psca.crt

psca.key

rootca64.crt

Now you have to make a chain certificate for the server certificate.

cat /certs/psca.crt >> /certs/pscachain.crt
cat /certs/rootca64.crt >> /certs/pscachain.crt

Use this pscachain.crt instead of the psca.crt. This will prevent you from getting “Server chain not verified” messages.

***Note: Microsoft CAs export as a .CER. You just need to change the file extension. CER (Windows) and CRT (Linux) can be used interchangeably.
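Before you hand pscachain.crt to certificate-manager, it is worth confirming that the issued certificate actually covers every name you will reach the PSCs by, that the key you are about to upload belongs to that certificate, and that the chain you built validates against the root. The script below is an added example, not code from this post or from VMware: it writes a request config in the shape of the post's psca.cfg (the real psca.cfg is a download and is not reproduced here), generates the CSR the same way the openssl req command above does, signs it with a throwaway lab root that stands in for the Microsoft CA, builds the chain file with the same leaf-then-root order as the two cat commands, and then runs the three checks. The VIP name psca.test.lab is from the post; the node names psca01.test.lab and psca02.test.lab and the "Test Lab Root CA" are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not code from the post): generate a SAN CSR in the shape of the
# post's psca.cfg step, sign it with a throwaway lab root standing in for the
# Microsoft CA, build pscachain.crt exactly as the post does (leaf, then root),
# and run the checks worth doing before handing the chain to certificate-manager.
# The VIP name is from the post; the node names and "Test Lab Root CA" are
# constructed for this demo.
set -e

WORK="${WORK:-$(mktemp -d)}"
VIP="psca.test.lab"
NODES="psca01.test.lab psca02.test.lab"   # assumed node FQDNs

# Request config with a subjectAltName covering the VIP and both nodes.
# TLS clients match the SAN, so a cert with only CN=VIP fails on the nodes.
write_req_config() {
  alts="DNS:$VIP"
  for n in $NODES; do alts="$alts,DNS:$n"; done
  cat > "$WORK/psca.cfg" <<EOF
[ req ]
default_bits = 2048
default_md = sha256
prompt = no
distinguished_name = dn
req_extensions = v3_req

[ dn ]
CN = $VIP
O = Test Lab
C = US

[ v3_req ]
subjectAltName = $alts
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
EOF
}

# The post's openssl req step: CSR plus unencrypted key (-nodes).
make_csr() {
  openssl req -new -nodes -newkey rsa:2048 -keyout "$WORK/psca.key" \
    -out "$WORK/psca.csr" -config "$WORK/psca.cfg" 2>/dev/null
}

# Stand-in for the enterprise CA: a self-signed root, then sign the CSR, copying
# the requested v3_req extensions (SANs included) into the issued certificate.
make_lab_ca() {
  openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 30 \
    -subj "/CN=Test Lab Root CA" -keyout "$WORK/rootca.key" \
    -out "$WORK/rootca64.crt" 2>/dev/null
}
sign_csr() {
  openssl x509 -req -in "$WORK/psca.csr" -CA "$WORK/rootca64.crt" \
    -CAkey "$WORK/rootca.key" -CAcreateserial -days 30 -sha256 \
    -extfile "$WORK/psca.cfg" -extensions v3_req -out "$WORK/psca.crt" 2>/dev/null
}

# Same as the post's two cat commands: leaf first, issuing root appended.
build_chain() {
  cat "$WORK/psca.crt" "$WORK/rootca64.crt" > "$WORK/pscachain.crt"
}

# Check 1: every FQDN you will reach the PSCs by is present in the SAN.
cert_has_sans() {
  text=$(openssl x509 -in "$WORK/psca.crt" -noout -text)
  for n in $VIP $NODES; do
    printf '%s\n' "$text" | grep -q "DNS:$n" || return 1
  done
}

# Check 2: the key file really belongs to the certificate (same public key).
# Pass a different key path as $1 to see the check fail.
key_matches_cert() {
  key="${1:-$WORK/psca.key}"
  a=$(openssl x509 -in "$WORK/psca.crt" -noout -pubkey | openssl sha256)
  b=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Check 3: the leaf in pscachain.crt validates against the root you upload,
# which is what a "Server chain not verified" message is complaining about.
chain_verifies() {
  openssl verify -CAfile "$WORK/rootca64.crt" "$WORK/pscachain.crt" >/dev/null 2>&1
}

# Run the whole flow; returns 0 only if all three pre-flight checks pass.
preflight() {
  write_req_config && make_csr && make_lab_ca && sign_csr && build_chain &&
    cert_has_sans && key_matches_cert && chain_verifies
}

if preflight; then
  echo "pre-flight OK: $WORK/pscachain.crt is ready for certificate-manager"
else
  echo "pre-flight FAILED, do not run certificate-manager yet" >&2
fi
```

Against a real CA, drop make_lab_ca and sign_csr, put the Base64 certificate you downloaded at $WORK/psca.crt and the Base64 root at $WORK/rootca64.crt, and run the three checks as they are; a failing key_matches_cert usually means the CSR was regenerated after the request was submitted.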


Once the files have been uploaded, run this command:

/usr/lib/vmware-vmca/bin/certificate-manager

Select Option 1.

You will be prompted for the SSO credentials.

Select Option 2.

This is what the process looks like at the command line:

At some point, this will finish and all of the services will have been restarted. Now you need to update the SSO config and the Endpoints.

I got the commands from here:  VMware KB: 2147384

Run these commands on both Platform Services Controllers:

cd /usr/lib/vmware-sso/bin

python updateSSOConfig.py --lb-fqdn=psca.test.lab


Run this command on one and wait for synchronization:

python UpdateLsEndpoint.py --lb-fqdn=psca.test.lab --user=administrator@vsphere.local --password=Pa\$\$w0rd

***Note: the KB says this should only be run on one, but that never worked for me. I had to do it on both.

No, I do not have a funky password. The $ is how you reference a variable in Bash, so you need to escape it for the password to pass through correctly.

Or you can just leave off the --password option and it will prompt you.

Now you need to verify that the endpoints have been successfully updated. You can do that by running these commands.


This command will return the site name:

python /usr/lib/vmidentity/tools/scripts/lstool.py get-site-id --url https://psc01.test.lab/lookupservice/sdk 2> /dev/null


Take that site name and plug it into this command:

python /usr/lib/vmidentity/tools/scripts/lstool.py list --url https://psc01.test.lab/lookupservice/sdk --site sitea --type cs.license | grep URL:

This command will return this output:

URL: https://psca02.test.lab:443/ls/ph/sdk
URL: https://psca02.test.lab:443/ls/sdk
URL: https://psca02.test.lab:443/ls/healthstatus
URL: https://psca02.test.lab:443/ls/resourcebundle
URL: https://psca.test.lab:443/ls/ph/sdk
URL: https://psca.test.lab:443/ls/sdk
URL: https://psca.test.lab:443/ls/healthstatus
URL: https://psca.test.lab:443/ls/resourcebundle

You can see that only half of the endpoints have been updated: the ones registered by the second appliance still carry its own FQDN instead of the VIP. You will need to run this same process on the other one.

Now run this command:

python /usr/lib/vmidentity/tools/scripts/lstool.py list --url https://psc01.test.lab/lookupservice/sdk --site sitea --type cs.identity | grep URL:

This command will return this output:

URL: https://psca02.test.lab/sts/STSService/vsphere.local
URL: https://psca02.test.lab/openidconnect/vsphere.local/.well-known/openid-configuration
URL: https://psca02.test.lab/websso/HealthStatus
URL: https://psca02.test.lab/websso/SAML2/Metadata/vsphere.local
URL: https://psca02.test.lab/sso-adminserver/idp
URL: https://psca02.test.lab/idm
URL: https://psca02.test.lab/sso-adminserver/sdk/vsphere.local
URL: https://psca02.test.lab/sso-adminserver/sdk/vsphere.local
URL: https://psca.test.lab/sts/STSService/vsphere.local
URL: https://psca.test.lab/openidconnect/vsphere.local/.well-known/openid-configuration
URL: https://psca.test.lab/websso/HealthStatus
URL: https://psca.test.lab/websso/SAML2/Metadata/vsphere.local
URL: https://psca.test.lab/sso-adminserver/idp
URL: https://psca.test.lab/idm
URL: https://psca.test.lab/sso-adminserver/sdk/vsphere.local
URL: https://psca.test.lab/sso-adminserver/sdk/vsphere.local

You can validate that the certificate has been successfully installed by pointing directly at the PSC01 in a browser.

Repeat these same steps on the second one. Your new output should look like this:

python /usr/lib/vmidentity/tools/scripts/lstool.py list --url https://psc01.test.lab/lookupservice/sdk --site sitea --type cs.license | grep URL:

URL: https://psca.test.lab:443/ls/ph/sdk
URL: https://psca.test.lab:443/ls/sdk
URL: https://psca.test.lab:443/ls/healthstatus
URL: https://psca.test.lab:443/ls/resourcebundle
URL: https://psca.test.lab:443/ls/ph/sdk
URL: https://psca.test.lab:443/ls/sdk
URL: https://psca.test.lab:443/ls/healthstatus
URL: https://psca.test.lab:443/ls/resourcebundle

python /usr/lib/vmidentity/tools/scripts/lstool.py list --url https://psc01.test.lab/lookupservice/sdk --site sitea --type cs.identity | grep URL:

URL: https://psca.test.lab/sts/STSService/vsphere.local
URL: https://psca.test.lab/openidconnect/vsphere.local/.well-known/openid-configuration
URL: https://psca.test.lab/websso/HealthStatus
URL: https://psca.test.lab/websso/SAML2/Metadata/vsphere.local
URL: https://psca.test.lab/sso-adminserver/idp
URL: https://psca.test.lab/idm
URL: https://psca.test.lab/sso-adminserver/sdk/vsphere.local
URL: https://psca.test.lab/sso-adminserver/sdk/vsphere.local
URL: https://psca.test.lab/sts/STSService/vsphere.local
URL: https://psca.test.lab/openidconnect/vsphere.local/.well-known/openid-configuration
URL: https://psca.test.lab/websso/HealthStatus
URL: https://psca.test.lab/websso/SAML2/Metadata/vsphere.local
URL: https://psca.test.lab/sso-adminserver/idp
URL: https://psca.test.lab/idm
URL: https://psca.test.lab/sso-adminserver/sdk/vsphere.local
URL: https://psca.test.lab/sso-adminserver/sdk/vsphere.local
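Eyeballing sixteen URLs twice per listing is error prone, and a single endpoint left on a node name is enough for a client to hit an untrusted certificate once that node is behind the load balancer. The script below is an added example, not code from this post or from VMware: it reads the "| grep URL:" output of the lstool.py list commands above and reports which hosts still own registrations and which URLs do not carry the load-balanced FQDN. The sample lines are constructed to mirror the half-updated and fully updated states shown in the post; on a live system, pipe the lstool.py output into stale_endpoints instead.

```shell
#!/bin/sh
# Added example (not from the post or VMware): scan the "| grep URL:" output of
# the post's lstool.py list commands and report endpoints that still point at an
# individual PSC instead of the load-balanced FQDN. The sample lines below are
# constructed to mirror the half-updated and fully updated states in the post.
set -e

LB_FQDN="psca.test.lab"

# Constructed sample: one PSC updated (psca.test.lab), one not (psca02.test.lab).
SAMPLE_HALF='URL: https://psca02.test.lab:443/ls/sdk
URL: https://psca02.test.lab:443/ls/healthstatus
URL: https://psca.test.lab:443/ls/sdk
URL: https://psca.test.lab:443/ls/healthstatus
URL: https://psca02.test.lab/sts/STSService/vsphere.local
URL: https://psca.test.lab/sts/STSService/vsphere.local'

# Constructed sample: both PSCs updated, every URL carries the LB name.
SAMPLE_DONE='URL: https://psca.test.lab:443/ls/sdk
URL: https://psca.test.lab:443/ls/healthstatus
URL: https://psca.test.lab/sts/STSService/vsphere.local
URL: https://psca.test.lab/sts/STSService/vsphere.local'

# Print the host part of every "URL: scheme://host[:port]/path" line on stdin.
endpoint_hosts() {
  sed -n 's#^URL: *[a-z]*://\([^/:]*\).*#\1#p'
}

# Print the URLs on stdin whose host is not the expected LB FQDN ($1).
stale_endpoints() {
  awk -v lb="$1" '
    /^URL:/ {
      host = $2
      sub(/^[a-z]+:\/\//, "", host)   # strip scheme
      sub(/[:\/].*$/, "", host)       # strip port and path
      if (host != lb) print $2
    }'
}

# Number of stale URLs on stdin; 0 means the endpoint update is complete.
stale_count() {
  stale_endpoints "$1" | wc -l | tr -d ' '
}

# Summary worth looking at after each UpdateLsEndpoint.py run: how many
# registrations each host still owns.
report() {
  echo "registrations per host:"
  endpoint_hosts | sort | uniq -c
}

printf '%s\n' "$SAMPLE_HALF" | report
echo "stale endpoints (expected host $LB_FQDN):"
printf '%s\n' "$SAMPLE_HALF" | stale_endpoints "$LB_FQDN"
```

On the appliance you would run it as `python /usr/lib/vmidentity/tools/scripts/lstool.py list ... | grep URL: | stale_endpoints psca.test.lab` for both the cs.license and cs.identity types; an empty result for both is the condition the post describes as all endpoints showing the VIP.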

Now you should be able to hit both of your Platform Services Controllers as well as the VIP and show a successful certificate.

Next Post: vCenter HA: Connect Platform Services Controllers to Active Directory
