A couple of weeks ago I was working on some audit internally, and I discovered we had some vSphere servers working with self generated certificates. While these servers were un-managed servers (esxi free license servers), they still needed certificates, as it is the case with such servers, they are “critical”, just not critical enough to warrant licenses :).
The “problem’ with vSphere certificates is that they have to be generated using OpenSSL and you cannot generate them using Windows tools like, certreq. With certreq you could potentially have done this process much easier. Also there is an issue with using the request files given out by OpenSSL as it does not have template information written in it, and the Windows CA cannot generate a certificate if it does not know which kind of certificate you want.
I trawled the internet for ways to automate this, and I didn’t find an end to end solution for certificate generation. I only found bits and pieces, and people were writing how to do each certificate one by one. This didn’t sit well with me, and looking at the workflows I discovered there was really no point not having a script that does “it” automatically. I will define what “it’ is, by making a short description of the steps required for generating a vSphere certificate:
- Generate CSR file and key file using OpenSSL
- Submit CSR file to certification authority
- Retrieve response from certification authority
- Rename certificate file and key file and upload to vSphere host
Some notes regarding the setup in which this would work:
- I used Powershell to automate this, so this won’t work on other platforms.
- I used a Windows 2008 R2 PKI CA with a “Web Server” Template.
- The CA also had automatic approval for this type of certificate (which made automating the response retrieval easier)
- User running this script needs to have the right to request/issue the given certificate template, also should be local admin on the box you are running the script, otherwise you would have to modify script to run some parts of the commands with “runas”
I used a preexisting script to get started, the one for certificate mass generation from valcolabs.com, found here.
What differs from the way they did it, is that I’ve changed the way variables are passed for building the “config file”, and the fact that each CSR has its own config file, specified on command line. This will help you track your work better for troubleshooting purposes. Something that should be noted is that their script, and also mine, use a special openssl config file, in the sense that the lines to be modified by the script are numbered, not searched in the file, so beware of making changes to the “custom_openssl.cfg” file. It could have probably been more elegant to search for the lines in the file, but I didn’t want to spend time getting it to work.
The download link for the script I built is this one; Generate-vSphere-Cert, below you will find some explanations on how it works.
The script takes some parameters as input (get some of them wrong and your script might not work as intended or quit)
a) vSphereHostFile – is a CSV file that must contain the host name and domain name in 2 separate columns.
b) CAMachineName_CAName is the name of your CA in the format (hostname\display name)
c) TemplateName is the name of the certificate template you want to use for certificate generation, as defined on your CA
Lines 32 – 44 you should change the variables there to match your requirements (different paths, different location, country, email, company, etc). There is room for improvement here, you can include this info in the csv file, useful for creating certificates for multiple companies, with different contact information.
Lines 49 – 73 – build out a folder structure, one folder per host where all host files will be stored. Also builds CN, SAN’s (Subject Alternate Names) – you may wish to customize what you add here. I added short name, FQDN, i left out IP address as that can change more easily than the name.
Lines 80-97 – use a temporary file from the original openssl config file containing the parameters we setup until now – this piece of code uses numbered lines, so if you make changes to the original file, change the line numbers here)
Lines 99-104 – build out the file/paths to generate a CSR with openssl. The command i used is slightly different than the ones on the internet, I needed a special length for the RSA, so I used:
"$openssldir\openssl.exe req -newkey rsa:2048 -out $csr -keyout $key -config $config"
Lines 109-114 – build paths for files to send/receive to/from the Windows CA. I also used something “unusual” (as in, not your first page results on google search) which is specifying the CAName and Template name.
The CA name is needed so you do not get a prompt each time certreq is invoked.
The certificate template is specified using the attrib parameter, the missing piece of my “how to automate” CSR submitting, see below:
$ConfigString = """$CAMachineName_CAName""" $attrib = "CertificateTemplate:$TemplateName" $issuecerts_cmd = "certreq -submit -attrib $attrib -config $ConfigString $csr $crt $p7b $rsp "
Lines 117-122 – Unless you use this script for automating creation of vCenter Certificates, you can comment these lines out. They generate a PFX certificate which is required with vCenter. PFX certificates are not not required for vSphere host certificates.
The next step to automation would be to upload these files to your vSphere host. I used this script here and changed some paths to suit my folder structure. You can also use SCP or other methods to upload the file. After the files are uploaded you need to reboot the host for the certificates to take effect.
As always with these scripts, do your best to try them in a test environment before unleashing them into production. You are dealing with Certification Authorities and your vSphere hosts. Failure to upload a correct certificate to the hosts will result in you not being able to connect with vSphere Client, and having to go to console (NOT SSH) and regenerate self signed certificate.
I hope this was a useful read, comments and critique are open, as always.