Installing Signed Certificates into vSpace Management Center Appliance

Some environments require a specific certificate to be installed on each server. By default, the vSpace Management Center contains a self-signed certificate. This guide walks the user through installing a signed certificate on the vSpace Management Center appliance.

Verify the network and DNS configuration
To replace the default self-signed certificate, you must have your network settings configured correctly, and the appliance must have a proper host name and DNS domain name.


Set a proper DNS domain name:


The specified host name must be registered in and resolvable through the configured DNS domain name servers.

On the text-based user interface (TUI), press Alt-F2 to open a second text console, or connect to the virtual appliance over SSH using PuTTY, and log on as the ‘vmcadmin’ user. Use the same password you use when logging in as the ‘vmcadmin’ user to the vSpace Management Center’s web-based frontend.

Verify the network and DNS configuration of your VMC virtual appliance. The output of the following commands must match the configuration that has been set up in the TUI:

Check the hostname by running the following command:
hostname -s

Check the fully qualified domain name (FQDN; host name followed by DNS domain name):
hostname -f

Check that the DNS servers can resolve the FQDN to the static IP address configured on the VMC appliance:
hostname -i

For example:


[root@vmc37 ~]# hostname -s
vmc37
[root@vmc37 ~]# hostname -f
vmc37.nc-hdx.local
[root@vmc37 ~]# hostname -i
10.0.0.93


Create a certificate signing request:
A certificate signing request must be created and sent to a Certification Authority, which will issue a signed SSL certificate. While creating the certificate signing request, you will be asked to provide some information that identifies your company. Pay special attention when entering the Common Name: the FQDN of your VMC 3.7 virtual appliance must be entered as the Common Name.

In your console or SSH session, type the following commands:

cd /tmp

then

openssl req -new -key /etc/pki/tls/private/localhost.key -out vmc.csr

For example:

[root@vmc37 ~]# cd /tmp

[root@vmc37 tmp]# openssl req -new -key /etc/pki/tls/private/localhost.key -out vmc.csr

The output will look similar to the following. Enter your own information at the text-based prompts:


You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:California
Locality Name (eg, city) [Default City]:San Mateo
Organization Name (eg, company) [Default Company Ltd]:ZeroDesktop, Inc.
Organizational Unit Name (eg, section) []:NComputing
Common Name (eg, your name or your server's hostname) []:vmc37.nc-hdx.local
Email Address []:someuser@ncomputing.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:.
An optional company name []:.


With the following command you can verify the subject of the created certificate signing request. The CN (Common Name) field of the subject must match the FQDN of your VMC 3.7 appliance.


openssl req -in /tmp/vmc.csr -subject -noout


Now the created certificate signing request (the vmc.csr file) must be provided to the Certification Authority of your choice for verification and signing. You can copy the /tmp/vmc.csr file using the SCP utility (the Secure Copy Program leveraging the SSH protocol; numerous SCP client applications exist for all popular operating systems). It is also possible to transfer the certificate signing request by copying and pasting the text information:

cat /tmp/vmc.csr

The output will be similar to:

[root@vmc37 tmp]# cat vmc.csr
-----BEGIN CERTIFICATE REQUEST-----


-----END CERTIFICATE REQUEST-----

The whole text between (and including) -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- needs to be selected and copied from the terminal program you use for accessing the Linux command prompt of your VMC 3.7 virtual appliance. The copied text needs to be pasted into a text editor and saved to a file. The saved file now contains the certificate signing request, which must be provided to the Certification Authority of your choice for verification and signing.

Issuing an SSL certificate using private Certification Authority integrated with Active Directory
If you use a private Certification Authority integrated with an Active Directory domain, you can transfer the vmc.csr file to your domain controller and then run the following command at the Windows command prompt to issue the certificate:

On your Windows machine, open a command prompt and run the following:
certreq -attrib "CertificateTemplate:webserver" -submit vmc.csr

The certreq utility will ask you to select a Certification Authority and then, if the process finishes successfully, to save the issued certificate to a file (let’s call the file vmc.cer). The file contains the signed SSL certificate, which needs to be transferred back to your VMC 3.7 virtual appliance.

Installing the signed certificate:

The SCP utility can be used again to copy the certificate file to the /tmp folder on your virtual appliance. Copying and pasting text data is also possible. To transfer the certificate by copying and pasting the text data, open the certificate file in Notepad, then select and copy the whole text, including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. Do not modify the file! Then continue on the Linux command prompt of your VMC 3.7 virtual appliance.

On the VMC appliance, either through SSH (PuTTY) or through the console, run:


cat > /tmp/vmc.cer

Paste the copied text data into the terminal program you use for accessing the Linux command prompt. Then press CTRL-D.

To verify the transferred certificate run the following command:
openssl x509 -in /tmp/vmc.cer -issuer -subject -startdate -enddate -noout

The output should be similar to:

[root@vmc37 tmp]# openssl x509 -in /tmp/vmc.cer -issuer -subject -startdate -enddate -noout
issuer= /DC=local/DC=nc-hdx/CN=nc-hdx-DC-CA
subject= /C=US/ST=California/L=San Mateo/O=ZeroDesktop, Inc./OU=NComputing/CN=vmc37.nc-hdx.local/emailAddress=someuser@ncomputing.com
notBefore=Jul  3 12:21:56 2015 GMT
notAfter=Jul  2 12:21:56 2017 GMT
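
Before replacing localhost.crt, it is worth confirming that the issued certificate pairs with the private key used for the CSR, carries the appliance FQDN as its CN, and has not expired. The script below is an added example, not part of the original article or of NComputing tooling; the function names check_signed_cert and make_sample are hypothetical, and the demo runs on a constructed throwaway key and self-signed certificate.

```shell
#!/bin/sh
# Added example: pre-install check for the signed certificate.
# check_signed_cert CERT KEY FQDN  -> returns 0 only if every check passes.
check_signed_cert() {
    cert=$1; key=$2; fqdn=$3; rc=0

    # 1. The certificate must carry the public key belonging to the private
    #    key that produced the CSR, or the web server cannot use the pair.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: certificate does not match private key $key" >&2; rc=1
    fi

    # 2. The subject CN must equal the appliance FQDN (hostname -f).
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt multiline 2>/dev/null |
         sed -n 's/^ *commonName *= *//p')
    if [ "$cn" != "$fqdn" ]; then
        echo "FAIL: CN '$cn' differs from FQDN '$fqdn'" >&2; rc=1
    fi

    # 3. The certificate must not already be expired.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: certificate is expired or unreadable" >&2; rc=1
    fi
    return $rc
}

# Constructed sample (hypothetical helper): a throwaway key and self-signed
# certificate standing in for localhost.key and the CA-issued vmc.cer.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/localhost.key" -out "$1/vmc.cer" 2>/dev/null
}

# Demo on constructed data. On the appliance the call would be:
#   check_signed_cert /tmp/vmc.cer /etc/pki/tls/private/localhost.key "$(hostname -f)"
tmp=$(mktemp -d)
make_sample "$tmp" vmc37.nc-hdx.local
check_signed_cert "$tmp/vmc.cer" "$tmp/localhost.key" vmc37.nc-hdx.local &&
    echo "OK to install"
rm -rf "$tmp"
```

A non-zero return means the mv commands should not be run until the reported mismatch is resolved.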


If everything is fine, the signed SSL certificate can be copied to the final location:

mv /etc/pki/tls/certs/localhost.crt /etc/pki/tls/certs/localhost.crt.self-signed

mv /tmp/vmc.cer /etc/pki/tls/certs/localhost.crt

chmod 600 /etc/pki/tls/certs/localhost.crt


Now it is enough to restart the VMC 3.7 virtual appliance to activate the new SSL certificate. If the system (or web browser) you use for accessing the web-based vSpace Management Center frontend is equipped with the root certificate of the Certification Authority you used for issuing the SSL server certificate, the browser will connect through HTTPS to the FQDN of your VMC virtual appliance without displaying any SSL or certificate-related warnings.






Article: 1018