Some environments require specific certificate be installed on each server, by default the vSpace Management Center contains a self-signed certificate. This guide will walk the user through installing a Signed Certificate on the vSpace Management Center appliance.
Verify the network and DNS configuration
In order to replace the default self-signed certificate, you mush have your networks settings configured correctly, and the appliance must have a proper host and DNS domain name.
Set a proper DNS domain name:
The specified host name must be registered in and resolvable through the configured DNS domain name servers.
On the text-based user interface (TUI) press Alt-F2 to open second text console or connect to the virtual appliance with SSH via PUTTY and logon as ‘vmcadmin’ user. Use the same password you use while logging in as the ‘vmcadmin’ user to the vSpace Management Center’s web-based frontend.
Verify the network and DNS configuration of your VMC virtual appliance. Output of following commands must match the configuration which has been set up in the TUI:
Check the hostname by running the following command:
Checking fully-qualified domain name (FQDN; host name followed by DNS domain name):
Checking if DNS servers can resolve the FQDN to the static IP address configured on VMC appliance:
~]# hostname -s
~]# hostname -f
~]# hostname -i
Create a certificate signing request:
A certificate signing request must be created and sent to a Certification Authority, which will issue a signed SSL certificate. While creating the certificate signing request you will be asked to provide some information allowing identification of your company. Pay special attention when entering the Common Name. The FQDN of your VMC 3.7 virtual appliance must be entered as Common Name.
In your console or SSH session, type the following commands:
openssl req -new -key
/etc/pki/tls/private/localhost.key -out vmc.csr
[root@vmc37 ~]# cd /tmp
[root@vmc37 tmp]# openssl
req -new -key /etc/pki/tls/private/localhost.key -out vmc.csr
The output will look similar to this, insert your information in the text based prompts:
You are about to be asked to enter information that
will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished
Name or a DN.
There are quite a few fields but you can leave some
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:US
State or Province Name (full name) :California
Locality Name (eg, city) [Default City]:San Mateo
Organization Name (eg, company) [Default Company
Organizational Unit Name (eg, section) :NComputing
Common Name (eg, your name or your server's hostname)
Email Address :email@example.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password :.
An optional company name :.
With the following command you can verify the subject of the created certificate signing request. The CN (Common Name) field of the subject must match the FQDN of your VMC 3.7 appliance.
req -in /tmp/vmc.csr -subject -noout
Now the created certificate signing request (the vmc.csr file) must be provided to the Certification Authority of your choice for verification and signing. You can copy the /tmp/vmc.csr file using the SCP utility (the Secure Copy Program leveraging the SSH protocol; numerous SCP client applications exist for all popular operating systems). It is also possible to transfer the certificate signing request by copying and pasting the text information:
The output will be similar to:
[root@vmc37 tmp]# cat vmc.csr
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
Whole text between (and including) -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- needs to be selected and copied from the terminal program you use for accessing the Linux command prompt of your VMC 3.7 virtual appliance. The copied text needs to pasted to a text editor and saved to a file. Now the saved file contains the certificate signing request, which must be provided to the Certification Authority of your choice for verification and signing.
Issuing an SSL certificate using private
Certification Authority integrated with Active Directory
If you use a private Certification Authority integrated with Active Directory domain you can transfer the vmc.csr file to your domain controller and then invoke following command on Windows command prompt to issue the certificate:
On your Windows machine, open command prompt and run the following:
certreq -attrib "CertificateTemplate:webserver"
The certreq utility will ask to select a Certification Authority and then, if the process will finish successfully, to save the issued certificate into a file (let’s call the file vmc.cer). The file contains the signed SSL certificate, which needs to be transferred back into your VMC 3.7 virtual appliance.
Installing the signed certificate:
The SCP utility can be used again to copy the certificate file to the /tmp folder on your virtual appliance. Copying and pasting text data is also possible. To transfer the certificate by copying and pasting the text data open the certificate file in Notepad, then select and copy the whole text including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. Do not modify the file! Then on the Linux command prompt of your VMC 3.7 virtual appliance do:
On the VMC appliance, either through SSH (PUTTY) or through console, run:
cat > /tmp/vmc.cer
paste the copied text data into the terminal program you use for accessing the Linux command prompt. Then press CTRL-D.
To verify the transferred certificate run the following command:
openssl x509 -in /tmp/vmc.cer -issuer -subject
-startdate -enddate –noout
The output should be similar to:
[root@vmc37 tmp]# openssl x509 -in /tmp/vmc.cer
-issuer -subject -startdate -enddate –noout
12:21:56 2015 GMT
12:21:56 2017 GMT
If everything is fine the signed SSL certificate can be copied to the final location:
chmod 600 /etc/pki/tls/certs/localhost.crt
Now it is enough to restart the VMC 3.7 virtual appliance to activate the new SSL certificate. If the system (or web browser) you use for accessing the web-based vSpace Management Center fronted is equipped with the root certificate of the Certification Authority you used for issuing the SSL server certificate, the browser will connect through HTTPS to the FQDN of your VMC virtual appliance without displaying any SSL or certificate related warnings: