Installing Signed Certificates into vSpace Management Center Appliance

            Some environments require a specific certificate to be installed on each server. By default, the vSpace Management Center contains a self-signed certificate. This guide walks the user through installing a signed certificate on the vSpace Management Center appliance.

            Verify the network and DNS configuration
            In order to replace the default self-signed certificate, you must have your network settings configured correctly, and the appliance must have a proper host name and DNS domain name.


            Set a proper DNS domain name:


            The specified host name must be registered in and resolvable through the configured DNS domain name servers.

            On the text-based user interface (TUI), press Alt-F2 to open a second text console, or connect to the virtual appliance over SSH using PuTTY, and log on as the ‘vmcadmin’ user. Use the same password you use when logging in as the ‘vmcadmin’ user to the vSpace Management Center’s web-based frontend.

            Verify the network and DNS configuration of your VMC virtual appliance. The output of the following commands must match the configuration which has been set up in the TUI:

            Check the hostname by running the following command:
            hostname -s

            Check the fully-qualified domain name (FQDN; host name followed by DNS domain name):
            hostname -f

            Check that the DNS servers can resolve the FQDN to the static IP address configured on the VMC appliance:
            hostname -i

            For example:


            [root@vmc37 ~]# hostname -s
            vmc37
            [root@vmc37 ~]# hostname -f
            vmc37.nc-hdx.local
            [root@vmc37 ~]# hostname -i
            10.0.0.93


            Create a certificate signing request:
            A certificate signing request must be created and sent to a Certification Authority, which will issue a signed SSL certificate. While creating the certificate signing request you will be asked to provide some information allowing identification of your company. Pay special attention when entering the Common Name. The FQDN of your VMC 3.7 virtual appliance must be entered as Common Name.

            In your console or SSH session, type the following commands:

            cd /tmp

            then

            openssl req -new -key /etc/pki/tls/private/localhost.key -out vmc.csr

            For example:

            [root@vmc37 ~]# cd /tmp
            [root@vmc37 tmp]# openssl req -new -key /etc/pki/tls/private/localhost.key -out vmc.csr

            The output will look similar to this. Enter your information at the text-based prompts:


            You are about to be asked to enter information that will be incorporated
            into your certificate request.
            What you are about to enter is what is called a Distinguished Name or a DN.
            There are quite a few fields but you can leave some blank
            For some fields there will be a default value,
            If you enter '.', the field will be left blank.
            -----
            Country Name (2 letter code) [XX]:US
            State or Province Name (full name) []:California
            Locality Name (eg, city) [Default City]:San Mateo
            Organization Name (eg, company) [Default Company Ltd]:ZeroDesktop, Inc.
            Organizational Unit Name (eg, section) []:NComputing
            Common Name (eg, your name or your server's hostname) []:vmc37.nc-hdx.local
            Email Address []:someuser@ncomputing.com

            Please enter the following 'extra' attributes
            to be sent with your certificate request
            A challenge password []:.
            An optional company name []:.


            With the following command you can verify the subject of the created certificate signing request. The CN (Common Name) field of the subject must match the FQDN of your VMC 3.7 appliance.


            openssl req -in /tmp/vmc.csr -subject -noout


            Now the created certificate signing request (the vmc.csr file) must be provided to the Certification Authority of your choice for verification and signing. You can copy the /tmp/vmc.csr file using the SCP utility (the Secure Copy Program leveraging the SSH protocol; numerous SCP client applications exist for all popular operating systems). It is also possible to transfer the certificate signing request by copying and pasting the text information:

            cat /tmp/vmc.csr

            The output will be similar to:

            [root@vmc37 tmp]# cat vmc.csr

             

            -----BEGIN CERTIFICATE REQUEST-----

            ...

            -----END CERTIFICATE REQUEST-----

            The whole text between (and including) -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- needs to be selected and copied from the terminal program you use for accessing the Linux command prompt of your VMC 3.7 virtual appliance. The copied text needs to be pasted into a text editor and saved to a file. The saved file now contains the certificate signing request, which must be provided to the Certification Authority of your choice for verification and signing.

            Issuing an SSL certificate using private Certification Authority integrated with Active Directory
            If you use a private Certification Authority integrated with an Active Directory domain, you can transfer the vmc.csr file to your domain controller and then invoke the following command at the Windows command prompt to issue the certificate.

            On your Windows machine, open a command prompt and run the following:
            certreq -attrib "CertificateTemplate:webserver" -submit vmc.csr

            The certreq utility will ask you to select a Certification Authority and then, if the process finishes successfully, to save the issued certificate into a file (let’s call the file vmc.cer). The file contains the signed SSL certificate, which needs to be transferred back to your VMC 3.7 virtual appliance.

            Installing the signed certificate:

            The SCP utility can be used again to copy the certificate file to the /tmp folder on your virtual appliance. Copying and pasting the text data is also possible: open the certificate file in Notepad, then select and copy the whole text, including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. Do not modify the file!

            On the VMC appliance, either through SSH (PuTTY) or through the console, run:


            cat > /tmp/vmc.cer

            Paste the copied text data into the terminal program you use for accessing the Linux command prompt, then press CTRL-D.

            To verify the transferred certificate run the following command:
            openssl x509 -in /tmp/vmc.cer -issuer -subject -startdate -enddate -noout

            The output should be similar to:

            [root@vmc37 tmp]# openssl x509 -in /tmp/vmc.cer -issuer -subject -startdate -enddate -noout
            issuer= /DC=local/DC=nc-hdx/CN=nc-hdx-DC-CA
            subject= /C=US/ST=California/L=San Mateo/O=ZeroDesktop, Inc./OU=NComputing/CN=vmc37.nc-hdx.local/emailAddress=someuser@ncomputing.com
            notBefore=Jul  3 12:21:56 2015 GMT
            notAfter=Jul  2 12:21:56 2017 GMT
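
            The issuer, subject and date output above does not show whether the certificate was issued for the private key that created the CSR, and a certificate that does not match /etc/pki/tls/private/localhost.key cannot be used with it. The following added example (not part of the original article or of any vendor tooling) checks the key match, the CN and the expiry in one pass; the function names check_cert and make_sample and the throwaway sample key and certificate are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not vendor code): pre-install checks for an issued certificate.
# On the appliance the call would be:
#   check_cert /tmp/vmc.cer /etc/pki/tls/private/localhost.key "$(hostname -f)"

# check_cert CERT KEY FQDN: prints one line per check, returns 0 only if all pass.
check_cert() {
    local cert="$1" key="$2" fqdn="$3" rc=0 cert_pub key_pub cn
    # 1. The certificate must carry the public key of the key the CSR was made from.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        echo "OK   public key matches $key"
    else
        echo "FAIL certificate was not issued for $key"; rc=1
    fi
    # 2. The subject CN must be the appliance FQDN.
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt multiline 2>/dev/null |
         sed -n 's/^ *commonName *= *//p')
    if [ "$cn" = "$fqdn" ]; then
        echo "OK   CN is $fqdn"
    else
        echo "FAIL CN '$cn' is not $fqdn"; rc=1
    fi
    # 3. The certificate must not be past its notAfter date.
    if openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "OK   not expired"
    else
        echo "FAIL expired or unreadable"; rc=1
    fi
    return "$rc"
}

# Constructed sample data: a throwaway key and self-signed certificate stand in
# for localhost.key and the CA-issued vmc.cer; other.key is an unrelated key.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=vmc37.nc-hdx.local" \
        -keyout "$1/localhost.key" -out "$1/vmc.cer" 2>/dev/null
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
check_cert "$demo_dir/vmc.cer" "$demo_dir/localhost.key" vmc37.nc-hdx.local
check_cert "$demo_dir/vmc.cer" "$demo_dir/other.key" vmc37.nc-hdx.local ||
    echo "=> leave the self-signed certificate in place"
rm -rf "$demo_dir"
```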


            If everything is fine, the signed SSL certificate can be moved to its final location. The first command keeps the self-signed certificate under a new name:

            mv /etc/pki/tls/certs/localhost.crt /etc/pki/tls/certs/localhost.crt.self-signed

            mv /tmp/vmc.cer /etc/pki/tls/certs/localhost.crt

            chmod 600 /etc/pki/tls/certs/localhost.crt


            Now it is enough to restart the VMC 3.7 virtual appliance to activate the new SSL certificate. If the system (or web browser) you use for accessing the web-based vSpace Management Center frontend is equipped with the root certificate of the Certification Authority you used for issuing the SSL server certificate, the browser will connect through HTTPS to the FQDN of your VMC virtual appliance without displaying any SSL or certificate related warnings.






            Article: 1018

            Updated: 29 Aug 2016 01:31 AM