-
【vSphere 8 自签名 VMCA 证书】企业 CA 签名证书替换 vSphere VMCA CA 证书Ⅰ—— 生成 CSR
替换拓扑图
证书关系示意图
本系列博文要实现的拓扑是
说明 & 关联博文
因为使用企业 CA 直接替换 vSphere VMCA CA 证书步骤较多且繁琐,为了内容关联性和可读性,关于第二篇自签名证书系列的博文,博主分为3篇,这是第一篇,剩余2篇会陆续发布。
本篇博文主要描述了如何在 vCenter Server 系统中使用实用工具 certificate-manager 为 VMCA 生成自签名证书需要的证书签名请求 CSR 和 Key。适用的 vSphere 版本为 vSphere 7.0.x 和 vSphere 8.0.x
1.企业 CA 签名证书替换 vSphere VMCA CA 证书Ⅰ—— 生成 CSR
2.企业 CA 签名证书替换 vSphere VMCA CA 证书Ⅱ—— 创建和添加证书模板
3.企业 CA 签名证书替换 vSphere VMCA CA 证书Ⅲ—— 颁发自签名与替换 VMCA 证书1. 默认证书截图
在替换 vSphere 默认 Machine SSL证书前,我们通过 vSphere Client 确认该证书的信息。
登录 vSphere Client,Menu > Administration > Certificastes > Certificate Management,找到 VMware Certificate Authority,点击VIEW DETAILS
找到可信根证书,点击VIEW DETAILS
2. 使用 certificate-manager 生成CSR
2.1 创建存放CSR的目录
如果不创建特定目录,在后续步骤指定目录时必须要指定已存在目录,否则程序会报错。
mkdir /root/vmca- 1
2.2 记录PNID和IP
# 获取VC PNID /usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost # 获取IP地址 ip address- 1
- 2
- 3
- 4
2.3 生成CSR
关于参数值的含义请参考
root@vc7-3 [ ~ ]# /usr/lib/vmware-vmca/bin/certificate-manager _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | | | *** Welcome to the vSphere 8.0 Certificate Manager *** | | | | -- Select Operation -- | | | | 1. Replace Machine SSL certificate with Custom Certificate | | | | 2. Replace VMCA Root certificate with Custom Signing | | Certificate and replace all Certificates | | | | 3. Replace Machine SSL certificate with VMCA Certificate | | | | 4. Regenerate a new VMCA Root Certificate and | | replace all certificates | | | | 5. Replace Solution user certificates with | | Custom Certificate | | NOTE: Solution user certs will be deprecated in a future | | release of vCenter. Refer to release notes for more details.| | | | 6. Replace Solution user certificates with VMCA certificates | | | | 7. Revert last performed operation by re-publishing old | | certificates | | | | 8. Reset all Certificates | |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _| Note : Use Ctrl-D to exit. Option[1 to 8]: 2 Do you wish to generate all certificates using configuration file : Option[Y/N] ? : Y Please provide valid SSO and VC privileged user credential to perform certificate operations. Enter username [Administrator@vsphere.local]: Enter password: Please configure certool.cfg with proper values before proceeding to next step. Press Enter key to skip optional parameters or use Default value. Enter proper value for 'Country' [Default value : US] : CN Enter proper value for 'Name' [Default value : CA] : Enter proper value for 'Organization' [Default value : VMware] : Enter proper value for 'OrgUnit' [optional] : GSS Enter proper value for 'State' [Default value : California] : Beijing Enter proper value for 'Locality' [Default value : Palo Alto] : Beijing Enter proper value for 'IPAddress' (Provide comma separated values for multiple IP addresses) [optional] : 192.168.1.3 Enter proper value for 'Email' [Default value : email@acme.com] : Enter proper value for 'Hostname' (Provide comma separated values for multiple Hostname entries) [Enter valid Fully Qualified Domain Name(FQDN), For Example : example.domain.com] : vc7-3.yz.local Enter proper value for VMCA 'Name' :vc7-3.yz.local 1. Generate Certificate Signing Request(s) and Key(s) for VMCA Root Signing certificate 2. Import custom certificate(s) and key(s) to replace existing VMCA Root Signing certificate Option [1 or 2]: 1 Please provide a directory location to write the CSR(s) and PrivateKey(s) to: Output directory path: /root/vmca 2023-10-18T03:14:07.090Z Running command: ['/usr/lib/vmware-vmca/bin/certool', '--genkey', '--privkey', '/root/vmca/vmca_issued_key.key', '--pubkey', '/tmp/pubkey.pub'] 2023-10-18T03:14:10.272Z Done running command 2023-10-18T03:14:10.273Z Running command: ['/usr/lib/vmware-vmca/bin/certool', '--gencacsr', '--privkey', '/root/vmca/vmca_issued_key.key', '--pubkey', '/tmp/pubkey.pub', '--config', '/var/tmp/vmware/certool.cfg', '--csrfile', '/root/vmca/vmca_issued_csr.csr'] 2023-10-18T03:14:13.388Z Done running command CSR generated at: /root/vmca/vmca_issued_csr.csr 1. Continue to importing Custom certificate(s) and key(s) for VMCA Root Signing certificate 2. Exit certificate-manager Option [1 or 2]: 2 root@vc7-3 [ ~ ]#- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 76
- 77
- 78
- 79
- 80
蓝色框是shell命令,红色实线框为必填项,红色虚线框为选填框。
2.4 验证CSR
cd /root/vmca ls- 1
- 2
关联博文
1.企业 CA 签名证书替换 vSphere VMCA CA 证书Ⅰ—— 生成 CSR
2.企业 CA 签名证书替换 vSphere VMCA CA 证书Ⅱ—— 创建和添加证书模板
3.企业 CA 签名证书替换 vSphere VMCA CA 证书Ⅲ—— 颁发自签名与替换 VMCA 证书参考资料
- 博文封面图片来自: https://blogs.vmware.com/vsphere/2019/06/10-things-about-vsphere-certificate-management.html
-
相关阅读:
PostgreSQL数据类型——范围类型
方舟生存进化开服需要多少钱
vue 如何判断元素内容是否超过宽度的方式
SpringMVC
如何给运行中的容器添加--restart=always
镜头之滤光片---关于日夜两用双通滤光片
2024.2.25 -ElasticSearch 进阶
矿山运营攻略:提高生产效率,这点至关重要
21条最好实践,从实际全面保障 GitHub 使用安全,你必须要知道的哦
HTML入门篇---01常用标签
- 原文地址:https://blog.csdn.net/NOWSHUT/article/details/133952421