Contents
- Summary
 - 6. Replacing the vSphere default SSL certificate with an SSL certificate issued by the enterprise CA
 - 6.1 Confirm the certificate files
 - 6.2 Replace the default vSphere certificate
 - 6.3 Verify the CA-signed certificate
 - 6.4 Additional notes
 
- Related posts
 - References
 
Summary
This post describes replacing the vSphere default Machine SSL certificate on vCenter Server 8 with a certificate issued by the enterprise CA, using the certificate-manager utility. The applicable vSphere versions are vSphere 7.0.x and vSphere 8.0.x.
6. Replacing the vSphere default SSL certificate with an SSL certificate issued by the enterprise CA
6.1 Confirm the certificate files
SSH into the VCSA and cd to the /root/machine_ssl directory; at this point the directory contains 4 files.

The three that are needed are:
- Custom certificate: machine_ssl.cer
 - Custom private key: vmca_issued_key.key
 - Signing (CA) certificate: root-64.cer
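
Before handing these three files to certificate-manager it is worth confirming that they belong together: a key that does not match the certificate, a CA file that did not actually sign it, an expired certificate, or a missing DNS SAN for the vCenter FQDN all end in a failed replacement or in a certificate that clients reject. The shell script below is an added example, not part of the original post and not VMware tooling; it assumes openssl on the PATH, reuses the post's file names, and builds a constructed demo CA and certificate (the FQDN vc7-3.example.local is made up) so that it runs offline. On a real VCSA you would run check_cert_bundle against the files in /root/machine_ssl instead of the demo directory.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks on the three
# files that certificate-manager asks for (custom Machine SSL certificate,
# its private key, and the enterprise CA signing certificate).
# File names follow the post; the FQDN and the demo PKI are constructed.

# cert_fingerprint CERT
# Prints the SHA-256 fingerprint of CERT; this is the value to compare with
# the thumbprint shown under VIEW DETAILS in the vSphere Client afterwards.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# check_cert_bundle CERT KEY CA FQDN
# Returns 0 only if: KEY is the private key for CERT, CERT chains to CA,
# CERT is not expired, and FQDN is listed as a DNS SAN in CERT.
check_cert_bundle() {
  cert=$1; key=$2; ca=$3; fqdn=$4
  for f in "$cert" "$key" "$ca"; do
    if [ ! -r "$f" ]; then echo "FAIL: cannot read $f" >&2; return 1; fi
  done
  # 1. key/cert match: the public key inside each must be identical
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: $key is not the private key of $cert" >&2; return 1
  fi
  # 2. chain: the CA file given to certificate-manager must really sign CERT
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "FAIL: $cert does not verify against $ca" >&2; return 1
  fi
  # 3. validity window (checkend 0 = not expired right now)
  if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
    echo "FAIL: $cert has expired" >&2; return 1
  fi
  # 4. the vCenter FQDN must be a DNS SAN, otherwise clients reject the name
  san=$(openssl x509 -in "$cert" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | tr ',' '\n' | sed 's/^ *//')
  if ! printf '%s\n' "$san" | grep -qx "DNS:$fqdn"; then
    echo "FAIL: SAN of $cert does not list DNS:$fqdn" >&2; return 1
  fi
  echo "OK: $cert / $key / $ca are consistent for $fqdn (sha256 $(cert_fingerprint "$cert"))"
  return 0
}

# make_demo_pki DIR FQDN
# Builds a constructed enterprise root CA and a vCenter certificate in DIR,
# using the post's file names, plus an unrelated wrong.key for the negative case.
make_demo_pki() {
  dir=$1; fqdn=$2
  mkdir -p "$dir"
  # constructed root CA; CA:TRUE is set explicitly so "openssl verify" accepts it
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Enterprise Root CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.csr" >/dev/null 2>&1
  openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 2 -sha256 \
    -extfile "$dir/ca.ext" -out "$dir/root-64.cer" >/dev/null 2>&1
  # Machine SSL certificate issued by that CA, with the FQDN as a DNS SAN
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$fqdn" > "$dir/san.ext"
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$fqdn" \
    -keyout "$dir/vmca_issued_key.key" -out "$dir/machine_ssl.csr" >/dev/null 2>&1
  openssl x509 -req -in "$dir/machine_ssl.csr" -CA "$dir/root-64.cer" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 2 -sha256 -extfile "$dir/san.ext" \
    -out "$dir/machine_ssl.cer" >/dev/null 2>&1
  # an unrelated key, to demonstrate the mismatch check
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/wrong.key" >/dev/null 2>&1
}

# Demo run; on a real VCSA point check_cert_bundle at /root/machine_ssl instead.
DEMO_DIR=${TMPDIR:-/tmp}/machine_ssl_demo.$$
DEMO_FQDN=vc7-3.example.local
make_demo_pki "$DEMO_DIR" "$DEMO_FQDN"
check_cert_bundle "$DEMO_DIR/machine_ssl.cer" "$DEMO_DIR/vmca_issued_key.key" \
  "$DEMO_DIR/root-64.cer" "$DEMO_FQDN"
if check_cert_bundle "$DEMO_DIR/machine_ssl.cer" "$DEMO_DIR/wrong.key" \
     "$DEMO_DIR/root-64.cer" "$DEMO_FQDN"; then
  echo "unexpected: an unrelated key was accepted"
fi
rm -rf "$DEMO_DIR"
```

The fingerprint printed on success is also what to compare, once the replacement is done, against what the appliance actually serves: `openssl s_client -connect <vcenter-fqdn>:443 </dev/null 2>/dev/null | openssl x509 -noout -fingerprint -sha256` should print the same value, and the issuer shown by `-issuer` should be the enterprise CA rather than the VMCA.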
 
6.2 Replace the default vSphere certificate
Run the certificate-manager tool again to replace the default certificate:
root@vc7-3 [ ~ ]# /usr/lib/vmware-vmca/bin/certificate-manager
                 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
|                                                                     |
|      *** Welcome to the vSphere 8.0 Certificate Manager  ***        |
|                                                                     |
|                   -- Select Operation --                            |
|                                                                     |
|      1. Replace Machine SSL certificate with Custom Certificate     |
|                                                                     |
|      2. Replace VMCA Root certificate with Custom Signing           |
|         Certificate and replace all Certificates                    |
|                                                                     |
|      3. Replace Machine SSL certificate with VMCA Certificate       |
|                                                                     |
|      4. Regenerate a new VMCA Root Certificate and                  |
|         replace all certificates                                    |
|                                                                     |
|      5. Replace Solution user certificates with                     |
|         Custom Certificate                                          |
|         NOTE: Solution user certs will be deprecated in a future    |
|         release of vCenter. Refer to release notes for more details.|
|                                                                     |
|      6. Replace Solution user certificates with VMCA certificates   |
|                                                                     |
|      7. Revert last performed operation by re-publishing old        |
|         certificates                                                |
|                                                                     |
|      8. Reset all Certificates                                      |
|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|
Note : Use Ctrl-D to exit.
Option[1 to 8]: 1
Please provide valid SSO and VC privileged user credential to perform certificate operations.
Enter username [Administrator@vsphere.local]:
Enter password:
1. Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate
2. Import custom certificate(s) and key(s) to replace existing Machine SSL certificate
Option [1 or 2]: 2
Please provide valid custom certificate for Machine SSL.
File : /root/machine_ssl/machine_ssl.cer
Please provide valid custom key for Machine SSL.
File : /root/machine_ssl/vmca_issued_key.key
Please provide the signing certificate of the Machine SSL certificate
File : /root/machine_ssl/root-64.cer
You are going to replace Machine SSL cert using custom cert
Continue operation : Option[Y/N] ? : Y
Command Output: /root/machine_ssl/machine_ssl.cer: OK
Status : 100% Completed [All tasks completed successfully]

At this point the SSL certificate replacement reports 100% Completed, with all tasks finished successfully.
6.3 Verify the CA-signed certificate
Log in to the vSphere Client, go to Menu > Administration > Certificates > Certificate Management, locate the Machine SSL Certificate and click VIEW DETAILS.

The Machine SSL certificate has now been replaced with one issued directly by the enterprise CA.
6.4 Additional notes
Only the Machine SSL certificate was replaced; the other VMCA-issued certificates still use the vSphere defaults.
Viewing the details of VMCA_ROOT_CERT under VMware Certificate Authority still shows VMware-related content:

Related posts
1. Replacing the vSphere Machine SSL certificate with an enterprise CA-signed certificate I: generating the CSR
 2. Replacing the vSphere Machine SSL certificate with an enterprise CA-signed certificate II: creating and adding the certificate template
 3. Replacing the vSphere Machine SSL certificate with an enterprise CA-signed certificate III: issuing the certificate and replacing it
 4. Replacing the vSphere Machine SSL certificate with an enterprise CA-signed certificate IV: replacing the default certificate
References
- Obtaining vSphere certificates from a Microsoft Certificate Authority (2112014)
 - Cover image from: https://blog.codavel.com/accepting-self-signed-certificates-in-okhttp3
 
