https://blogs.vmware.com/consulting/2015/10/vmware-certificate-authority-part-3.html
--------
In the last blog, I left off right after the architecture discussion. To be honest, this was not because I wanted to, but because I couldn't say anything more about it at the time. As of September 10, vSphere 6.0 Update 1 has been released with some fantastic new features in this area that make the configuration of customized certificates even easier. What is shown here is a tech preview; however, it shows the direction that development is headed in the future. It is amazing when things just work out and, with a little bit of love, an incredibly complex area becomes much easier.
This release adds a UI for configuring the Platform Services Controller. The new interface can be accessed by navigating to:
https://psc.domain.com/psc
When you first navigate here, a first-time setup screen may be shown:
To set up the configuration, log in with a Single Sign-On administrator account; the actual setup then runs and completes in short order. On subsequent logins, the screen is plain and similar to the login of the vSphere Web Client:
As you can see, it provides a ton of new and great
functionality, including a GUI for installation of certificates! I will not be
talking about the other features except to say there is some pretty fantastic
content in there, including the single sign-on configuration, as well as appliance-specific
configurations. I only expect this to grow in the future, but it is definitely
amazing for a first start.
Let’s dig in to the certificate stuff.
Certificate Store
The Certificate Store link lists all of the certificate stores that exist on the VMware Certificate Authority system:
From here you can view the details of each store, and view, add or remove the individual entries within it:
This is very useful when troubleshooting a configuration, or for auditing and validating the different certificates that are trusted on the system.
Certificate Authority
Next up: the Certificate Authority option, which shows a
view similar to the following:
This area shows the Active, Revoked, Expired and Root
Certificate for the VMware Certificate Authority. It also provides the option
to be able to show details of each certificate for auditing or review purposes:
In addition to providing a review, the Root Certificate
Tab also allows the additional functionality of replacing the root certificate:
When you go here to do just that, you are prompted to input the new Certificate and Private Key:
Once processed, the new certificate shows up in the list.
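Before feeding a replacement root into that prompt, it is worth confirming that the PEM certificate and private key belong together and that the certificate is a usable, unexpired CA; the post notes further down that the installation fails if the root is not valid. The following pre-flight check is an added example written for this post, not VMware code and not part of the PSC UI; it assumes the openssl command-line tool is installed and that both files are PEM-encoded.

```shell
#!/bin/sh
# Pre-flight check for a VMCA root replacement candidate: the PEM certificate
# and private key that the Root Certificate tab asks for.
# Hypothetical helper (not part of the PSC UI); assumes the openssl CLI.
# Usage: check_root_candidate cert.pem key.pem   (exit status 0 = usable)
check_root_candidate() {
  cert="$1"; key="$2"

  # 1. The certificate must parse and must not already be expired.
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || {
    echo "FAIL: certificate unreadable or already expired"; return 1; }

  # 2. A root must assert basicConstraints CA:TRUE, or it cannot issue
  #    the machine and solution user certificates that hang off it.
  openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -q 'CA:TRUE' || {
    echo "FAIL: basicConstraints does not assert CA:TRUE"; return 1; }

  # 3. The private key must belong to this certificate: derive the public
  #    key from each side and compare the PEM output byte for byte.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || {
    echo "FAIL: private key unreadable"; return 1; }
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || {
    echo "FAIL: private key does not match certificate"; return 1; }

  echo "OK: $(openssl x509 -in "$cert" -noout -subject)"
  return 0
}

# Run directly as: sh check_root.sh cert.pem key.pem
if [ "$#" -eq 2 ]; then check_root_candidate "$1" "$2"; fi
```

The check deliberately stops at the first failure and prints a reason, so it can be dropped into a change-control runbook ahead of the UI step.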
Certificate Management
Finally, and by far the most complex, is the Certificate
Management screen. When you first click this, you will need to enter the single
sign-on credentials for the server you want to connect to. In this case, it is
to the local Platform Services Controller:
Once logged in the interface looks as follows:
Don’t worry, however, the user or server is not a one-time
thing and can be changed by clicking the logout button. This interface allows
the Machine Certificates and Solution User Certificates to be viewed, renewed
and changed as appropriate.
If the Renew button is clicked, the certificate is reissued by the VMware Certificate Authority.
Once complete, the following message is presented:
Replacing a certificate is similar to the process of replacing the root certificate:
Remember that the root certificate must be valid, or replaced first, or the installation will fail. Finally, the last screenshot I will show is the Solution Users screen:
The notable difference here is the Renew All button, which renews all of the solution user certificates at once.
This new interface for certificates is the start of something amazing, and I can't wait to see the continued development in the future. Although it is still a tech preview, from my own testing it seems to work very well. Of course, my environment is a pretty clean one; environments with more complexity can sometimes show unexpected results.
For further details on the exact steps you should take to replace the certificates (including all of the command line steps, which are still available as per my last blog), see Replacing default certificates with CA signed SSL certificates in vSphere 6.0 (VMware KB 2111219).
I hope this blog series has been useful to you – it is definitely
something I am passionate about so I can write about it for hours! I will be
writing next about my experiences at VMworld and hopefully to help address the
most common concerns I heard from customers while there.