202009171058 Replacing SSL Certificates with vSphere Certificate Manager
3 years ago (2020-09-17) Author: iMoke Category: Original · Tech Views: 4291 Comments (1)
1. Preface
Anyone masochistic enough to run his own CA wants every certificate replaced with one of his own: once you trust your own CA, none of your services pops a certificate error.
Replacing the certificates on VC 6.0 last time was a huge pain, and now I have set up a VC 6.7 as well. Headache...
2. References
How to replace vCenter and ESXi certificates, by iMoke
How to Replace SSL Certificates Using vSphere Certificate Manager (2097936), official KB article
3. Getting started
From my own earlier article I knew there is a "certificate-manager" tool and that it is what replaces the certificates.
On the vCenter Linux appliance, the file is located at
/usr/lib/vmware-vmca/bin/certificate-manager
Following my earlier article (which, as it turned out, was a trap), I was supposed to create five certificates first and then import them one by one.
Tried everything, failed every time.
Searched through N Chinese articles; every one of them was nonsense.
Then I found the official KB and finally saw this passage:
Replace the VMCA certificate with a custom CA certificate (use option 2). In this environment, the default VMCA certificate and key are replaced with a custom CA certificate and key from an enterprise CA (such as a Microsoft Windows CA) or a commercial CA (Verisign, GoDaddy, etc.). VMCA is then used to generate new vSphere certificates, which are signed by the previously imported custom CA certificate and key. Outside vSphere, these VMCA-issued certificates are trusted.
My earlier approach was to prepare every certificate by hand and import them one at a time.
So why not replace the CA itself and let VMCA create the subordinate certificates automatically?
Here is the log, pasted as-is:
root@vc [ ~ ]# /usr/lib/vmware-vmca/bin/certificate-manager
 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
|                                                                     |
|      *** Welcome to the vSphere 6.7 Certificate Manager  ***        |
|                                                                     |
|                   -- Select Operation --                            |
|                                                                     |
|      1. Replace Machine SSL certificate with Custom Certificate     |
|                                                                     |
|      2. Replace VMCA Root certificate with Custom Signing           |
|         Certificate and replace all Certificates                    |
|                                                                     |
|      3. Replace Machine SSL certificate with VMCA Certificate       |
|                                                                     |
|      4. Regenerate a new VMCA Root Certificate and                  |
|         replace all certificates                                    |
|                                                                     |
|      5. Replace Solution user certificates with                     |
|         Custom Certificate                                          |
|                                                                     |
|      6. Replace Solution user certificates with VMCA certificates   |
|                                                                     |
|      7. Revert last performed operation by re-publishing old        |
|         certificates                                                |
|                                                                     |
|      8. Reset all Certificates                                      |
|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|
Note : Use Ctrl-D to exit.
Option[1 to 8]: 2
Do you wish to generate all certificates using configuration file : Option[Y/N] ? : Y
Please provide valid SSO and VC privileged user credential to perform certificate operations.
Enter username [Administrator@vsphere.local]:administrator@imoke.org
Enter password:
Please configure certool.cfg with proper values before proceeding to next step.
Press Enter key to skip optional parameters or use Default value.
Enter proper value for 'Country' [Default value : US] :
Enter proper value for 'Name' [Default value : CA] :
Enter proper value for 'Organization' [Default value : VMware] :
Enter proper value for 'OrgUnit' [Default value : VMware Engineering] :
Enter proper value for 'State' [Default value : California] :
Enter proper value for 'Locality' [Default value : Palo Alto] :
Enter proper value for 'IPAddress' (Provide comma separated values for multiple IP addresses) [optional] : 168.168.168.5
Enter proper value for 'Email' [Default value : email@acme.com] : imoke@mmoke.com
Enter proper value for 'Hostname' (Provide comma separated values for multiple Hostname entries) [Enter valid Fully Qualified Domain Name(FQDN), For Example : example.domain.com] : vc.imoke.org
Enter proper value for VMCA 'Name' :VMCA
1. Generate Certificate Signing Request(s) and Key(s) for VMCA Root Signing certificate
2. Import custom certificate(s) and key(s) to replace existing VMCA Root Signing certificate
Option [1 or 2]: 2
Please provide valid custom certificate for Root.
File : /root/vCenterTianbao.crt
Please provide valid custom key for Root.
File : /root/vCenterTianbao.key
You are going to replace Root Certificate with custom certificate and regenerate all other certificates
Continue operation : Option[Y/N] ? : Y
Get site name
Completed [Replacing Machine SSL Cert...]
default-site
Lookup all services
Get service default-site:4d7f8cad-114d-4d90-947b-467cec225e41
Update service default-site:4d7f8cad-114d-4d90-947b-467cec225e41; spec: /tmp/svcspec_axtek8d0
Get service default-site:e31474e1-0706-44d5-9766-0ef59559e68f
Update service default-site:e31474e1-0706-44d5-9766-0ef59559e68f; spec: /tmp/svcspec_3dya83s6
Get service default-site:03908339-b669-4a9f-bf87-b52345e06c51
Update service default-site:03908339-b669-4a9f-bf87-b52345e06c51; spec: /tmp/svcspec_jb_2w92c
Get service 35b9169e-6820-4e0c-a7b1-7c4bf0e1e8e1_authz
Update service 35b9169e-6820-4e0c-a7b1-7c4bf0e1e8e1_authz; spec: /tmp/svcspec_m26nk89y
Get service 35b9169e-6820-4e0c-a7b1-7c4bf0e1e8e1
Update service 35b9169e-6820-4e0c-a7b1-7c4bf0e1e8e1; spec: /tmp/svcspec_dygzh96u
Get service 3ff2351a-6c5b-4fb7-b264-6662454696cf
Update service 3ff2351a-6c5b-4fb7-b264-6662454696cf; spec: /tmp/svcspec_3ypwlche
Get service 9bfb642a-d3f9-4943-96ad-95ba217b5faa
Update service 9bfb642a-d3f9-4943-96ad-95ba217b5faa; spec: /tmp/svcspec_061uyt7q
Get service d6df6597-aed3-429e-9702-1bf17ecde79e
Update service d6df6597-aed3-429e-9702-1bf17ecde79e; spec: /tmp/svcspec_vaemgkfp
Get service 304e0c7e-4240-4e29-a9d1-2c992916f40c
Update service 304e0c7e-4240-4e29-a9d1-2c992916f40c; spec: /tmp/svcspec_f18gg5__
Get service ea17411f-3062-46dd-bd7c-87736fdc2a5d
Update service ea17411f-3062-46dd-bd7c-87736fdc2a5d; spec: /tmp/svcspec_yurmyqks
Get service c1eeee95-00c7-4c67-a284-99ea1b225936
Update service c1eeee95-00c7-4c67-a284-99ea1b225936; spec: /tmp/svcspec_5xwpqzmf
Get service c1eeee95-00c7-4c67-a284-99ea1b225936_com.vmware.vsphere.client
Don't update service c1eeee95-00c7-4c67-a284-99ea1b225936_com.vmware.vsphere.client
Get service c76a764e-7c23-43a0-92dd-e0c49ed45567
Update service c76a764e-7c23-43a0-92dd-e0c49ed45567; spec: /tmp/svcspec_s69fvcjv
Get service 35b9169e-6820-4e0c-a7b1-7c4bf0e1e8e1_kv
Update service 35b9169e-6820-4e0c-a7b1-7c4bf0e1e8e1_kv; spec: /tmp/svcspec_qyhy2led
Get service e7562c31-5b63-4789-89d3-dc7931fe1dc1
Update service e7562c31-5b63-4789-89d3-dc7931fe1dc1; spec: /tmp/svcspec_1k3eygrf
Get service 443335eb-0da3-495c-b391-350974bce354
Update service 443335eb-0da3-495c-b391-350974bce354; spec: /tmp/svcspec_d14bukfm
Get service bb6e758e-76c2-4250-ae99-06aa2243dd49
Update service bb6e758e-76c2-4250-ae99-06aa2243dd49; spec: /tmp/svcspec_8k3jnvt5
Get service 314e7a5d-5302-42c7-a251-befc8be0cb69
Update service 314e7a5d-5302-42c7-a251-befc8be0cb69; spec: /tmp/svcspec_sjjorr96
Get service ba0a9f7a-17c1-4681-8c60-a6aa1352eb37
Update service ba0a9f7a-17c1-4681-8c60-a6aa1352eb37; spec: /tmp/svcspec_t2yvo3fs
Get service efd85806-fe4a-4d8c-80c8-5f7d73a7f114
Update service efd85806-fe4a-4d8c-80c8-5f7d73a7f114; spec: /tmp/svcspec_39j6s84r
Get service 55245aa5-6e85-48d4-9526-58f200ebca9e
Update service 55245aa5-6e85-48d4-9526-58f200ebca9e; spec: /tmp/svcspec_1avpyqfz
Get service c07b67fb-d265-4e85-b84d-7010dd821fd2
Update service c07b67fb-d265-4e85-b84d-7010dd821fd2; spec: /tmp/svcspec_zjbik_za
Get service 98b0fbc4-a362-4e8b-8287-61002cf5383a
Update service 98b0fbc4-a362-4e8b-8287-61002cf5383a; spec: /tmp/svcspec_t9e7no9e
Get service 2190eef0-60cc-47fb-8fd1-04dbe2cd3dbb
Update service 2190eef0-60cc-47fb-8fd1-04dbe2cd3dbb; spec: /tmp/svcspec_zre3rse3
Get service fda4248d-2a11-4b60-b80f-0b159c753535
Update service fda4248d-2a11-4b60-b80f-0b159c753535; spec: /tmp/svcspec_ckqgg4ww
Get service 2f92da99-febf-44a3-8c78-26965454bd67
Update service 2f92da99-febf-44a3-8c78-26965454bd67; spec: /tmp/svcspec_e12xrlxg
Get service 5e7e9082-07a3-4b1a-acaa-1419285b3f03
Update service 5e7e9082-07a3-4b1a-acaa-1419285b3f03; spec: /tmp/svcspec_a2o41x6b
Get service 67a39a3b-075c-4d9c-b05d-3d5259c2e6a2
Update service 67a39a3b-075c-4d9c-b05d-3d5259c2e6a2; spec: /tmp/svcspec_nwbdv0hw
Get service 27cbb50b-d075-48de-8500-71e7104b1884
Update service 27cbb50b-d075-48de-8500-71e7104b1884; spec: /tmp/svcspec_alopdx9m
Get service b65c5fde-0fb0-4852-80b7-2d56037afc44
Update service b65c5fde-0fb0-4852-80b7-2d56037afc44; spec: /tmp/svcspec_ym9tyztr
Get service 9c03f2a0-e8b7-4e1c-95d9-b2a128d6b46f
Update service 9c03f2a0-e8b7-4e1c-95d9-b2a128d6b46f; spec: /tmp/svcspec_rrxp310j
Get service bf6045fb-c92a-40e6-a985-9ad30a11c096
Update service bf6045fb-c92a-40e6-a985-9ad30a11c096; spec: /tmp/svcspec_ezur4wn0
Get service ab5a3d08-4fef-4ca4-912a-96cd0982136b
Update service ab5a3d08-4fef-4ca4-912a-96cd0982136b; spec: /tmp/svcspec__a55yl15
Get service 3515cfd0-8295-44c5-8b33-c76f3b4fdac4
Update service 3515cfd0-8295-44c5-8b33-c76f3b4fdac4; spec: /tmp/svcspec_dkvb2kwd
Get service bad929e2-0e78-4954-87a8-ddadc7e6552e
Update service bad929e2-0e78-4954-87a8-ddadc7e6552e; spec: /tmp/svcspec_zt3dq6rt
Updated 34 service(s)
Status : 60% Completed [Replace vpxd-extension Cert...]
2020-09-17T02:58:28.509Z Updating certificate for "com.vmware.imagebuilder" extension
Status : 100% Completed [All tasks completed successfully]
root@vc [ ~ ]#
Yes, it really is that simple.
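Option 2 regenerates every certificate in the appliance from whatever root you hand it, so it pays to confirm beforehand that the certificate file is actually a signing CA (basicConstraints CA:TRUE, keyUsage keyCertSign, not expired) and that the key file belongs to it. The preflight script below is an added example, not part of the original post or of VMware's tooling; it assumes only the openssl CLI, and the vCenterTianbao file names in the usage line are the ones from the log above.

```shell
#!/bin/sh
# Pre-flight for certificate-manager option 2: confirm that the custom root
# certificate is a signing CA and that the key file belongs to it.
# Added example, not from the original post; requires only the openssl CLI.
check_signing_ca() {
  crt=$1; key=$2
  text=$(openssl x509 -in "$crt" -noout -text 2>/dev/null) ||
    { echo "FAIL: $crt is not a readable X.509 certificate"; return 1; }
  printf '%s\n' "$text" | grep -q 'CA:TRUE' ||
    { echo "FAIL: basicConstraints CA:TRUE missing (not a CA certificate)"; return 1; }
  printf '%s\n' "$text" | grep -q 'Certificate Sign' ||
    { echo "FAIL: keyUsage keyCertSign missing (CA cannot issue certificates)"; return 1; }
  openssl x509 -in "$crt" -noout -checkend 0 >/dev/null ||
    { echo "FAIL: certificate is expired"; return 1; }
  # Compare the SubjectPublicKeyInfo derived from each file; a mismatch means
  # VMCA would hold a key that cannot produce valid signatures for this root.
  cpub=$(openssl x509 -in "$crt" -noout -pubkey)
  kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
    { echo "FAIL: $key is not a readable private key"; return 1; }
  [ "$cpub" = "$kpub" ] ||
    { echo "FAIL: private key does not match the certificate"; return 1; }
  echo "OK: $crt is a signing CA and $key is its private key"
}

# make_demo_pair writes a constructed self-signed pair (demo.crt/demo.key) into
# directory $1 so the check can be tried offline: a CA when $2 is TRUE, a plain
# end-entity certificate when $2 is FALSE. Test input only, not a real CA.
make_demo_pair() {
  dir=$1; ca=$2
  if [ "$ca" = TRUE ]; then ku="keyCertSign,cRLSign"; else ku="digitalSignature"; fi
  printf '[req]\ndistinguished_name=dn\nx509_extensions=v3\nprompt=no\n[dn]\nCN=constructed\n[v3]\nbasicConstraints=critical,CA:%s\nkeyUsage=critical,%s\n' \
    "$ca" "$ku" > "$dir/demo.cnf"
  openssl req -x509 -config "$dir/demo.cnf" -newkey rsa:2048 -nodes -days 1 \
    -keyout "$dir/demo.key" -out "$dir/demo.crt" 2>/dev/null
}

# Usage on the appliance, before choosing option 2:
#   check_signing_ca /root/vCenterTianbao.crt /root/vCenterTianbao.key
```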
Unless otherwise noted, the article 『202009171058 使用 vSphere Certificate Manager 替换 SSL 证书』 published on 『傲孤漠客』 is copyright iMoke.
When reposting, please credit the source as "Reposted from 『傲孤漠客』, original address https://www.imoke.org/post/20200917320.html".