Monday, 29 July 2019

vRealize Orchestrator SSL Certificates

This post will go about replacing the Certificates on a pair of vRealize Operations Manager 7.5 Nodes. This is them:

And this is the Certificate current in use:
Nothing to see so far. Cool dark background though isn't it?!

Now, if we examine the current certificates, here is my first vROPS Node:


And here is the second:
Seems all vROPS Nodes get this name and if you added a third node you would get vc-ops-slice-3. Exciting!!! 
So, there is an "/Admin" url you can go to and there is where we'll upload the PEM file. Of course we've to create it first but let's have a look at that area. This is my cluster health in this view:
Now, where is the SSL certificate option hidden you may ask?! Have a look up the top RIGHT of the screen and there's a sneaky option up there. 

Now we can view the current certificate. 

And upload a new one. 

Now, we'll need that PEM ! 

The order of the certificates is the key once again. This is version 7.5 I'm working out of for reference. As per previous entries I have OpenSSL installed on my Windows Server that acts as a Certificate Authority. The opeenssl.cfg file I used is as follows:

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:false
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:labvrops1.lab.local, DNS:labvrops2.lab.local
[ req_distinguished_name ]
countryName = IE
stateOrProvinceName = IRL
localityName = Dublin
0.organizationName = Lab
organizationalUnitName = IT
commonName = labvrops1.lab.local

I then opened a command prompt and issued the following command:

openssl req -new -nodes -out C:\OpenSSL-Win64\bin\labvrops1.lab.local.csr -newkey rsa:2048 -keyout C:\OpenSSL-Win64\bin\labvrops1.lab.local.key -config C:\OpenSSL-Win64\bin\openssl.cfg

I used the Web Server template on the CA, nothing else special. I named the file labvrops1.lab.local.cer. Now I've three files to combine

I ran this command to put them in a PEM file in the right order:
(vROPS Certificate + Key + Root Cert)
type labvrops1.lab.local.cer labvrops1.lab.local.key lab_root_ca.cer > labvrops1.lab.local.pem

Next I uploaded the PEM file to the first vROPS node and it decoded it as follows:

Refresh the page to reload and then view the current certificate:


Now, if you check the second node and refresh there you'll find it's using the same certificate so there's nothing further to do!! Job completed!!