Certificates are not enjoyable but its always a good practice to deploy them. vShield Manager isnt the most intuitive when updating certificates below is the steps. Keep in mind the follwoing
- You organisation has a CA and PKI infrastructure
- You have permissions to request certificates and have access to the root CA and any intermediate CAs or have a copy of these certs
- You have vShield deployed and added to vCentre with a FQDN DNS entry
- The CA needs to be configured with a template that supported Subject Alternative Names (SAN)
Log onto vShield with the admin account.
Go to Settings & Reports – SSL Certificate.
Generate the request by filling the information, select Key Algorithm RSA and Key Size 2048. Note – use the FQDN for Common Name, using the IP address doesnt work. VMwares documentation suggests it does.
Once information is added – ‘Download generated certificate’ button will appear. Download the .cer file locally.
Browse to the CA through a webpage on \\servername\certsrv. The computer / user account will need permissions to be able to generate requests. Open the CSR .cer file in notepad and copy and paste the information into the request box. Select the template that supports SAN attributes with the right key settings. In the ‘Additional Attributes’ box add the vShield’s IP address. This is required as it is registered in vCentre by IP address. Failing to have the SAN info results in a security prompt every time the c# client is opened.
Submit the request and download the certificate as .cer file – select the Base 64 encoded.
If you dont already have the files now download the root certificates and any intermediates. Save these with the server certificate.
Once saved go back to vShield web page and log in as Admin. Go to Settings & Reports – SSL Certificate – Import Signed Certificate. These must be done in order, failing to do can result in starting again by generating a new request. If the import fails it will report ‘Importing certificate failed. Please retry the operation’ at which point I found it doesnt let you add it again successfully and you have to do a new request. Start with the root then intermediate then the server certificate. If you have multiple intermediates combine them into one file.
For the root select the drop down box as ‘Root CA’ this can be a .cer file or .pem.
Repeat this for intermediate by selecting ‘Intermediate CA’ drop down box.
If both of those import successfully move on and import the server cert by selecting the ‘CA-signed X.509 Cert’ drop down box.
All being well you should now have a ‘Apply Certificate’ button. Select this and wait for the VM to reboot. If this fails check the root / intermediates are correct, check the request is correct and try again also try again by doing the request process again.
You will see actions in vCentre ‘Update option values’ on the hosts. After the reboot you can now browse the vShield web page with no security warning and the c# client should open with no security warning.