10 Jun 2010

This article forms part of the Replacing vSphere SSL Certificates series.

Before continuing with the steps outlined in this article, be sure to have completed Step 3: Submit the new Certificate Request to a Certificate Authority.

The rui.key and rui.crt files will be used by VMware products as replacement SSL Certificate files. However, in addition to these two files, a PFX-formatted certificate file called “rui.pfx”, specific to Windows, must be created. The “rui.pfx” file is a concatenation of the system’s certificate and private key, exported in PFX format.

10 Jun 2010

This article forms part of the Replacing vSphere SSL Certificates series.

Before continuing with the steps in this article, be sure that you have completed Step 2: Generate a new SSL Certificate Request

Now that we have used OpenSSL to generate a new SSL certificate request, we need to submit the request to a Certificate Authority in order to sign a new SSL Certificate based on the request. OpenSSL has now generated the request and saved the request in rui.csr. We now need to open the rui.csr file using Wordpad. Once the file has been opened in Wordpad, we will copy the entire contents of the file to the clipboard.

06 Jun 2010

This article forms part of the Replacing vSphere SSL Certificates series.

Before you continue with the following procedure, ensure that you have completed Step 1: Prepare OpenSSL and Microsoft CS

We will be using OpenSSL to generate a new RSA key. We will then use this key to generate a new SSL Certificate Request that we can submit to the Microsoft Certificate Authority that we have created in Step 1.

On the SSL Server that we have prepared in Step 1, open a new command prompt window and change directory to the “C:\OpenSSL-Win32\bin” directory.

Published in VMware vSphere
01 Jun 2010

This article forms part of the Replacing vSphere SSL Certificates series.

In order to request and self sign new SSL certificates for VMware vCenter Server 4.x and VMware Update Manager we will need to get a certificate authority up and running. For this lab, we will use a Microsoft Windows 2003 Server running Microsoft Certificate Services as our Certificate Authority. Although we will be using Microsoft Certificate Services to sign the new SSL Certificates, OpenSSL will be used to generate the SSL Certificate Requests that will be submitted to the Microsoft Certificate Authority.

To build the SSL CA Server we will need to have the following software components:

  • A Windows 2003 Server
  • Microsoft Internet Information Services (IIS) enabled
  • Microsoft Certificate Services Installed
  • Visual C++ Redistributable (Download this from here)
  • Win32 OpenSSL V1.0.0 Lite (Download this from here)

For this example I have prepared a Windows 2003 Server called LABSSL01 and I've also added the server to the LABS.UK.VIRTUALVCP.COM domain. So, the FQDN of our SSL Certificate Authority server for this example will be: labssl01.labs.uk.virtualvcp.com.

Preparing the server for Microsoft Certificate Services

The first thing that we will need to get in place is IIS. We will use IIS to access the Microsoft Certificate Services Web Portal. The web portal will be handy to:

  • Submit new SSL Certificate Requests to the Microsoft CA
  • Download the signed SSL Certificates
  • Download the CA Root Certificate to client machines

We will be installing the IIS and Certificate Services components at the same time.

Using Add or Remove Programs from the Windows Control Panel, click the Add/Remove Windows Components button:


Select "Application Server" and click "Details". Then select the following components under "Application Server"

  • Application Server Console
  • Enable network COM+ access
  • Internet Information Services


Once the components have been selected, Click OK.

With the IIS components now selected, we can go ahead and select the Certificate Services components as well.

Select "Certificate Services", then click "Details"


The Certificate Services components dialog opens. Select the following components before clicking "OK":

  • Certificate Services CA
  • Certificate Services Web Enrollment Support


When Certificate Services CA is selected, the following message will appear. Click "Yes" to continue


Now that both IIS and Certificate Services components have been selected, click "Next".


As we are installing a new Certificate Authority, we need to provide some information for the new Certificate Authority.

For the CA type, select "Stand-alone root CA" and click "Next" 


Now it's time to supply information that will identify the new Certificate Authority. The information provided here will also be included in each SSL certificate that the new CA will sign in the future.

At least the "Common Name for this CA" field should be completed as well as the "Validity period" field.


At the Certificate Database Settings dialog, keep the default settings and click "Next"


A message will appear stating that in order to complete the installation, Internet Information Services must be restarted. Click "Yes" to acknowledge this message.


You may also be presented with a message requesting that ASP be enabled. Click "Yes" to enable ASP now.


During the installation, you may be prompted for the Windows 2003 Installation CD. Please make sure that you have this handy in order to complete the installation of IIS and Certificate Services.

When the above steps have been completed, your server will be an ASP Web Server as well as a Certificate Authority capable of signing new SSL Certificates. However we will still need to install OpenSSL for Windows. OpenSSL is used to generate new SSL Certificate requests that will be submitted to the new Microsoft Certificate Authority. In this example, our Certificate Authority is called "VirtualVCP SelfSign Certificate Authority"


In order for your client machines to verify the authenticity of any certificates signed by your new CA, you will have to download and install the CA root certificate on each client machine. The new CA root certificate can be downloaded from http://<your-ca-server>/certserv

Installing Win32 OpenSSL V1.0.0 Lite

NOTE: Before installing Win32 OpenSSL V1.0.0 Lite, please download and install Visual C++ Redistributable from the Microsoft Website.

Download Win32 OpenSSL V1.0.0 Lite from here

Run the Win32 OpenSSL Light installer. At the Welcome dialog, click “Next”


Select “I accept the agreement” and click “Next”


Keep the default Destination Location as “C:\OpenSSL-Win32” and click “Next”


Select "The OpenSSL binaries (/bin) directory" and click "Next"


Click "Finish" to complete the installation


This then completes the SSL Server preparation. However, as we will be issuing new SSL certificates using the SSL Certificate Authority installed on this server, we will have to import the CA's root certificate into the Trusted Root Certification Authorities store of each of the client computers that will be using the vSphere client to connect to vCenter and VUM.

Continue to the next step: Generate a new SSL Certificate Request
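The file flow the series excerpts above describe (rui.key, rui.csr, rui.crt, rui.pfx), as an added example that is not code from the original articles. A throwaway OpenSSL CA stands in for Microsoft Certificate Services, and the subject names, password and function names are constructed; the PFX is only exported after checking that the key matches the certificate and that the certificate chains to the CA root.

```shell
#!/bin/sh
# Added example: CA name, subject name and password are constructed placeholders.
set -eu
PFX_PASS=${PFX_PASS:-constructed-example-only}

make_rui_files() {  # $1 = working directory
    # Stand-in root CA (the series uses a Microsoft stand-alone root CA).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Lab Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    # New RSA key, then a certificate request built from that key.
    openssl genrsa -out "$1/rui.key" 2048 2>/dev/null
    openssl req -new -key "$1/rui.key" \
        -subj "/CN=vcenter.example.test" -out "$1/rui.csr"
    # The CA signs the request, producing rui.crt.
    openssl x509 -req -in "$1/rui.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/rui.crt" 2>/dev/null
}

key_matches_cert() {  # $1 = private key, $2 = certificate
    # Compare the public key derived from the key file with the one in the cert.
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

build_pfx() {  # $1 = working directory; returns 1 on key mismatch, 2 on bad chain
    key_matches_cert "$1/rui.key" "$1/rui.crt" || return 1
    openssl verify -CAfile "$1/ca.crt" "$1/rui.crt" >/dev/null 2>&1 || return 2
    # Bundle certificate and private key into the PFX (PKCS#12) file.
    openssl pkcs12 -export -in "$1/rui.crt" -inkey "$1/rui.key" -name rui \
        -passout "pass:$PFX_PASS" -out "$1/rui.pfx"
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_rui_files "$work"
build_pfx "$work"
echo "rui.pfx built after key/certificate and chain checks passed"
```
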

08 Feb 2010

This is more of a note for future reference rather than a blog post.

I recently had to replace a RAID-10 member disk as the original disk had developed bad sectors and was causing mostly read-related problems in the array. (That’s a whole other story in its own right and I don’t have time to get into that now.) However, when I tried adding the replacement disk to the server, I found that the disk had a GPT table and not an msdos partition table, unlike the other 3 members in the RAID array. I was therefore unable to add the disk “as-is” to the RAID array as all disks are required to have the same partition table type. I therefore needed to remove the GUID Partition Table and replace it with an msdos partition table.

07 Jan 2010

As I have now rebuilt my Openfiler 2.3 iSCSI box, I thought that it would be wise to document the procedure as I have installed Openfiler on a USB memory stick. This was something I’ve wanted to do for a while now. Basically, I’m trying to cut back on the number of hard disk drives in my environment. I therefore decided to install Openfiler on a USB memory stick instead of another hard drive. I could then run 4 750GB SATA drives in RAID10 and leave the Openfiler OS to run on the USB stick.

As most servers can boot from USB, I didn’t expect any issues with installing and booting Openfiler from USB. However, Openfiler doesn’t load the USB storage drivers when it boots by default. You’ll have to tweak the initrd image in order to boot from USB.

