Managing NSX Edge and Manager Certificates (SKKB1012)

Introduction

In this post we take a look at certificate handling in NSX. We will cover NSX Global certificates as well as NSX Edge self-signed certificates, certificates signed by a Certification Authority (CA), and certificates that are both generated and signed by a CA.

Special thanks to Dimitri Desmidt for figuring some of the stuff out.

If you want to know how to configure NSX SSL VPN-Plus, visit Configuring NSX SSL VPN-Plus

 

Lab Environment

The logical design of this lab can be seen HERE.

 

NSX Edge: Configuring self-signed certificate

In this chapter we will see how to generate and configure a self-signed certificate on an NSX Edge.
First log on to vCenter and navigate to one of the Edges. The certificate configuration is under the [Settings > Certificates] tab.

To generate a certificate signing request (CSR) click on [Actions > Generate CSR]

Fill in the certificate request information.
Note: SSL VPN-Plus only supports RSA certificates. VMware recommends RSA for backward compatibility.

You should now see the generated certificate request.

This is still only a certificate request. Go to [Actions > Self Sign Certificate] to self-sign it.

Enter the expiration interval and click OK.

You should now see two entries: the certificate request (CSR) and the self-signed certificate.

You are ready to go. If you now go to [SSL VPN-Plus > Server Settings > Change] you can select this certificate for SSL VPN. Keep in mind that a self-signed certificate is fine for a lab, but SSL VPN clients will not trust it unless it is distributed to them, so for production use a CA signed certificate as described in the next chapters.

 

 

NSX Edge: Configuring a CA signed certificate

In this chapter we will see how to generate and configure a CA signed certificate on an NSX Edge.

First log on to vCenter and navigate to one of the Edges. The certificate configuration is under the [Settings > Certificates] tab. We already created a certificate request in the previous chapter; we will reuse it and have it signed by a CA.

Copy the PEM encoding of the CSR.

Save it as a .CSR file.


You can now either hand this file to an external CA to get it signed or sign it with your own CA.
In this case I will sign it with my own CA.

I will use the [Submit certificate request (CSR) with Certreq] workflow, part of my com.SpasKaloferov.library.pki vRO/vCO workflow library package, to automate the process; if you administer your own CA you can also do it with the native Windows CA tools.
Library download: com.SpasKaloferov vCO (vRO) workflow library package

If you are interested in this and similar workflows, check my “vCO Workflow to automate the certificate generation process” post.

Fill in the inputs and click Submit.

After the workflow finishes you should see the certificate in .CRT and in .P7B format.

You can see that the certificate is signed by my RootCA certificate authority.
Now go back to the vSphere Web Client, navigate to the Edge again and import the certificate via [Actions > Import Certificate]

Copy the PEM encoding of the certificate and click OK.

You can see that the certificate request (.CSR) that was present before has turned into a CA signed certificate.

You are ready to go. If you now go to [SSL VPN-Plus > Server Settings > Change] you can select this certificate for SSL VPN.


 

 

NSX Edge: Configuring a CA generated and signed certificate

In this chapter we will see how to generate and configure a CA generated and signed certificate on an NSX Edge.
There are different ways to obtain the final PEM certificate and the CA PEM certificate and import them into the NSX Edge. I will create a PKCS#7 (.P7B) package that contains my NSX Edge certificate and the certificate of the CA that signed and issued it. I used the [Generate Certificate] workflow, which generates an NSX certificate in a number of formats I can use afterwards, in about 40 seconds.

I then used the [Convert P7B to PEM in OpenSSL using PS] workflow to convert the PKCS#7 package into a PEM file containing the certificate chain.


Both workflows are part of my com.SpasKaloferov.library.pki vRO/vCO workflow library package, which automates the process; if you administer your own CA you can do the same with the native Windows CA tools.

Library download: com.SpasKaloferov vCO (vRO) workflow library package

If you want to know how to use and run [Generate Certificate] or [Convert P7B to PEM in OpenSSL using PS], or are looking for more workflows like them, check my “vCO Workflow to automate the certificate generation process” post.

Now that we have the certificate package we need, let's import it into the NSX Edge.
Go to [ + > Certificate]

In the Certificate Contents field paste the contents of chain.pem (or whichever certificate file you created). Make sure both the NSX Edge certificate and the CA certificates are included.
In the Private Key field paste the contents of rui.key (or the private key you created). Enter the password if the key is protected with one and click OK.

All certificates from the chain should now be imported. Because I am using a 2-tier CA, there are only three: the NSX Edge certificate, the Issuing CA certificate and the Root CA certificate.
Importantly, the PEM file must list the certificates leaf first, each followed by the certificate of the CA that issued it, ending with the root:

-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate: your_domain_name.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Issuing certificate: IssuingCA.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate: IntermediateCA.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Root certificate: Root.crt)
-----END CERTIFICATE-----

After importing, look at the chain under Certificate Details.
In this case the correct chain is:

  • Perimeter-Gateway (my SSL VPN Cert)
  • SubCA (Issuing CA)
  • RootCA (Root CA)

A wrong certificate chain is, for example:

  • RootCA (Root CA)
  • SubCA (Issuing CA)
  • Perimeter-Gateway (my SSL VPN Cert)

Both will import without complaint, but the wrongly ordered chain will fail with an error in the next steps.
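As an added example (my code, not from the original post or from VMware), here is a small Python script that reads a PEM bundle and checks that its certificates are in the order NSX Edge expects: leaf first, then each issuing CA up to the root. It parses just enough DER to pull the issuer and subject names out of each certificate and compares them bytewise. The sample bundles are constructed inside the script from unsigned stand-in certificates that carry only the fields the checker reads; the CN values Perimeter-Gateway, SubCA and RootCA mirror the chain above. The script checks ordering only, not signatures; for that use openssl verify against your CA certificates.

```python
import base64
import re

# Added example (not from the post): a minimal DER reader that pulls the issuer
# and subject Name out of every certificate in a PEM bundle and checks that the
# bundle is ordered leaf -> issuing CA -> ... -> root, as NSX Edge expects.
# Names are compared bytewise, which is how most validators match them.

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
OID_CN = b"\x55\x04\x03"  # id-at-commonName, 2.5.4.3

def _tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(buf):
    """Split a constructed DER value into its (tag, value) elements."""
    pos, out = 0, []
    while pos < len(buf):
        tag, value, pos = _tlv(buf, pos)
        out.append((tag, value))
    return out

def _common_name(name_der):
    """Return the CN of an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue)."""
    for _, rdn in _children(name_der):
        for _, atv in _children(rdn):
            (_, oid), (_, value) = _children(atv)
            if oid == OID_CN:
                return value.decode("utf-8", "replace")
    return "<no CN>"

def cert_names(cert_der):
    """Return (issuer_der, subject_der) of a DER-encoded X.509 certificate."""
    _, cert, _ = _tlv(cert_der, 0)  # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    _, tbs, _ = _tlv(cert, 0)
    fields = _children(tbs)
    if fields[0][0] == 0xA0:        # optional [0] EXPLICIT version
        fields = fields[1:]
    # now: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[2][1], fields[4][1]

def check_chain_order(pem_text):
    """Return (subject CNs in file order, list of ordering problems) for a PEM bundle."""
    certs = [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(pem_text)]
    names = [cert_names(c) for c in certs]
    cns = [_common_name(subject) for _, subject in names]
    if not certs:
        return cns, ["no certificates found"]
    problems = []
    if len(certs) > 1 and names[0][0] == names[0][1]:
        problems.append("first certificate is self-signed; the leaf (server) certificate must come first")
    for i in range(len(names) - 1):
        if names[i][0] != names[i + 1][1]:
            problems.append(f"certificate {i} ({cns[i]}) is not issued by certificate {i + 1} ({cns[i + 1]})")
    if names[-1][0] != names[-1][1]:
        problems.append(f"last certificate ({cns[-1]}) is not a self-signed root")
    return cns, problems

# --- constructed test data: unsigned stand-in certificates carrying only the
# fields the checker reads; for real files feed in the PEM bundle you exported ---

def _der(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _name(cn):
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, OID_CN) + _der(0x0C, cn.encode()))))

def fake_cert_pem(subject_cn, issuer_cn):
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + _name(issuer_cn) + _der(0x30, b"") + _name(subject_cn) + _der(0x30, b""))
    der = _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

LEAF, SUBCA, ROOT = (fake_cert_pem("Perimeter-Gateway", "SubCA"),
                     fake_cert_pem("SubCA", "RootCA"), fake_cert_pem("RootCA", "RootCA"))
GOOD_BUNDLE = LEAF + SUBCA + ROOT   # the order NSX Edge accepts
BAD_BUNDLE = ROOT + SUBCA + LEAF    # the reversed order shown in the post

if __name__ == "__main__":
    for label, bundle in (("good", GOOD_BUNDLE), ("bad", BAD_BUNDLE)):
        cns, problems = check_chain_order(bundle)
        print(label, cns, problems or "OK")
```

Run it against your own chain.pem before importing: check_chain_order(open("chain.pem").read()) returns an empty problem list for a correctly ordered bundle and one line per broken link otherwise, which is quicker than waiting for the "Invalid Certificate or Private Key" error on the Edge.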

You are ready to go. If you now go to [SSL VPN-Plus > Server Settings > Change] you can select this certificate for SSL VPN.

If your certificate chain is in the wrong order, as explained above, you will receive an error similar to this:

If you SSH to the Edge and run [show log] you will see errors similar to the following:

2015-10-14T09:10:45+00:00 vShield-edge-4-0 config:  [daemon.err] ERROR :: C_UTILS :: [73001] [61952] Failed to add server configuration. : Invalid Certificate or Private Key
2015-10-14T09:10:45+00:00 vShield-edge-4-0  [user.notice]
2015-10-14T09:10:45+00:00 vShield-edge-4-0 config:  [daemon.err] ERROR :: VseCommandHandler :: Configuration request failed eventually. Error: [C_UTILS][73001][61952] Failed to add server configuration. : Invalid Certificate or Private Key

If the certificate was set successfully you should see something similar to this:

 

NSX Manager: Configuring a CA signed certificate

In this chapter we will see how to generate and configure a CA signed certificate for NSX Manager.
The process for replacing the NSX Manager self-signed certificate with one signed by a CA is the same as for the NSX Edge, explained in the “NSX Edge: Configuring a CA signed certificate” chapter earlier in the post.

You can generate a certificate request (CSR) from the [NSX Manager > Manager > SSL Certificates] tab by clicking [Generate CSR]. Download the CSR file, request a certificate from your CA and import the result via the [Import] button, in the same manner as in the “NSX Edge: Configuring a CA signed certificate” chapter earlier in the post.

 

NSX Edge: Configuring a global certificate

There is a term in NSX called Global Certificate, described in the VMware NSX Edge Operations documentation under Configure a CA Signed Certificate.

The documentation says you can generate a CSR and have it signed by a CA, and that a CSR generated at the global level is available to all NSX Edges in your inventory. Unfortunately neither the NSX Manager user interface (UI) nor the NSX tab of the vSphere Web Client UI exposes options to administer these global certificates. To create a global certificate, import it into NSX Manager, and use it in SSL VPN or an Application Profile you must use the API, and the relevant API calls are poorly documented, if documented at all.

Therefore I would not suggest digging into this and spending time on it at this point. Although the current NSX version, 6.1, provides no UI options to administer and manage global certificates, future versions likely will.

 

 
