Introduction
In this post we will take a dive into NSX certificates. We will look at NSX Global certificates as well as NSX Edge self-signed certificates, certificates signed by a Certification Authority (CA) from an Edge-generated CSR, and certificates generated and signed entirely by a CA.
Special thanks to Dimitri Desmidt for figuring some of the stuff out.
If you want to know how to configure NSX SSL VPN-Plus, visit Configuring NSX SSL VPN-Plus
Lab Environment
The logical design of this lab can be seen HERE.
NSX Edge: Configuring self-signed certificate
In this chapter we will see how we can generate and configure a NSX Edge self-signed certificate.
To do this we must first log on to vCenter and navigate to one of our Edges. You can find the certificate configuration under the [Settings > Certificates] tab.
To generate a certificate signing request (CSR) click on [Actions > Generate CSR].
Fill in the certificate request information.
Note: SSL VPN-Plus only supports RSA certificates. VMware recommends RSA for backward compatibility.
You should now see the generated certificate request.
This is still only a certificate request. Go to [Actions > Self Sign Certificate] to self-sign it.
Enter the expiration interval and click OK.
You should now see two entries: the certificate request (CSR) and the self-signed certificate.
You are ready to go. If you now go to [SSL VPN-Plus > Server Settings > Change] you can select this certificate for SSL VPN.
NSX Edge: Configuring a CA signed certificate
In this chapter we will see how we can generate and configure a NSX Edge CA signed certificate.
To do this we must first log on to vCenter and navigate to one of our Edges. You can find the certificate configuration under the [Settings > Certificates] tab. We already created a certificate request in the previous chapter; we are going to reuse it and have it signed by a CA.
Copy the PEM encoding of the CSR.
Save it as a .CSR file.
You can now either hand this file to an external CA to get it signed or sign it with your own CA.
In this case I will sign it with my own CA.
I will use the [Submit certificate request (CSR) with Certreq] workflow, part of my com.SpasKaloferov.library.pki vRO/vCO workflow library package, to automate the process, but if you are your own CA administrator you can do it with the native Windows CA tools (certreq).
Library download: com.SpasKaloferov vCO (vRO) workflow library package
If you are interested in this workflow and similar ones, make sure to check my “vCO Workflow to automate the certificate generation process” post.
Fill in the inputs and click Submit.
After the workflow finishes you should see the certificate in .CRT format and in .P7B format.
You can see that the certificate is signed by my RootCA certificate authority.
Now go back to the vSphere Web Client, navigate to the Edge again and import the certificate via [Actions > Import Certificate].
Copy the PEM encoding of the certificate and click OK.
You can see that the certificate request (.CSR) entry that was present before has turned into a CA signed certificate.
You are ready to go. If you now go to [SSL VPN-Plus > Server Settings > Change] you can select this certificate for SSL VPN.
NSX Edge: Configuring a CA generated and signed certificate
In this chapter we will see how we can generate and configure a NSX Edge CA generated and signed certificate.
There are different ways to get your final PEM certificate and CA PEM certificate and import them into the NSX Edge. I will create a PKCS7 (.P7B) certificate package that contains my NSX Edge certificate and the CA certificate(s) of the authority that signed and issued it. I have used the [Generate Certificate] workflow to generate an NSX certificate in a bunch of formats I can use afterwards, in about 40 seconds.
I then used the [Convert P7B to PEM in OpenSSL using PS] workflow to convert the PKCS7 package to a PEM file containing the certificate chain.
Both workflows are part of my com.SpasKaloferov.library.pki vRO/vCO workflow library package, which automates the process, but if you are your own CA administrator you can do it with the native Windows CA tools.
Library download: com.SpasKaloferov vCO (vRO) workflow library package
If you want to know how to use and run [Generate Certificate] or [Convert P7B to PEM in OpenSSL using PS], or are looking for more similar workflows, make sure to check my “vCO Workflow to automate the certificate generation process” post.
Now that we have the certificate package we need, let’s import it into the NSX Edge.
Go to [ + > Certificate]
In the Certificate Contents field paste the contents of the chain.pem file (or whichever certificate you created). Make sure both the NSX Edge certificate and the CA certificates are included in the contents.
In the Private Key field paste the contents of the rui.key file (or the private key you created). Enter the passphrase if the key is encrypted and click OK.
You should now have all the certificates from the chain imported. As I’m using a 2-tier CA structure I have only three certificates: the NSX Edge certificate, the Issuing CA certificate, and the Root CA certificate.
An important note is that your PEM file must list the certificates in the following order, from the entity certificate up to the root (omit any tier your hierarchy does not have):
-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate: your_domain_name.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Issuing certificate: IssuingCA.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate: IntermediateCA.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Root certificate: Root.crt)
-----END CERTIFICATE-----
After you import your certificate look at the chain under Certificate Details.
In this case correct chain is:
- Perimeter-Gateway (my SSL VPN Cert)
- SubCA (Issuing CA)
- RootCA (Root CA)
A wrong certificate chain (root first), for example, is:
- RootCA (Root CA)
- SubCA (Issuing CA)
- Perimeter-Gateway (my SSL VPN Cert)
Although you will be able to import both a certificate with a correct chain and one with an incorrect chain, the latter will produce an error in the next steps.
You are ready to go. Now if you go to the [SSL VPN-Plus > Server Settings > Change] you can select and this certificate for SSL VPN.
If your certificate has an incorrect chain, as explained above, you will receive an error similar to this:
If you SSH to the Edge and run [show log] you will notice errors similar to the following:
2015-10-14T09:10:45+00:00 vShield-edge-4-0 config: [daemon.err] ERROR :: C_UTILS :: [73001] [61952] Failed to add server configuration. : Invalid Certificate or Private Key
2015-10-14T09:10:45+00:00 vShield-edge-4-0 [user.notice]
2015-10-14T09:10:45+00:00 vShield-edge-4-0 config: [daemon.err] ERROR :: VseCommandHandler :: Configuration request failed eventually. Error: [C_UTILS][73001][61952] Failed to add server configuration. : Invalid Certificate or Private Key
If you have successfully set the certificate you should see something similar:
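The chain order and the certificate/key check described above, as an added example that is not part of the original post. It assumes openssl is on the path and builds a throwaway 2-tier CA with names that mirror the lab (RootCA, SubCA, Perimeter-Gateway) plus assumed file names (rui.key, chain.pem, wrong.pem). It also covers the CSR-then-CA-sign flow from the “NSX Edge: Configuring a CA signed certificate” chapter, with openssl standing in for the Windows CA and the vRO workflows. chain_is_valid is the pre-import check a practitioner would run on a bundle before pasting it into the Edge: the first certificate must belong to the private key, the last must be the self-signed root, and the first must verify up to that root through whatever sits between.

```shell
#!/bin/sh
# Added example, not taken from the original post or from NSX. Builds a lab
# PKI with openssl (assumed installed), issues the Edge certificate from a
# CSR, assembles the PEM bundle in the order the Edge expects (entity cert,
# issuing CA, root) and checks a bundle before it is imported.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # kept on disk so the generated files can be inspected

# Minimal OpenSSL config (written by this example): a DN section that -subj
# overrides, and one extension profile per tier of the hierarchy.
write_cnf() {
  cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_sub ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ v3_edge ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Build the lab PKI once: RootCA -> SubCA -> Perimeter-Gateway. The Edge key is
# RSA because SSL VPN-Plus only accepts RSA certificates; edge.csr plays the
# role of the CSR exported from the Edge UI and signed by the CA.
make_lab_pki() {
  [ -f "$WORK/chain.pem" ] && return 0
  write_cnf
  cnf="$WORK/ca.cnf"
  openssl req -x509 -config "$cnf" -extensions v3_root -newkey rsa:2048 -nodes \
    -subj /CN=RootCA -days 3650 -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
  openssl req -new -config "$cnf" -newkey rsa:2048 -nodes \
    -subj /CN=SubCA -keyout "$WORK/sub.key" -out "$WORK/sub.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/sub.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -set_serial 2 -days 1825 -extfile "$cnf" -extensions v3_sub -out "$WORK/sub.crt" 2>/dev/null
  openssl req -new -config "$cnf" -newkey rsa:2048 -nodes \
    -subj /CN=Perimeter-Gateway -keyout "$WORK/rui.key" -out "$WORK/edge.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/edge.csr" -CA "$WORK/sub.crt" -CAkey "$WORK/sub.key" \
    -set_serial 3 -days 365 -extfile "$cnf" -extensions v3_edge -out "$WORK/edge.crt" 2>/dev/null
  # Correct order for the Edge's "Certificate Contents" field ...
  cat "$WORK/edge.crt" "$WORK/sub.crt" "$WORK/root.crt" > "$WORK/chain.pem"
  # ... and the reversed order that imports fine but is rejected with
  # "Invalid Certificate or Private Key" when selected for SSL VPN.
  cat "$WORK/root.crt" "$WORK/sub.crt" "$WORK/edge.crt" > "$WORK/wrong.pem"
}

# chain_is_valid BUNDLE.pem PRIVATE.key -> 0 if the bundle is ordered the way
# the Edge expects, 1 otherwise.
chain_is_valid() {
  local chain key parts n last want have subj_h iss_h i
  chain="$1"; key="$2"
  parts="$(mktemp -d)"
  # Split the bundle into one numbered file per certificate, in file order.
  n="$(awk -v d="$parts" '/-----BEGIN CERTIFICATE-----/ {n++; f=sprintf("%s/%02d.pem", d, n)}
                          f != "" {print > f}
                          END {print n+0}' "$chain")"
  [ "$n" -ge 2 ] || return 1
  last="$(printf '%s/%02d.pem' "$parts" "$n")"
  # 1. The first certificate's public key must belong to the private key.
  want="$(openssl pkey -in "$key" -pubout 2>/dev/null)" || return 1
  have="$(openssl x509 -in "$parts/01.pem" -noout -pubkey 2>/dev/null)" || return 1
  [ -n "$want" ] && [ "$want" = "$have" ] || return 1
  # 2. The last certificate must be self-signed (subject hash == issuer hash).
  subj_h="$(openssl x509 -in "$last" -noout -subject_hash 2>/dev/null)" || return 1
  iss_h="$(openssl x509 -in "$last" -noout -issuer_hash 2>/dev/null)" || return 1
  [ -n "$subj_h" ] && [ "$subj_h" = "$iss_h" ] || return 1
  # 3. Everything in between is an untrusted intermediate; the leaf must chain to the root.
  set --
  i=2
  while [ "$i" -lt "$n" ]; do
    set -- "$@" -untrusted "$(printf '%s/%02d.pem' "$parts" "$i")"
    i=$((i + 1))
  done
  openssl verify -CAfile "$last" "$@" "$parts/01.pem" >/dev/null 2>&1
}

make_lab_pki
for bundle in chain.pem wrong.pem; do
  if chain_is_valid "$WORK/$bundle" "$WORK/rui.key"; then
    echo "$bundle: OK, safe to import (leaf first, key matches, chains to RootCA)"
  else
    echo "$bundle: REJECT, the Edge would log 'Invalid Certificate or Private Key'"
  fi
done
```

Run it with `sh nsx-chain-check.sh`; to check your own bundle, source the file and call `chain_is_valid /path/to/chain.pem /path/to/rui.key` before pasting the two into the Edge. The check only reproduces the ordering and key-match rules the Edge enforces; it does not know NSX-specific constraints such as the RSA-only requirement of SSL VPN-Plus.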
NSX Manager: Configuring a CA signed certificate
In this chapter we will see how we can generate and configure a NSX Manager CA signed certificate.
The process for replacing the NSX Manager self-signed certificate with one signed by a CA is the same as for the NSX Edge, explained in the “NSX Edge: Configuring a CA signed certificate” chapter earlier in the post.
You can generate a certificate request (CSR) from the [NSX Manager > Manager > SSL Certificates] tab by clicking [Generate CSR]. You can download the CSR file, request a certificate, and import the certificate via the [Import] button, in the same manner as in the “NSX Edge: Configuring a CA signed certificate” chapter earlier in the post.
NSX Edge: Configuring a global certificate
There is a term in NSX called Global Certificate, described in the VMware NSX Edge Operations documentation under Configure a CA Signed Certificate.
The documentation says you can generate a CSR and get it signed by a CA; if you generate the CSR at the global level, it is available to all NSX Edges in your inventory. Unfortunately neither the NSX Manager user interface (UI) nor the NSX tab of the vSphere Web Client UI exposes options to administer these global certificates. To create a global certificate, import it into NSX Manager, and use it for SSL VPN or in an Application Profile you must go through the API. Furthermore the API calls are poorly documented, if documented at all.
Therefore I do not suggest digging into this and spending time on it at this point. Although the current NSX version 6.1 doesn’t provide UI options to administer and manage global certificates, it is likely that future versions will.