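Contents
Replacement topology
Certificate relationship diagram
Notes
Related posts
1. Screenshots of the default certificates
2. Generate the CSR with certificate-manager
2.1 Create a directory for the CSR
2.2 Record the PNID and IP
2.3 Generate the CSR
2.4 Verify the CSR
References

Replacement topology
Certificate relationship diagram
The topology this series of posts implements is
Notes
Related posts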
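Replacing the vSphere VMCA CA certificate directly with an enterprise CA involves many tedious steps. For continuity and readability, I have split this second installment of the self-signed certificate series into three posts. This is the first; the remaining two will be published in due course.
This post describes how to use the certificate-manager utility on a vCenter Server system to generate the certificate signing request (CSR) and key that VMCA needs for the self-signed certificate. It applies to vSphere 7.0.x and vSphere 8.0.x.
1. Replacing the vSphere VMCA CA certificate with an enterprise CA-signed certificate, Part I: generating the CSR
2. Replacing the vSphere VMCA CA certificate with an enterprise CA-signed certificate, Part II: creating and adding the certificate template
3. Replacing the vSphere VMCA CA certificate with an enterprise CA-signed certificate, Part III: issuing the self-signed certificate and replacing the default VMCA certificate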
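1. Screenshots of the default certificates
Before replacing the default vSphere Machine SSL certificate, we confirm the certificate's details in the vSphere Client.
Log in to the vSphere Client, go to Menu > Administration > Certificates > Certificate Management, find VMware Certificate Authority and click VIEW DETAILS. Then find the trusted root certificate and click VIEW DETAILS.
2. Generate the CSR with certificate-manager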
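2.1 Create a directory for the CSR
If you do not create a dedicated directory, you must specify an existing directory when a later step asks for one; otherwise the program reports an error.
mkdir /root/vmca
2.2 Record the PNID and IP
# Get the vCenter PNID
/usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost
# Get the IP address
ip address
2.3 Generate the CSR
For the meaning of the parameter values, see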
root@vc7-3 [ ~ ]# /usr/lib/vmware-vmca/bin/certificate-manager
 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
|                                                                     |
|      *** Welcome to the vSphere 8.0 Certificate Manager ***         |
|                                                                     |
|                   -- Select Operation --                            |
|                                                                     |
|      1. Replace Machine SSL certificate with Custom Certificate     |
|                                                                     |
|      2. Replace VMCA Root certificate with Custom Signing           |
|         Certificate and replace all Certificates                    |
|                                                                     |
|      3. Replace Machine SSL certificate with VMCA Certificate       |
|                                                                     |
|      4. Regenerate a new VMCA Root Certificate and                  |
|         replace all certificates                                    |
|                                                                     |
|      5. Replace Solution user certificates with                     |
|         Custom Certificate                                          |
|         NOTE: Solution user certs will be deprecated in a future    |
|         release of vCenter. Refer to release notes for more details.|
|                                                                     |
|      6. Replace Solution user certificates with VMCA certificates   |
|                                                                     |
|      7. Revert last performed operation by re-publishing old        |
|         certificates                                                |
|                                                                     |
|      8. Reset all Certificates                                      |
|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|
Note : Use Ctrl-D to exit.
Option[1 to 8]: 2
Do you wish to generate all certificates using configuration file : Option[Y/N] ? : Y
Please provide valid SSO and VC privileged user credential to perform certificate operations.
Enter username [Administrator@vsphere.local]:
Enter password:
Please configure certool.cfg with proper values before proceeding to next step.
Press Enter key to skip optional parameters or use Default value.
Enter proper value for Country [Default value : US] : CN
Enter proper value for Name [Default value : CA] :
Enter proper value for Organization [Default value : VMware] :
Enter proper value for OrgUnit [optional] : GSS
Enter proper value for State [Default value : California] : Beijing
Enter proper value for Locality [Default value : Palo Alto] : Beijing
Enter proper value for IPAddress (Provide comma separated values for multiple IP addresses) [optional] : 192.168.1.3
Enter proper value for Email [Default value : email@acme.com] :
Enter proper value for Hostname (Provide comma separated values for multiple Hostname entries) [Enter valid Fully Qualified Domain Name(FQDN), For Example : example.domain.com] : vc7-3.yz.local
Enter proper value for VMCA Name :vc7-3.yz.local
1. Generate Certificate Signing Request(s) and Key(s) for VMCA Root Signing certificate
2. Import custom certificate(s) and key(s) to replace existing VMCA Root Signing certificate
Option [1 or 2]: 1
Please provide a directory location to write the CSR(s) and PrivateKey(s) to:
Output directory path: /root/vmca
2023-10-18T03:14:07.090Z Running command: [/usr/lib/vmware-vmca/bin/certool, --genkey, --privkey, /root/vmca/vmca_issued_key.key, --pubkey, /tmp/pubkey.pub]
2023-10-18T03:14:10.272Z Done running command
2023-10-18T03:14:10.273Z Running command: [/usr/lib/vmware-vmca/bin/certool, --gencacsr, --privkey, /root/vmca/vmca_issued_key.key, --pubkey, /tmp/pubkey.pub, --config, /var/tmp/vmware/certool.cfg, --csrfile, /root/vmca/vmca_issued_csr.csr]
2023-10-18T03:14:13.388Z Done running command
CSR generated at: /root/vmca/vmca_issued_csr.csr
1. Continue to importing Custom certificate(s) and key(s) for VMCA Root Signing certificate
2. Exit certificate-manager
Option [1 or 2]: 2
root@vc7-3 [ ~ ]#
Blue boxes mark shell commands, solid red boxes mark required fields, and dashed red boxes mark optional fields.
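The two files written to /root/vmca by the session above can be checked with openssl before the CSR goes to the enterprise CA. This is an added example, not part of the original post or of VMware's tooling; it assumes the openssl command is available in the shell, and check_vmca_csr, pubkey_hash and make_sample are hypothetical helper names (make_sample only builds constructed test data).

```shell
#!/bin/sh
# Added example: sanity-check the CSR/key pair written by certificate-manager.
# File names come from the session above; function names are hypothetical.

pubkey_hash() {   # SHA-256 of a PEM public key read from stdin
    openssl sha256 | awk '{print $NF}'
}

check_vmca_csr() {
    dir=${1:-/root/vmca}
    csr=$dir/vmca_issued_csr.csr
    key=$dir/vmca_issued_key.key
    [ -s "$csr" ] && [ -s "$key" ] || { echo "missing CSR or key in $dir"; return 1; }

    # 1. The CSR's self-signature must verify (file intact, not truncated).
    #    The message is matched because the exit code differs across versions.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK" ||
        { echo "CSR signature check failed"; return 2; }

    # 2. The CSR must carry the public half of the key stored next to it.
    a=$(openssl req -in "$csr" -noout -pubkey | pubkey_hash)
    b=$(openssl pkey -in "$key" -pubout 2>/dev/null | pubkey_hash)
    [ "$a" = "$b" ] || { echo "private key does not match CSR"; return 3; }

    # 3. The private key must not be accessible to group or others.
    perms=$(ls -l "$key" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "key readable beyond owner: $perms"; return 4; }

    # 4. Print the subject so it can be compared with the values entered.
    openssl req -in "$csr" -noout -subject
}

make_sample() {   # constructed test data, not a real VMCA request
    mkdir -p "$1" &&
    ( umask 077 && openssl req -new -newkey rsa:2048 -nodes \
        -subj "/C=CN/CN=sample.invalid" \
        -keyout "$1/vmca_issued_key.key" -out "$1/vmca_issued_csr.csr" ) >/dev/null 2>&1
}

if [ "$#" -gt 0 ]; then check_vmca_csr "$1"; fi
```

Run it as `sh check.sh /root/vmca` (the script name is arbitrary); a non-zero exit code identifies which of the checks failed.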
2.4 Verify the CSR
cd /root/vmca
ls
References
Cover image for this post from: https://blogs.vmware.com/vsphere/2019/06/10-things-about-vsphere-certificate-management.html