Chinaunix首页 | 论坛 | 博客

yanxiyanxi.blog.chinaunix.net

首页 |  博文目录 |  关于我

zhujiawen

  • 博客访问: 24855856
  • 博文数量: 271
  • 博客积分: 10025
  • 博客等级: 上将
  • 技术积分: 3358
  • 用 户 组: 普通用户
  • 注册时间: 2007-11-12 15:28
文章分类

全部博文(271)

文章存档

2010年(71)

2009年(164)

2008年(36)

我的朋友
最近访客
推荐博文
相关博文
Replacing or Regenerating an SSL Certificate

分类: LINUX

2010-04-07 11:49:21

Replacing or Regenerating an SSL Certificate for the Management Interface

Details

How can I replace or regenerate an SSL certificate for the management interface after I change the encryption algorithm that SSL uses (for example, to SHA1)?

Solution

Note: This article describes how to perform the procedure on ESX Server. To find the steps for GSX Server, see www.vmware.com/support/gsx25/doc/manage_secure_remote_gsx.html.

Log on to the service console as root to perform the following steps.

  1. Stop the management interface: 
    root@esxserver ssl # /etc/init.d/httpd.vmware stop
  2. Change to the following directory: 
    root@esxserver ssl # cd /etc/vmware-mui/ssl
  3. Set up a directory infrastructure: 
    root@esxserver ssl # touch index.txt
root@esxserver ssl # echo $(date '+%Y%m%d%H%M') > serial
    Note: The initial serial number can be any unique value.

  4. Create the proper configuration file, openssl.cnf: 
    root@esxserver ssl # vi openssl.cnf
[ ca ]
default_ca       = VMware_Inc

[ VMware_Inc ]
dir              = /etc/vmware-mui/ssl
certificate      = $dir/cacert.crt
new_certs_dir    = $dir/certs
private_key      = $dir/cacert.key
database         = $dir/index.txt
serial           = $dir/serial
default_bits     = 1024
default_crl_days = 30
default_days     = 365
default_md       = sha1
encrypt_key      = no
prompt           = no
x509_extensions  = ca_extensions
policy           = VMware_Inc_policy

[ ca_extensions ]
basicConstraints       = CA:false

[ VMware_Inc_policy ]
commonName             = supplied
stateOrProvinceName    = supplied
countryName            = supplied
emailAddress           = supplied
organizationName       = supplied
organizationalUnitName = optional

[ req ]
default_bits       = 1024
private_key        = /etc/vmware-mui/ssl/mui.key
default_md         = sha1
distinguished_name = VMware
x509_extensions    = v3_ca
string_mask        = nombstr
encrypt_key        = no
prompt             = no

[ VMware ]
countryName            = US
stateOrProvinceName    = California
localityName           = Palo Alto
organizationName       = VMware
organizationalUnitName = VMware Management Interface
commonName             = esxserver
emailAddress           = ssl-certificates@vmware.com

[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints       = CA:true
    Note: Modify all entries so they are specific to your environment.

  5. Point openssl to the proper configuration file: 
    root@esxserver ssl # export
OPENSSL_CONF=/etc/vmware-mui/ssl/openssl.cnf
  6. Create a self-signed root certificate: 
    root@esxserver ssl # openssl req -x509 -newkey rsa -out cacert.crt
-keyout cacert.key
Using configuration from /etc/vmware-mui/ssl/openssl.cnf
Generating a 1024 bit RSA private key
..++++++
.++++++
writing new private key to 'cacert.key'
-----
  7. Verify the root certificate: 
    root@esxserver ssl # openssl x509 -in cacert.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: sha1WithRSAEncryption
...
  8. Generate a certificate request: 
    root@esxserver ssl # openssl req -newkey rsa:1024 -keyout mui.key -out
request.crt
Using configuration from /etc/vmware-mui/ssl/openssl.cnf
Generating a 1024 bit RSA private key
.............++++++
......++++++
writing new private key to 'mui.key'
-----
  9. Verify the certificate request: 
    root@esxserver ssl # openssl req -in request.crt -text -noout
Using configuration from /etc/vmware-mui/ssl/openssl.cnf
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=California, L=Palo Alto, O=VMware, OU=VMware
Management Interface, CN=esxserver/Email=ssl-certificates@vmware.com
...
  10. Generate a certificate: 
    root@esxserver ssl # openssl ca -in request.crt -out mui.crt -notext
Using configuration from /etc/vmware-mui/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'California'
localityName          :PRINTABLE:'Palo Alto'
organizationName      :PRINTABLE:'VMware'
organizationalUnitName:PRINTABLE:'VMware Management Interface'
commonName            :PRINTABLE:'esxserver'
emailAddress          :IA5STRING:'ssl-certificates@vmware.com'
Certificate is to be certified until Aug 30 22:13:14 2006 GMT (365
days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
  11. Start the management interface: 
    root@esxserver # /etc/init.d/httpd.vmware start
  12. Access the management interface through your browser to examine the certificate.
阅读(1664) | 评论(0) | 转发(0) |
0

上一篇:使用VMware vCenter Convert 4转换VMware Workstation 7虚拟

下一篇:IP地址接管(IP Address Takeover IPAT)机制

给主人留下些什么吧!~~
关于我们 | 关于IT168 | 联系方式 | 广告合作 | 法律声明 | 免费注册

Copyright 2001-2010 ChinaUnix.net All Rights Reserved 北京皓辰网域网络信息技术有限公司. 版权所有

感谢所有关心和支持过ChinaUnix的朋友们

16024965号-6