Chinaunix首页 | 论坛 | 博客
  • 博客访问: 24328107
  • 博文数量: 271
  • 博客积分: 10025
  • 博客等级: 上将
  • 技术积分: 3358
  • 用 户 组: 普通用户
  • 注册时间: 2007-11-12 15:28
文章分类

全部博文(271)

文章存档

2010年(71)

2009年(164)

2008年(36)

我的朋友

分类: LINUX

2010-04-07 11:49:21

Replacing or Regenerating an SSL Certificate for the Management Interface

Details

How can I replace or regenerate an SSL certificate for the management interface after I change the encryption algorithm that SSL uses (for example, to SHA1)?

Solution

Note: This article describes how to perform the procedure on ESX Server. To find the steps for GSX Server, see www.vmware.com/support/gsx25/doc/manage_secure_remote_gsx.html.

Log on to the service console as root to perform the following steps.

  1. Stop the management interface:
    root@esxserver ssl # /etc/init.d/httpd.vmware stop
  2. Change to the following directory:
    root@esxserver ssl # cd /etc/vmware-mui/ssl
  3. Set up a directory infrastructure:
    root@esxserver ssl # touch index.txt
    root@esxserver ssl # echo $(date '+%Y%m%d%H%M') > serial
    Note: The initial serial number can be any unique value.

  4. Create the proper configuration file, openssl.cnf:
    root@esxserver ssl # vi openssl.cnf
    [ ca ]
    default_ca       = VMware_Inc
    
    [ VMware_Inc ]
    dir              = /etc/vmware-mui/ssl
    certificate      = $dir/cacert.crt
    new_certs_dir    = $dir/certs
    private_key      = $dir/cacert.key
    database         = $dir/index.txt
    serial           = $dir/serial
    default_bits     = 1024
    default_crl_days = 30
    default_days     = 365
    default_md       = sha1
    encrypt_key      = no
    prompt           = no
    x509_extensions  = ca_extensions
    policy           = VMware_Inc_policy
    
    [ ca_extensions ]
    basicConstraints       = CA:false
    
    [ VMware_Inc_policy ]
    commonName             = supplied
    stateOrProvinceName    = supplied
    countryName            = supplied
    emailAddress           = supplied
    organizationName       = supplied
    organizationalUnitName = optional
    
    [ req ]
    default_bits       = 1024
    private_key        = /etc/vmware-mui/ssl/mui.key
    default_md         = sha1
    distinguished_name = VMware
    x509_extensions    = v3_ca
    string_mask        = nombstr
    encrypt_key        = no
    prompt             = no
    
    [ VMware ]
    countryName            = US
    stateOrProvinceName    = California
    localityName           = Palo Alto
    organizationName       = VMware
    organizationalUnitName = VMware Management Interface
    commonName             = esxserver
    emailAddress           = ssl-certificates@vmware.com
    
    [ v3_ca ]
    subjectKeyIdentifier   = hash
    authorityKeyIdentifier = keyid:always,issuer:always
    basicConstraints       = CA:true
    Note: Modify all entries so they are specific to your environment.

  5. Point openssl to the proper configuration file:
    root@esxserver ssl # export
    OPENSSL_CONF=/etc/vmware-mui/ssl/openssl.cnf
  6. Create a self-signed root certificate:
    root@esxserver ssl # openssl req -x509 -newkey rsa -out cacert.crt
    -keyout cacert.key
    Using configuration from /etc/vmware-mui/ssl/openssl.cnf
    Generating a 1024 bit RSA private key
    ..++++++
    .++++++
    writing new private key to 'cacert.key'
    -----
  7. Verify the root certificate:
    root@esxserver ssl # openssl x509 -in cacert.crt -text -noout
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 0 (0x0)
            Signature Algorithm: sha1WithRSAEncryption
    ...
  8. Generate a certificate request:
    root@esxserver ssl # openssl req -newkey rsa:1024 -keyout mui.key -out
    request.crt
    Using configuration from /etc/vmware-mui/ssl/openssl.cnf
    Generating a 1024 bit RSA private key
    .............++++++
    ......++++++
    writing new private key to 'mui.key'
    -----
  9. Verify the certificate request:
    root@esxserver ssl # openssl req -in request.crt -text -noout
    Using configuration from /etc/vmware-mui/ssl/openssl.cnf
    Certificate Request:
        Data:
            Version: 0 (0x0)
            Subject: C=US, ST=California, L=Palo Alto, O=VMware, OU=VMware
    Management Interface, CN=esxserver/Email=ssl-certificates@vmware.com
    ...
  10. Generate a certificate:
    root@esxserver ssl # openssl ca -in request.crt -out mui.crt -notext
    Using configuration from /etc/vmware-mui/ssl/openssl.cnf
    Check that the request matches the signature
    Signature ok
    The Subjects Distinguished Name is as follows
    countryName           :PRINTABLE:'US'
    stateOrProvinceName   :PRINTABLE:'California'
    localityName          :PRINTABLE:'Palo Alto'
    organizationName      :PRINTABLE:'VMware'
    organizationalUnitName:PRINTABLE:'VMware Management Interface'
    commonName            :PRINTABLE:'esxserver'
    emailAddress          :IA5STRING:'ssl-certificates@vmware.com'
    Certificate is to be certified until Aug 30 22:13:14 2006 GMT (365
    days)
    Sign the certificate? [y/n]:y
    
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
  11. Start the management interface:
    root@esxserver # /etc/init.d/httpd.vmware start
  12. Access the management interface through your browser to examine the certificate.
阅读(1418) | 评论(0) | 转发(0) |
给主人留下些什么吧!~~