Internal certificate authority (CA) SSL Cert (root+intermediate chain) Minting Process

Document created by menkowski on Oct 22, 2015. Last modified by fran.schwarzmann on Aug 15, 2016. Version 2

Internal certificate authority (CA), e.g. Microsoft, Venafi


Issue - Out of the box, a self-signed certificate is issued (linex.site). This also gives end users the scary click-through message:

"Your connection is not private. Attackers might be trying to steal your information from xyz.com (for example, passwords, messages, or credit cards). NET::ERR_CERT_AUTHORITY_INVALID"


  1. Log in to your internal CA and mint a cert for the FQDN of the VTM instance.
  2. Download the cert in PKCS 12 format. Make sure the root chain and private key options are checked. Type in a password.
  3. Convert the PKCS 12 cert into .pem format. RDP into a Windows 2008/2012 server. Copy the ssl-certificate-updater-tool-1308332.zip located on the Windows vCenter ISO and extract it.
  4. Copy the .pfx file into the openssl folder.
    ex.  \Desktop\ssl-certificate-updater-tool-1308332\tools\openssl\
  5. Open a command prompt as admin (Start / cmd / right-click on the Command Prompt icon and run as administrator) and change into the openssl directory.
  6. Extract the private key and chain. Type in openssl and hit Enter to get the OpenSSL prompt. Then type in the following, with the correct name of your .pfx file in place of ***.pfx:
    pkcs12 -in ***.pfx -out privatekey.pem -nodes -nocerts
    pkcs12 -in ***.pfx -out chain.pem -nodes -nokeys
  7. Edit the privatekey.pem file. Remove the 6 lines of text above -----BEGIN RSA PRIVATE KEY-----
    1.png
  8. Rename the privatekey.pem file to private.key
  9. Edit the chain.pem file. Remove the same kind of text above and below each of the following lines, so that only the certificate blocks remain.
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    When you are done, chain.pem should contain 78 lines of text.
    2.png
  10. The structure of the chain.pem should be:
    Lines 1-25 = root cert
    Lines 26-51 = intermediate cert
    Lines 52-78 = hostname cert
  11. Create a new rootca.crt file from lines 1-25. Open the rootca.crt file to validate.
    3.png
  12. Create a new intermediate.crt file from lines 26-51
    4.png
  13. Create a new host.crt file from lines 52-78
    5.png
  14. SSH into the VMTurbo server and back up the vhost-ssl file
    cp /etc/apache2/vhosts.d/vhost-ssl /etc/apache2/vhosts.d/vhost-ssl.bak
  15. Edit vhost-ssl. Change SSLCertificateFile /etc/apache2/ssl.crt/server.crt to /etc/apache2/ssl.crt/host.crt
    Change SSLCertificateKeyFile /etc/apache2/ssl.key/server.key to /etc/apache2/ssl.key/private.key
    Add:
    SSLCaCertificateFile /etc/apache2/ssl.crt/rootca.crt
    SSLCertificateChainFile /etc/apache2/ssl.crt/intermediate.crt
    6.png
  16. Save the vhost-ssl file in vi, or upload it via WinSCP to /etc/apache2/vhosts.d/
  17. Use WinSCP to copy the 3 files (host.crt, rootca.crt, intermediate.crt) from your PC to /etc/apache2/ssl.crt/
  18. Use WinSCP to copy private.key from your PC to /etc/apache2/ssl.key/
  19. Restart the web server service
    service httpd restart
  20. Validate the URL in a browser and click on the lock icon to confirm the new certificate is presented.
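The splitting in steps 9 through 13, as an added shell example that is not from the original document: it keys on the BEGIN/END markers instead of the fixed line numbers and strips the Bag Attributes text that openssl pkcs12 writes around each certificate, so it also works when a certificate is longer or the chain has more members. The function names, the cert-N.pem output names and the sample chain (placeholder bodies, not real certificates) are mine; the root/intermediate/host order it assumes is the one the document observed and should be confirmed with openssl x509 -noout -subject -issuer before naming the files.

```shell
# Added example, not part of the original document. Automates steps 9-13:
# strip the "Bag Attributes"/subject=/issuer= text that "openssl pkcs12 -nokeys"
# writes around each certificate and split chain.pem into one file per cert,
# keyed on the BEGIN/END markers rather than fixed line numbers 1-25/26-51/52-78.

# split_chain <chain.pem> <outdir>: writes <outdir>/cert-1.pem, cert-2.pem, ...
# in file order and prints the number of certificates found.
split_chain() {
    infile=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inblock = 1 }
        inblock                        { print > out }
        /^-----END CERTIFICATE-----/   { inblock = 0; close(out) }
        END                            { print n + 0 }
    ' "$infile"
}

# name_chain_files <outdir>: assumes the order the document observed
# (root, intermediate, host) and renames the pieces to the names vhost-ssl uses.
# Confirm the order first with: openssl x509 -noout -subject -issuer -in cert-N.pem
name_chain_files() {
    mv "$1/cert-1.pem" "$1/rootca.crt" &&
    mv "$1/cert-2.pem" "$1/intermediate.crt" &&
    mv "$1/cert-3.pem" "$1/host.crt"
}

# make_sample_chain <path>: constructed chain.pem in the shape openssl produces;
# the base64 bodies are placeholders, not real certificates.
make_sample_chain() {
    cat > "$1" <<'EOF'
Bag Attributes: <No Attributes>
subject=/CN=Example Root CA
issuer=/CN=Example Root CA
-----BEGIN CERTIFICATE-----
ROOTPLACEHOLDER
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=/CN=Example Issuing CA
issuer=/CN=Example Root CA
-----BEGIN CERTIFICATE-----
INTERMEDIATEPLACEHOLDER
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=/CN=vtm.example.internal
issuer=/CN=Example Issuing CA
-----BEGIN CERTIFICATE-----
HOSTPLACEHOLDER
-----END CERTIFICATE-----
EOF
}
```

Run it on the real chain.pem with `split_chain chain.pem out && name_chain_files out`, then copy the three .crt files to /etc/apache2/ssl.crt/ as in steps 17 and 18.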


Rollback plan

  1. Delete the vhost-ssl file located in /etc/apache2/vhosts.d/
  2. Rename vhost-ssl.bak to vhost-ssl
    The .bak file has different file names for the SSLCertificateFile and SSLCertificateKeyFile directives (the original server.crt and server.key).
  3. Restart the web server service
    service httpd restart