Article Content

Issue


In some situations, the end user may need to import vCenter's SSL root certificates into VxRail Manager manually after the initial VxRail deployment.

For example, the end user may have replaced the self-signed vCenter SSL certificate with one issued by their own CA, which VxRail Manager does not yet trust.
Cause
Resolution
Follow these steps to import the vCenter trusted root certificates (and their CRLs) into the VxRail Manager trust store:
  1. Get the trusted root certificates from vCenter: open a browser, navigate to https://<vc_ip>/, click the "Download trusted root CA certificates" link at the bottom of the grey box on the right, and save the file (download.zip). Alternatively, download the trusted root CA certificates directly onto VxRail Manager with wget; in that case you can skip step 2. Note that --no-check-certificate disables TLS verification for this download, which is unavoidable while the root is not yet trusted, so check the subject, issuer and fingerprint of each downloaded certificate against vCenter before importing it (see step 5).
mystic@vrm:~> wget --no-check-certificate https://<vc_ip>/certs/download.zip
  2. Transfer download.zip to VxRail Manager using SCP (or FTP) and place it in a directory such as /tmp/.
  3. Unzip download.zip. The files are extracted under certs/ on vCenter 6.0, or under certs/lin/ on vCenter 6.5/6.7.
$ ls
029dee96.0   2e722e7f.r0  71111911.2   71111911.r1  dd6b9399.0
029dee96.r0  71111911.0   71111911.3   71111911.r2  dd6b9399.r1
2e722e7f.0   71111911.1   71111911.r0  71111911.r3
  4. The files whose extension is a digit are the certificate files (PEM). The files with a ".r<digit>" extension are the corresponding CRLs. The eight-character prefix is the OpenSSL hash of the subject name, so files that share a prefix are certificates with the same subject, distinguished only by the number after the dot.
  5. Convert the certificate file(s) to DER format using `openssl x509 -outform der -in <INPUT_CA> -out <OUTPUT_FILE>`:
$/tmp/certs # openssl x509 -outform der -in /tmp/certs/71111911.3 -out newcertfile1

If there is more than one certificate file with a distinct base name (ignoring the extension), convert each of them and choose a different output file name for each (for example newcertfile2).

In the listing above, the prefix 71111911 has four certificates. In this situation, choose the one with the LARGEST number as its extension, that is 71111911.3. Before converting, inspect each candidate's subject, issuer and validity dates (openssl x509 can print them) to confirm that the file you pick is the CA that actually issued the current vCenter certificate; sometimes all certificates must be imported, not only the one with the largest number.

Putting this together, for the example in step 3 we convert four certificate files: 029dee96.0, 2e722e7f.0, 71111911.3, dd6b9399.0.
  6. Copy the converted certificates to the trust folder /var/lib/vmware-marvin/trust/:
$/tmp/certs # cp newcertfile* /var/lib/vmware-marvin/trust/

Note: From this step on, root privileges are needed for the file operations.
  7. Convert the CRL files to DER format.
As in step 5, choose the CRL files (extension "r<digit>") that have the same base name as the chosen certificates and the LARGEST number after the "r" in the extension.

For the example above, we convert four CRL files: 029dee96.r0, 2e722e7f.r0, 71111911.r3, dd6b9399.r1

The following command is an example:
$/tmp/certs # openssl crl -outform der -in /tmp/certs/71111911.r3 -out newcrltfile1
  8. Copy the converted CRLs to the CRL folder /var/lib/vmware-marvin/trust/crl:
$/tmp/certs # cp newcrltfile* /var/lib/vmware-marvin/trust/crl
  9. Change the ownership and permissions of the new certificate file(s) and CRL file(s):
cd /var/lib/vmware-marvin/trust/
chown tcserver:pivotal newcertfile*
chmod 777 newcertfile*
cd crl
chown tcserver:pivotal newcrltfile*
chmod 777 newcrltfile*

Note: Mode 777 makes the trust anchors world-writable, so any local user could replace them while this window is open. Keep it short and tighten the permissions again in step 11 as soon as the service has restarted.
  10. Restart the marvin service:
/etc/init.d/vmware-marvin restart  // for VxRail 3.0
systemctl restart vmware-marvin    // for VxRail 3.5 and later

Note: At this point the new root certificates should be trusted by VxRail Manager.
  11. Change the permissions of the new certificate and CRL file(s) set in step 9 back to '-rw-r--r--' (chmod 644):
# chmod 644 /var/lib/vmware-marvin/trust/newcertfile*
# chmod 644 /var/lib/vmware-marvin/trust/crl/newcrltfile*
  12. Wait for the web interface to load. It may take up to 10 minutes for the GUI to be ready.
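The conversion and import sequence above (steps 3 to 11), as an added POSIX shell example that is not part of the original article and not Dell's or VMware's own tooling. It assumes download.zip is already unpacked, that openssl is on the PATH of VxRail Manager, that it runs as root, and that the trust directories, owner (tcserver:pivotal) and service names are exactly those listed in the steps; the function names (list_files, pick_latest, show_cert, to_der, import_trust) and the output file names (newcertfile_<hash>_<n>, newcrltfile_<hash>_r<n>) are this example's own choices. It applies the article's "largest number per hash" rule, compares the index numerically so that .10 is not sorted below .9, prints each certificate's subject, issuer, validity and SHA-256 fingerprint before importing it (the check you need after a --no-check-certificate download), and honours IMPORT_ALL=1 for the case where every certificate must be imported rather than only the highest-numbered one.

```shell
#!/bin/sh
# Added example, not from the original article: automates steps 3-11 on the
# VxRail Manager shell. Assumptions (not stated on the page): download.zip is
# already unpacked, openssl is on PATH, the script runs as root, and the trust
# directories, owner and service names are exactly the ones the article lists.
set -eu

TRUST_DIR="${TRUST_DIR:-/var/lib/vmware-marvin/trust}"

# list_files cert|crl: print the hash-named files of one kind found on stdin.
# Certificates are <8 hex>.<n>; CRLs are <8 hex>.r<n> (OpenSSL hash-dir layout).
list_files() {
  case "$1" in
    cert) grep '^[0-9a-f]\{8\}\.[0-9]\{1,\}$' ;;
    crl)  grep '^[0-9a-f]\{8\}\.r[0-9]\{1,\}$' ;;
    *)    echo "list_files: expected cert|crl" >&2; return 2 ;;
  esac
}

# pick_latest cert|crl: from file names on stdin, keep for each hash prefix only
# the entry with the highest numeric index (the article's "largest number" rule).
# The comparison is numeric so that .10 beats .9; output is sorted for stable use.
pick_latest() {
  list_files "$1" | awk -F. '
    { n = $2; sub(/^r/, "", n); n += 0
      if (!($1 in idx) || n > idx[$1]) { idx[$1] = n; best[$1] = $0 } }
    END { for (h in best) print best[h] }' | sort
}

# show_cert FILE: print what you are about to trust. Compare subject, issuer,
# validity and fingerprint with vCenter before importing anything that was
# fetched with --no-check-certificate.
show_cert() {
  openssl x509 -noout -subject -issuer -dates -fingerprint -sha256 -in "$1"
}

# to_der IN OUT: PEM -> DER. CRLs (extension r<n>) need "openssl crl";
# certificates need "openssl x509".
to_der() {
  case "${1##*.}" in
    r[0-9]*) openssl crl  -outform DER -in "$1" -out "$2" ;;
    *)       openssl x509 -outform DER -in "$1" -out "$2" ;;
  esac
}

# import_trust SRC_DIR: convert and install the selected files, then restart
# marvin with the 777 -> restart -> 644 sequence the article prescribes.
# Set IMPORT_ALL=1 to import every certificate instead of only the latest per
# hash (the article's note for cases where the highest index is not enough).
import_trust() {
  src="$1"
  files=$(ls "$src")
  if [ "${IMPORT_ALL:-0}" = 1 ]; then
    certs=$(printf '%s\n' "$files" | list_files cert)
  else
    certs=$(printf '%s\n' "$files" | pick_latest cert)
  fi
  crls=$(printf '%s\n' "$files" | pick_latest crl)

  installed=""
  for f in $certs; do
    show_cert "$src/$f"
    out="$TRUST_DIR/newcertfile_$(printf '%s' "$f" | tr . _)"
    to_der "$src/$f" "$out"
    installed="$installed $out"
  done
  for f in $crls; do
    out="$TRUST_DIR/crl/newcrltfile_$(printf '%s' "$f" | tr . _)"
    to_der "$src/$f" "$out"
    installed="$installed $out"
  done

  chown tcserver:pivotal $installed
  chmod 777 $installed
  if command -v systemctl >/dev/null 2>&1; then
    systemctl restart vmware-marvin          # VxRail 3.5 and later
  else
    /etc/init.d/vmware-marvin restart        # VxRail 3.0
  fi
  # World-writable trust anchors let any local user swap the CA; tighten them
  # right after the restart, as the article's final permission step does.
  chmod 644 $installed
}

# Usage: sh import_vc_roots.sh /tmp/certs/lin   (or /tmp/certs on vCenter 6.0)
if [ "$#" -gt 0 ]; then
  import_trust "$1"
fi
```

Run it as root on VxRail Manager with the unpacked certificate directory as the only argument. The selection functions read plain file names, so you can dry-run the choice first with `ls /tmp/certs/lin | pick_latest cert` after sourcing the file, and compare the printed fingerprints with those shown by the vCenter UI before the copy and restart happen.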
Notes

Note: Sometimes it may be necessary to import all certificates, not only the ones with the higher numbers.