Continuing from last time, I'm going to take a closer look at vCert.
VCF/VVF Certificate Management Utility (version 6.0.0)
-----------------------------------------------------------------
1. Check current certificate status
2. View certificate info
3. Manage certificates
4. Manage SSL trust anchors
5. Check configurations
6. Reset all certificates with VMCA-signed certificates
7. ESXi certificate operations
8. Restart services
9. Generate certificate report
E. Exit
Select an option [1]:
First I want to check the certificate expiry dates, so enter 2 and press Enter.
Select an option [1]: 2
View vCenter Certificates
-----------------------------------------------------------------
1. Machine SSL certificate
2. Solution User certificates
3. CA certificates in VMware Directory
4. CA certificates in VECS
5. SMS certificates
6. vCenter Extension thumbprints
7. STS signing certificates
8. VMCA certificate
9. Smart Card CA certificates
10. LDAPS Identity Source certificates
Select an option [Return to main menu]:
It looks like each certificate can be selected individually.
As a test, let's look at the Machine SSL certificate.
Certificate Information
-----------------------------------------------------------------
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
hogehogehogehogehoge
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = CA, DC = vsphere, DC = local, C = US, ST = California, O = vc.nesk.style, OU = VMware Engineering
Validity
Not Before: Apr 30 15:00:00 2025 GMT
Not After : Apr 30 15:00:00 2027 GMT
Subject: CN = vc.nesk.style, C = US, ST = California, L = Palo Alto, O = VMware, OU = VMware Engineering
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (3072 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Subject Alternative Name:
DNS:vc.nesk.style
X509v3 Subject Key Identifier:
X509v3 Authority Key Identifier:
Authority Information Access:
CA Issuers - URI:https://vc.nesk.style/afd/vecs/ca
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
SHA1 Fingerprint=
Certification Path
-----------------------------------------------------------------
[ + ] CA
|_[ + ] vc.nesk.style
Some of the content has been removed or masked, but it is displayed as above.
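As an added example (my own code, not part of the original post or of vCert), the following Python check reads the openssl-style text that option 2 prints and reports the days remaining, whether the expected hostname is in the SAN, and whether the issuer DN is the VMCA one shown above. The sample text, the 30-day warning threshold and the "now" timestamps are constructed assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the layout vCert's "View certificate info" prints (values mirror the post).
SAMPLE_CERT_TEXT = """\
Certificate:
    Data:
        Issuer: CN = CA, DC = vsphere, DC = local, C = US, ST = California, O = vc.nesk.style, OU = VMware Engineering
        Validity
            Not Before: Apr 30 15:00:00 2025 GMT
            Not After : Apr 30 15:00:00 2027 GMT
        Subject: CN = vc.nesk.style, C = US, ST = California, L = Palo Alto, O = VMware, OU = VMware Engineering
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:vc.nesk.style
"""

# Issuer DN prefix the post shows for a VMCA-signed certificate.
VMCA_ISSUER_PREFIX = "CN = CA, DC = vsphere, DC = local"

def _parse_gmt(value):
    """Parse 'Apr 30 15:00:00 2027 GMT' (openssl text layout) into an aware UTC datetime."""
    stamp = re.sub(r"\s*GMT$", "", value.strip())
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)

def parse_cert_text(text):
    """Extract issuer, subject CN, validity window and SAN DNS names from openssl-style text."""
    def line(label):
        m = re.search(rf"^\s*{label}\s*:\s*(.+?)\s*$", text, re.M)
        if not m:
            raise ValueError(f"missing field: {label}")
        return m.group(1)
    return {
        "issuer": line("Issuer"),
        "subject_cn": re.search(r"CN\s*=\s*([^,]+)", line("Subject")).group(1).strip(),
        "not_before": _parse_gmt(line("Not Before")),
        "not_after": _parse_gmt(line("Not After")),
        "san": re.findall(r"DNS:([\w.\-*]+)", text),
    }

def check_machine_ssl(text, expected_host, now_utc, warn_days=30):
    """The checks an admin wants before deciding whether to run the renewal menu.
    now_utc is an ISO 8601 timestamp in UTC, e.g. '2026-04-30T15:00:00'."""
    now = datetime.fromisoformat(now_utc).replace(tzinfo=timezone.utc)
    info = parse_cert_text(text)
    days_left = (info["not_after"] - now).days
    return {
        "days_left": days_left,
        "expires_soon": days_left < warn_days,
        "valid_now": info["not_before"] <= now <= info["not_after"],
        "host_in_san": expected_host in info["san"],
        "vmca_issued": info["issuer"].startswith(VMCA_ISSUER_PREFIX),
    }
```

The same function can be pointed at the output of `openssl x509 -text -noout` for a certificate exported from VECS, since vCert prints the same layout.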
The certificate doesn't currently need renewing, but let's try running the renewal procedure anyway.
VCF/VVF Certificate Management Utility (version 6.0.0)
-----------------------------------------------------------------
1. Check current certificate status
2. View certificate info
3. Manage certificates
4. Manage SSL trust anchors
5. Check configurations
6. Reset all certificates with VMCA-signed certificates
7. ESXi certificate operations
8. Restart services
9. Generate certificate report
E. Exit
Select an option [1]: 3
From the screen above, select 3.
Manage vCenter Certificates
-----------------------------------------------------------------
1. Machine SSL certificate
2. Solution User certificates
3. CA certificates in VMware Directory
4. CA certificates in VECS Directory
5. SMS certificates
6. vCenter Extension thumbprints
7. STS signing certificates
8. VMCA certificate
9. Smart Card CA certificates
10. LDAPS Identity Source certificates
11. Clear expired certificates in BACKUP_STORE in VECS
12. Clear TRUSTED_ROOT_CRLS store in VECS
13. Clear Machine SSL CSR in VECS
Select an option [Return to main menu]: 1
I want to renew the Machine SSL certificate, so select 1 on the selection screen.
Select Machine SSL Certificate Replacement Method
-----------------------------------------------------------------
1. Replace Machine SSL certificate with a VMCA-signed certificate
2. Replace Machine SSL certificate with a custom CA-signed certificate
Judging from the menu items, it looks like a custom CA-signed certificate can be configured as well.
A certificate issued by vCenter is perfectly fine for me, so I'll select 1 and proceed.
Please enter a Single Sign-On administrator account [administrator@vsphere.local]:
Please provide the password for administrator@vsphere.local:
Enter the Single Sign-On administrator account and password.
Certificate Signing Request Information
-----------------------------------------------------------------
Enter the country code [US]:
Enter the Organization name [VMware]:
Enter the Organizational Unit name [VMware Engineering]:
Enter the state [California]:
Enter the locality (city) name [Palo Alto]:
Enter the IP address (optional):
Enter an email address (optional):
Enter any additional hostnames for SAN entries (comma separated value):
Just pressing Enter to accept each default should be fine.
Replace Machine SSL Certificate
-----------------------------------------------------------------
Generate certool configuration OK
Regenerate Machine SSL certificate OK
Backing up Machine SSL certificate and private key OK
Updating MACHINE_SSL_CERT certificate OK
Update SSL Trust Anchors (vc.nesk.style)
Update SSL Trust Anchors (vc.nesk.style)
-----------------------------------------------------------------
Updating service: hoge
Updating service: hoge
Updating service: hoge
Updating service: hoge
Updating service: hoge
Updating service: hoge
Updating service: hoge
Updating service: hoge
Updating service: hoge
Updating service: hoge
Updating service: hoge
Updating service: hoge
Updating service: hoge
Updating service: hoge
Updating service: hoge
Updating service: hoge
Updating service: hoge
Updating service: hoge
Updating service: hoge
Updating service: hoge
Updating service: hoge
Updating service: hoge
Updating service: hoge
Updating service: Default-First-Site:hoge
Updating service: Default-First-Site:hoge
Updating service: Default-First-Site:hoge
Updating service: hoge
Updating service: hoge
Updating service: hoge
Updating service: hoge
Updating service: hoge
Updating service: hoge
Updating service: hoge
Updating service: hoge
Updating service: hoge
Updating service: hoge
Updating service: hogeeac2_com.vmware.vsphere.client
Updating service: hoge
Updating service: hoge
Updating service: hoge
Updating service: hoge
Updating service: hoge
Updating service: hoge
Updating service: hoge
Updated 44 service(s)
Update vCenter Extension Thumbprints
-----------------------------------------------------------------
com.vmware.vcIntegrity (vpxd-extension) MATCHES
com.vmware.vim.eam (vpxd-extension) MATCHES
com.vmware.vlcm.client (vpxd-extension) MATCHES
com.vmware.vmcam (Authentication Proxy) MATCHES
com.vmware.vsan.health (Machine SSL) UPDATED
Restart VMware services [N]: n
Where it says hoge, there are actually different service names.
Finally, it asks whether to restart the services.
I intended to restart later, so I entered n here,
but entering y restarts the vCenter services right away.
This time I'll run the service restart from the main menu instead.
VCF/VVF Certificate Management Utility (version 6.0.0)
-----------------------------------------------------------------
1. Check current certificate status
2. View certificate info
3. Manage certificates
4. Manage SSL trust anchors
5. Check configurations
6. Reset all certificates with VMCA-signed certificates
7. ESXi certificate operations
8. Restart services
9. Generate certificate report
E. Exit
Select an option [1]: 8
Service restart is option 8, so enter 8 and press Enter.
Restart VMware Services
-----------------------------------------------------------------
1. Restart all VMware services
2. Restart specific VMware service
Select an option [Return to main menu]: 1
To restart all services, enter 1 and press Enter.
Restart VMware services [N]: y
Restarting Services
-----------------------------------------------------------------
Stopping VMware services OK
Starting VMware services OK
To restart, enter y and press Enter.
The services are then stopped and started.
Restart VMware Services
-----------------------------------------------------------------
1. Restart all VMware services
2. Restart specific VMware service
Select an option [Return to main menu]:
Once the services have restarted, you are returned to this screen.
Since it can also renew all certificates at once, it may not be that different from fixcert, but fixcert is still the easier one to use without much thought, I suppose.
Renewing all certificates at once
To select this, enter 6 and press Enter.
VCF/VVF Certificate Management Utility (version 6.0.0)
-----------------------------------------------------------------
1. Check current certificate status
2. View certificate info
3. Manage certificates
4. Manage SSL trust anchors
5. Check configurations
6. Reset all certificates with VMCA-signed certificates
7. ESXi certificate operations
8. Restart services
9. Generate certificate report
E. Exit
Select an option [1]: 6
Enter the account name and password of an account with administrator privileges.
Please enter a Single Sign-On administrator account [administrator@vsphere.local]:
Please provide the password for administrator@vsphere.local:
Enter the certificate details.
Certificate Signing Request Information
-----------------------------------------------------------------
Enter the country code [US]:
Enter the Organization name [VMware]:
Enter the Organizational Unit name [VMware Engineering]:
Enter the state [California]:
Enter the locality (city) name [Palo Alto]:
Enter the IP address (optional):
Enter an email address (optional):
Enter any additional hostnames for SAN entries (comma separated value):
Once input is complete, the renewal starts automatically.
Replace Machine SSL Certificate
-----------------------------------------------------------------
Generate certool configuration OK
Regenerate Machine SSL certificate OK
Backing up Machine SSL certificate and private key OK
Updating MACHINE_SSL_CERT certificate OK
Replace Solution User Certificates
-----------------------------------------------------------------
Verifying Service Principal entries exist OK
Generate new certificates and keys:
machine OK
vsphere-webclient OK
vpxd OK
vpxd-extension OK
hvc OK
wcp OK
Backup certificate and private key:
machine OK
vsphere-webclient OK
vpxd OK
vpxd-extension OK
hvc OK
wcp OK
Updating certificates and keys in VECS:
machine OK
vsphere-webclient OK
vpxd OK
vpxd-extension OK
hvc OK
wcp OK
Updating solution user certificates in VMware Directory:
machine OK
vsphere-webclient OK
vpxd OK
vpxd-extension OK
hvc OK
wcp OK
Update vCenter Extension Thumbprints
-----------------------------------------------------------------
com.vmware.vcIntegrity (vpxd-extension) UPDATED
com.vmware.vim.eam (vpxd-extension) UPDATED
com.vmware.vlcm.client (vpxd-extension) UPDATED
com.vmware.vmcam (Authentication Proxy) MATCHES
com.vmware.vsan.health (Machine SSL) UPDATED
Replace SSO STS Signing Certificate
-----------------------------------------------------------------
Generate certool configuration OK
Regenerate STS signing SSL certificate OK
Backup and delete tenant credentials OK
Backup and delete trusted cert chains OK
Add new STS signing certificate to VMDir OK
Update SSL Trust Anchors (vc.nesk.style)
-----------------------------------------------------------------
hogehoge
.....
Updated 44 service(s)
When it finishes, you are asked whether to restart the services; enter y and press Enter to restart them.
Restart VMware services [N]: y
Restarting Services
-----------------------------------------------------------------
Stopping VMware services OK
Starting VMware services OK
The procedure goes roughly as shown above, and since there are quite a few points where you confirm the details,
it does feel like a proper certificate renewal, in that sense.
It's not the kind of task you'd ask someone who doesn't understand it to run on request.