
Root password expired on vCenter VCSA 6.5

I thought I’d update my homelab’s primary vCenter to the latest and greatest (6.5 update 1d), when I encountered an issue with the root password. The update showed up ok in the appliance’s VAMI interface and I selected to install it but an error quickly showed up:

VCSA 6.5 is not ready to be updated

Not ready, huh? When I clicked on the “Show Details” button, I saw a message informing me that the root password had expired or was expiring soon:


VCSA 6.5 update is blocked by expired root password

Well ok, I’ll go and reset it and turn off the expiry I thought. (That process is covered in the vCenter documentation.) But noooo, permission denied! The password couldn’t be set and the expiry settings could not be changed.


Howto: Creating a CA template for VMware services

Having set up my lab’s PKI infrastructure previously, one of the next steps I needed to complete was to create a template for certificates for VMware’s products to use, as they require certain properties to be present in the certificates used.

There is a KB article that covers this but I wanted to run through it and use some of the specifics for my lab.

Template for VMware SSL Certificates

This template will provide certificates for ESXi hosts, vCenter, vRA, vRO etc. To create it, we first need the Certificate Templates Console. This can be opened by running certtmpl.msc.

Per the KB article, I duplicated the “Web Server” template as a starting point. My first task was to give the template a new name and set the validity to 4 years:


On the Extensions tab, although it’s possibly not required for vSphere 6 (it is for earlier versions of vSphere), I added “Client Authentication” under the Application Policies option.


Again, it may not be universally required but I’ve added the “Signature is proof of origin” option under Key Usage (also on the Extensions tab).


Depending on the use case required, it might be useful to be able to export a certificate’s private key. I haven’t worked on View for some years but this option came in handy then. It’s configured under the Request Handling tab.


On the Subject Name tab, ensure that “Supply in the request” is checked.


That’s it. Just hit OK to save it.

Template for VMware VMCA

If you want to set up the VMCA as a subordinate certificate authority on a vSphere 6 Platform Services Controller, a slightly different type of certificate is required. I don’t think that I deviated from the KB article here except with the validity period.


“Publishing” the certificate templates

This is a fairly straightforward process accomplished using the Certification Authority Manager. Templates are added one at a time by right clicking on “Certificate Templates” and selecting New > Certificate Template to Issue.


Once published, the templates are available via the CA’s web interface for new requests.
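To confirm that a certificate issued from the “VMware SSL Certificates” template actually carries the settings chosen above, the following check can be run against it. It is an added example, not part of the original post or the KB article. The function name `Test-VMwareTemplateCert`, the subject `CN=esxi01.lab.example` and the in-memory self-signed sample certificate are constructed for illustration, and the `CertificateRequest` class used to build the sample needs .NET Framework 4.7.2 or later (or PowerShell 7).

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Hypothetical helper: checks a certificate against the template settings in this post.
function Test-VMwareTemplateCert {
    param(
        [Parameter(Mandatory)] [X509Certificate2] $Certificate,
        [int] $MaxYears = 4
    )
    $ku  = $Certificate.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] }
    $eku = $Certificate.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
    $ekuOids = if ($eku) { @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @() }
    $flags   = if ($ku) { $ku.KeyUsages } else { [X509KeyUsageFlags]::None }

    [pscustomobject]@{
        Subject        = $Certificate.Subject
        # Server Authentication is inherited from the duplicated "Web Server" template
        ServerAuth     = $ekuOids -contains '1.3.6.1.5.5.7.3.1'
        # "Client Authentication" was added under Application Policies
        ClientAuth     = $ekuOids -contains '1.3.6.1.5.5.7.3.2'
        # "Signature is proof of origin" is the nonRepudiation key usage bit
        NonRepudiation = $flags.HasFlag([X509KeyUsageFlags]::NonRepudiation)
        # Validity period configured on the template (4 years in this post)
        ValidityOk     = $Certificate.NotAfter -le $Certificate.NotBefore.AddYears($MaxYears)
    }
}

# Constructed sample: a self-signed certificate built in memory with the same
# extensions the template is meant to produce, so the check runs without a CA.
$rsa = [RSA]::Create(2048)
$req = [CertificateRequest]::new('CN=esxi01.lab.example', $rsa,
    [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$usage = [X509KeyUsageFlags]'DigitalSignature, NonRepudiation, KeyEncipherment'
$req.CertificateExtensions.Add([X509KeyUsageExtension]::new($usage, $true))
$oids = [OidCollection]::new()
foreach ($id in '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2') { [void]$oids.Add([Oid]::new($id)) }
$req.CertificateExtensions.Add([X509EnhancedKeyUsageExtension]::new($oids, $false))
$now  = [DateTimeOffset]::Now
$cert = $req.CreateSelfSigned($now, $now.AddYears(2))

Test-VMwareTemplateCert -Certificate $cert | Format-List
```

For a certificate issued by the CA, load the exported `.cer` file into an `X509Certificate2` object and pass that instead of the sample. A `False` in any column points back to the corresponding template tab.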
