VMware vCenter TLS Cert auto renew

I’m trying to automate the process of creating and renewing TLS certificates for my VMware vCenter servers using Certify the Web and PowerShell. Certify the Web is a program that runs on a Windows desktop and can generate certificates from Let’s Encrypt or other providers. I want to use PowerShell to push the certificates to the vCenter servers after they are created or renewed by Certify the Web. Does anyone have any experience or tips on how to do this? Here is what I have so far:

# Parameter passed in by Certify the Web when the script runs as a post-request task.
param($result) # Required to access the $result parameter

# Load the PowerCLI module.
Try { Import-Module -Name VMware.PowerCLI -ErrorAction Stop }
Catch { Write-Host "Unable to load VMware.PowerCLI module. Please run 'Install-Module -Name VMware.PowerCLI -AllowClobber -Force'" -ForegroundColor Red; Exit 1 }

# Uncomment on first run if vCenter still presents a self-signed or otherwise untrusted certificate.
#Try { Set-PowerCLIConfiguration -InvalidCertificateAction Warn -Scope Session,User,AllUsers -Confirm:$false }
#Catch { Write-Host "Self-signed or invalid cert: run 'Set-PowerCLIConfiguration -InvalidCertificateAction Warn -Scope Session,User,AllUsers'" -ForegroundColor Red; Exit 1 }

# Uncomment to opt out of the Customer Experience Improvement Program prompt.
#Try { Set-PowerCLIConfiguration -Scope Session,User,AllUsers -ParticipateInCeip $false -Confirm:$false }
#Catch { Write-Host "Run 'Set-PowerCLIConfiguration -Scope Session,User,AllUsers -ParticipateInCeip $false'" -ForegroundColor Red; Exit 1 }

if ($result.IsSuccess) {
    # Edit Variables Below
    $FQDN               = "vcenter.vmware.com" # E.G. vcenter.vmware.com
    $vCenterUsername    = "username"
    $vCenterPassword    = "Your_Password"      # Better kept in a secret store than in the script itself
    # Do Not Edit Below This Point

    # Connect to the vCenter. Stop here if the connection fails, so the cmdlets below
    # do not silently run against some other default server in the session.
    Try { $vCenterConnection = Connect-VIServer -Server $FQDN -User $vCenterUsername -Password $vCenterPassword -ErrorAction Stop }
    Catch { Write-Host "Unable to connect to $FQDN. Error: $_" -ForegroundColor Red; Exit 1 }
    $vCenterConnection

    # Read the new full-chain certificate and private key written by Certify the Web.
    $certificatePem = Get-Content -Path "C:\CTW\FullChain\$($FQDN)\$($FQDN).pem" -Raw
    $certificatePrivKeyPem = Get-Content -Path "C:\CTW\FullChain\$($FQDN)\$($FQDN).privkey.pem" -Raw
    # The issuing CA cert(s) still need to be pushed manually (or with Add-VITrustedCertificate).

    # Replace the vCenter machine (SSL) certificate. vCenter restarts its services to apply
    # the new certificate, so the session may drop; reconnect if the cleanup below fails.
    Try { Set-VIMachineCertificate -PemCertificate $certificatePem -PemKey $certificatePrivKeyPem -Server $vCenterConnection -ErrorAction Stop }
    Catch { Write-Host "Failed to update vCenter certificate. Error: $_" -ForegroundColor Red }

    # Remove expired certificates from the vCenter trust store.
    Get-VITrustedCertificate -Server $vCenterConnection | Where-Object { $_.NotValidAfter -lt (Get-Date) } | Remove-VITrustedCertificate -Confirm:$false

    # Disconnect from vCenter
    Disconnect-VIServer -Server $FQDN -Confirm:$false
}
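An added example, not part of the original post, that checks the PEM Certify the Web wrote against the certificate vCenter currently serves, so the Set-VIMachineCertificate step (and the service restart it causes) only happens when the leaf actually changed and is valid for the host. It assumes Windows PowerShell 5.1 or PowerShell 7, the C:\CTW path layout from the post, and a placeholder host name.

```powershell
# Verify a new Certify the Web PEM and decide whether vCenter needs it pushed.
# Assumes PowerShell 5.1/7 (uses ::new and the DnsNameList type extension).

function Get-LeafCertificateFromPem {
    param([Parameter(Mandatory)][string]$PemPath)
    # A full-chain PEM holds several blocks; the first is the server (leaf) certificate.
    $pem = Get-Content -Path $PemPath -Raw
    $m = [regex]::Match($pem, '-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----', 'Singleline')
    if (-not $m.Success) { throw "No certificate block found in $PemPath" }
    $der = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
    return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
}

function Get-ServedCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    # Read the leaf certificate the vCenter HTTPS endpoint currently presents.
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # The callback accepts any chain: this is a read of the served cert, not a trust decision.
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    }
    finally { $tcp.Dispose() }
}

function Test-CertificateNeedsPush {
    param([Parameter(Mandatory)][string]$HostName, [Parameter(Mandatory)][string]$PemPath)
    $new = Get-LeafCertificateFromPem -PemPath $PemPath
    # Refuse certificates that are not for this host or are expired / about to expire.
    # DnsNameList is PowerShell's view of the SAN extension; wildcard names are not matched here.
    if ($new.DnsNameList.Unicode -notcontains $HostName) {
        throw "Certificate SANs ($($new.DnsNameList.Unicode -join ', ')) do not cover $HostName"
    }
    if ($new.NotAfter -lt (Get-Date).AddDays(1)) { throw "Certificate expires $($new.NotAfter)" }
    $served = Get-ServedCertificate -HostName $HostName
    if ($served.Thumbprint -eq $new.Thumbprint) {
        Write-Host "$HostName already serves thumbprint $($new.Thumbprint); skipping push."
        return $false
    }
    return $true
}

# Usage inside the Certify the Web script, before Set-VIMachineCertificate (placeholder host name):
$vcHost = "vcenter.vmware.com"
if (Test-CertificateNeedsPush -HostName $vcHost -PemPath "C:\CTW\FullChain\$vcHost\$vcHost.pem") {
    Write-Host "Served certificate differs from the new one; push it with Set-VIMachineCertificate."
}
```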

Not sure what you are trying to accomplish, but as someone who works with products that integrate with vCenter, having a cert update that frequently would cause us major issues. If you can’t leave the default one on, then you should just use an internal CA to generate a cert for it.

2 Likes

So, the goal is to get a CA-signed certificate from Let’s Encrypt into my vCenter server. I’m taking a wild guess that the product you work on is breaking because the certificate is not signed by a trusted authority. My goal is to get a legitimate, trusted, signed certificate into the vCenter.

I’m with @AaronK, use your internal CA to generate a valid certificate for your vCenter. The root from the CA should be pushed to all corporate devices as a trusted issuer anyway, so it is much easier that way and you can issue a long-life certificate and not have to worry about it for a couple of years.

No, the product I work with imports the cert with the proper signature. Each time the cert changes (i.e. cert renewal, new cert, etc.), the integration breaks. Since Let’s Encrypt will renew certs every 30 days or so, this would break the integration. It would be best to just use your internal CA for this. There’s no need for a publicly signed cert to be installed on vCenter.

1 Like

I will echo what others said, if you really want to use a custom TLS then you should utilize your own CA.

However, if you’re set on using an ACME service then I probably wouldn’t use PowerShell. You’ll want to utilize the cert manager built into vCenter and configure a custom issuer that will handle the cert request/retrieval. VMware actually has documentation on this here - cert-manager packaged by VMware - Generate TLS certificates using ACME Issuers

I hope this doesn’t need to be said, but for the love of god, do not expose any of your vCenter instances to the WAN.

1 Like