Mike Foley posted July 14, 2015
[UPDATE] So far, this blog has been one of my most popular here on the vSphere blog. Since publishing this over 18 months ago we have learned quite a bit about the different requirements and considerations customers are under. This “Hybrid Mode” of certificate configuration, where you replace the externally facing reverse proxy certificate and let VMCA manage the hosts and solution users, addresses a number of issues that customers have encountered. It’s not only easier to manage from an IT standpoint, but it has also stood up as an acceptable method of securing your vSphere environment with many security teams. Because so many read this blog, it only made sense to update it to link to something I’m sure you’ll all find very useful. So, I’m happy to announce that Adam Eckerle has posted a blog that links to one of our Product Walkthrough demos. This PWT will guide you, click by click, through the process of replacing the Machine SSL certificate. Check out this great work by Adam here. Adam is one half of our dynamic duo of vCenter Tech Marketing guys. Emad Younis is the other and his focus is on migration from Windows vCenter to the VCSA. Their blogs are a must read!
A customer recently asked me “How do I replace the “external” SSL certificate of vCenter but still use VMCA in default mode?” Ever curious, I asked “Why?”. His security team required that any “externally” facing management web pages needed to have a custom certificate that chained up to the corporate PKI. But behind that, they were totally cool with using VMCA in default mode (with the self-generated root certificate) for things like ESXi servers and solution users.
Here’s a description of how this should look (the Lab Setup referred to later in this post):
Windows CA, issuing the 3rd party certificate for external access: CN = lab-DC1-CA, DC = lab, DC = local
VMCA root in default mode, issuing certificates for ESXi hosts and solution users: O = vcsa.lab.local, C = US, DC = local, DC = vsphere, CN = CA
Note: Although the two CAs come from systems in the same “lab.local” domain in this example, they are two entirely different CAs with no shared chain between them. As such, the Windows CA could just as easily be in an entirely different domain and this would still work.
Create a folder that you’ll be able to download and upload files to during the exercise. On the VCSA I created a folder in the root account, “/root/Machine_SSL”. I’ll be connecting using WinSCP later. If you’re using WinSCP to connect to VCSA, read KB 2107727 and save yourself some frustration!
The first thing we are going to do is generate the Certificate Signing Request (CSR) for the “Machine SSL” certificate. As mentioned in the previous blog, “The Machine SSL certificate is the certificate you get when you open the vSphere Web Client in a web browser. It is used by the reverse proxy service on every management node, Platform Services Controller, and embedded deployment. You can replace the certificate on each node with a custom certificate.”
To generate the CSR we’ll use the Certificate Manager utility. This is located in:
– C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager on a Windows vCenter Server
– /usr/lib/vmware-vmca/bin/certificate-manager on the VCSA (which is what this walkthrough uses)
Run the utility and select Option 1
Certificate Manager Utility
Now select Option 1 again to generate the CSR and provide the output directory path to write out the files created. In my example I used the “/root/Machine_SSL” folder I previously mentioned.
Next, I logged into my Windows system (DC1.lab.local), fired up WinSCP and downloaded the Machine_SSL csr and key files.
WinSCP copy CSR from VCSA
Open the CSR file in your favorite text editor and copy the contents to the clipboard
Copy CSR contents to Clipboard
Open the web page of the Microsoft Certificate Authority and select “advanced certificate request”. Paste the contents of CSR and select the previously created “vSphere 6.0” template. Submit the request. Note that in some cases, your CA Administrator may have an approval process in place that will require additional steps. These haven’t been implemented in this lab-focused environment.
Submit Certificate Request to MS CA
After submitting the CSR, you’ll be presented with a download page.
Certificate Download Page
On the download page, Select “Base 64 encoded” and click on “Download Certificate”. The downloaded file will be called “certnew.cer”. Rename this to “machine_ssl.cer”
Go back to the download web page and click on “Download certificate chain” (ensuring that “Base 64 encoded” is still selected). The downloaded file will be called “certnew.p7b”. Rename this to “cachain.p7b”
We are now going to export the CA Root certificate from the cachain.p7b file. Right-click on the cachain.p7b file and select “Open”
Open cachain.p7b file for export
Expand the list and click on the Certificates folder. Right-click on the CA root cert (lab-DC1-CA in this example), select All Tasks…Export
Export CA cert
You’re now presented with the Certificate Export Wizard. Click Next and then select the format you want to use. Select “Base 64 encoded X.509 (CER)”
Export cert wizard – select Base 64 encoded
In the next window, click on Browse… and provide a file location and filename. I used “root-64.cer” in the “c:\temp\vcsa.lab.local\Machine_SSL” folder I had previously created.
Save root-64.cer file
After successfully saving and exporting the root-64.cer file, it’s time to upload it to vCenter. Here I’ll use WinSCP again to copy the machine_ssl.cer and root-64.cer file to VCSA.
Copy cer files to VCSA
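Before handing these files to certificate-manager it is worth checking them on the VCSA itself, because a wrong chain, a key that does not match the certificate, or a DER file where Base-64 was expected are the usual reasons the import fails part way through. The script below is an added example, not part of the original post or of VMware’s tooling. It checks that both certificate files are Base-64 (PEM), that machine_ssl.cer chains to root-64.cer, that the private key written next to the CSR (assumed here to be named machine_ssl.key) really belongs to the certificate, and that the certificate names the vCenter FQDN. The rehearse function runs the same checks offline against a constructed, throwaway stand-in for lab-DC1-CA, so you can try it before touching the real files.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks to run on the VCSA
# against the uploaded files before certificate-manager touches the reverse proxy.
# Assumes the file names used in the post (machine_ssl.cer, root-64.cer) plus the
# key written next to the CSR, assumed here to be machine_ssl.key, and that
# openssl is on the PATH, as it is on the VCSA.

# check_machine_ssl CERT KEY ROOT FQDN
# Returns 0 when every check passes; each failure is reported on stderr.
check_machine_ssl() {
    cert=$1 key=$2 root=$3 fqdn=$4
    rc=0

    # 1. Both certificates must be Base-64 (PEM), which is what the import expects.
    for f in "$cert" "$root"; do
        if ! grep -q 'BEGIN CERTIFICATE' "$f" 2>/dev/null; then
            echo "$f is not Base-64 encoded; re-download with 'Base 64 encoded' selected" >&2
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] || return 1

    # 2. The issued certificate must chain to the root you are about to import as
    #    its signing certificate. With an intermediate CA, ROOT has to hold the
    #    whole chain (intermediate and root) for this to pass.
    if ! openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1; then
        echo "$cert does not chain to $root" >&2
        rc=1
    fi

    # 3. The private key must belong to the certificate: compare public key digests
    #    (works for RSA and EC keys alike).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "$key is not the private key for $cert" >&2
        rc=1
    fi

    # 4. The name browsers connect to must be in the certificate (SAN or CN).
    if ! openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -Eq "DNS:$fqdn|CN *= *$fqdn"; then
        echo "$cert does not name $fqdn" >&2
        rc=1
    fi
    return "$rc"
}

# Offline rehearsal: a constructed stand-in for lab-DC1-CA signs a stand-in for
# the CSR/key that certificate-manager writes; the checks must then pass on the
# real pair and fail on a deliberately wrong key. Returns 0 if both behave.
rehearse() {
    dir=$(mktemp -d)
    fqdn=vcsa.lab.local
    cat > "$dir/openssl.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$fqdn
EOF
    # Stand-in for the Windows root CA (the real one is exported as root-64.cer).
    openssl req -x509 -config "$dir/openssl.cnf" -extensions ca_ext -newkey rsa:2048 -nodes \
        -days 30 -subj '/DC=local/DC=lab/CN=lab-DC1-CA' \
        -keyout "$dir/ca.key" -out "$dir/root-64.cer" >/dev/null 2>&1
    # Stand-in for certificate-manager Option 1 > Option 1 (CSR plus key).
    openssl req -new -config "$dir/openssl.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$fqdn" -keyout "$dir/machine_ssl.key" -out "$dir/machine_ssl.csr" >/dev/null 2>&1
    # Stand-in for the CA signing the request with the "vSphere 6.0" template.
    openssl x509 -req -days 30 -in "$dir/machine_ssl.csr" \
        -CA "$dir/root-64.cer" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/openssl.cnf" -extensions leaf_ext \
        -out "$dir/machine_ssl.cer" >/dev/null 2>&1

    result=1
    if check_machine_ssl "$dir/machine_ssl.cer" "$dir/machine_ssl.key" "$dir/root-64.cer" "$fqdn"; then
        # Negative control: a key that does not belong to the certificate must be refused.
        openssl genrsa -out "$dir/other.key" 2048 >/dev/null 2>&1
        if ! check_machine_ssl "$dir/machine_ssl.cer" "$dir/other.key" "$dir/root-64.cer" "$fqdn" 2>/dev/null; then
            result=0
        fi
    fi
    rm -rf "$dir"
    return "$result"
}

# Usage on the real files:
#   check_machine_ssl /root/Machine_SSL/machine_ssl.cer /root/Machine_SSL/machine_ssl.key \
#                     /root/Machine_SSL/root-64.cer vcsa.lab.local && echo "safe to import"
if [ "${1:-}" = "rehearse" ]; then
    rehearse && echo "rehearsal passed"
fi
```

If the corporate PKI has an intermediate CA, put the whole chain (intermediate and root) in root-64.cer: the chain check needs it, and certificate-manager expects the signing certificate file to contain the full chain in that case as well. If you would rather skip the Windows export wizard, `openssl pkcs7 -print_certs -in cachain.p7b` run on the VCSA prints every certificate in the Base-64 chain file, and the one whose issuer equals its subject is the root.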
Now that the files have been copied, open up the Certificate Manager Utility and select Option 1, “Replace Machine SSL certificate with Custom Certificate”. Provide the password for your SSO administrator account (administrator@vsphere.local by default) and select Option 2, “Import Custom Certificate(s) and key(s) to replace existing Machine SSL certificate”. You will be prompted for the following files: the custom certificate (machine_ssl.cer), the private key that was written next to the CSR in the first step, and the signing (root) certificate (root-64.cer).
Import Custom Certificates via Certificate Manager Utility
Select “Y” to continue the operation. This may take a few minutes, depending on how your systems are configured.
70 percent completed
100 percent completed
Now it’s time to check to see if all this work has paid off. One thing to remember before we start. Because the new Machine SSL cert has been issued by the enterprise CA on the domain controller, and Active Directory distributes that CA’s root certificate to domain-joined Windows machines, browsers that use the Windows certificate store will trust the vCenter web page without any extra work. In my experience, Internet Explorer and Google Chrome will use the Windows certificate store. Mozilla Firefox does NOT use the Windows certificate store and as such you need to import the root certificate yourself. Import the previously created root-64.cer under the Authorities tab of Firefox’s Certificate Manager (trusting it to identify websites), then open the vCenter web page and you should be all set.
Import root-64.cer into Firefox
Root cert imported into Firefox
Now open your vCenter login page and check the certificate being used to protect it.
vCenter web certificate in Firefox
You’ll see that the certificate has been verified by “lab-DC1-CA”. This is the CA running on the Windows domain controller. If I click on More Information and then View Certificate and scroll down to Issuer, you’ll see the hierarchy details of the certificate I referenced above in Lab Setup.
vCenter Certificate Hierarchy
So now that we’ve confirmed we’re using the Microsoft CA issued cert for vSphere Web Client logon, let’s see what’s going on after we log in.
In a previous blog post I went over the different modes you can run VMCA in. The “Default Mode” is when VMCA uses its own root certificate and issues certificates that chain to that root. You can install that root certificate in your browsers if you don’t want to see things as “untrusted”. Read more about the default modes and installing the root cert.
When you add an ESXi server to vCenter, VMCA will automatically issue it a certificate.
ESXi server certificate
You can see that the issuer matches the values from the Lab Setup portion of this blog.
And the SSL thumbprint/fingerprint (SHA256) has a specific value, ending in 1C:0D:E8.
ESXi Original SSL thumbprint
Now we’ll go back to vCenter and renew the ESXi certificate. Open vCenter, right-click on the host and select Certificates… > Renew…
Renew ESXi Certificate
Confirm by clicking on Yes.
Confirm ESXi renew certificate
Refresh your browser and repeat the steps to display the certificate properties. You’ll see in this example that the SHA256 thumbprint/fingerprint value has changed. The new ending values are now E8:E5:E1. VMCA has re-issued a completely new certificate.
ESXi Renewed SSL Thumbprint
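To turn the browser screenshots above into something you can rerun after every change, here is an added example (not from the original post, and not something VMware ships): a few shell functions around openssl that pull the certificate a client actually receives, report its issuer and SHA-256 thumbprint, and assert the hybrid split, i.e. the reverse proxy certificate issued by lab-DC1-CA and the ESXi host certificate still issued by the VMCA root whose name carries DC=vsphere. The issuer names come from the Lab Setup; demo() works on constructed self-signed stand-ins so it runs offline, and the host name esx01.lab.local in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): confirm the hybrid split from the
# outside, the way a TLS client sees it. Expected issuer names are taken from the
# post's Lab Setup. Only fetch_cert talks to the network; demo() uses constructed
# self-signed stand-ins so the checks can be exercised offline.

# fetch_cert HOST [PORT]: the leaf certificate a TLS client gets from HOST, as PEM.
fetch_cert() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null | openssl x509
}

# issuer_of PEMFILE: issuer DN in RFC 2253 form, stable across openssl versions.
issuer_of() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//'
}

# fingerprint_of PEMFILE: the SHA-256 thumbprint the browser shows for the certificate.
fingerprint_of() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# issued_by PEMFILE RDN: 0 when RDN (e.g. 'CN=lab-DC1-CA') is part of the issuer DN.
issued_by() {
    issuer_of "$1" | grep -Fq "$2"
}

# hybrid_ok VCENTER_PEM ESXI_PEM: 0 when the reverse proxy certificate comes from the
# corporate CA and the host certificate still comes from VMCA, whose default root
# is recognisable by 'DC=vsphere' in its name (see the Lab Setup).
hybrid_ok() {
    issued_by "$1" 'CN=lab-DC1-CA' && ! issued_by "$1" 'DC=vsphere' && issued_by "$2" 'DC=vsphere'
}

# selfsigned DIR SUBJECT NAME: constructed stand-in certificate DIR/NAME.pem with a
# fresh key pair; self-signed, so its issuer reads exactly like SUBJECT.
selfsigned() {
    openssl req -x509 -config "$1/req.cnf" -newkey rsa:2048 -nodes -days 30 \
        -subj "$2" -keyout "$1/$3.key" -out "$1/$3.pem" >/dev/null 2>&1
}

# Offline demo: returns 0 when the split is detected on the right pair, rejected
# on the swapped pair, and a re-issued host certificate changes its thumbprint.
demo() {
    dir=$(mktemp -d)
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$dir/req.cnf"
    selfsigned "$dir" '/DC=local/DC=lab/CN=lab-DC1-CA' vcenter           # issuer: the Windows CA
    selfsigned "$dir" '/O=vcsa.lab.local/C=US/DC=local/DC=vsphere/CN=CA' esxi   # issuer: the VMCA root
    result=1
    if hybrid_ok "$dir/vcenter.pem" "$dir/esxi.pem" && ! hybrid_ok "$dir/esxi.pem" "$dir/vcenter.pem"; then
        # Renew hands the host a freshly issued certificate, so the thumbprint must
        # change; the stand-in simply regenerates the host certificate.
        before=$(fingerprint_of "$dir/esxi.pem")
        selfsigned "$dir" '/O=vcsa.lab.local/C=US/DC=local/DC=vsphere/CN=CA' esxi
        after=$(fingerprint_of "$dir/esxi.pem")
        if [ -n "$before" ] && [ "$before" != "$after" ]; then
            result=0
        fi
    fi
    rm -rf "$dir"
    return "$result"
}

# Live use once the replacement is done (esx01.lab.local is an assumed host name):
#   fetch_cert vcsa.lab.local > vc.pem; fetch_cert esx01.lab.local > esx.pem
#   hybrid_ok vc.pem esx.pem && echo "hybrid mode confirmed"
#   fingerprint_of esx.pem        # record it, renew in vCenter, fetch again and compare
if [ "${1:-}" = "demo" ]; then
    demo && echo "demo passed"
fi
```

Running fetch_cert against the ESXi host directly (port 443) is the command-line equivalent of the browser screenshots: the issuer line should still show the VMCA root from the Lab Setup, and the thumbprint printed before and after Renew should differ, exactly as the 1C:0D:E8 to E8:E5:E1 change above.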
To wrap up, let’s review what we’ve done.