HomeLab Stage: XLIII Operation SSL

After completing the last Stage XLII: Monster NAS, I wanted to secure my environment a little bit more. The plan was to replace all Self-Signed SSL certificates with CA trusted ones. I would have never expect the amount of work that is required to achieve this „small“ goal….

First step was to do an inventory scan of all systems to check how many SSL certificates are in use…. Oh boy, a lot….

Let´s start with some basics inside a VMware environment:

vCenter Server (Main Datacenter)

vCenter Remote Server (Second Datacenter)

vRealize LogInsight VIP

vRealize Operations Manager Load Balancer within NSX-T

Horizon Connection Server for Internal Use

Horizon Connection Server for External Use

Horizon Unified Access Gateways (UAG)

Horizon Load Balancer within NSX-T

AppVolumes Load Balancer within NSX-T

Xpenology DS3617 Custom NAS

Cohesity Virtual Edition Cluster (Main Datacenter)

Cohesity Virtual Edition Remote Node (Second Datacenter)

vRealize Network Insight Platform & Proxy

NSX-T Manager VIP

Ubiquiti Controller (Ubuntu VM)

Dell VRTX Chassis Management Controller (CMC)

Dell M640 iDRACs

Site Recovery Manager Appliance (Main Datacenter)

Site Recovery Manager Appliance (Second Datacenter)

vSphere Replication Appliance (Main Datacenter)

vSphere Replication Appliance (Second Datacenter)

Dell OpenManage Appliance

Dell OpenManage Integration VMware vCenter (OMIVV)

HCX Enterprise Manager

VMware Identity Manager

Every single system within my lab should have a trusted CA based SSL certificate including Subject Alternative Names (SAN).

After a very short time, I realized that every single system requires its certificates in a different format or with different options…

I checked hundreds of documentations to make sure that I create the correct certificate… I semi automated the process, creating a CSR within the target system (if possible) submit it and sign it with a customized „Webserver-Template“. For systems without the create CSR option, I used OpenSSL to create an appropriate signing request file. After signing, re-submitting the new certificate and restarting the service, the same procedure…. on every single system.

What a pain in the ass…..

Why have I done it? What are my main take away´s? My documentation about it!!!! I think I will profit from it for several years at customer installations.

Stay tuned for the next episode:

HomeLab Stage XLIV: DC2 Redesign