Updating the vCenter Server Appliance from the command line

The offline method of updating the vCenter Server Appliance is useful for environments that have no direct internet access (to avoid the security risk of exposing the appliance) and for updating a vCenter where the update fails when run from the VAMI page. It is important to update and patch these environments as well, to protect them from vulnerabilities.

How to download the patch iso?

We can download the patch from the VMware product patches page.

On the VMware product patches page, select VC from the product drop-down menu, then select the version of your vCenter (6.5, 6.7 or 7.0). Download the latest patch in the list for the vCenter version you are using.

Note: when you want to patch the vCenter server, make sure the ISO you download carries the FP tag in its name. (Refer to the image below.)

Important: you only need the latest patch, because the updates are cumulative and contain all previous patches.

After downloading the ISO from the Product Patches page, connect to your vSphere Client and upload the ISO to a datastore that is accessible to the vCenter Server Appliance. Then select the vCenter Server Appliance VM, attach the ISO to the VM's CD/DVD drive and select the Connected option.

Open an SSH session (with PuTTY, for example) to the vCenter appliance as the root account and follow the steps below:

  1. Stage the patch from the mounted ISO:
     software-packages stage --iso --acceptEula
  2. Show the patch that has been staged on the vCenter:
     software-packages list --staged
  3. Install the staged patch on the vCenter:
     software-packages install --staged

This method is very useful because you can stage the patches ahead of the maintenance window, which reduces downtime.

A VMware patch does not always require a reboot; confirm whether the particular patch requires one from its release notes.

Updating the vCenter Server Appliance using an ISO

The offline method of updating the vCenter Server Appliance is useful for environments that have no direct internet access, to avoid the security risk. It is important that these environments are updated and patched as well.

Download the latest FP patch ISO for your vCenter version from the VMware product patches page, upload it to a datastore and attach it to the vCenter Server Appliance VM, exactly as described in the command-line section above.

Log in to the vCenter Appliance Management page: use your web browser to connect to https://<vCSA IP Address or hostname>:5480 and log in as root. Note that we are accessing the appliance itself, not the vCenter Server, and that port 5480 is the port dedicated to management of the vCenter Server Appliance.

Click the Update menu, then click Check Updates > Check CD-ROM. The update on the attached FP ISO will show up; select Stage and Install.

Once you click the Stage and Install link, follow the assistant, which guides you through the patch process.

Accept the end-user license agreement; you may also choose to join the CEIP (Customer Experience Improvement Program). Click Next.

On the next screen you must check the box saying “I have backed up vCenter and its associated databases.” and then click Finish.

Once the process completes, the vCenter is updated to the patch level of the attached ISO.

vSphere SSL Certificates

What is a certificate?

A certificate (digital certificate) is a unique, digitally signed document that identifies an individual, organization or system. Using public-key cryptography, its authenticity can be verified, so that the software or website you are using can be shown to be legitimate. On the Internet, a certificate is signed by a trusted CA (certificate authority), and that signature is verified with the CA’s public key. A certificate whose signature verifies contains a trusted public key of the certificate holder (for example, the website operator), with which encrypted HTTPS communications can be established.

An operating system or web browser warns the user when loading software or a website whose digital certificate is not verified by a trusted CA.

A certificate contains information about the owner of the certificate: e-mail address, owner’s name, certificate usage, validity period, resource location or Distinguished Name (DN), which includes the Common Name (CN) (a website address or e-mail address depending on the usage), and the identity of the CA that certifies (signs) this information.

It also contains the public key and, finally, a signature (a signed hash of the contents) to ensure that the certificate has not been tampered with. Because you have chosen to trust the party who signed this certificate, you also trust the certificate itself. This chain of trust is the certificate trust tree or certificate path.
Usually your browser or application already ships with the root certificates of well-known Certification Authorities (CAs), the root CA certificates.

The CA maintains a list of all the certificates it has signed as well as a list of revoked certificates.

A certificate cannot be trusted until it is signed, because only a signed certificate can be checked for modification.

A certificate can be signed with its own key; this is called a self-signed certificate.

All root CA certificates are self signed.

Now that we have seen what a certificate is, let’s see how certificates are used in the vSphere environment.

vSphere Certificate:

Below is the error we get when we try to log in to the vCenter server using a browser: by default, the certificate is not trusted by the computers in your organization.

In day-to-day scenarios most of us see the browser certificate warnings below when accessing the vSphere Web Client. They are caused by an untrusted (and perhaps self-signed) Machine SSL certificate.

There are different ways to get rid of this warning; let’s see how it works and what the different ways of using certificates in the vSphere environment are.
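As an added example (not from the original article), the following Python script, using only the standard library, reports why a client distrusts a vCenter Machine SSL certificate: diagnose() applies the checks discussed above (self-signed, issued by a VMCA root that the client does not trust, hostname missing from the subjectAltName, expiry) to a certificate in the layout returned by ssl's getpeercert(), and check_live() performs a verifying TLS handshake against the appliance, optionally with an exported VMCA root PEM as the CA file. The host name, the sample certificate and the assumption that the default VMCA root subject is CN=CA,DC=vsphere,DC=local are mine, not the article's.

```python
import socket
import ssl
import time

def san_matches(cert, hostname):
    """Clients check subjectAltName DNS entries, not the CN (exact or *.domain)."""
    host = hostname.lower()
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        if value.lower() == host:
            return True
        if value.startswith("*.") and host.split(".", 1)[1:] == [value[2:].lower()]:
            return True
    return False

def diagnose(cert, hostname, now=None):
    """Return the reasons a browser would warn about this getpeercert()-style cert."""
    now = time.time() if now is None else now
    issuer = [(attr, val) for rdn in cert["issuer"] for attr, val in rdn]
    dcs = [val for attr, val in issuer if attr == "domainComponent"]
    reasons = []
    if cert["subject"] == cert["issuer"]:
        reasons.append("self-signed: no trusted CA vouches for this certificate")
    elif ("commonName", "CA") in issuer and dcs == ["vsphere", "local"]:
        # Assumption: the default VMCA root subject is CN=CA,DC=vsphere,DC=local.
        reasons.append("issued by VMCA: import the VMCA root into the client trust store")
    if not san_matches(cert, hostname):
        reasons.append("hostname %s is not in subjectAltName" % hostname)
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        reasons.append("certificate expired on " + cert["notAfter"])
    return reasons

def check_live(host, port=443, cafile=None):
    """Handshake with the appliance; returns (trusted, cert_or_None, verify_error)."""
    ctx = ssl.create_default_context(cafile=cafile)  # cafile: exported VMCA root PEM
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, tls.getpeercert(), None
    except ssl.SSLCertVerificationError as err:
        return False, None, err.verify_message

SAMPLE_CERT = {  # constructed sample in getpeercert() layout: VMCA-issued Machine SSL cert
    "subject": ((("commonName", "vcsa.lab.example"),), (("organizationName", "VMware"),)),
    "issuer": ((("commonName", "CA"),), (("domainComponent", "vsphere"),),
               (("domainComponent", "local"),), (("countryName", "US"),)),
    "subjectAltName": (("DNS", "vcsa.lab.example"), ("IP Address", "10.0.0.5")),
    "notAfter": "Dec 31 23:59:59 2035 GMT",
}
```

Running check_live("vcsa.lab.example") against a default appliance fails with a verify message such as "unable to get local issuer certificate"; passing the exported VMCA root as cafile makes the same handshake succeed, which is exactly the difference between a warning and a trusted connection in the browser.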

vSphere Certificate Management:

Certificates ensure that communication between services, solutions and users is secure and that systems are who we think they are. By default, VMCA acts as the root certificate authority. Certificates are issued that chain to VMCA, and the root certificate of VMCA is self-signed because it is the end of the chain.

The certificate lifecycle is handled by two components:

VMware vSphere 6.x Solution for Complete Certificate Lifecycle Management

VMware Certificate Authority (VMCA):

Located on: Embedded Deployment and Platform Services Controller (vCSA with external PSC).

VMware Endpoint Certificate Store (VECS):

Located on: Embedded Deployment, and vCenter Management Node (vCSA with external PSC).

VMware Certificate Authority (VMCA):

  • Dual operational modes:
    • Root CA
    • Issuer CA
  • Root CA: created automatically during installation. It can issue other certificates; all solution user and endpoint certificates are created by, and chain to, this root certificate.
  • Issuer CA:
  1. Replaces the default root CA certificate created during installation.
  2. Requires a CSR from VMCA, which an enterprise or third-party CA uses to generate a new issuing certificate.
  3. Replaces all the default certificates issued during installation.
  4. Managed using the certificate manager utility:
    • /usr/lib/vmware-vmca/bin/certificate-manager
  5. VMCA then issues certificates to any vCenter Servers and associated ESXi hosts that are registered to it.
  6. The real value of VMCA is in automating the replacement and renewal of certificates, without having to manually generate CSRs, mint certificates and then manually install them.

VMware Endpoint Certificate Store (VECS):

  • Repository for certificates and private keys
  • Key stores:
    • Machine SSL certs
    • Trusted roots
    • CRLs
    • Solution users (certificates issued by the VMCA are for internal service-to-service communication within vCenter Server)
    • others (e.g. VVOLS, VASA etc.).
  • We can manage VECS using the vecs-cli
  • Does not manage SSO certificates

Types of Certificates in VMware vSphere 6.x:

  • ESXi Certificates
  • Machine SSL Certificate
  • Solution User Certificates
  • Single Sign-On Certificates

ESXi Certificates:

Machine SSL certificates:

Solution User Certificates:

  • Solution user certificate stores are located in VECS on each management node (PSC) and embedded deployment.
  • machine – Used by component manager, license server, and the logging service.
  • vpxd – vCenter service daemon (vpxd) store on management nodes and embedded deployments. vpxd uses the solution user certificate to authenticate to vCenter Single Sign-On.
  • vpxd-extensions – Includes the Auto Deploy service, inventory service, and other services that are not part of other solution users.
  • vsphere-webclient – Includes the vSphere Web Client and some additional services such as the performance chart service.

Single Sign-On Certificates:

  • Not stored in VECS.
  • Not managed with certificate management tools.
  • Security Token Service (STS): an identity provider that issues, validates, and renews the SAML tokens that are used for authentication throughout vSphere.
  • By default, the STS signing certificate is generated by VMCA.
  • Manually refresh STS certificate via vSphere Web Client when the certificate expires.

We will look at the different types of certificates and how to implement them in detail. Please follow my page for regular updates on virtualization.

How to Create a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.x & 7.x

In this article we are going to learn how to configure Microsoft Certificate Authority (CA) templates for use with custom SSL certificate implementation in vSphere 6.x/7.x.

Connect to the CA server from which you will be generating the certificates, using an RDP session (mstsc).

Click Start > Run, type certtmpl.msc, and click OK.

In the Certificate Template Console, under Template Display Name, right-click Web Server and click Duplicate Template.

In the Duplicate Template window, select Windows Server 2003 Enterprise for backward compatibility.

Note: If you have an encryption level higher than SHA1, select Windows Server 2008 Enterprise.

Click the General tab and, in the Template display name field, enter VMware (or any name you prefer) as the name of the new template.

Click on the Extensions tab.

  1. Select Application Policies and click Edit.
  2. Select Server Authentication and click Remove, then OK.

Note: If Client Authentication exists, remove it from Application Policies as well.

Select Key Usage and click Edit.

  1. Select the Signature is proof of origin (nonrepudiation) option. Leave all other options at their defaults.
  2. Click OK.

Click the Subject Name tab.

  1. Ensure that the Supply in the request option is selected.
  2. Click OK to save the template.

Now let’s proceed with adding the new template to the Certificate Templates section, to make the newly created certificate template available for issuing.

Click Start > Run, type certsrv.msc, and click OK.

In the left pane of the Certificate Console, if the tree is collapsed, expand the node by clicking the + icon.

Right-click Certificate Templates and click New > Certificate Template to Issue.

Locate VMware under the Name column and click OK.

Now we have successfully added the VMware CA template to the Certificate Templates.

Reference: https://kb.vmware.com/s/article/2112009

Updating the vCenter server appliance using VAMI (vCenter Appliance Management Page)

Updating the vCenter from the VAMI (vCenter Appliance Management Page) is the most widely used option, since most vCenter servers are connected to the internet, and it has been the easiest way to update the vCenter Server Appliance in recent times.

How to Patch the vCSA using VAMI?

To patch the vCenter Server Appliance, log in to the vCenter Appliance Management page: use your web browser to connect to “https://<vCSA IP Address or hostname>:5480” and log in as root. Note that we are accessing the appliance management interface, not the vCenter Server, and that port 5480 is the port dedicated to management of the vCenter Server Appliance.

Once you log in you will see the VAMI homepage.

VAMI homepage

Perform the below four steps to update the vCenter:

  1. Click on Update.
  2. Select Check CD-ROM + URL.
  3. Select the latest patch in the list.
  4. Select Stage and Install.

Steps to update vCenter

Accept the License Agreement and click NEXT.

Accept License Agreement

Check the box Join the VMware Customer Experience Improvement Program (CEIP) and click NEXT.

VMware’s Customer Experience Improvement Program

Now confirm that you have backed up the vCenter server and its databases (an offline or memory snapshot of the vCenter will suffice) and click FINISH.

You can ignore the estimated downtime shown; the entire update process takes at most 15 to 20 minutes.

Now the staging and installation of the patch will begin.

Installation of Patch

Verify from the homepage that the vCenter is updated.

With the above process we have successfully updated the vCenter.