Update NetApp Virtual Storage Console SSL Certs with your own Windows Domain CA Certificates using PowerShell

Ahhh, it seems like replacing SSL certificates in vSphere is a never-ending process. My vSphere farm was not prompting me about untrusted SSL certs until I installed the NetApp Virtual Storage Console. Using the template from my previous posts, however, I was able to quickly update VSC's certs using a combination of the practical admin's post and NetApp's KB (login required).

The practical admin post kept VSC's keystore password encrypted, but with vSphere keystore passwords being so easily available on the Internet and NetApp's KB suggesting that the password be placed on the filesystem in plain text, I did it the easy way and kept the password (netapp) in clear text in the config file. I've tested this script on both VSC 4.1 and 4.2 and it worked quite well.

You can copy and paste the code below, or download the script directly here.

Note: this script uses the Windows CA default WebServer Certificate Template. It also makes backups of your original certificates.

```powershell
#########################################################################################
# NetApp Virtual Storage Console SSL Generation and Replacement script version 0.5
# Tested on VSC 4.1 and 4.2
# No guarantees, warranties, etc.
# Blog post: https://goo.gl/Cdlhb
#########################################################################################

# Place the certs on a network location if your farm is larger than one server
$basedir = "\\fileserver\share\Certs"

# Enter your Windows Certificate Authority information
# below. Make sure it responds to certutil requests.
$rootCA     = "dc.base.local"
$rootCAName = "BASE-DC-CA"
$email      = "[email protected]"   # not referenced by the CSR config below
$org        = "NetNerds"
$city       = "Kaplan"
$state      = "LA"
$country    = "US"

# Enter the path of your VSC Installation
$vscdir = "C:\Program Files\NetApp\Virtual Storage Console"

# Enter the path of your openssl.exe (0.x and 1.x are supported).
# If you don't have OpenSSL already, the script will download it for you.
$openssldir = "C:\OpenSSL-Win32"

##############################################################################################
# You probably don't need to change anything below.
##############################################################################################

If (!(Test-Path($vscdir))) { Write-Host "VSC not found. Script will now exit." ; exit }

$thisfqdn   = ("$env:computername.$env:userdnsdomain").ToLower()
$backuptime = (Get-Date -uformat "%m%d%Y%H%M%S")
# Backups of the original keystore files go under $basedir. ($servicedir is only
# defined in the cert-generation section further down, so it cannot be used here,
# and its contents are wiped on every run anyway.)
$backupdir  = "$basedir\backup-$backuptime"
$openssl    = $openssldir + "\bin\openssl.exe"
$wc         = New-Object System.Net.WebClient

if (!(Test-Path "$basedir")) { $null = New-Item -Type Directory "$basedir" }
$null = (New-Item -Type Directory $backupdir)

Write-Host -Foreground "DarkBlue" -Background "White" "Downloading root CA Cert.."
# AD CS web enrollment endpoint: the current CA certificate, base64 (PEM) encoded
$url    = "https://$rootCA/certsrv/certnew.cer?ReqID=CACert&Renewal=0&Enc=b64"
$root64 = "$basedir\Root64.cer"
$wc.UseDefaultCredentials = $true; $wc.DownloadFile($url, $root64)

if (!(Test-Path($openssl))) {
	Write-Host -Foreground "DarkBlue" -Background "White" "Downloading OpenSSL.."
	$null = New-Item -Type Directory $openssldir
	$sslurl = "https://openssl-for-windows.googlecode.com/files/openssl-0.9.8k_WIN32.zip"
	$sslzip = "$env:temp\openssl.zip"
	$wc.DownloadFile($sslurl, $sslzip)
	$env:path = $env:path + ";$openssldir"

	Write-Host -Foreground "DarkBlue" -Background "White" "Extracting OpenSSL.."
	$shellApplication  = New-Object -com shell.application
	$zipPackage        = $shellApplication.NameSpace($sslzip)
	$destinationFolder = $shellApplication.NameSpace($openssldir)
	$destinationFolder.CopyHere($zipPackage.Items())
	Remove-Item $sslzip
}

######################################################################
# Generate Certs
######################################################################

Write-Host -Foreground "DarkBlue" -Background "White" "Generating service certs.."
$service = "$thisfqdn-netapp"
$server  = $thisfqdn.Substring(0, $thisfqdn.IndexOf("."))

$servicedir = "$basedir\$service"
$servicecfg = "$servicedir\$service.cfg"
$tempkey    = "$servicedir\temp.key"
$netappkey  = "$servicedir\netapp.key"
$netappcsr  = "$servicedir\netapp.csr"
$netappcrt  = "$servicedir\netapp.crt"
$netapppfx  = "$servicedir\netapp.pfx"
$keyalias   = "netapp"

if (Test-Path($servicedir)) { $null = Remove-Item "$servicedir\*.*" } else { $null = mkdir $servicedir }

# OpenSSL request config: unencrypted 2048-bit RSA key, SHA-512, serverAuth EKU,
# and a SAN carrying both the short hostname and the FQDN
Set-Content $servicecfg "[ req ]"
Add-Content $servicecfg " default_md = sha512"
Add-Content $servicecfg " default_bits = 2048"
Add-Content $servicecfg " default_keyfile = netapp.key"
Add-Content $servicecfg " distinguished_name = req_distinguished_name"
Add-Content $servicecfg " encrypt_key = no"
Add-Content $servicecfg " prompt = no"
Add-Content $servicecfg " string_mask = nombstr"
Add-Content $servicecfg " req_extensions = v3_req"
Add-Content $servicecfg "`n[ v3_req ]"
Add-Content $servicecfg " basicConstraints = CA:FALSE"
Add-Content $servicecfg " keyUsage = digitalSignature, keyEncipherment, dataEncipherment"
Add-Content $servicecfg " extendedKeyUsage = serverAuth"
Add-Content $servicecfg " subjectAltName = DNS:$server, DNS:$thisfqdn"
Add-Content $servicecfg "`n[ req_distinguished_name ]"
Add-Content $servicecfg " countryName = $country"
Add-Content $servicecfg " stateOrProvinceName = $state"
Add-Content $servicecfg " localityName = $city"
Add-Content $servicecfg " 0.organizationName = $org"
Add-Content $servicecfg " organizationalUnitName = $service"
Add-Content $servicecfg " commonName = $thisfqdn"

# Generate key + CSR, then rewrite the key as plain PEM and drop the temp copy
& $openssl req -new -nodes -out $netappcsr -keyout $tempkey -config $servicecfg
& $openssl rsa -in $tempkey -out $netappkey
Remove-Item $tempkey
# Submit the CSR to the enterprise CA (CAComputerName\CAName) using the default WebServer template
certreq -submit -config "$rootCA\$rootCAName" -attrib "CertificateTemplate:WebServer" $netappcsr $netappcrt
# Bundle key, issued cert and root CA cert into a PKCS#12 that keytool can import
& $openssl pkcs12 -export -in $netappcrt -inkey $netappkey -certfile $root64 -name $keyalias -passout pass:netapp -out $netapppfx

###############################################################################
# NetApp Virtual Storage Console
###############################################################################

Write-Host -Foreground "DarkBlue" -Background "White" "Updating NetApp Virtual Storage Console.."

Stop-Service NVPF

Write-Host -Foreground "DarkBlue" -Background "White" "Backing up current keystore.."
Move-Item "$vscdir\etc\keystore.properties" $backupdir
Move-Item "$vscdir\etc\nvpf.keystore" $backupdir

Set-Content "$vscdir\etc\keystore.properties" "http.ssl.keystore.file=etc/nvpf.keystore"
Add-Content "$vscdir\etc\keystore.properties" "http.ssl.keystore.password=netapp"
Add-Content "$vscdir\etc\keystore.properties" "http.ssl.key.password=netapp"

Write-Host -Foreground "DarkBlue" -Background "White" "Creating new NetApp Virtual Storage Console keystore.."
# Import the PKCS#12 into a fresh JKS keystore, then import the CA-issued cert
# against the same alias so the key entry's certificate is the signed one
$null = (& "$vscdir\jre\bin\keytool.exe" -v -importkeystore -srckeystore "$servicedir\netapp.pfx" -srcstoretype pkcs12 -srcstorepass netapp -srcalias "netapp" -destkeystore "$vscdir\etc\nvpf.keystore" -deststoretype JKS -deststorepass netapp -destkeypass netapp -destalias "netapp")
$null = (& "$vscdir\jre\bin\keytool.exe" -alias "netapp" -noprompt -v -importcert -keystore "$vscdir\etc\nvpf.keystore" -deststoretype JKS -storepass netapp -file $netappcrt)

Start-Service NVPF

###############################################################################
# Finish
###############################################################################

Write-Host -Foreground "DarkBlue" -Background "White" "Done!"
```
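A post-replacement check, added here and not part of the original script: it confirms that the new nvpf.keystore holds a private-key entry under the "netapp" alias with a two-certificate chain, that the running NVPF service actually presents the certificate the CA issued, and that Windows can build a trusted chain for it. The path variables are copied from the script above; `$vscPort` is an assumption, since the post does not state which HTTPS port VSC listens on.

```powershell
# Added verification step; not part of the original script.
# $vscdir, $thisfqdn and $netappcrt mirror the script above. $vscPort is an
# ASSUMPTION: set it to the HTTPS port of your VSC install before running.
$vscdir    = "C:\Program Files\NetApp\Virtual Storage Console"
$thisfqdn  = ("$env:computername.$env:userdnsdomain").ToLower()
$netappcrt = "\\fileserver\share\Certs\$thisfqdn-netapp\netapp.crt"
$vscPort   = 8143

function Test-VscCertificate {
    # 1. The certificate the CA issued (thumbprint is what we compare against)
    $issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($netappcrt)

    # 2. What the keystore holds: expect "Entry type: PrivateKeyEntry" and
    #    "Certificate chain length: 2" (server cert + root) for alias "netapp"
    $listing = & "$vscdir\jre\bin\keytool.exe" -list -v -keystore "$vscdir\etc\nvpf.keystore" -storepass netapp -alias netapp 2>&1
    $keyOk   = @($listing -match 'PrivateKeyEntry').Count -gt 0
    $chainOk = @($listing -match 'Certificate chain length: 2').Count -gt 0

    # 3. What the running service presents on the wire. The validation callback
    #    accepts anything so the handshake completes and we can inspect the cert.
    $tcp = New-Object System.Net.Sockets.TcpClient($thisfqdn, $vscPort)
    $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
    try {
        $ssl.AuthenticateAsClient($thisfqdn)
        $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $ssl.Dispose(); $tcp.Close() }

    # 4. Served cert must be the issued one, and the local machine must trust its
    #    chain (domain root present in Trusted Root Certification Authorities)
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $trusted = $chain.Build($served)

    New-Object PSObject -Property @{
        Subject          = $served.Subject
        Issuer           = $served.Issuer
        NotAfter         = $served.NotAfter
        KeystoreEntryOk  = ($keyOk -and $chainOk)
        ServedIssuedCert = ($served.Thumbprint -eq $issued.Thumbprint)
        ChainTrusted     = $trusted
        ChainStatus      = (@($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
    }
}

Test-VscCertificate | Format-List
```

If ServedIssuedCert is false after a restart, the service is still reading the old keystore path or alias; if ChainTrusted is false while the thumbprints match, the problem is the client's root store, not VSC.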

Done!

All SSL Certificate Replacement Posts and Scripts in this Series

vSphere 4.1-5.0 SSL Generation and Replacement Post
 

Copyright 2003 -  Chrissy LeMaire. All Rights Reserved