VMware App Volumes – Replace AVM self-signed certificate with Domain CA signed certificate using PowerShell

Release date: January 2nd 2023

Welcome to my VMware App Volumes series. I have previously described how to replace the self-signed AVM certificate manually, here: VMware App Volumes – Replace App Volumes Manager self-signed certificate with Domain CA signed certificate. In this session I will describe how to do this by using a PowerShell script from a management station instead. As this new certificate will be used with a HAProxy load balancer, I needed to add the FQDN of the load balancer to the SAN when requesting the new certificate. Before I started I made myself a little workflow as shown below.

First, I created the following credentials to be used in the script:

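# Export-CliXml protects the password with DPAPI: only this user on this computer can decrypt the file
$credential = Get-Credential
$credential | Export-CliXml -Path "<path to App Volumes Admin>\appvol_admin_${env:USERNAME}_${env:COMPUTERNAME}.xml"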

Although I wanted to use PowerShell for the configuration, I ran into some issues with OpenSSL, which resulted in the need to use the CMD file below.

ConvCerts.cmd

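REM Extract the private key from the PFX (the password must match the one used for Export-PfxCertificate)
openssl.exe pkcs12 -in c:\install\<cert.pfx> -passin pass:1234 -nocerts -out c:\install\<cert.key> -passout pass:1234
REM Write the key as PEM without a passphrase; this file is unencrypted on disk
openssl.exe rsa -in c:\install\<cert.key> -passin pass:1234 -outform PEM -out c:\install\<cert-PEM.key>
REM Extract the server certificate only, without the key
openssl.exe pkcs12 -in c:\install\<cert.pfx> -passin pass:1234 -clcerts -nokeys -out c:\install\<cert.crt>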

Prerequisites:

  • The computer account for the AVM server has to have Read/Enroll permissions on the certificate template
  • PowerShell Administrative access to the AVM-server
  • OpenSSL needs to be installed on the AVM-server

Now that I had the credential and the CMD file ready, I was good to go. (PS: I know I’m no programmer and a lot of this script has the potential for improvement, but it gets the job done, and that’s good enough for me.)

# --- Configure and start PSSession ---

$avm = "avm fqdn"
$credential = Import-CliXml -Path "<path to App Volumes Admin>\appvol_admin_${env:USERNAME}_${env:COMPUTERNAME}.xml"
$session = New-PSSession -ComputerName $avm -Credential $credential -Authentication CredSSP

# --- Define, Copy, Request Certificate and Run CMD ---

Invoke-Command -Session $session -ScriptBlock {
    
    $installDir = "C:\Install\"
    $convCertsCMD = "<network-path>\convCerts.cmd"
    $nginxDir ="C:\Program Files (x86)\CloudVolumes\Manager\nginx\conf"
    
    New-Item -Path $installDir -type directory -Force
    Copy-Item -Path $convCertsCMD -Destination $installDir -Force
    
    # Remove existing CA provided certificate
    $oldThumbprint = (Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.Issuer -match "<CA Name>"}).Thumbprint;
    Get-ChildItem -Path Cert:\LocalMachine\My\ | where{$_.Thumbprint -eq $oldThumbprint} | Remove-Item -Force

    # Request new certificate from CA, export to pfx
    Get-Certificate -Template "<Certificate Template>" -DnsName "<fqdn avm server>","<fqdn load balancer>" -SubjectName 'CN=<fqdn avm server>' -CertStoreLocation cert:\LocalMachine\My
    $mypwd = ConvertTo-SecureString -String "1234" -Force -AsPlainText
    $CertThumbprint = (Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.Issuer -match "<CA Name>"}).Thumbprint;
    Get-ChildItem -Path Cert:\LocalMachine\My\ | where{$_.Thumbprint -eq $CertThumbprint} | Export-PfxCertificate -FilePath C:\Install\cert.pfx -Password $mypwd 
        
    # Use openSSL to export key and convert certificate
    C:\Install\convCerts.cmd

    # Copy new certificate and key to NGINX-folder
    Copy-Item -Path $installDir\<cert.crt> -Destination $nginxDir -Force
    Copy-Item -Path $installDir\<cert.key> -Destination $nginxDir -Force

    Start-Sleep -s 120 # SLOW LAB...:)

    # Remove temp folder with content

    Remove-Item -Path $installDir -Recurse -Force

    Restart-Computer -ComputerName "<fqdn avm server>" -Force
}

Remove-PSSession $session
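
A pre-export check for the request step in the script above, as an added example that is not part of the original post: it takes the thumbprint from the object Get-Certificate returns instead of matching on issuer, then confirms the private key, the validity window and both SAN names before anything is exported. Test-AvmCertificate and the 30-day threshold are assumptions; the <...> placeholders are the same ones the script uses.

```powershell
# Added example, not from the original post. Test-AvmCertificate is a
# hypothetical helper; the <...> placeholders are the ones used in the script.
function Test-AvmCertificate {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string[]]$RequiredDnsName,
        [int]$MinDaysValid = 30
    )
    # Re-read the certificate from the machine store so the checks reflect
    # what Export-PfxCertificate will actually see.
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    $problems = @()

    # A PFX without the private key is useless to NGINX.
    if (-not $cert.HasPrivateKey) { $problems += 'no private key in the store' }

    # Reject certificates that are not yet valid or about to expire.
    $now = Get-Date
    if ($cert.NotBefore -gt $now) { $problems += 'not yet valid' }
    if ($cert.NotAfter -lt $now.AddDays($MinDaysValid)) {
        $problems += "expires $($cert.NotAfter.ToString('u'))"
    }

    # DnsNameList (added to certificate objects by PowerShell on Windows)
    # holds the subject CN and the SAN DNS entries; -notcontains is
    # case-insensitive, as DNS names are.
    $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    foreach ($required in $RequiredDnsName) {
        if ($names -notcontains $required) { $problems += "SAN is missing $required" }
    }

    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        DnsNames   = $names
        Ok         = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# Keep the enrollment result instead of searching the store by issuer.
$result = Get-Certificate -Template '<Certificate Template>' `
    -DnsName '<fqdn avm server>', '<fqdn load balancer>' `
    -SubjectName 'CN=<fqdn avm server>' -CertStoreLocation Cert:\LocalMachine\My
if ($result.Status -ne 'Issued') { throw "Enrollment status: $($result.Status)" }

$check = Test-AvmCertificate -Thumbprint $result.Certificate.Thumbprint `
    -RequiredDnsName '<fqdn avm server>', '<fqdn load balancer>'
if (-not $check.Ok) { throw "Certificate rejected: $($check.Problems -join '; ')" }
$check.Thumbprint   # export only this certificate
```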

Official VMware Documentation:

VMware App Volumes planning, deployment, upgrades etc.

Disclaimer: Every tip, trick and posting I have published here has been tried and tested in different IT solutions. It is not guaranteed to work everywhere, but is meant as a tip for other users out there. Remember, Google is your friend and don’t be afraid to steal with pride! Feel free to comment below as needed.
