VMware App Volumes – Replace AVM self-signed certificate with Domain CA signed certificate using PowerShell

Release date: January 2nd 2023

Welcome to my VMware App Volumes series. I have previously described how to replace the self-signed AVM certificate manually, here: VMware App Volumes – Replace App Volumes Manager self-signed certificate with Domain CA signed certificate. In this session I will describe how to do this by using a PowerShell Script from a management station instead. As this new certificate will be used with a HAProxy load balancer, I needed to add the FQDN of the loadbalancer to the SAN when requesting the new certificate. Before I started I made myself a little workflow as show below.

First, I created the following credentials to be used in the script:

$credential = Get-Credential
$credential | Export-CliXml -Path '<path>\appvol_admin.xml'

Although I wanted to use PowerShell for the configuration, I ran into some issues with openSSL which resulted in the need to use a CMD-file, below.

ConvCerts.cmd

openssl.exe pkcs12 -in c:\install\<cert.pfx> -inkey 1234 -passin pass:1234 -nocerts -out c:\install\<cert.key> -passout pass:1234
openssl.exe rsa -in c:\install\<cert.key> -passin pass:1234 -outform PEM -out c:\install\<cert-PEM.key>
openssl.exe pkcs12 -in c:\install\<cert.pfx> -passin pass:1234 -clcerts -nokeys -out c:\install\<cert.crt>

Prerequisites:

  • The computer-account for the AVM-server, has to have read/enroll permissions on the certificate template
  • PowerShell Administrative access to the AVM-server
  • OpenSSL needs to be installed on the AVM-server

Now that I had the credential and the cmd-file ready, I was good to go. (PS: I know I’m no programmer and a lot of this script have the potential for improvement, but, it gets the job done, and that’s good enough for me).

# --- Configure and start PSSession ---

$avm = "avm fqdn"
$credential = Import-CliXml -Path "<path to App Volumes Admin>\appvol_admin_${env:USERNAME}_${env:COMPUTERNAME}.xml"
$session = New-PSSession -ComputerName $avm -Credential $credential -Authentication CredSSP

# --- Define, Copy, Request Certificate and Run CMD ---

Invoke-Command -Session $session -ScriptBlock {
    
    $installDir = "C:\Install\"
    $convCertsCMD = "<network-path>\convCerts.cmd"
    $nginxDir ="C:\Program Files (x86)\CloudVolumes\Manager\nginx\conf"
    
    New-Item -Path $installDir -type directory -Force
    Copy-Item -Path $convCertsCMD -Destination $installDir -Force
    
    # Remove existing CA provided certificate
    $oldThumbprint = (Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.Issuer -match "<CA Name>"}).Thumbprint;
    Get-ChildItem -Path Cert:\LocalMachine\My\ | where{$_.Thumbprint -eq $oldThumbprint} | Remove-Item -Force

    # Request new certificate from CA, export to pfx
    Get-Certificate -Template "<Certificate Template>" -DnsName "<fqdn avm server>","<fqdn load balancer>" -SubjectName 'CN=<fqdn avm server>' -CertStoreLocation cert:\LocalMachine\My
    $mypwd = ConvertTo-SecureString -String "1234" -Force -AsPlainText
    $CertThumbprint = (Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.Issuer -match "<CA Name>"}).Thumbprint;
    Get-ChildItem -Path Cert:\LocalMachine\My\ | where{$_.Thumbprint -eq $CertThumbprint} | Export-PfxCertificate -FilePath C:\Install\cert.pfx -Password $mypwd 
        
    # Use openSSL to export key and convert certificate
    C:\Install\convCerts.cmd.cmd

    # Copy new certificate and key to NGINX-folder
    Copy-Item -Path $installDir\<cert.crt> -Destination $nginxDir -Force
    Copy-Item -Path $installDir\<cert.key> -Destination $nginxDir -Force

    Start-Sleep -s 120 # SLOW LAB...:)

    # Remove temp folder with content

    Remove-Item –path $installDir –Recurse -Force

    Restart-Computer -ComputerName "<fqdn avm server>" -Force
}

Remove-PSSession $session

Official VMware Documentation:

VMware App Volumes planning, deployment, upgrades etc.

Disclaimer: Every tips/tricks/posting I have published here, is tried and tested in different it-solutions. It is not guaranteed to work everywhere, but is meant as a tip for other users out there. Remember, Google is your friend and don’t be afraid to steal with pride! Feel free to comment below as needed.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: