I recently had the "pleasure" of installing SSL certificates onto a VMware vCenter Server Appliance. And by pleasure, I mean I followed the 81-step process for replacing the self-signed SSL certificates that were created when the appliance was initially installed. Yes, you read that right, 81 steps.
In reality, it was over 100 steps by the time you completed all of the preparation to generate the certificate signing requests (CSR) and send them off to the CA to be signed. The process was made that much more enjoyable by the fact that I had to perform it 2 times since the certificates needed to be set up for both client and server authentication usage, something that the CSR specified but my CA software did not honor the first time through.
As I was going through the process, I could not help but wonder what drove the Java camp to adopt PKCS12 formatting as their preferred SSL container vs PEM formatting that the C world uses. Add to that the special sauce for the Java keystore file in step 65, and I had to keep reminding myself of the old adage: The nice thing about standards is that there are so many to choose from.
Please, appliance vendors, take note: Any time you have to write a process for your users that involves the use of ssh to perform what should be basic management tasks, you have violated the implied appliance contract. An appliance needs to be something that I install and forget about; a tool that I use to accomplish a task; one less operating system installation that I have to worry about. Not something that I have to ssh into and copy files by hand in a manual, repetitive, error-prone process. I use systems management tools to avoid this kind of mundane work for a reason.
Hopefully VMware will improve the appliance management functions and provide an interface that will allow the certificates to be managed by the appliance. Zimbra has this ability already; maybe the VCSA developers should buy them a cup-o-joe and pick their brains. If not, maybe projects like vCert Manager will bear fruit and make this task less painful in the future.