Open902.com

My own Knowledge Base made public ..

Create a Windows Enterprise CA and issue certificates for vRA and other VMware Products with examples

I have been running my own lab for quite a while and whilst Self-Signed certificates usually work in a lab environment, knowing how to use Signed Certificates is invaluable.

In vSphere 6, the VCSA ships with its own Certificate Authority (VMware Certificate Authority, or VMCA for short). It can be configured as a subordinate CA that issues certificates on behalf of your Enterprise CA (VMCA Enterprise). Certificates the VCSA then issues (e.g. when adding a host to the VCSA) automatically include the full certificate chain.

Enough jibbajabba, here I will

  1. Create a Windows 2012R2 Enterprise CA
  2. Create a VMware specific template in your newly created Enterprise CA
  3. As an example, show how to create a signed certificate for the vRealize Automation Identity Appliance

Let’s get started

Please note: Commands shown here include hyphens (-) and double quotes ("). WordPress may turn these into typographic variants (for example slightly italic double quotes). If you wish to copy / paste commands, paste them into Notepad first and replace the funny characters.

1. Create a Windows 2012R2 Enterprise CA

I am starting with a fresh install of Server 2012R2 which is joined to my domain.

First the necessary roles need installing. In Server Manager:

  1. Click Add roles and features
  2. Click Next three times
  3. Select Active Directory Certificate Services and confirm the dependencies
  4. Click Next three times
  5. In addition to the default Certification Authority, tick also Certification Authority Web Enrollment and confirm the dependencies
  6. Click Next three times, then click Install
  7. Wait until the installation has finished and click Close

Now configure the role:

  1. Click Configure Active Directory Certificate Services and click Next
  2. Tick both Certification Authority and Certification Authority Web Enrollment
  3. Select Enterprise CA and click Next
  4. Select Root CA and click Next
  5. Select Create a new private key and click Next
  6. Click Next four times, then click Configure
  7. Ensure the configuration succeeded and click Close

Now test the enrollment page by browsing to http://localhost/certsrv/certrqxt.asp

2. Create a VMware specific template

VMware has specific requirements for the template; they are described in VMware's article Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.0.

On the server, run certtmpl.msc and:

  1. Scroll down the list of templates, select Web Server, right-click the template and select Duplicate Template
  2. Under the General tab, enter a name
  3. Select the Extensions tab
  4. Select Application Policies and click Edit. Select Server Authentication and click Remove, then click OK
  5. Select Key Usage and click Edit. Select Signature is proof of origin, leave all other options as default and click OK
  6. Under Subject Name ensure Supply in the request is selected
  7. Click OK to save the template and ensure your new template is now listed

Start certsrv.msc and:

  1. Right-click Certificate Templates > New > Certificate Template to Issue
  2. Select your newly created template and click OK

Browse to the Web-Enrollment site again and ensure the new template is now listed under Certificate Template

3. Request, Issue and Install a new Signed Certificate for the vRealize Identity Appliance

Now we are ready to create a new signed certificate for our VMware stack. Here I show an example using the vRealize Automation Identity Appliance.

Before we start, the SSL page of the Identity Appliance shows that the current certificate is a self-signed certificate.

Here I am using Linux, which has OpenSSL installed by default, to create the required certificates / keys.

Create a configuration file. Example:

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
# take the subject from this file instead of prompting
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation
extendedKeyUsage = serverAuth, clientAuth
# every hostname and IP used to reach the appliance must be listed here
subjectAltName = DNS:identity, DNS:identity.vspherelab.co.uk, IP:10.10.0.130

[ req_distinguished_name ]
countryName = GB
stateOrProvinceName = GB
localityName = Ely
0.organizationName = vSpherelab
organizationalUnitName = vCAC Single Sign On
commonName = identity.vspherelab.co.uk

Save the file on the server. Example: identity.cfg

Ensure you change the details based on your environment accordingly. Add all hostnames and IPs you may use to connect to this server / appliance.

For example, if you intend to use SRM with IP re-numbering, add the DR IP to the above configuration file as well.

Create the Certificate Signing Request (CSR) by running the following command, specifying the newly created configuration file

openssl req -new -nodes -out rui.csr -keyout rui-orig.key -config identity.cfg

Make sure the private key is in unencrypted RSA format by running the following command (with -nodes above the key is already unencrypted, so this step only converts the format)

openssl rsa -in rui-orig.key -out rui.key

You will now have the following files in your directory

  • identity.cfg
  • rui-orig.key
  • rui.csr
  • rui.key

Now copy the content of the CSR – rui.csr

Browse to your Certificate Authority, e.g. http://localhost/certsrv/certrqxt.asp

Paste the content of rui.csr and select the newly created Certificate Template – here vSphere 6

Click Submit

Download the certificate. Ensure you select Base 64 encoded and click Download certificate

The downloaded file is named certnew.cer. Rename it to rui.cer and copy it to your Linux server used to create the *.csr

Your server should now have the following files

  • identity.cfg
  • rui-orig.key
  • rui.csr
  • rui.key
  • rui.cer

Next, download the Root Certificate from your CA server.

  1. Click Home
  2. Select Download a CA certificate, certificate chain, or CRL
  3. Select Base 64 and then Download CA certificate chain
  4. Click Open, or save it and then open it
  5. Right-click the certificate and select All Tasks > Export
  6. Select Base-64 encoded X.509 (.CER) and click Next
  7. Save it as Root64.cer and click Finish

Copy the Root64.cer file to your Linux server used to create the *.csr

Your server should now have the following files

  • identity.cfg
  • rui-orig.key
  • rui.csr
  • rui.key
  • rui.cer
  • Root64.cer
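Before bundling rui.cer and Root64.cer into a PFX it is worth confirming that the CA returned what was asked for: a certificate that chains to the root, belongs to rui.key and still carries the SAN and EKU values from identity.cfg (a template that drops them silently breaks the appliance later). The script below is an added example and not code from the original post; it assumes openssl is on the PATH, uses identity.example.test in place of the lab hostname, and substitutes a throwaway OpenSSL root CA for the Windows Enterprise CA so the check can be exercised offline, while verify_issued_cert is the part you would run against the real rui.cer, rui.key and Root64.cer.

```shell
#!/bin/sh
# Added example, not code from the original post. Before rui.cer is pasted into the
# appliance it should chain to the CA root, match rui.key and still carry the SAN and
# EKU values from identity.cfg. A throwaway OpenSSL root CA stands in for the Windows
# Enterprise CA so this runs offline; file names, the DN and the SANs are assumptions.
set -eu
WORK=$(mktemp -d)
make_request_config() {   # same sections as the post's identity.cfg, plus ca_ext
cat > "$WORK/identity.cfg" <<'EOF'
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:identity, DNS:identity.example.test, IP:10.10.0.130
# ca_ext is only used for the stand-in root CA below
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ req_distinguished_name ]
countryName = GB
commonName = identity.example.test
EOF
}

issue_with_lab_ca() {   # CSR as in the post (-reqexts replaces req_extensions), then the lab root signs it
  openssl req -new -nodes -reqexts v3_req -config "$WORK/identity.cfg" \
    -out "$WORK/rui.csr" -keyout "$WORK/rui.key" 2>/dev/null
  openssl req -x509 -new -nodes -subj "/CN=Lab Root CA" -days 30 -extensions ca_ext \
    -config "$WORK/identity.cfg" -keyout "$WORK/root.key" -out "$WORK/Root64.cer" 2>/dev/null
  # a correct CA template keeps the requested extensions; the stand-in copies v3_req onto the cert
  openssl x509 -req -in "$WORK/rui.csr" -CA "$WORK/Root64.cer" -CAkey "$WORK/root.key" -CAcreateserial \
    -days 30 -extfile "$WORK/identity.cfg" -extensions v3_req -out "$WORK/rui.cer" 2>/dev/null
}

verify_issued_cert() {   # $1 cert  $2 key  $3 root  $4 DNS name that must be present as a SAN
  openssl verify -CAfile "$3" "$1" >/dev/null 2>&1 || return 1                   # chains to the root
  [ "$(openssl x509 -noout -modulus -in "$1")" = \
    "$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)" ] || return 1           # key matches cert
  text=$(openssl x509 -noout -text -in "$1")
  printf '%s\n' "$text" | grep -q "DNS:$4" || return 1                            # SAN survived issuance
  printf '%s\n' "$text" | grep -q "TLS Web Server Authentication"                 # EKU survived issuance
}
make_request_config && issue_with_lab_ca
verify_issued_cert "$WORK/rui.cer" "$WORK/rui.key" "$WORK/Root64.cer" identity.example.test && echo "rui.cer OK"
```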

On your Linux server, create a PFX file by running the following command

openssl pkcs12 -export -in rui.cer -inkey rui.key -certfile Root64.cer -name "identity.vspherelab.co.uk" -passout pass:SomePassword -out rui.pfx

Ensure to change the name and password according to your environment

Now create the actual certificate (PEM) by running the following command

openssl pkcs12 -in rui.pfx -out rui.pem -nodes

You should now have the following files

  • identity.cfg
  • rui-orig.key
  • rui.csr
  • rui.key
  • rui.cer
  • Root64.cer
  • rui.pfx
  • rui.pem

To install the certificate in your Identity Appliance, you need two files

  • rui.key – The Private Key
  • rui.pem – The actual certificate

Download these two files to your local PC and open them with notepad.

On your Identity Appliance navigate to SSO > SSL and select Import PEM encoded Certificate

In the top section – RSA Private Key, paste the content of rui.key

In the bottom section – Certificate Chain, paste the content of rui.pem

Enter the Pass Phrase from the previous step and click Apply Settings

Wait until the process has finished and check the details. They should match the content of your configuration file

To test the certificate, browse to the Identity Appliance using the SSO port (:7444)

You may need to clear the cache of your browser or simply open a private tab.
