I have been running my own lab for quite a while and whilst Self-Signed certificates usually work in a lab environment, knowing how to use Signed Certificates is invaluable.
In vSphere 6, the VCSA now ships with its own Certificate Authority (VMware Certificate Authority, or VMCA for short). It can be configured as a subordinate CA that issues certificates on behalf of your Enterprise CA (VMCA Enterprise mode). Certificates the VCSA then issues, for example to an ESXi host when it is added to the VCSA, automatically carry the full certificate chain.
Enough jibbajabba, here I will
- Create a Windows 2012R2 Enterprise CA
- Create a VMware specific template in your newly created Enterprise CA
- As an example, show how to create a signed certificate for the vRealize Automation Identity Appliance
Let’s get started
Please note: the commands shown here include hyphens (-) and double quotes ("). WordPress may replace these with typographic look-alikes. If you copy and paste commands, paste them into Notepad first and replace the funny characters with plain ASCII ones.
1. Create a Windows 2012R2 Enterprise CA
I am starting with a fresh install of Server 2012R2 which is joined to my domain.
First the necessary roles need installing.
Click Add roles and features
Click Next
Click Next
Click Next
Select Active Directory Certificate Services
And confirm the dependencies
Click Next
Click Next
Click Next
In addition to the default Certification Authority, also tick Certification Authority Web Enrollment
And confirm the dependencies
Click Next
Click Next
Click Next
Click Install
And wait until the installation has finished and click Close
Click Configure Active Directory Certificate Services
Click Next
Tick both Certification Authority and Certification Authority Web Enrollment
Select Enterprise CA and click Next
Select Root CA and click Next
Select Create a new private key and click Next
Click Next on the Cryptography page (keep at least a 2048-bit RSA key and choose SHA256 rather than SHA1; the root CA signs every certificate it issues with this key and hash algorithm)
Click Next on the CA Name page (the CA name cannot be changed after installation)
Click Next on the Validity Period page
Click Next on the Certificate Database page
Click Configure
Ensure the configuration succeeded and click Close
Now test the enrollment page by browsing to http://localhost/certsrv/certrqxt.asp
2. Create a VMware specific template
VMware has specific requirements for the template. They are documented in the VMware KB article "Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.0", which the steps below follow.
On the server, run certtmpl.msc
Scroll down on the list of templates, select Web Server, right-click the template and select Duplicate Template
Under the General tab, enter a name.
Select the Extension tab
Select Application Policies and click Edit
Select Server Authentication and click Remove. Click OK
Select Key Usage and click Edit
Select Signature is proof of origin (nonrepudiation). Leave all other options as default and click OK
Under the Subject Name tab, ensure Supply in the request is selected, so the subject and subject alternative names are taken from the CSR.
Click OK to save the template
Ensure your new template is now listed
Start certsrv.msc
Right-Click Certificate Templates > New > Certificate Template to Issue
Select your newly created template and click OK
Browse to the Web-Enrollment site again and ensure the new template is now listed under Certificate Template
3. Request, Issue and Install a new Signed Certificate for the vRealize Identity Appliance
Now we are ready to create a new signed certificate for our VMware stack. Here I show an example using the vRealize Automation Identity Appliance.
Here you can see that the current certificate is a Self-Signed Certificate
Here I am using Linux, which normally has OpenSSL installed, to create the required key, CSR and certificate files.
Create a configuration file. Example:
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:identity, DNS:identity.vspherelab.co.uk, IP:10.10.0.130

[ req_distinguished_name ]
countryName = GB
stateOrProvinceName = GB
localityName = Ely
0.organizationName = vSpherelab
organizationalUnitName = vCAC Single Sign On
commonName = identity.vspherelab.co.uk
Save the file on the server. Example: identity.cfg
Ensure you change the details based on your environment accordingly. Add all hostnames and IPs you may use to connect to this server / appliance.
For example, if you intend to use SRM with IP re-numbering, add the DR IP to the above configuration file as well.
Create the Certificate Signing Request (CSR) by running the following command, specifying the newly created configuration file
openssl req -new -nodes -out rui.csr -keyout rui-orig.key -config identity.cfg
Convert the private key to the traditional RSA PEM format by running the following command. Because the CSR was created with -nodes (and encrypt_key = no), rui-orig.key is already unencrypted; this step only rewrites it with a "BEGIN RSA PRIVATE KEY" header, matching the RSA Private Key field you will paste it into later. On OpenSSL 3 add -traditional to get that header.
openssl rsa -in rui-orig.key -out rui.key
You will now have the following files in your directory
- identity.cfg
- rui-orig.key
- rui.csr
- rui.key
Now copy the content of the CSR – rui.csr
Browse to your Certificate Authority , e.g. http://localhost/certsrv/certrqxt.asp
Paste the content of rui.csr and select the newly created Certificate Template – here vSphere 6
Click Submit
Download the certificate. Ensure Base 64 encoded is selected and click Download certificate
Here you can see the downloaded file is named certnew.cer. Rename it to rui.cer and copy it to the Linux server used to create the *.csr
Your server should now have the following files
- identity.cfg
- rui-orig.key
- rui.csr
- rui.key
- rui.cer
Next, download the Root Certificate from your CA server.
Click Home
Select Download a CA certificate, certificate chain, or CRL
Select Base 64 and then Download CA certificate chain
Click Open or save it and then open it
Right-Click the certificate and select All Tasks > Export
Select Base-64 encoded X.509 (.CER) and click Next
Save it as Root64.cer
Click Finish
Copy the Root64.cer file to your Linux server used to create the *.csr
Your server should now have the following files
- identity.cfg
- rui-orig.key
- rui.csr
- rui.key
- rui.cer
- Root64.cer
On your Linux server, create a PFX file by running the following command
openssl pkcs12 -export -in rui.cer -inkey rui.key -certfile Root64.cer -name "identity.vspherelab.co.uk" -passout pass:SomePassword -out rui.pfx
Ensure to change the name and password according to your environment
Now extract the certificate chain (PEM) from the PFX by running the following command. The -nokeys option keeps the private key out of rui.pem; it already lives in rui.key and is pasted separately.
openssl pkcs12 -in rui.pfx -passin pass:SomePassword -nokeys -out rui.pem
You should now have the following files
- identity.cfg
- rui-orig.key
- rui.csr
- rui.key
- rui.cer
- Root64.cer
- rui.pfx
- rui.pem
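The script below is an added example, not code from the original post or from VMware: it runs the OpenSSL steps above end to end with the post's file names and hostnames, and then performs the checks worth doing before anything is pasted into an appliance (chain verifies against the root, private key matches the certificate, the expected SANs and the serverAuth EKU are present). Because no Windows CA is reachable offline, a throwaway OpenSSL root CA is created to stand in for the Enterprise CA; that CA, its file name ca.key, and the function names are assumptions of this example, and in a real run rui.cer and Root64.cer come from the certsrv pages instead.

```shell
# Added example, not code from the original post or from VMware: runs the
# OpenSSL steps above end to end and checks the result. A throwaway OpenSSL
# root CA (an assumption of this example) stands in for the Enterprise CA;
# in a real run rui.cer and Root64.cer come from the certsrv pages instead.
# Write the request config from the post, parameterised on CN and SAN list.
write_req_config() {
    dir="$1"; cn="$2"; san="$3"
    cat > "$dir/identity.cfg" <<EOF
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = $san
[ req_distinguished_name ]
countryName = GB
stateOrProvinceName = GB
localityName = Ely
0.organizationName = vSpherelab
organizationalUnitName = vCAC Single Sign On
commonName = $cn
EOF
}
# Stand-in root CA (example only); Root64.cer plays the exported Windows root.
make_lab_ca() {
    dir="$1"
    cat > "$dir/ca.cfg" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[ dn ]
CN = Lab Root CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 3650 \
        -keyout "$dir/ca.key" -out "$dir/Root64.cer" -config "$dir/ca.cfg" >/dev/null 2>&1
}
# The post's CSR, key, PFX and PEM steps; issuance is done by the lab CA here.
issue_and_package() {
    dir="$1"; cn="$2"; pw="$3"
    (
        set -e
        cd "$dir"
        openssl req -new -nodes -out rui.csr -keyout rui-orig.key -config identity.cfg
        # A format rewrite, not a decryption (the key was written unencrypted);
        # OpenSSL 3 needs -traditional here for a "BEGIN RSA PRIVATE KEY" header.
        openssl rsa -in rui-orig.key -out rui.key
        # Stand-in for pasting rui.csr into certsrv and downloading certnew.cer.
        openssl x509 -req -in rui.csr -CA Root64.cer -CAkey ca.key -CAcreateserial \
            -days 730 -sha256 -extfile identity.cfg -extensions v3_req -out rui.cer
        openssl pkcs12 -export -in rui.cer -inkey rui.key -certfile Root64.cer \
            -name "$cn" -passout "pass:$pw" -out rui.pfx
        # -nokeys: rui.pem carries only the chain; the key stays in rui.key.
        openssl pkcs12 -in rui.pfx -passin "pass:$pw" -nokeys -out rui.pem
    ) >/dev/null 2>&1
}
# Does the private key belong to the certificate? Compare the RSA moduli.
key_matches_cert() {
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null)
    k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}
# Pre-import checks: chain validates, key matches, every expected SAN (spelled
# as "openssl x509 -text" prints it, e.g. 'IP Address:10.10.0.130') and the
# serverAuth EKU are present in the issued certificate.
verify_bundle() {
    dir="$1"; shift
    openssl verify -CAfile "$dir/Root64.cer" "$dir/rui.cer" >/dev/null 2>&1 ||
        { echo "chain does not verify against Root64.cer"; return 1; }
    key_matches_cert "$dir/rui.cer" "$dir/rui.key" ||
        { echo "rui.key does not match rui.cer"; return 1; }
    text=$(openssl x509 -noout -text -in "$dir/rui.cer")
    for san in "$@"; do
        printf '%s\n' "$text" | grep -q -- "$san" || { echo "missing SAN: $san"; return 1; }
    done
    printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' ||
        { echo "serverAuth EKU missing"; return 1; }
    echo "bundle in $dir is consistent"
}
# Run the whole flow for the post's names and IP (constructed sample values).
run_lab() {
    dir="$1"; pw="$2"
    write_req_config "$dir" identity.vspherelab.co.uk \
        "DNS:identity, DNS:identity.vspherelab.co.uk, IP:10.10.0.130" &&
    make_lab_ca "$dir" &&
    issue_and_package "$dir" identity.vspherelab.co.uk "$pw"
}
```

Source the file and run `run_lab /tmp/lab SomePassword && verify_bundle /tmp/lab 'DNS:identity.vspherelab.co.uk' 'IP Address:10.10.0.130'`; against a real Windows-issued rui.cer and exported Root64.cer, only verify_bundle and key_matches_cert are needed. The modulus comparison is the quickest way to catch the classic mistake of pairing a freshly generated key with a certificate issued for an earlier CSR, and the SAN check is what fails when a hostname or the SRM DR address was left out of identity.cfg.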
To install the certificate in your Identity Appliance, you need two files
- rui.key – The Private Key
- rui.pem – The actual certificate
Download these two files to your local PC and open them with Notepad. Treat rui.key as a secret: it is unencrypted, so delete any copies once the import is done.
On your Identity Appliance navigate to SSO > SSL and select Import PEM encoded Certificate
In the top section – RSA Private Key, paste the content of rui.key
In the bottom section – Certificate Chain, paste the content of rui.pem
and enter the Pass Phrase from the previous step and click Apply Settings
Wait until the process has finished and check the details. They should match the content of your configuration file
To test the certificate – browse to the Identity Appliance using the SSO port (:7444)
You may need to clear the cache of your browser or simply open a private tab.