The Subject Alternative Name (SAN) field lets a single SSL certificate protect additional hostnames and IP addresses. Starting with VCF 4.3, the certificate management module of SDDC Manager supports custom Subject Alternative Names.
Background
From VCF 3.x onwards, the certificate management module of SDDC Manager generated Certificate Signing Requests (CSRs) with predefined SAN fields, namely the hostname and the IP address of each server. This covers most customer use cases, but it made it impossible to reach a server through an alternate DNS name.
User Interface change
The existing 'Generate CSRs' popup was a dialogue box:
The new 'Generate CSRs' popup is a wizard containing additional inputs that accept custom SAN fields:
API changes
In VCF 4.2 and earlier, the Generate CSR API did not accept SAN fields. Starting with VCF 4.3, SAN input can be passed to the Generate CSR API.
An example of generating a CSR with custom SANs, here a custom domain name plus IPv4 and IPv6 addresses, is shown below:
sddcManager=localhost
domainName=MGMT
# -k disables TLS verification of the SDDC Manager endpoint; it is used in all examples below
curl "https://${sddcManager}/v1/domains/${domainName}/csrs" -kX PUT \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer ${accessToken}" \
  -d '{
    "csrGenerationSpec" : {
      "country" : "IN",
      "state" : "Karnataka",
      "locality" : "Bengaluru",
      "organization" : "VMware",
      "organizationUnit" : "VCF",
      "email" : "[email protected]",
      "keySize" : "2048",
      "keyAlgorithm" : "RSA"
    },
    "resources" : [ {
      "fqdn" : "'${sddcManager}'",
      "type" : "SDDC_MANAGER",
      "sans": ["sddc-manager.example.com", "127.0.0.1", "::1"]
    } ]
  }'
The example below illustrates a complete workflow for replacing resource certificates with custom SAN fields. It uses the third-party utility jq to parse the JSON responses.
Example
Step 1: Log in
sddcManager=sddc-manager.example.com
# jq -r strips the JSON quotes so the token can be used directly in the Bearer header
accessToken=$(curl "https://${sddcManager}/v1/tokens" -ksX POST \
  -H 'Content-Type: application/json' \
  -d '{
    "username":"[email protected]",
    "password":"********"
  }' | jq -r .accessToken)
Step 2: Configure CA
# This is an optional step if the certificates are signed offline

# Verify the existing Certificate Authorities
curl "https://${sddcManager}/v1/certificate-authorities" -ks \
  -H "Authorization: Bearer ${accessToken}" | jq

# Delete an existing CA
curl "https://${sddcManager}/v1/certificate-authorities/OpenSSL" -ikX DELETE \
  -H "Authorization: Bearer ${accessToken}"

# Configure OpenSSL CA
curl "https://${sddcManager}/v1/certificate-authorities" -ikX PUT \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer ${accessToken}" \
  -d '{
    "openSSLCertificateAuthoritySpec" : {
      "commonName" : "OpenSSL CA",
      "country" : "IN",
      "state" : "Karnataka",
      "locality" : "Bengaluru",
      "organization" : "VMware",
      "organizationUnit" : "VCF"
    }
  }'

# Configure Microsoft CA
curl "https://${sddcManager}/v1/certificate-authorities" -ikX PUT \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer ${accessToken}" \
  -d '{
    "microsoftCertificateAuthoritySpec" : {
      "username" : "Administrator",
      "secret" : "********",
      "serverUrl" : "https://certificate-authority.example.com/certsrv",
      "templateName" : "VCF"
    }
  }'
Step 3: List the domains and resources (optional)
curl "https://${sddcManager}/v1/domains" -ks \
  -H "Authorization: Bearer ${accessToken}" | jq
Step 4: Generate CSR
# Domain to operate on (one of the names returned in step 3)
domainName=MGMT

# Generate CSR:
curl "https://${sddcManager}/v1/domains/${domainName}/csrs" -kX PUT \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer ${accessToken}" \
  -d '{
    "csrGenerationSpec" : {
      "country" : "IN",
      "state" : "Karnataka",
      "locality" : "Bengaluru",
      "organization" : "VMware",
      "organizationUnit" : "VCF",
      "email" : "[email protected]",
      "keySize" : "2048",
      "keyAlgorithm" : "RSA"
    },
    "resources" : [ {
      "fqdn" : "'${sddcManager}'",
      "type" : "SDDC_MANAGER",
      "sans": ["sddc-manager.example.com", "127.0.0.1", "::1"]
    } ]
  }'

# Wait until CSRs are generated:
taskId=... # find the task ID in the response of the command above
curl "https://${sddcManager}/v1/tasks/${taskId}" -ks \
  -H "Authorization: Bearer ${accessToken}" | jq

# View the generated CSRs (optional):
curl "https://${sddcManager}/v1/domains/${domainName}/csrs" -ks \
  -H "Authorization: Bearer ${accessToken}" | jq

# Download the generated CSRs (optional):
curl "https://${sddcManager}/v1/domains/${domainName}/csrs/downloads" -k \
  -H "Authorization: Bearer ${accessToken}" \
  -o "${domainName}.tar.gz"
Step 5: Sign the certificates
# This step is optional if the certificates are signed offline

# Sign using OpenSSL or Microsoft CA:
curl "https://${sddcManager}/v1/domains/${domainName}/certificates" -ikX PUT \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer ${accessToken}" \
  -d '{
    "caType" : "OpenSSL",
    "resources" : [ {
      "fqdn" : "'${sddcManager}'",
      "type" : "SDDC_MANAGER"
    } ]
  }'

# Wait until the certificates are signed:
taskId=... # find the task ID in the response of the command above
curl "https://${sddcManager}/v1/tasks/${taskId}" -ks \
  -H "Authorization: Bearer ${accessToken}" | jq

# View the signed certificates (optional):
curl "https://${sddcManager}/v1/domains/${domainName}/certificates" -ks \
  -H "Authorization: Bearer ${accessToken}" | jq
Step 6: Install Certificates
# Install Certificates
curl "https://${sddcManager}/v1/domains/${domainName}/certificates" -ikX PATCH \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer ${accessToken}" \
  -d '{
    "operationType" : "INSTALL",
    "resources" : [ {
      "fqdn" : "'${sddcManager}'",
      "type" : "SDDC_MANAGER"
    } ]
  }'

# Wait until the certificates are installed:
taskId=... # find the task ID in the response of the command above
curl "https://${sddcManager}/v1/tasks/${taskId}" -ks \
  -H "Authorization: Bearer ${accessToken}" | jq

# View the resource certificates after installation (optional):
curl "https://${sddcManager}/v1/domains/${domainName}/resource-certificates" -ks \
  -H "Authorization: Bearer ${accessToken}" | jq
Final thoughts
Both IPv4 and IPv6 addresses can be passed, and VCF also accepts wildcard SANs (e.g. *.example.com). However, downstream products may not support every type of SAN input, so check the individual product documentation for details.
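As an added example that is not part of the original post or of VCF itself, the POSIX shell helpers below validate the entries that go into the "sans" array (the DNS, wildcard, IPv4 and IPv6 forms discussed above) before they are sent to the Generate CSR API, emit the matching "resources" element, and check that a downloaded CSR actually carries the requested DNS names. The fqdn and type values are whatever the caller passes, and csr_has_dns_sans assumes openssl is installed.

```shell
# Added example, not from the original post: validate entries bound for the "sans"
# array of a Generate CSR request and emit the matching "resources" element.

# san_kind ENTRY: print ipv4 | ipv6 | wildcard | dns, or fail for a malformed entry.
san_kind() {
  s=$1
  if printf '%s\n' "$s" | grep -Eq '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])$'; then
    echo ipv4
  elif printf '%s\n' "$s" | grep -Eq '^[0-9.]+$'; then
    return 1                  # dotted digits that are not a valid IPv4 address
  elif printf '%s\n' "$s" | grep -Eq '^[0-9A-Fa-f:]*:[0-9A-Fa-f:]*$'; then
    echo ipv6                 # loose check: hex digits with at least one colon
  elif printf '%s\n' "$s" | grep -Eq '^\*\.([A-Za-z0-9-]+\.)+[A-Za-z0-9-]+$'; then
    echo wildcard             # asterisk only as the whole leftmost label
  elif printf '%s\n' "$s" | grep -Eq '^([A-Za-z0-9-]+\.)*[A-Za-z0-9-]+$'; then
    echo dns                  # hostname or FQDN; a single label is allowed
  else
    return 1
  fi
}

# sans_json ENTRY...: build the "sans" member, failing on the first bad entry.
sans_json() {
  out=''
  for san in "$@"; do
    san_kind "$san" >/dev/null || { echo "invalid SAN: $san" >&2; return 1; }
    out="${out:+$out, }\"$san\""
  done
  printf '"sans": [%s]' "$out"
}

# resource_json FQDN TYPE ENTRY...: one element of the request's "resources" array.
resource_json() {
  fqdn=$1; rtype=$2; shift 2
  sans=$(sans_json "$@") || return 1
  printf '{ "fqdn": "%s", "type": "%s", %s }' "$fqdn" "$rtype" "$sans"
}

# csr_has_dns_sans CSR.pem NAME...: after downloading the CSRs, confirm the DNS names were
# requested. Needs openssl. IP SANs are not checked here: openssl prints them in expanded
# form ("::1" shows as "0:0:0:0:0:0:0:1"), so a plain substring match would miss them.
csr_has_dns_sans() {
  csr=$1; shift
  ext=$(openssl req -noout -text -in "$csr" | grep -A1 'Subject Alternative Name') || return 1
  for name in "$@"; do
    case "$ext" in *"DNS:$name"*) ;; *) echo "CSR is missing DNS SAN $name" >&2; return 1 ;; esac
  done
}
```

The output of resource_json can be dropped into the "resources" array of the Generate CSR request shown above; one failed entry aborts the whole build rather than producing a payload the API would reject later.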