Adopting vRSLCM-2.0’s Certificate Management for vRealize Products

vRealize Suite of Products support different certificates for different products. Managing certificates for all products in dev, testing, staging and prod environment will be difficult. Wouldn’t it be good if the certificates for all the products can be managed from a single application? This is where vRSLCM 2.0 comes into the picture. vRSLCM-2.0 introduces certificate management which allows the user,

• Generate Certificate – For Product deployments.
• Replace Certificate – For vRealize Products managed by LCM whose certificates might expire in few days.
• Manage Certificates – Look for certificate details such as products and environments consuming a certificate, certificate expiration, issuer, etc.,

Add Certificate in vRSLCM-2.0

Certificates are managed in LCM under the Certificates Tab in the Settings Page.

Here user can,

• Generate new certificate.
• Import an existing certificate.
• Generate a CSR(Certificate Sign Request).

Generating a New Certificate

User can create a SSL certificate from LCM which he can use it for product deployment. The SSL Certificate created may be a wildcard or SAN Certificate.

• Browse to Certificate Tab under Settings Tab and Click the ADD CERTIFICATE Button

• Enter the details for the certificate
  • In the “Certificate Name” field, give a name which will be used to store the certificate in LCM.
  • In the “Server Domain/Host Names” field, add the domain name with wildcard like “*.testdomain.local” or give the hostname entries which is used for product deployments like “vra.testdomain.local”, ”vrb.testdomain.local”, ”vrli.testdomain.local”, ”vrops.testdomain.local”.
  • In the “IP Address” field, add the components IP Addresses that are part of the vRealize Suite with comma separated values like “10.12.13.150,10.123.124.150,10.150.156.196”.
  • It is not mandatory that both “Server Domain/Host Names” and “IP Address” fields should be given for generating a certificate. User can choose between these two, based on the product on which he is going to use this certificate.
• Click Generate button to create a new Certificate.

• Certificates added will be listed in the Certificate Tab under Settings page.

Importing an Existing Certificate into LCM

User can Import certificates into LCM and use it on the vRealize Products.

• Browse to Certificate Tab under Settings Tab and Click the ADD CERTIFICATE Button
• Select the Import Certificate Option in the Pop-up Block the appears

• LCM supports Base64 encoded X509 certificate, enclosed between “—–BEGIN CERTIFICATE—–” and “—–END CERTIFICATE—–“, “—–BEGIN PRIVATE KEY—–” and “—–END PRIVATE KEY—–”.
  • User can import the certificate by giving the private key and certificate in above said format under the “Enter Private Key” and “Enter Certificate Chain” fields
  • Or User can import a .pem file (Privacy-Enhanced Mail (PEM) is a file format for storing and sending cryptographic keys, certificates, and other data, based on a set of 1993 IETF standards defining “privacy-enhanced mail.”) by Clicking CHOOSE FILE button and selecting the certificate file that needs to be imported, the Private Key and Certificate Chain fields will get pre-populated .
  • Click on the IMPORT button to Add the Certificate.

• vRSLCM-2.0 supports only PEM file format.
• If a certificate is encrypted, then the user should provide the passphrase in the Passphrase field for importing it. Lcm supports keys in PKCS8 form.
• Once imported user can view the certificates in the Certificates Tab under Settings Page

Once the certificates are added to LCM user can view the certificate details by clicking on the Certificate Name.

Navigate to associated environment tab to view the environments and the products that are using this certificate. This Tab will populate details like the below image once a certificate is used for product deployment or for replacing a product’s certificate.

Generating CSR

vRSLCM-2.0 allows the user to generate a CSR which can be taken to get Signed from the Certificate Authority.

• Browse to Certificate Tab under Settings Tab and Click the GENERATE CSR Button

• Provide the required details as like in Generate Certificate.
• Once details are entered Click “GENERATE” Button.
• A .pem file will be downloaded automatically which has the certificate chain and the private key.
• Use the .pem file for getting signed from the Certificate Authority.
• Navigate back to the “Certificate” tab in the settings page and Click “ADD CERTIFICATE” button and import the certificate that got signed from the Certificate Authority.
• You can use the Signed Certificate for the product deployments, or for replacing any of the existing products in LCM.

Using Certificate in Product Deployment

Certificate added in the LCM can be used for product deployments. This can be either used at the environment level or at the Product level.

• Click the Create Environment Button in the Home page to go the Wizard.
• Fill up the Environment details in and Click Next.
• Select the Product and versions that are required and Click Next.
• Accept the EULA and Click Next.
• Enter the required License, Infrastructure and Network Details
• The Next step will be providing Certificate Details.

• Here user can choose to give the certificate either at environment or at product level.
• Select the certificate from the drop-down in the Certificate Step Wizard, if certificate needs to be provided at the environment level.

• User can also add a certificate from here by clicking the “+” icon. This will open the Add Certificate Pop-Up Block, where a new certificate can be added to LCM and can be used for deployment.
• Toggle on “Provide Product Specific Certificate” to give the certificates at the product level.

• Click NEXT to go to the Product Properties.
• User can select the certificate at the Product Properties Area.

Replacing Product Certificate in an Environment

vRSLCM 2.0 allows the user to replace the certificate of the products. Certificate replacement for products from vRSLCM is supported from specific product versions.

Click on the Manage Environment button from the home page.

• Click the VIEW DETAILS button on the environment to land at the Product Page.
• Click the three dots on the product and click Replace Certificate button.

• A pop-up will appear for replacing the product certificate.

• The Current Certificate page provides the certificate details that is currently applied in the product.
• Click NEXT
• Select the new certificate from the drop down that needs to be applied in the Product.
• This dropdown will list all the certificates that are added in the Settings Page.

• The details of the selected certificate can be viewed in this page.

• Click NEXT
• Click the RUN PRECHECK button to run the precheck for the certificate against the selected product.
• The precheck will be mostly the hostname verification between the entries in the certificate and the product components.

• Click FINISH button to submit the request.
• The progress of the request can be monitored in the request page.
• User has to manually re-establish the trust between all products and endpoints that are configured after certificate replacement is done .
• The same steps are applicable for all the products.

Troubleshooting

• Certificate Replacement Precheck for vRNI giver error saying “The hosts in the certificate doesn’t match with the provided/product hosts” .
  • This alert occurs when a domain name or hostname based certificate is used.
  • Certificate Precheck for vRNI looks for IP entries in the Certificate. This is a warning. User can ignore the message and proceed with the precheck or User can use a IP based certificate for vRNI.
• Precheck for Scaling out of product components failing at “Certificate Validation to see if the new certificate matches with Master node”.
  • Scale out pre-check looks for the certificate at the master node is same as the certificate selected for component.
  • The recommendation is to use the master node certificate or replace the product certificate and perform the scale out with the replaced certificate.