
vCloud Automation Center 6 Certificates A to Z

By Eiad Al-Aqqad, Senior Consultant, VMware Professional Services

While working on delivering vCAC 6 engagements, I have noticed that getting all the required certificates in place has always involved jumping across different information sources, from VMware documentation and blogs to other consultants’ work. I have created the following guide to make the process easier. This is the first of three posts that cover the certificates process for a new vCAC 6.x installation from A-Z, beginning with how to install your own CA and continuing through assigning the certificates to each component.

First, I have to give credit where it is due. This document includes information from the following sources:

While I have used a lot of material from the above sources, I have also applied these steps at various customer sites, and carried out the full process in my lab. I hope you will find it useful.

Before You Begin
There are some important recommendations and requirements before you get started.

  1. VMware recommends a domain certificate or a wildcard domain certificate for a distributed installation.
  2. The certificate must be in PFX (for Windows) and PEM (for Appliances and Load Balancer) formats. (See table below.)

Certificates needed

While this post focuses on generating and using certificates for a new vCAC 6 installation, if you have an existing installation and vCAC 6 setup and you want to replace your self-signed certificates with signed certificates, you need to consider the following:

  1. Update component certificates in the following order:
    1. Identity Appliance
    2. vCloud Automation Center Appliance
    3. IaaS components

Note: With one exception, changes to later components do not affect earlier ones. For example, if you import a new certificate to a vCloud Automation Center Appliance, you must register this change with the IaaS server, but not with the Identity Appliance. The exception is that an updated certificate for IaaS components must be registered with vCloud Automation Center Appliance.

The table below shows registration requirements when you update a certificate.

Registration requirements

Step 1: Installing Domain CA
This section documents how to create the Domain Certificate Authority that you will later use to generate your certificates.

      1. In the Select Server Roles screen, click to select Install Active Directory Certificate Services.
        Select Server Roles screen
      2. In the Select Role Services screen, click to select both Certification Authority and Certification Authority Web Enrollment.
        Select Role Services screen
      3. In the Specify Setup Type screen, click to select Enterprise.
        Specify Setup Type screen
      4. If this is your first CA, in the Specify CA Type screen, click to select Root CA.
        Specify CA Type screen
      5. In the Set Up Private Key screen, click to select Create a new private key.
        Set Up Private Key screen
      6. In the Configure Cryptography for CA screen, make the selections as shown in the below screenshot.
        Configure Cryptography for CA screen
      7. In the Configure CA Name screen, type in the name of your CA.
        Configure CA Name screen
      8. In the Set Validity Period screen, use the drop-down menu to select the appropriate period for the certificate generated by this CA.
        Set Validity Period screen

Step 2: Creating vCAC Certificate Templates
To allow for export of the certificate key, you need to create a non-standard certificate template, which is a modified copy of the standard web server template. In addition, the Microsoft CA will be updated to allow for Subject Alternative Names (SANs) as specified in the attributes.

To create a new, non-standard default template:

      1. Connect to the Root CA server or Subordinate CA server via RDP.
      2. Click Start > Run, type certtmpl.msc, and click OK. The Certificate Template Console opens.
      3. In the middle pane, under Template Display Name, locate Web Server.
      4. Right-click Web Server and click Duplicate Template.
      5. In the Duplicate Template window, select Windows Server 2003 Enterprise for backward compatibility.
      6. Click the General tab.
      7. In the Template Display Name field, enter vCAC Certificate as the name of the new template.
      8. Click the Extensions tab.
      9. Select Key Usage and click Edit.
      10. Select the Signature is proof of origin (nonrepudiation) option.
      11. Select the Allow encryption of user data option.
      12. Click OK.
      13. Select Application Policies and click Edit.
      14. Click Add.
      15. Select Client Authentication.
      16. Click OK.
      17. Click OK again.
      18. Click the Subject Name tab.
      19. Ensure that the Supply in the request option is selected.
      20. Click the Request Handling tab.
      21. Ensure that the Allow private key to be exported option is selected.
      22. Click OK to save the template.


To add a new template to certificate templates:

      1. Connect to the Root CA server or Subordinate CA server via RDP.
        Note: Connect to the CA server in which you intend to perform your certificate generation.
      2. Click Start > Run, type certsrv.msc, and click OK. The Certificate Server console opens.
      3. In the left pane, if collapsed, expand the node by clicking the [+] icon.
      4. Right-click Certificate Templates and click New > Certificate Template to Issue.
      5. Locate vCAC Certificate under the Name column.
      6. Click OK.

A new template option is now created in your Active Directory Certificate Services node. This new template can be used in place of Web Server for the vSphere 5.x CA certificate.

Step 3: Installing OpenSSL version 0.9.8
Use the following steps to install OpenSSL, which will be used to request the required certificates.

Important: Ensure that you are using OpenSSL version 0.9.8. If you do not use this version, the SSL implementation will fail.

To set up OpenSSL:

      1. Ensure that the Microsoft Visual C++ 2008 Redistributable Package (x86) is installed on the system on which you want to generate the requests. To download the package, see the Microsoft Download Center.
      2. Download the Shining Light Productions installer for OpenSSL x86 version 0.9.8r or later at http://www.slproweb.com/products/Win32OpenSSL.html. This software was developed by the OpenSSL Project.
      3. Launch the installer, proceed through the installation, and note the appropriate directory for later use. By default, it is located at C:\OpenSSL-Win32.
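Once OpenSSL is in place, the check a practitioner wants is that a certificate issued from the Step 2 template really carries the extensions configured there (nonrepudiation and data encipherment key usages, the Client Authentication policy, a SAN), and a way to turn the Windows PFX export into the PEM form that Before You Begin calls for. The following POSIX shell script is an added example and not part of the original post; it assumes openssl is on the PATH and uses a constructed self-signed certificate in place of one issued by your CA.

```shell
#!/bin/sh
# Added example, not from the original post: check that a certificate issued from the
# "vCAC Certificate" template carries the Step 2 extensions, and convert the Windows
# PFX export to the PEM form the appliances and load balancer need. Assumes openssl on PATH.
set -eu

# Return 0 when the PEM certificate shows the key usages, the server and client
# authentication EKUs and the SAN extension configured on the template;
# otherwise list what is missing on stderr and return 1.
check_vcac_cert() {
    text=$(openssl x509 -in "$1" -noout -text)
    rc=0
    for want in "Non Repudiation" "Data Encipherment" \
                "TLS Web Server Authentication" "TLS Web Client Authentication" \
                "Subject Alternative Name"; do
        if ! printf '%s\n' "$text" | grep -q "$want"; then
            echo "missing: $want" >&2
            rc=1
        fi
    done
    return $rc
}

# PFX (Windows export, password $3) -> one unencrypted PEM holding key and certificate.
pfx_to_pem() {
    openssl pkcs12 -in "$1" -out "$2" -nodes -passin "pass:$3" 2>/dev/null
}

# Constructed sample: a self-signed certificate carrying the same extensions the
# template would put on an issued certificate, then bundled as a PFX like a Windows export.
make_sample_cert() {
    dir="$1"
    cat > "$dir/ext.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3
[dn]
CN = vcac-web.lab.example
[v3]
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vcac-web.lab.example, DNS:vcac-web
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$dir/ext.cnf" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    openssl pkcs12 -export -in "$dir/cert.pem" -inkey "$dir/key.pem" \
        -out "$dir/cert.pfx" -passout pass:changeit
}
```

Run `check_vcac_cert` against the certificate your CA actually issued; a missing "Non Repudiation" or "TLS Web Client Authentication" line means the wrong template was used for the request.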

This tutorial includes two additional posts, which you can find on my blog at the following links:

Post 2: Generating Certificates for the Identity Appliance/vCAC Appliance
Post 3: Generating Certificates for vCAC 6 IaaS Web Server & Manager Service


Eiad Al-Aqqad is a Senior Consultant within the SDDC Professional Services practice. He has been an active consultant using VMware technologies since 2006. He is VMware Certified Design Expert (VCDX#89), as well as an expert in VMware vCloud, vSphere, and SRM. Read more from Eiad at his blog, Virtualization Team, and follow him on Twitter @VirtualizationT.