Generating Certificates for the identity Appliance/vCAC Appliance

At this post, I will go through how you Generate and import the certificates in a step by step fashion for both the Identity and vCAC Appliance. Please note this post is the second part of a three post tutorial where you can find the other two posts at:

Note: for vRealize Automation 7, please check out following blogpost: Replacing Certificates in vRealize Automation 7

Step 1: Generate the appropriate configuration files:

  1. Open a text editor on the system where OpenSSL is installed.
  2. Paste the following text into a file, replacing the information in red with that specific to your environment.

This one I used for Identity server:

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vtid01, IP:192.168.2.101, DNS:vtid01.vt.com
[ req_distinguished_name ]
countryName = CA
stateOrProvinceName = ON
localityName = Toronto
0.organizationName = Lab
organizationalUnitName = vCACSSO
commonName = vtid01.vt.com


This one I used for my vCAC Appliance:

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vtvcac01, IP:192.168.2.102, DNS:vtvcac01.vt.com, DNS:vtvcac01a, IP:192.168.2.103, DNS:vtvcac01a.vt.com, DNS:vtvcac01b, IP:192.168.2.104, DNS:vtvcac01b.vt.com  
[ req_distinguished_name ]
countryName = CA
stateOrProvinceName = ON
localityName = Toronto
0.organizationName = Lab
organizationalUnitName = vCACAppliance
commonName = vtvcac01.vt.com

3. Save the file as vcacid.cfg but do not close it (I have saved my file in C:\certs\identity as you’ll note further on).
4. To create the vCAC VA config file, update the fields in red with the appropriate information and save as vcaca.cfg (I have saved my file in C:\certs\vcaca as you’ll note further on).

 

Step 2: generate the certificate request and corresponding key for each of the certificates.

To generate a certificate request:

1. Launch a command prompt and navigate to your OpenSSL directory. By default this is located in C:\OpenSSL\bin.
2. Run the following commands (replacing the path with your desired location) to create the certificate request and export the private key:

C:\OpenSSL\bin>openssl req -new -nodes -out c:\certs\identity\rui.csr -keyout c:\certs\identity\rui-orig.key -config c:\certs\identity\vcacid.cfg

C:\OpenSSL\bin>openssl req -new -nodes -out c:\certs\vcaca\rui.csr -keyout c:\certs\vcaca\rui-orig.key -config c:\certs\vcaca\vcaca.cfg

3. Convert the keys to the appropriate RSA format required by the appliances:

openssl rsa -in c:\certs\identity\rui-orig.key -out c:\certs\identity\rui.key
openssl rsa -in c:\certs\vcaca\rui-orig.key -out c:\certs\vcaca\rui.key

Step 3: Getting the Certificate from Microsoft CA

1. Logon to the Microsoft CA Web Interface (https://ca-server/CertSrv)
2. Click on the Request Certificate > Advanced Certificate Request. Choose Submit a certificate Request by using a base- 64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

3. Open the rui.csr file for the vCAC Identity Appliance and then copy and paste the contents into the Base-64-encoded certificate request field.
4. Ensure you select the correctly configured Certificate Template.

Request vCloud Automation Center Identity Appliance Certificate

5. Click “Submit” to submit the request.
6. Select the “Base64 encoded” option on the Certificate Issued screen.
7. Click the “Download Certificate” link and save as rui.crt in the same location as your config file and CSR.
8. Repeat the above process for the vCACVA Certificate Request.
9. Navigate back to the homepage of the certificate server and click “Download a CA certificate, certificate chain or CRL”.
10. Select the “Base64 encoded” option.
11. Click the “Download a CA Certificate Chain” link.
12. Save the certificate chain as cachain.p7b in your desired location.
13. Double click the cachain.p7b file and navigate to yourlocation\cachain.p7b > Certificates
14. Right click the root certificate and select “All Actions > Export” and then click Next.
15. Select Base64-encoded X.509 (.CER) and click Next.
16. Save the export to your location/Root64.cer and click Next.

Step 4: Converting the Certificates to PEM Format

1. Launch a command prompt and navigate to your OpenSSL directory. By default this is located in c:\OpenSSL \bin
2. Run the following commands (replacing the path with your desired location and desired passphrase) to convert the certificates to the format expected of the Virtual Appliances.

openssl pkcs12 -export -in C:\certs\identity\rui.crt -inkey C:\certs\identity\rui.key -certfile c:\certs\Root64.cer -name “rui” -passout pass:Vmware1! -out C:\certs\identity\rui.pfx

openssl pkcs12 -export -in C:\certs\vcaca\rui.crt -inkey C:\certs\vcaca\rui.key -certfile c:\certs\Root64.cer -name “rui” -passout pass:Vmware1! -out C:\certs\vcaca\rui.pfx

Use the below commands for vCAC versions previous to 6.2

openssl pkcs12 -in C:\certs\identity\rui.pfx -inkey C:\certs\identity\rui.key -out C:\certs\identity\rui.pem –nodes

openssl pkcs12 -in C:\certs\vcaca\rui.pfx -inkey C:\certs\vcaca\rui.key -out C:\certs\vcaca\rui.pem –nodes

Use the below commands instead for vRA 6.2, as using the above commands seems to give the following error “unable to create keystore” when installing the cert in the identity appliance in vRA 6.2. I found these two commands in vRA 6.2 document at http://pubs.vmware.com/vra-62/index.jsp?topic=%2Fcom.vmware.vra.install.doc%2FGUID-8E7A0EBA-FB3D-4243-90BC-AC38F108FB41.html.

openssl pkcs12 -in C:\certs\identity\rui.pfx -clcerts -nokeys -out C:\certs\identity\rui.pem

openssl pkcs12 -in C:\certs\vcaca\rui.pfx -clcerts -nokeys -out C:\certs\vcaca\rui.pem

 

Step 5: Importing the Certificates to your Virtual Appliances

  1. Login to https://vCAC.ID.VA:5480 
  2. Click on the SSO tab.
  3. Click on the SSL tab.
  4. In the “Choose Option” field, click the drop down and select Import PEM encoded certificate.
  5. Open the rui.key file for your vCAC ID appliance in a text editor.
  6. Copy and paste the contents into the “RSA Private Key” field.
  7. Open the rui.pem file for you vCAC ID appliance in a text editor. (Make sure to copy all the contents)
  8. Copy and paste the contents into the “Certificate” field.
  9. Enter Vmware1! into the “Pass Phrase” field.

 

Install your vCAC 6 Identity Appliance Certificates

10. Click the “Replace Certificate” button.

 

vCloud Automation Center 6 Identity Appliance Certificates successfully installed

11- You can repeat the same steps 1-10 for the vCAC Appliance.

Comments

  1. Eiad,

    is the Windows Server You’re using to request certificates a 2003 Server? In 2008 You cannot request web UI to request computer certificates… 🙁

  2. Actually it was 2008 Certificate server. My customer as well has repeated the exercise on Windows 2008.
    I remember the interface being through http and does not work on https, not sure if that is your problem.

    Thanks,
    Eiad

  3. Eiad,

    Do you know if unique organizational unit names are required for each component? Could you have one wildcard certificate for Identity,CAFÉ, Iaas, and VCO without a specified organizational unit name?

    Thanks,
    Jason

  4. Hi Jason,

    While I have not used wildcard certificate my self. I have heard of many others inside VMware and outside VMware use it without a problem. It does work and its supported as per our documentation.

    Thanks,
    Eiad

  5. Hi Eiad,

    Thank you for the How to on certs for vCAC.

    I have a question for you, I am stuck at Step 3: Getting the Certificate from Microsoft CA, that screenshot of yours is listing vcac certificate into the drop down list for Certificate template. I had followed steps “First post: vCloud Automation Center 6 Certificates A to Z”.. only options available from me are User, Basic EFS, could you pin point where I might be having issues.

    I have MS Certificate Athourity along with web portal installed on a Windows 2008 R2
    my portal url : localhost/certsrv and its ask me to provide the user id and password(service account which I had provided for that IIS_IUSR group”, when I make a request for a certificate from that URL, it somehow makes common name as the service name.

    Thanks
    Mukesh

  6. Mukesh, This is the second post in a 3 posts series. The steps where that vCAC Cert type was added to the Microsoft CA is in the following article: http://www.virtualizationteam.com/cloud/vcloud-automation-center-6-certificates-a-to-z.html

  7. Thanks for the blog, it’s been very helpful. I’m a a standstill. If I follow your directions on a fresh 6.1.1 build, I try to import the pem/key to the identity appliance and I get an error: Unable to create SSL key store. I was able to update the vCAC appliances fine however.

    Basically I’m at the point where I can login to my default tenant but when I try to login to a newly created tenant I get an Error 400…

    DEBUG: com.vmware.identity.samlservice.impl.CasIdmAccessor – Caught exception java.lang.IllegalArgumentException: The validated object is null
    DEBUG: com.vmware.identity.samlservice.impl.CasIdmAccessor – getIdpEntityId
    DEBUG: com.vmware.identity.samlservice.impl.CasIdmAccessor – getAcsForRelyingParty https://test.com/vcac/org/test/saml/websso/metadata, index null, URL null, binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
    DEBUG: com.vmware.identity.samlservice.impl.CasIdmAccessor – Caught exception java.lang.IllegalArgumentException: The validated object is null
    DEBUG: com.vmware.identity.samlservice.AuthnRequestState – Caught exception while generating response java.lang.IllegalStateException: BadRequest, will return 400
    INFO : com.vmware.identity.BaseSsoController – Responded with ERROR 400, message Unable to process request

  8. Very nice article! One question: if you have a subordinate CA, do you have to combine the root and subordinate certs together similar to how it’s done when replacing vCenter certs?

  9. Hi Todd, Actually you will need to do the same here as well.

  10. Excellent guide, thank you!

Trackbacks

  1. […] 2: Generating Certificates for the identity Appliance/vCAC Appliance Post 3: Generating Certificates for vCAC 6 IaaS Web Server & Manager […]

  2. […] Second Post: Generating Certificates for the identity Appliance/vCAC Appliance […]

  3. […] 2- Generating Certificates for the identity Appliance/vCAC Appliance <== You can follow this one as is, just skip the part for generating cert for the identity appliance as the identity appliance is not longer required in vRA 7. […]

Speak Your Mind

*