Generating Certificates for vCAC 6 IaaS Web Server & Manager Service

This post will take you through the steps you will need to generate, request, and apply the certificates for both the vCloud Automation Center 6 IaaS Web Server and the Manager Service. Please note this is the third part of a three-post vCAC 6 Certificates tutorial, where the first two posts can be found at:

Note: for vRealize Automation 7, please check out the following blog post before continuing with this one: Replacing Certificates in vRealize Automation 7

Note: This article assumes you are doing the large setup, where you will have to generate two different certs, one for the Web Server and one for the Manager Service. If you are running the medium setup, then you will need to include all the names of the Web and Manager Service machines in the same cert, as vRA will only allow you to use one cert for the combined services.

Step 1: Generating the Certificate Requests

To generate the appropriate configuration files:

1. Open a text editor on the system where OpenSSL is installed.

2. Paste the following text into a file, replacing the values in red (the host names and IP addresses in subjectAltName and the distinguished name fields) with those specific to your environment.

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS: vtvcacisweb01, IP:192.168.2.106, DNS: vtvcacisweb01.vt.com, DNS: vtvcacisweb01a, IP: 192.168.2.107, DNS: vtvcacisweb01a.vt.com, DNS: vtvcacisweb01b, IP: 192.168.2.108, DNS: vtvcacisweb01b.vt.com
[ req_distinguished_name ]
countryName = CA
stateOrProvinceName = ON
localityName = Toronto
0.organizationName = Lab
organizationalUnitName = vCACIaaS
commonName = vtvcacisweb01.vt.com

3. Save the file as vcaciaasweb.cfg (I have saved my file in c:\certs\vcaciaasweb as you’ll note further on).

Next, generate the certificate request and corresponding key for the certificate.

To generate the certificate request:

1. Launch a command prompt and navigate to your OpenSSL directory. By default this is located in c:\OpenSSL\bin

2. Run the following command (replacing the path with your desired location) to create the certificate request and export the private key:

openssl req -new -nodes -out c:\certs\vcaciaasweb\rui.csr -keyout c:\certs\vcaciaasweb\rui-orig.key -config c:\certs\vcaciaasweb\vcaciaasweb.cfg

3. Convert the key to the appropriate RSA format:

openssl rsa -in c:\certs\vcaciaasweb\rui-orig.key -out c:\certs\vcaciaasweb\rui.key
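The two commands above produce a CSR and a key but give no feedback on what actually went into them, and a SAN entry that was mistyped in the config only surfaces later as a certificate-mismatch warning on the IaaS server. The script below is an added example, not part of the original post: it writes the post's request config, runs the same two openssl commands, and then reads the CSR and key back to confirm the SAN list, the key size and the CSR signature before anything is pasted into the CA. The host names and IP addresses are the post's lab values; the working directory is a temporary directory instead of c:\certs\vcaciaasweb.

```shell
#!/bin/sh
# Added example (not from the original post): write the request config, run the
# Step 1 openssl commands, then inspect the CSR and key before submitting them.
# Host names/IPs are the post's lab values; WORKDIR stands in for c:\certs\vcaciaasweb.
set -eu

# The [ req ] configuration from the post (SAN spacing normalised).
write_cfg() {
    cat > "$1" <<'EOF'
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vtvcacisweb01, IP:192.168.2.106, DNS:vtvcacisweb01.vt.com, DNS:vtvcacisweb01a, IP:192.168.2.107, DNS:vtvcacisweb01a.vt.com, DNS:vtvcacisweb01b, IP:192.168.2.108, DNS:vtvcacisweb01b.vt.com
[ req_distinguished_name ]
countryName = CA
stateOrProvinceName = ON
localityName = Toronto
0.organizationName = Lab
organizationalUnitName = vCACIaaS
commonName = vtvcacisweb01.vt.com
EOF
}

# Steps 2 and 3 of the post: CSR plus unencrypted key, then the key rewritten as rui.key.
# Note: OpenSSL 3 writes a "BEGIN PRIVATE KEY" (PKCS#8) file here; add -traditional
# if the consumer insists on the "BEGIN RSA PRIVATE KEY" header.
gen_request() {
    write_cfg "$1/vcaciaasweb.cfg"
    openssl req -new -nodes -out "$1/rui.csr" -keyout "$1/rui-orig.key" \
        -config "$1/vcaciaasweb.cfg" 2>/dev/null
    openssl rsa -in "$1/rui-orig.key" -out "$1/rui.key" 2>/dev/null
}

# Print the subjectAltName line the CA will see. A name missing here means the
# issued certificate will not match that host and will trigger mismatch warnings.
csr_sans() {
    openssl req -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}

# RSA modulus size of the generated key (the post's config asks for 2048).
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# Does the CSR's self-signature check out (catches a corrupted copy/paste)?
csr_verifies() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 && echo ok || echo bad
}

WORKDIR="$(mktemp -d)"
gen_request "$WORKDIR"
echo "SAN: $(csr_sans "$WORKDIR/rui.csr")"
echo "key bits: $(key_bits "$WORKDIR/rui.key")"
echo "CSR signature: $(csr_verifies "$WORKDIR/rui.csr")"
```

Run it once per server you are requesting a certificate for and compare the printed SAN line against the short name, FQDN and IP address of every machine behind the service; for the medium setup this is where you confirm that both the Web and Manager Service names landed in the single CSR.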


Step 2: Getting the Certificate

1. Log on to the Microsoft CA web interface (https://ca-server/CertSrv or http://ca-server/CertSrv, depending on your CA setup (Production vs. LAB)).
2. Click Request Certificate > Advanced Certificate Request.
3. Open the rui.csr file for the vCAC IaaS Server, then copy and paste its contents into the Base-64-encoded certificate request field.
4. Ensure you select the correctly configured Certificate Template.
5. Click "Submit" to submit the request.
6. Select the “Base64 encoded” option on the Certificate Issued screen.
7. Click the “Download Certificate” link and save as rui.crt in the same location as your config file and CSR.
8. Navigate back to the homepage of the certificate server and click “Download a CA certificate, certificate chain or CRL”.
9. Select the “Base64 encoded” option.
10. Click the “Download a CA Certificate Chain” link.
11. Save the certificate chain as cachain.p7b in your desired location.
12. Double click the cachain.p7b file and navigate to yourlocation\cachain.p7b > Certificates
13. Right click the root certificate and select “All Actions > Export” and then click Next.
14. Select Base64-encoded X.509 (.CER) and click Next.
15. Save the export to your location/Root64.cer and click Next.


Step 3 (vRA 6.x): Converting the Certificates to PFX Format

1. Launch a command prompt and navigate to your OpenSSL directory. By default this is located in c:\OpenSSL\bin
2. Run the following command (replacing the path with your desired location) to convert the certificates to the format expected by the vCAC IaaS Server.

openssl pkcs12 -export -in c:\certs\vcaciaasweb\rui.crt -inkey c:\certs\vcaciaasweb\rui.key -certfile c:\certs\Root64.cer -name "rui" -passout pass:Vmware1! -out c:\certs\vcaciaasweb\rui.pfx

Step 3 (vRA 7.x): Converting the Certificates to PEM Format

1. Launch a command prompt and navigate to your OpenSSL directory. By default this is located in c:\OpenSSL\bin
2. Run the following commands (replacing the path with your desired location and desired passphrase) to convert the certificates to the format expected by the vCAC IaaS Server.

openssl pkcs12 -export -in C:\certs\vcaciaasweb\rui.crt -inkey C:\certs\vcaciaasweb\rui.key -certfile c:\certs\Root64.cer -name "rui" -passout pass:Vmware1! -out C:\certs\vcaciaasweb\rui.pfx

openssl pkcs12 -in C:\certs\vcaciaasweb\rui.pfx -clcerts -nokeys -out C:\certs\vcaciaasweb\rui.pem
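The pkcs12 export above is where the chain gets baked into the file the IaaS installer consumes, and -certfile with only Root64.cer is correct only when the Microsoft CA that signed rui.csr is itself the root. Where an issuing (intermediate) CA sits between them, -certfile must carry the intermediate certificate as well as the root, and the only way to be sure is to read the PFX back. The script below is an added example, not part of the original post: in place of the Microsoft CA it builds a throwaway root CA and intermediate CA, issues the server certificate from the intermediate, runs the Step 3 export for both the vRA 6.x PFX and the vRA 7.x PEM with the whole chain in -certfile, and then counts what each file contains and verifies the chain. All names, the password and the working directory are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): a demo root CA and intermediate CA
# stand in for the Microsoft CA; the Step 3 pkcs12 export is then run with the
# whole chain (intermediate + root) in -certfile and the results are read back.
# Names, password and working directory are constructed for this demo.
set -eu

WORKDIR="$(mktemp -d)"
PFX_PASS="demo-password"   # constructed; in real use prefer -passout file:... over pass:...

# One minimal request config so nothing depends on the system openssl.cnf.
# -subj overrides the [dn] section for the CSRs generated below.
cat > "$WORKDIR/req.cfg" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = root_ext
[ dn ]
CN = Demo Root CA
[ root_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Extensions for the issued certificates: an issuing CA and the IaaS server cert.
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORKDIR/intermediate.ext"
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth,clientAuth\nsubjectAltName=DNS:vtvcacisweb01.vt.com,DNS:vtvcacisweb01\n' \
    > "$WORKDIR/leaf.ext"

# Sign CSR $1 with CA $2 using extension file $3 (this is what the CA web UI does for you).
issue() {
    openssl x509 -req -in "$WORKDIR/$1.csr" -CA "$WORKDIR/$2.crt" -CAkey "$WORKDIR/$2.key" \
        -CAcreateserial -days 30 -extfile "$WORKDIR/$3" -out "$WORKDIR/$1.crt" 2>/dev/null
}

build_pki() {
    # Root: self-signed with the CA extensions from req.cfg.
    openssl genrsa -out "$WORKDIR/root.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$WORKDIR/root.key" -config "$WORKDIR/req.cfg" -days 30 -out "$WORKDIR/root.crt"
    # Intermediate (issuing) CA: CSR signed by the root.
    openssl genrsa -out "$WORKDIR/intermediate.key" 2048 2>/dev/null
    openssl req -new -key "$WORKDIR/intermediate.key" -config "$WORKDIR/req.cfg" -subj "/CN=Demo Issuing CA" -out "$WORKDIR/intermediate.csr"
    issue intermediate root intermediate.ext
    # Server cert (the post's rui.key / rui.csr / rui.crt): CSR signed by the intermediate.
    openssl genrsa -out "$WORKDIR/rui.key" 2048 2>/dev/null
    openssl req -new -key "$WORKDIR/rui.key" -config "$WORKDIR/req.cfg" -subj "/CN=vtvcacisweb01.vt.com" -out "$WORKDIR/rui.csr"
    issue rui intermediate leaf.ext
}

# Step 3 from the post, with -certfile carrying the intermediate AND the root.
export_pfx() {
    cat "$WORKDIR/intermediate.crt" "$WORKDIR/root.crt" > "$WORKDIR/chain.pem"
    openssl pkcs12 -export -in "$WORKDIR/rui.crt" -inkey "$WORKDIR/rui.key" \
        -certfile "$WORKDIR/chain.pem" -name rui -passout "pass:$PFX_PASS" -out "$WORKDIR/rui.pfx"
    # vRA 7.x step: rui.pem holds only the server ("client") certificate and no key.
    openssl pkcs12 -in "$WORKDIR/rui.pfx" -clcerts -nokeys -passin "pass:$PFX_PASS" -out "$WORKDIR/rui.pem"
}

# Number of certificates inside the PFX (expect 3: server, intermediate, root).
pfx_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$PFX_PASS" | grep -c 'BEGIN CERTIFICATE'
}

# Number of certificates in a PEM file (expect 1 for the vRA 7 rui.pem).
pem_cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Does the server cert chain to the root through the intermediate?
chain_verifies() {
    openssl verify -CAfile "$WORKDIR/root.crt" -untrusted "$WORKDIR/intermediate.crt" \
        "$WORKDIR/rui.crt" >/dev/null 2>&1 && echo ok || echo bad
}

build_pki
export_pfx
echo "certs in rui.pfx: $(pfx_cert_count "$WORKDIR/rui.pfx")"
echo "certs in rui.pem: $(pem_cert_count "$WORKDIR/rui.pem")"
echo "chain check: $(chain_verifies)"
```

With a real CA, chain.pem is simply the issuing CA certificate(s) and the root, each exported as Base64 X.509 from the cachain.p7b in Step 2 and concatenated; -certfile accepts any number of PEM certificates in one file. The count check is the one to keep: if rui.pfx reports fewer certificates than your chain has, the IaaS server will present an incomplete chain and clients that do not already trust the intermediate will fail validation. Note also that a password given as pass:... is visible in the command history and process list of the machine you run this on.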


Note: For the Manager Service, repeat the same steps you used to generate the Web Server certificate; you only need to replace the values marked in red (host names, IP addresses and common name) with those of your Manager Service machines.


Step 4 (vRA 6.x): Applying the Certificate to the vCAC IaaS Web Server

  1. Import the SAN certificate to each server
    1. mmc.exe -> Add/Remove Snap-in
    2. Certificates -> Add -> Computer account -> Finish -> Local computer -> Finish -> OK
    3. Expand Certificates -> Right-click Personal -> All Tasks -> Import… Locate the SAN Certificate PFX file and import it
    4. Make sure to give the certificate a friendly name
  2. During the installation of the IaaS Web Server, make sure you choose the proper certificate:

    Make sure you check the "Suppress certificate mismatch" option.


Step 5 (vRA 6.x): Applying the Certificate to the vCAC App Server (Manager Service)


  1. Import the SAN certificate to each server
    1. mmc.exe -> Add/Remove Snap-in
    2. Certificates -> Add -> Computer account -> Finish -> Local computer -> Finish -> OK
    3. Expand Certificates -> Right-click Personal -> All Tasks -> Import… Locate the SAN Certificate PFX file and import it
  2. During the installation of the vCAC App Server (Manager Service), make sure you choose the proper certificate:


Step 4 & 5 (vRA 7.x): Applying the Certificate to the vCAC IaaS Web Server & Manager Service

In vRA 7 the certs are added using the installation Wizard by copying and pasting the contents of the .pem and .key files.

Comments

  1. Hi-

    Great post! What would this command look like if we have an intermediate CA? “openssl pkcs12 -export -in C:\certs\vcaciaasweb\rui.crt -inkey C:\certs\vcaciaasweb\rui.key -certfile c:\certs\Root64.cer -name “rui” -passout pass:Vmware1! -out C:\certs\vcaciaasweb\rui.pfx”

    Thanks,

    Jon

Trackbacks

  1. […] the certificate requests Eiad Al-Aqqad has done two really great postings (part 1 and part 2 ) around the formats required and using openssl to create the certificate requests. For […]

  2. […] Generating Certificates for vCAC 6 IaaS Web Server & Manager Service <== You can follow this as is, just stop before step three as you no longer need to convert the […]
