While delivering vCAC 6 engagements, I have noticed that getting all the required certificates in place has always required me to jump between different information sources: VMware documentation, blogs, and other consultants' work. For that reason I have decided to put together this guide, which covers the certificate process for a new vCAC 6.x installation from A to Z, to ease the process for myself and others. I start all the way from installing your own CA and continue until you assign the certificates to each component. Before I go through the details, I have to give credit where it is due. This document incorporates information from all of the sources below:
- Tomas Fojta Blog: http://fojta.wordpress.com/2013/12/12/vcac-6-how-to-generate-signed-certificates/
- Grant Orchard Blog: http://grantorchard.com/vcac/implementation/replacing-vcac-6-0-appliance-certificates/
- Sky Cooper Implementation Guide
- vCloud Automation Center Installation and Configuration: http://pubs.vmware.com/vCAC-60/index.jsp#com.vmware.vcac.install.doc/GUID-3CABD137-CC9A-41E4-BCB4-65A0D5919270.html
While I have used a lot of material and knowledge gained from the above sources, I have carried out these steps at different customers, and I carried out the full procedure again in my lab so that all the screenshots are consistent across the whole procedure. I hope you will find it useful.
Note: for vRealize Automation 7, please check out following blogpost: Replacing Certificates in vRealize Automation 7
Good to know
This section gives you some important vCloud Automation Center 6 certificate FAQs and recommendations that you need to know before getting started.
- VMware recommends a domain certificate or a wildcard domain certificate for a distributed installation.
- The certificates are needed in PFX format (for Windows) and PEM format (for the Appliances and the Load Balancer).
While I will initially focus on generating and using certificates for a new vCAC 6 installation, the points below are something to consider if you have an existing vCAC 6 setup and want to replace your self-signed certificates with signed certificates.
- Update the components' certificates in the following order:
- Identity Appliance
- vCloud Automation Center Appliance
- IaaS components
- With one exception, changes to later components do not affect earlier ones. For example, if you import a new certificate to a vCloud Automation Center Appliance, you must register this change with the IaaS server, but not with the Identity Appliance. The exception is that an updated certificate for IaaS components must be registered with vCloud Automation Center Appliance.
The following table shows registration requirements when you update a certificate.
First Step: Installing Domain CA:
1. From Windows Server Roles, Install Active Directory Certificate Services
2. Make sure to choose both Certification Authority & Certifications Authority Web Enrollment on the Role Service screen
3. Choose Enterprise at the setup Type page
4. Assuming this is your first CA, choose Root CA at the CA Type screen
5. Create a new private key
6. Configure Cryptography for the CA as shown in the screenshot below
7. Configure your CA Name
8. Set the validity period for the certificates generated by this CA
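The same eight steps can be scripted instead of clicked through. The block below is an added example, not part of the original post: it installs the role with both Certification Authority and Web Enrollment, creates an Enterprise Root CA with a new private key, and sets the CA name and validity period. The CA name, key length, hash algorithm and five-year validity are assumed lab values (the post's screenshot for step 6 is not reproduced here), so adjust them to your own design.

```powershell
# Added example (not from the original post): install an Enterprise Root CA with
# PowerShell, matching the GUI choices in steps 1-8. Run in an elevated session on
# a domain-joined server as an Enterprise Admin. CA name, key size, hash and
# validity are assumed lab values.

# Steps 1-2: the role with both Certification Authority and Web Enrollment.
Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools

# Steps 3-8: Enterprise setup type, Root CA, new private key (the default when no
# existing certificate or key container is supplied), cryptography, name, validity.
$caParams = @{
    CAType              = 'EnterpriseRootCA'                             # steps 3-4
    CryptoProviderName  = 'RSA#Microsoft Software Key Storage Provider'  # step 6 (assumed)
    KeyLength           = 2048                                           # step 6 (assumed)
    HashAlgorithmName   = 'SHA256'                                       # step 6 (assumed)
    CACommonName        = 'LAB-ROOT-CA'                                  # step 7 (assumed)
    ValidityPeriod      = 'Years'                                        # step 8
    ValidityPeriodUnits = 5                                              # step 8 (assumed)
    Force               = $true
}
Install-AdcsCertificationAuthority @caParams

# Web Enrollment is configured separately, after the CA itself exists.
Install-AdcsWebEnrollment -Force

# Sanity checks: the CA service is running and answers requests.
Get-Service -Name CertSvc
certutil -ping
```

If you later add a subordinate CA, keep the root offline and issue the vCAC certificates from the subordinate; the rest of the post works the same way against whichever CA holds the template.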
Second Step: Creating vCAC Certificate templates
We will need to create a non-standard Certificate Template, which is a copy of the standard Web Server template modified to allow export of the certificate's private key. In addition, the Microsoft CA will be updated to allow Subject Alternative Names (SANs) to be specified in the request attributes.
Follow the steps below to create the new template:
- Connect to the Root CA server or Subordinate CA server via RDP.
- Click Start > Run, type certtmpl.msc, and click OK. The Certificate Template Console opens.
- In the middle pane, under Template Display Name, locate Web Server.
- Right-click Web Server and click Duplicate Template.
- In the Duplicate Template window, select Windows Server 2003 Enterprise for backward compatibility.
- Click the General tab.
- In the Template display name field, enter vCAC Certificate as the name of the new template.
- Click the Extensions tab.
- Select Key Usage and click Edit.
- Select the Signature is proof of origin (nonrepudiation) option.
- Select the Allow encryption of user data option.
- Click OK.
- Select Application Policies and click Edit.
- Click Add.
- Select Client Authentication.
- Click OK.
- Click OK again.
- Click the Subject Name tab.
- Ensure that the Supply in the request option is selected.
- Click the Request Handling tab.
- Ensure that the Allow private key to be exported option is selected.
- Click OK to save the template.
Adding a new template to certificate templates
To add a new template to certificate templates:
- Connect to the Root CA server or Subordinate CA server via RDP. Note: Connect to the CA server on which you intend to perform your certificate generation.
- Click Start > Run, type certsrv.msc, and click OK. The Certificate Server console opens.
- In the left pane, if collapsed, expand the node by clicking the [+] icon.
- Right-click Certificate Templates and click New > Certificate Template to Issue.
- Locate vCAC Certificate under the Name column.
- Click OK.
A new template option is now created in your Active Directory Certificate Services node. This new template can be used in place of Web Server for the vSphere 5.x CA certificate.
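Before you rely on the new template, it is worth checking that the duplicated template actually carries the settings from the steps above, and the publishing step plus the SAN change mentioned at the start of this section can be done from the command line. The block below is an added example, not part of the original post; it covers both the template-creation steps and the "Certificate Template to Issue" steps. It assumes the ActiveDirectory PowerShell module (RSAT) is available on the CA and that AD CS stored the template under the internal name vCACCertificate (the display name with the space removed), which is why the lookup is done by display name.

```powershell
# Added example (not from the original post): verify the 'vCAC Certificate'
# template settings in AD, allow SANs supplied as request attributes on the CA,
# then publish the template. Assumes the ActiveDirectory module is installed.
Import-Module ActiveDirectory

$templatesDn = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
               (Get-ADRootDSE).configurationNamingContext
$tpl = Get-ADObject -SearchBase $templatesDn -Filter { displayName -eq 'vCAC Certificate' } `
           -Properties name, pKIExtendedKeyUsage, 'msPKI-Private-Key-Flag', 'msPKI-Certificate-Name-Flag'
if (-not $tpl) { throw "Template 'vCAC Certificate' not found; duplicate Web Server first (certtmpl.msc)." }

# Flag values from the MS-CRTD template specification.
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1    # Subject Name tab: "Supply in the request"
$CT_FLAG_EXPORTABLE_KEY            = 0x10   # Request Handling tab: "Allow private key to be exported"

$checks = [ordered]@{
    'Subject supplied in request' = ($tpl.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
    'Private key exportable'      = ($tpl.'msPKI-Private-Key-Flag' -band $CT_FLAG_EXPORTABLE_KEY) -ne 0
    'Server Authentication EKU'   = $tpl.pKIExtendedKeyUsage -contains '1.3.6.1.5.5.7.3.1'
    'Client Authentication EKU'   = $tpl.pKIExtendedKeyUsage -contains '1.3.6.1.5.5.7.3.2'   # Application Policies step
}
$checks.GetEnumerator() | ForEach-Object { '{0,-30} {1}' -f $_.Key, $_.Value }
if ($checks.Values -contains $false) {
    throw 'Template settings do not match the steps above; fix them in certtmpl.msc before publishing.'
}

# Let the CA honour Subject Alternative Names passed as request attributes (the
# "Attributes" change referred to at the top of this section), then publish the
# template. The CA service must be restarted for the EditFlags change to apply.
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
certutil -SetCATemplates "+$($tpl.name)"
Restart-Service -Name CertSvc

# The template should now be listed among those the CA can issue.
certutil -CATemplates | Select-String -Pattern $tpl.name
```

One caveat on the EditFlags change: once EDITF_ATTRIBUTESUBJECTALTNAME2 is set, any account that can enroll against any template on that CA can ask for an arbitrary SAN, so keep the Enroll permission on vCAC Certificate limited to the administrators doing this work, and clear the flag again (certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2, then restart CertSvc) once the vCAC certificates have been issued.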
Third Step: Installing OpenSSL version 0.9.8.
Use the steps below to install OpenSSL, which will be used to request the required certificates:
Important: Ensure that you are using OpenSSL version 0.9.8. If you do not use this version, the SSL implementation will fail.
To setup OpenSSL:
- Ensure that the Microsoft Visual C++ 2008 Redistributable Package (x86) is installed on the system on which you want to generate the requests. To download the package, see the Microsoft Download Center.
- Download the Shining Light Productions installer for OpenSSL x86 version 0.9.8r or later at http://www.slproweb.com/products/Win32OpenSSL.html. This is a build of the software developed by the OpenSSL Project.
- Launch the installer and proceed through the installation and note the appropriate directory for later use. By default, it is located at c:\OpenSSL-Win32.
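Having installed OpenSSL, the next thing you will do with it is build the request and then turn the issued certificate into the PFX and PEM formats listed in the Good to know section. The block below is an added example, not part of the original post, showing that round trip end to end from a PowerShell prompt on the request machine. The host names, IP address, working directory, PFX password, CA config string (ca01.lab.local\LAB-ROOT-CA) and template name (vCACCertificate) are all assumed lab values; the OpenSSL path is the default from step 3.

```powershell
# Added example (not from the original post): key + CSR with SANs via OpenSSL,
# submission to the CA with certreq, then PFX (Windows) and PEM (appliances /
# load balancer) outputs. All names, addresses and the password are assumed.
$openssl = 'C:\OpenSSL-Win32\bin\openssl.exe'   # default install path from step 3
$caConfig = 'ca01.lab.local\LAB-ROOT-CA'        # assumed "host\CA name"
$pfxPass  = 'VMware1!'                          # assumed; use your own
$work     = 'C:\certs\vcac'
New-Item -ItemType Directory -Path $work -Force | Out-Null
Set-Location $work

# Confirm the installed build is on the 0.9.8 branch the post requires.
& $openssl version

# OpenSSL request config: subject plus the SANs the appliance answers on (assumed names).
@"
[ req ]
default_bits       = 2048
default_md         = sha256
distinguished_name = req_dn
req_extensions     = v3_req
prompt             = no

[ req_dn ]
countryName            = US
stateOrProvinceName    = CA
localityName           = Palo Alto
organizationName       = Lab
organizationalUnitName = IT
commonName             = vcac.lab.local

[ v3_req ]
keyUsage         = digitalSignature, keyEncipherment, nonRepudiation, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName   = DNS:vcac.lab.local, DNS:vcac, IP:192.168.10.20
"@ | Set-Content -Path vcac.cfg -Encoding ASCII

# Private key and CSR in one step. -nodes leaves the key unencrypted on disk,
# so restrict access to $work and delete the key material when you are done.
& $openssl req -new -nodes -config vcac.cfg -keyout vcac.key -out vcac.csr

# Submit against the vCAC Certificate template. certreq writes the issued
# certificate Base64-encoded (PEM) unless -binary is given. If your CA only
# accepts SANs through request attributes (the EditFlags change from the
# template section), add them to -attrib as well, e.g.
# "CertificateTemplate:vCACCertificate`nSAN:dns=vcac.lab.local&dns=vcac".
certreq -submit -attrib 'CertificateTemplate:vCACCertificate' -config $caConfig vcac.csr vcac.crt

# Fetch the CA certificate for the chain; certutil writes it DER-encoded, so convert to PEM.
certutil -config $caConfig -ca.cert root.cer
& $openssl x509 -inform DER -in root.cer -out root.crt

# PFX for the Windows IaaS components: private key, certificate and issuing chain.
& $openssl pkcs12 -export -in vcac.crt -inkey vcac.key -certfile root.crt -name vcac -passout "pass:$pfxPass" -out vcac.pfx

# PEM for the appliances and load balancer: key and certificate as separate files.
& $openssl rsa  -in vcac.key -out vcac-key.pem
& $openssl x509 -in vcac.crt -out vcac-cert.pem

# Checks: the request carried the SANs, and the PFX opens with the expected contents.
& $openssl req -in vcac.csr -noout -text | Select-String -Pattern 'DNS:'
& $openssl pkcs12 -in vcac.pfx -passin "pass:$pfxPass" -nokeys -noout -info
```

Run the whole thing once per certificate (one for each component, or once with all names in subjectAltName if you are going the wildcard or multi-SAN route the post recommends for a distributed installation), and keep the .key and .pfx files out of any shared location.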
This tutorial includes another two posts. Below are the links to the other two posts: