Following on from vRA 7 Enterprise Deployment Part 1, this blog continues the series with some further planning and preparation before starting with the initial vRA Appliances deployment.
Generating Certificates
A production, distributed vRealize Automation deployment utilises Certificate Authority (CA) signed security certificates as each component communicates exclusively over SSL. While it is possible to import self-signed certificates on necessary components, this is not recommended in a production environment.
In my home lab, I have installed a Microsoft Certificate Authority. I followed this blog article to setup my Microsoft CA:
How to setup Microsoft Active Directory Certificate Services [AD CS]
I then referenced the VMware KB article for creating a CA template to use for my vRA deployment:
Creating and Publishing a Certificate Template
Referencing the KB article, I created the certificate template using the following steps.
Open the MMC console for Certificate Templates:
- Click File and select Add/Remove Snap-in
- Select Certificate Templates in Available Snap-Ins and click Add
- Click OK
- From the right pane, right-click Web Server template
- Click Duplicate Template
In the Properties of New Template dialog box:
- Click the General tab
- Type the name of the template in Template name text box
In the Properties of New Template dialog box:
- Click the Subject Name tab
- Select the Supply in the request radio button
In the Properties of New Template dialog box:
- Click the Security tab
- Assign Full Control privileges to the domain administrator
- Assign Full Control privileges to the computer issuing this certificate
- Click OK
Open the MMC console for Certification Authority for the domain:
- Right-click Certificate Templates
- Select New > Certificate Template to Issue
In the Enable Certificate Templates dialog box:
- Select the certificate created in the above steps
- Click OK
Now the certificate template is published and ready to use. The table below details the certificates which are required for an enterprise large deployment with HA using embedded vRO instances.
vRealize Automation Certificate Requirements for High Availability
Certificate Common Name | Application Role | Encoding Needed |
vra-portal.testlab.com | vRealize Automation Appliances | PEM and unencrypted key |
vra-web.testlab.com | IaaS Web Servers | PKCS12 |
vra-mgr.testlab.com | IaaS Manager Services | PKCS12 |
Generating SSL Certificates
Now we will create the PKCS12 formatted certificates for the vRA IaaS Windows components and the PEM encoded certificate for the vRA appliances. You will need a machine with OpenSSL installed to generate the Certificate Signing Requests and format conversions plus access to the Certificate Services server to generate the signed certificates. The process shown below uses a Microsoft Active Directory Certificate Services.
Prepare for certificate generation using the following procedure:
- Install OpenSSL on the machine where you will generate the certificates.
- Create a base folder (D:\Certs in this example) with separate sub-folders for each vRealize Automation component.
- Within the base folder, create three subfolders named as follows:
- vrava
- IaaSWeb
- IaaSMgr
Log in to the Microsoft Certificate Authority web interface, for example:
- http://dctestlab001.testlab.com/certsrv
- Click Download a CA certificate, certificate chain, or CRL.
From the Download a CA Certificate, Certificate Chain, or CRL page:
- Click Base 64
- Click the Download CA certificate chain link
- Save the certificate chain as cachain.p7b in the D:\Certs folder
- Click the Download CA certificate link
- Save the CA certificate as RootCA.crt in the D:\Certs folder
Create a configuration file for the vRealize Automation appliances using the format shown below:
- Use the configuration details (shown in the sample code block below) and alter items highlighted in red.
- Save the configuration file to D:\Certs\vRAva\vra-portal.cfg
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS: vra-portal, DNS: vra-portal.testlab.com, DNS: vratestlab01, DNS: vratestlab01.testlab.com, DNS: vratestlab02, DNS: vratestlab02.testlab.com
[ req_distinguished_name ]
countryName = UK
stateOrProvinceName = Kent
localityName = Staplehurst
0.organizationName = Testlab
organizationalUnitName = vRealizeAutomation
commonName = vra-portal.testlab.com
Run the following OpenSSL command to generate the certificate request and the private key for this certificate:
openssl req -new -nodes -out D:\Certs\vRAva\vra-portal.csr -keyout D:\Certs\vRAva\vra-portal.key -config D:\Certs\vRAva\vra-portal.cfg
NOTE: Remember to replace the path and file names as required.
Run the following OpenSSL command to convert the keys to the RSA format required by the vRA appliances:
openssl rsa -in D:\Certs\vRAva\vra-portal.key -out D:\Certs\vRAva\vra-portal.key
Go back to the home page of the Certificate Server.
Click Request a certificate.
Click advanced certificate request.
Click Submit a certificate Request by using a base- 64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
On the Submit a Certificate Request or Renewal Request page:
- Open the vra-portal.csr file, generated in the step above, in notepad or notepad++
- Copy and paste the contents into the Base-64-encoded certificate request text box
- Select the template created using the Certificate Template process, VRA
- Click Submit
Click the Base-64 encoded radio button on the certificate-issued screen. Click the Download Certificate link.
Save the certificate as vra-portal in the folder D:\Certs\vRAva\vra-portal.cer
Click the Download Certificate chain link.
Save the certificate chain as cachain.p7b file and navigate to D:\Certs\vRAva\cachain.p7b.
Go to D:\Certs\vRAva and double-click the cachain.p7b file.
Right-click the root certificate, select All Actions > Export, and click Next.
Select Base64-encoded X.509 (.CER) and click Next.
Save the export to your D:\Certs\Root64.cer
Click Next
Click Finish then OK
Run the following OpenSSL command to convert the certificates to PKCS12 format:
openssl pkcs12 -export -in D:\Certs\vRAva\vra-portal.cer -inkey D:\Certs\vRAva\vra-portal.key -certfile D:\Certs\Root64.cer -name vra-portal -passout pass:VMware1! -out D:\Certs\vRAva\vra-portal.pfx
Run the following OpenSSL command to convert the certificates to PEM format:
openssl pkcs12 -nokeys -in D:\Certs\vRAva\vra-portal.pfx -inkey D:\Certs\vRAva\vra-portal.key -out D:\Certs\vRAva\vra-portal.pem -nodes -passin pass:VMware1!
Once this has completed, you now have the CA signed SSL certificates for the vRA appliances.
Repeat the above steps to generate the certificate for the vRealize Automation IaaS Web servers, remembering you do not need to complete the last step converting the certificates to PEM format.
Create a configuration file for the vRealize Automation IaaS Web servers using the format shown below:
- Use the configuration details (shown in the sample code block below) and alter items highlighted in red.
- Save the configuration file to D:\Certs\IaaSWeb\vra-web.cfg
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS: vratestlab03, DNS:vratestlab03.testlab.com, DNS: vratestlab04, DNS:vratestlab04.testlab.com, DNS: vra-web, DNS: vra-web.testlab.com
[ req_distinguished_name ]
countryName = UK
stateOrProvinceName = Kent
localityName = Staplehurst
0.organizationName = Testlab
organizationalUnitName = vRealizeAutomationIaaSWeb
commonName = vra-web.testlab.com
Repeat the above steps to generate the certificate for the vRealize Automation IaaS Manager servers, remembering you do not need to complete the last step converting the certificates to PEM format.
Create a configuration file for the vRealize Automation IaaS Web servers using the format shown below:
- Use the configuration details (shown in the sample code block below) and alter items highlighted in red.
- Save the configuration file to D:\Certs\IaaSMgr\vra-mgr.cfg
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS: vratestlab05, DNS: vratestlab05.testlab.com, DNS: vratestlab06, DNS: vratestlab06.testlab.com, DNS: vra-mgr, DNS: vra-mgr.testlab.com
[ req_distinguished_name ]
countryName = UK
stateOrProvinceName = Kent
localityName = Staplehurst
0.organizationName = Testlab
organizationalUnitName = vRealizeAutomationIaaSMgr
commonName = vra-mgr.testlab.com
I will continue with the vRA 7 deployment in part 3 of this series, where we can now start deploying the vRA Appliances.