vRA 7 Enterprise Deployment – Part 2 – Generating Certificates

Following on from vRA 7 Enterprise Deployment Part 1, this blog continues the series with some further planning and preparation before starting with the initial vRA Appliances deployment.

Generating Certificates

A production, distributed vRealize Automation deployment utilises Certificate Authority (CA) signed security certificates as each component communicates exclusively over SSL. While it is possible to import self-signed certificates on necessary components, this is not recommended in a production environment.

In my home lab, I have installed a Microsoft Certificate Authority. I followed this blog article to setup my Microsoft CA:

How to setup Microsoft Active Directory Certificate Services [AD CS]

I then referenced the VMware KB article for creating a CA template to use for my vRA deployment:

Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.0 (2112009)

Creating and Publishing a Certificate Template

Referencing the KB article, I created the certificate template using the following steps.

Open the MMC console for Certificate Templates:

  • Click File and select Add/Remove Snap-in
  • Select Certificate Templates in Available Snap-Ins and click Add
  • Click OK
  • From the right pane, right-click Web Server template
  • Click Duplicate Template

 

1.2.1

In the Properties of New Template dialog box:

  • Click the General tab
  • Type the name of the template in Template name text box

1.2.2

1.2.3

In the Properties of New Template dialog box:

  • Click the Subject Name tab
  • Select the Supply in the request radio button

1.2.4

In the Properties of New Template dialog box:

  • Click the Security tab
  • Assign Full Control privileges to the domain administrator
  • Assign Full Control privileges to the computer issuing this certificate
  • Click OK

1.2.5

Open the MMC console for Certification Authority for the domain:

  • Right-click Certificate Templates
  • Select New > Certificate Template to Issue

1.2.6

In the Enable Certificate Templates dialog box:

  • Select the certificate created in the above steps
  • Click OK

1.2.7

1.2.8

Now the certificate template is published and ready to use. The table below details the certificates which are required for an enterprise large deployment with HA using embedded vRO instances.

vRealize Automation Certificate Requirements for High Availability

Certificate Common Name Application Role Encoding Needed
vra-portal.testlab.com vRealize Automation Appliances PEM and unencrypted key
vra-web.testlab.com IaaS Web Servers PKCS12
vra-mgr.testlab.com IaaS Manager Services PKCS12

 

Generating SSL Certificates

Now we will create the PKCS12 formatted certificates for the vRA IaaS Windows components and the PEM encoded certificate for the vRA appliances. You will need a machine with OpenSSL installed to generate the Certificate Signing Requests and format conversions plus access to the Certificate Services server to generate the signed certificates. The process shown below uses a Microsoft Active Directory Certificate Services.

Prepare for certificate generation using the following procedure:

  • Install OpenSSL on the machine where you will generate the certificates.
  • Create a base folder (D:\Certs in this example) with separate sub-folders for each vRealize Automation component.
  • Within the base folder, create three subfolders named as follows:
    • vrava
    • IaaSWeb
    • IaaSMgr

1.2.9

Log in to the Microsoft Certificate Authority web interface, for example:

1.2.10

From the Download a CA Certificate, Certificate Chain, or CRL page:

  • Click Base 64
  • Click the Download CA certificate chain link
  • Save the certificate chain as cachain.p7b in the D:\Certs folder
  • Click the Download CA certificate link
  • Save the CA certificate as RootCA.crt in the D:\Certs folder

1.2.11

1.2.12

1.2.13

1.2.14

Create a configuration file for the vRealize Automation appliances using the format shown below:

  • Use the configuration details (shown in the sample code block below) and alter items highlighted in red.
  • Save the configuration file to D:\Certs\vRAva\vra-portal.cfg

[ req ]

default_bits = 2048

default_keyfile = rui.key

distinguished_name = req_distinguished_name

encrypt_key = no

prompt = no

string_mask = nombstr

req_extensions = v3_req

 

[ v3_req ]

basicConstraints = CA:FALSE

keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation

extendedKeyUsage = serverAuth, clientAuth

subjectAltName = DNS: vra-portal, IP: 192.168.140.24, DNS: vra-portal.testlab.com, DNS: vratestlab01, DNS: vratestlab01.testlab.com, DNS: vratestlab02, DNS: vratestlab02.testlab.com

 

[ req_distinguished_name ]

countryName = UK

stateOrProvinceName = Kent

localityName = Staplehurst

0.organizationName = Testlab

organizationalUnitName = vRealizeAutomation

commonName = vra-portal.testlab.com

 

Run the following OpenSSL command to generate the certificate request and the private key for this certificate:

openssl req -new -nodes -out D:\Certs\vRAva\vra-portal.csr -keyout D:\Certs\vRAva\vra-portal.key -config D:\Certs\vRAva\vra-portal.cfg

NOTE: Remember to replace the path and file names as required.

1.2.15

1.2.16

Run the following OpenSSL command to convert the keys to the RSA format required by the vRA appliances:

openssl rsa -in D:\Certs\vRAva\vra-portal.key -out D:\Certs\vRAva\vra-portal.key

 

1.2.17

Go back to the home page of the Certificate Server.

Click Request a certificate.

1.2.18

Click advanced certificate request.

1.2.19

Click Submit a certificate Request by using a base- 64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

1.2.20

On the Submit a Certificate Request or Renewal Request page:

  • Open the vra-portal.csr file, generated in the step above, in notepad or notepad++
  • Copy and paste the contents into the Base-64-encoded certificate request text box
  • Select the template created using the Certificate Template process, VRA
  • Click Submit

1.2.21

Click the Base-64 encoded radio button on the certificate-issued screen. Click the Download Certificate link.

Save the certificate as vra-portal in the folder D:\Certs\vRAva\vra-portal.cer

1.2.22

Click the Download Certificate chain link.

Save the certificate chain as cachain.p7b file and navigate to D:\Certs\vRAva\cachain.p7b.

Go to D:\Certs\vRAva and double-click the cachain.p7b file.

Right-click the root certificate, select All Actions > Export, and click Next.

1.2.23

Select Base64-encoded X.509 (.CER) and click Next.

 

1.2.24

Save the export to your D:\Certs\Root64.cer

Click Next

1.2.25

Click Finish then OK

1.2.26

1.2.27

Run the following OpenSSL command to convert the certificates to PKCS12 format:

openssl pkcs12 -export -in D:\Certs\vRAva\vra-portal.cer -inkey D:\Certs\vRAva\vra-portal.key -certfile D:\Certs\Root64.cer -name vra-portal -passout pass:VMware1! -out D:\Certs\vRAva\vra-portal.pfx

 

1.2.28

Run the following OpenSSL command to convert the certificates to PEM format:

openssl pkcs12 -nokeys -in D:\Certs\vRAva\vra-portal.pfx -inkey D:\Certs\vRAva\vra-portal.key -out D:\Certs\vRAva\vra-portal.pem -nodes -passin pass:VMware1!

 

1.2.29

Once this has completed, you now have the CA signed SSL certificates for the vRA appliances.

Repeat the above steps to generate the certificate for the vRealize Automation IaaS Web servers, remembering you do not need to complete the last step converting the certificates to PEM format.

Create a configuration file for the vRealize Automation IaaS Web servers using the format shown below:

  • Use the configuration details (shown in the sample code block below) and alter items highlighted in red.
  • Save the configuration file to D:\Certs\IaaSWeb\vra-web.cfg

 

[ req ]

default_bits = 2048

default_keyfile = rui.key

distinguished_name = req_distinguished_name

encrypt_key = no

prompt = no

string_mask = nombstr

req_extensions = v3_req

 

[ v3_req ]

basicConstraints = CA:FALSE

keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation

extendedKeyUsage = serverAuth, clientAuth

subjectAltName = DNS: vratestlab03, DNS:vratestlab03.testlab.com, DNS: vratestlab04, DNS:vratestlab04.testlab.com, DNS: vra-web, IP:192.168.140.25, DNS: vra-web.testlab.com

 

[ req_distinguished_name ]

countryName = UK

stateOrProvinceName = Kent

localityName = Staplehurst

0.organizationName = Testlab

organizationalUnitName = vRealizeAutomationIaaSWeb

commonName = vra-web.testlab.com

 

Repeat the above steps to generate the certificate for the vRealize Automation IaaS Manager servers, remembering you do not need to complete the last step converting the certificates to PEM format.

Create a configuration file for the vRealize Automation IaaS Web servers using the format shown below:

  • Use the configuration details (shown in the sample code block below) and alter items highlighted in red.
  • Save the configuration file to D:\Certs\IaaSMgr\vra-mgr.cfg

 

[ req ]

default_bits = 2048

default_keyfile = rui.key

distinguished_name = req_distinguished_name

encrypt_key = no

prompt = no

string_mask = nombstr

req_extensions = v3_req

 

[ v3_req ]

basicConstraints = CA:FALSE

keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation

extendedKeyUsage = serverAuth, clientAuth

subjectAltName = DNS: vratestlab05, DNS: vratestlab05.testlab.com, DNS: vratestlab06, DNS: vratestlab06.testlab.com, DNS: vra-mgr, IP: 192.168.140.26, DNS: vra-mgr.testlab.com

 

[ req_distinguished_name ]

countryName = UK

stateOrProvinceName = Kent

localityName = Staplehurst

0.organizationName = Testlab

organizationalUnitName = vRealizeAutomationIaaSMgr

commonName = vra-mgr.testlab.com

 

I will continue with the vRA 7 deployment in part 3 of this series, where we can now start deploying the vRA Appliances.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s