Using the vSphere Auto Deploy Waiter service as a Subordinate Certificate Authority

Article ID: 308852


Products

VMware vCenter Server

Issue/Introduction

This article provides steps to configure the vSphere Auto Deploy Waiter service in vSphere 5.0, vSphere 5.1 and vSphere 5.5 to function as a Certificate Authority (CA) subordinate to sign certificates for your stateless hosts.

Environment

VMware vCenter Server 5.0.x
VMware vCenter Server 5.1.x
VMware vCenter Server 5.5.x

Resolution

Note: This article is part of a resolution path. Before proceeding with the steps in this article, see Implementing CA signed SSL certificates with vSphere 5.x (2034833).
 
Creating CA-assigned certificates for vSphere is a complex task. Many organizations require it to maintain proper security under regulatory requirements. Several distinct workflows are required for a successful implementation:
  • Creating the certificate request
  • Getting the certificate
  • Installation and configuration of the certificate in the vSphere Auto Deploy
  • Configuring the vSphere Auto Deploy Waiter service as Subordinate Certificate Authority (CA). This is optional.
These steps must be followed to ensure the successful implementation of a custom certificate for vSphere Auto Deploy. Before performing these steps, ensure that:

Configuring the vSphere Auto Deploy Waiter service as a Certificate Authority

To complete the configuration of the vSphere Auto Deploy Waiter as a Subordinate CA, you need access to the Root or Subordinate CA server in the environment, because its certificate and private key must be exported. Contact your security team to get the files required.
 
Replacing the rbd-ca.crt and rbd-ca.key files allows the vSphere Auto Deploy Waiter service to function as a Certificate Authority for your stateless hosts.
 
To replace the rbd-ca.crt and rbd-ca.key file:
  1. Log in to the Root Certificate Authority (CA) server.

    Note: If you are using subordinate certificate authority servers within your environment, log in to the last subordinate CA server in the chain.
     
  2. Open the Certificate Authority snap-in console by clicking Start > Run > certsrv.msc.
  3. Right-click the CA server listed under Certification Authority (Local) in the left panel of the console window.
  4. Click All Tasks > Back up CA.
  5. Click Next.
  6. Click Private key and CA certificate.
  7. Select a backup location in the Back up to this location: field.
  8. Click Next.
  9. In the Select a Password window, use testpassword.
  10. Click Next.
  11. Click Finish.
  12. Rename the exported CA Server.p12 file to CA.p12.
  13. Copy the CA.p12 file to the c:\certs folder on the vSphere Auto Deploy server. This can be the same server as vCenter Server.
  14. Launch a command prompt and navigate to the OpenSSL directory. By default, this is: C:\OpenSSL-Win32\bin.
  15. Run this command to create the CA certificate file:

    openssl pkcs12 -in C:\certs\CA.p12 -clcerts -nokeys -out rbd-ca.crt

    Note: If prompted for a password, use testpassword.
     
  16. Run this command to create the CA key file in RSA format:

    openssl pkcs12 -in C:\certs\CA.p12 -nocerts -nodes | openssl.exe rsa > rbd-ca.key

    Note: If prompted for a password, use testpassword.
     
  17. Back up the current rbd-ca.crt and rbd-ca.key certificates. By default, vSphere Auto Deploy stores its certificates in the C:\ProgramData\VMware\VMware vSphere Auto Deploy\ssl directory.
  18. Copy the newly generated rbd-ca.crt and rbd-ca.key files to the C:\ProgramData\VMware\VMware vSphere Auto Deploy\ssl directory, replacing the existing rbd-ca.crt and rbd-ca.key.
  19. Remove the default certificates previously issued to each ESXi host, so that the hosts are re-issued certificates signed by the new CA. Navigate to the host's folder (named after its managed object ID):

    C:\ProgramData\VMware\VMware vSphere Auto Deploy\ssl\host-moid

    and delete rui.crt and rui.key. For guidance on determining a host's managed object ID (MOID), see Looking up Managed Object Reference (MoRef) in vCenter Server (1017126).
     
  20. After completion, return to Step 10 in Configuring CA signed SSL certificates for vSphere Auto Deploy in vSphere 5.x (2073588).
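The OpenSSL part of the procedure (steps 14 to 16), as an added example that is not part of this KB article and not VMware's own tooling: it performs the same two extractions from the CA.p12 backup and then checks, before the files are copied into the Auto Deploy ssl directory, that rbd-ca.crt and rbd-ca.key actually belong together and that the certificate carries basicConstraints CA:TRUE, without which the Waiter service could not sign host certificates. It assumes a POSIX shell with openssl on the PATH; the Windows paths from the article (C:\certs, C:\OpenSSL-Win32\bin) are replaced by parameters, and make_sample_p12 builds a constructed throwaway CA so the script can be exercised offline.

```shell
#!/bin/sh
# Added example, not part of the KB article: reproduce steps 14-16 (extract
# rbd-ca.crt and rbd-ca.key from the CA.p12 backup) and then check that the
# resulting pair is usable as a CA before it replaces the Auto Deploy files.
# Assumes a POSIX shell with openssl on PATH; directories are parameters
# instead of the Windows paths used in the article.

# extract_ca_pair <CA.p12> <password> <output dir>
# Writes rbd-ca.crt and rbd-ca.key into <output dir>; returns non-zero on failure.
extract_ca_pair() {
    p12="$1"; pass="$2"; out="$3"
    mkdir -p "$out" || return 1
    # Step 15: the CA's own certificate, no private key (-clcerts selects the
    # certificate that has a matching key in the bundle, i.e. the CA cert here)
    openssl pkcs12 -in "$p12" -clcerts -nokeys -passin "pass:$pass" \
        -out "$out/rbd-ca.crt" 2>/dev/null || return 1
    # Step 16: the private key, unencrypted (-nodes), rewritten by "openssl rsa"
    openssl pkcs12 -in "$p12" -nocerts -nodes -passin "pass:$pass" 2>/dev/null \
        | openssl rsa -out "$out/rbd-ca.key" 2>/dev/null || return 1
    chmod 600 "$out/rbd-ca.key"
}

# verify_ca_pair <dir>
# Returns 0 only if rbd-ca.crt and rbd-ca.key belong together (same RSA modulus)
# and the certificate carries basicConstraints CA:TRUE, so it can sign host certs.
verify_ca_pair() {
    dir="$1"
    cert_mod=$(openssl x509 -in "$dir/rbd-ca.crt" -noout -modulus 2>/dev/null)
    key_mod=$(openssl rsa -in "$dir/rbd-ca.key" -noout -modulus 2>/dev/null)
    if [ -z "$cert_mod" ] || [ "$cert_mod" != "$key_mod" ]; then
        echo "rbd-ca.crt and rbd-ca.key do not match" >&2
        return 1
    fi
    if ! openssl x509 -in "$dir/rbd-ca.crt" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
        echo "rbd-ca.crt is not a CA certificate (no basicConstraints CA:TRUE)" >&2
        return 1
    fi
    return 0
}

# make_sample_p12 <dir> <password>
# Constructed test input (hypothetical CA, not a real one): a throwaway
# self-signed CA packaged like a Windows CA backup, certificate and key in one
# password-protected PKCS#12 file named CA.p12.
make_sample_p12() {
    dir="$1"; pass="$2"
    mkdir -p "$dir" || return 1
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Constructed Sample Sub CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$dir/ca.cnf" \
        -keyout "$dir/sample-ca.key" -out "$dir/sample-ca.crt" 2>/dev/null || return 1
    openssl pkcs12 -export -inkey "$dir/sample-ca.key" -in "$dir/sample-ca.crt" \
        -passout "pass:$pass" -out "$dir/CA.p12" 2>/dev/null || return 1
}

# Usage: sh extract_rbd_ca.sh /path/to/CA.p12 '<password>' /path/to/output
if [ "$#" -eq 3 ]; then
    extract_ca_pair "$1" "$2" "$3" && verify_ca_pair "$3" \
        && echo "rbd-ca.crt and rbd-ca.key are ready in $3"
fi
```

The verification step is the part the article's procedure does not include: a key that does not match the certificate, or a certificate exported without the CA flag, is only noticed later when hosts fail to receive certificates from the Waiter, so it is cheaper to check the pair at this point than after step 18.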


Additional Information

Configuring CA signed SSL certificates for vSphere Auto Deploy in vSphere 5.x
How to use the vSphere Auto Deploy Waiter service as a subordinate certificate authority (Japanese version)