Signing vRA certificates using an internal Microsoft CA signing authority

Article ID: 311473

Products

VMware Aria Suite

Issue/Introduction

This article provides the steps to sign certificates in a VMware vRealize Automation load balanced environment:

  • The instructions listed in this guide are performed using a Microsoft CA server with the Web Enrollment role installed on Windows Server 2012 R2.
  • Windows OpenSSL is used to generate the PEM files.
  • The version of Windows OpenSSL that was installed was 1.0.1i.

    Note: This procedure is not tested with other versions of OpenSSL.
     
  • In this guide we are signing a total of four certificates for a load balanced vRealize Automation environment.
  • This guide assumes that forward and reverse DNS lookup has been configured for all three appliances and the Windows Server.
  • The related vRealize Automation machines in the example environment and their DNS names and IPs are:
     
    • vRA Identity Appliance - vrasso - 10.xx.xx.xx
    • vRA Appliance 1 - vra01 - 10.xx.xx.xx
    • vRA Appliance 2 - vra02 - 10.xx.xx.xx
    • vRA IaaS Windows Server - vraiaas - 10.xx.xx.xx
       
  • This guide uses short names, IP addresses and domain.com.
  • This guide describes how to create the certificates for installation and not replacement.
  • To replace the certificates in an existing environment, replace one certificate at a time and perform all steps in the Administration Guide to fully update all servers before replacing the next certificate. Never replace all certificates at the same time, as this leads to a breakdown of trust within the environment.

Environment

VMware vRealize Automation 6.2.x
VMware vRealize Automation 7.x

Resolution

To sign the vRealize Automation certificates using the Microsoft CA:

  1. Prepare the environment

    To prepare the environment:
     
    1. Download OpenSSL Light for Windows, available at: http://slproweb.com/products/Win32OpenSSL.html

      Note: The preceding link was correct as of November 20, 2015. If you find the link is broken, provide feedback and a VMware employee will update the link.
       
    2. Download the Visual C++ 2008 Redistributable (x86) from the same location.
    3. Install the Visual C++ Redistributable and OpenSSL to c:\OpenSSL, or open an Administrative Command Prompt and run these commands to silently install:
       
      • vcredist_x86.exe /q:a
      • Win32OpenSSL_Light-1_0_1j.exe /silent /verysilent /sp- /suppressmsgboxes
         
    4. Create the directories needed by running these commands:

      Note: Replace the short names where applicable.
       
      • mkdir c:\certs\vrasso
      • mkdir c:\certs\vra01
      • mkdir c:\certs\vra02
         
  2. Prepare configuration files required for the appliances

    To prepare the configuration files:
     
    1. Create three text files in the associated directory named:
       
      • vrasso.cfg
      • vra01.cfg
      • vra02.cfg
    2. In these files, replace the commonName, subjectAltName, countryName, stateOrProvinceName, localityName, organizationName and organizationalUnitName values with the correct values for your environment.

      Ensure that the commonName also appears as a DNS entry in the subjectAltName:
    vrasso.cfg:
     
    [ req ]
    default_bits = 2048
    default_keyfile = rui.key
    distinguished_name = req_distinguished_name
    encrypt_key = no
    prompt = no
    string_mask = nombstr
    req_extensions = v3_req
    [ v3_req ]
    basicConstraints = CA:FALSE
    keyUsage = digitalSignature, keyEncipherment, dataEncipherment
    extendedKeyUsage = serverAuth, clientAuth
    subjectAltName = DNS:vrasso, IP:10.xx.xx.xx, DNS:vrasso.domain.local
    [ req_distinguished_name ]
    countryName = YourCountry
    stateOrProvinceName = YourState
    localityName = YourLocal
    0.organizationName = YourOrganization
    organizationalUnitName = YourOU
    commonName = vrasso.domain.local

     
    vra01.cfg:
     
    [ req ]
    default_bits = 2048
    default_keyfile = rui.key
    distinguished_name = req_distinguished_name
    encrypt_key = no
    prompt = no
    string_mask = nombstr
    req_extensions = v3_req
    [ v3_req ]
    basicConstraints = CA:FALSE
    keyUsage = digitalSignature, keyEncipherment, dataEncipherment
    extendedKeyUsage = serverAuth, clientAuth
    subjectAltName = DNS:vra01, IP:10.xx.xx.x, DNS:vra01.domain.local
    [ req_distinguished_name ]
    countryName = YourCountry
    stateOrProvinceName = YourState
    localityName = YourLocal
    0.organizationName = YourOrganization
    organizationalUnitName = YourOU
    commonName = vra01.domain.local
     
    vra02.cfg:
     
    [ req ]
    default_bits = 2048
    default_keyfile = rui.key
    distinguished_name = req_distinguished_name
    encrypt_key = no
    prompt = no
    string_mask = nombstr
    req_extensions = v3_req
    [ v3_req ]
    basicConstraints = CA:FALSE
    keyUsage = digitalSignature, keyEncipherment, dataEncipherment
    extendedKeyUsage = serverAuth, clientAuth
    subjectAltName = DNS:vra02, IP:10.xx.xx.x, DNS:vra02.domain.local
    [ req_distinguished_name ]
    countryName = YourCountry
    stateOrProvinceName = YourState
    localityName = YourLocal
    0.organizationName = YourOrganization
    organizationalUnitName = YourOU
    commonName = vra02.domain.local
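
A quick pre-flight check for the requirement above, added here as an example and not taken from the KB article: it parses a .cfg file in the format shown and confirms that the commonName is also listed as a DNS entry in subjectAltName. The configuration embedded in it is constructed for the example and deliberately fails the check.

```python
import re

# Constructed sample (not from the article): mirrors vrasso.cfg above, but
# the FQDN is deliberately left out of subjectAltName so the check fails.
BAD_CFG = """\
[ req ]
default_bits = 2048
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
subjectAltName = DNS:vrasso, IP:10.0.0.10
[ req_distinguished_name ]
countryName = YourCountry
commonName = vrasso.domain.local
"""

def parse_openssl_cfg(text):
    """Parse the INI-style OpenSSL config into {section: {key: value}}."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = re.fullmatch(r"\[\s*(\S+)\s*\]", line)   # '[ req ]' -> 'req'
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        key, sep, value = line.partition("=")
        if sep and current is not None:
            current[key.strip()] = value.strip()
    return sections

def san_entries(cfg):
    """Split 'DNS:a, IP:b' into [('DNS', 'a'), ('IP', 'b')]."""
    raw = cfg.get("v3_req", {}).get("subjectAltName", "")
    return [tuple(p.strip().split(":", 1)) for p in raw.split(",") if ":" in p]

def check_cn_in_san(text):
    """Return (ok, message); ok is True only when commonName is also a DNS SAN."""
    cfg = parse_openssl_cfg(text)
    cn = cfg.get("req_distinguished_name", {}).get("commonName")
    if not cn:
        return False, "commonName missing from [ req_distinguished_name ]"
    dns_names = {v.lower() for kind, v in san_entries(cfg) if kind.upper() == "DNS"}
    if cn.lower() in dns_names:
        return True, f"commonName {cn} is present in subjectAltName"
    return False, f"commonName {cn} is not a DNS entry in subjectAltName {sorted(dns_names)}"

if __name__ == "__main__":
    ok, msg = check_cn_in_san(BAD_CFG)
    print(("OK: " if ok else "FAIL: ") + msg)
```

Run it against each of the three .cfg files before creating the CSRs; a certificate whose CN is absent from the SAN is rejected by clients that validate names only against the SAN.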
  3. Create the certificate signing requests

    Run these commands to create the certificate signing requests and then rewrite each private key in traditional RSA PEM format:

    c:\OpenSSL\bin\openssl req -new -nodes -out c:\certs\vrasso\rui.csr -keyout c:\certs\vrasso\rui-orig.key -config c:\certs\vrasso\vrasso.cfg

    c:\OpenSSL\bin\openssl req -new -nodes -out c:\certs\vra01\rui.csr -keyout c:\certs\vra01\rui-orig.key -config c:\certs\vra01\vra01.cfg

    c:\OpenSSL\bin\openssl req -new -nodes -out c:\certs\vra02\rui.csr -keyout c:\certs\vra02\rui-orig.key -config c:\certs\vra02\vra02.cfg

    c:\OpenSSL\bin\openssl rsa -in c:\certs\vrasso\rui-orig.key -out c:\certs\vrasso\rui.key

    c:\OpenSSL\bin\openssl rsa -in c:\certs\vra01\rui-orig.key -out c:\certs\vra01\rui.key

    c:\OpenSSL\bin\openssl rsa -in c:\certs\vra02\rui-orig.key -out c:\certs\vra02\rui.key
     
  4. Sign the certificates

    To sign the certificates:
     
    1. Navigate to your CA web enrollment portal at http://FQDN/certsrv, and log in with an appropriate account such as a domain admin.
    2. Submit the three certificate signing requests (rui.csr) using the Web Server certificate template. Download each issued certificate in Base 64 encoded format, name it rui.crt, and save it to the appropriate directory.
    3. Download the CA certificate chain in Base 64 format to c:\certs\ and rename it to cachain.p7b.
    4. Open the .p7b file, locate the root certificate, export it as Base-64 encoded X.509 and save it as c:\certs\Root64.cer.
       
  5. Generate the pfx and create the PEM files

    Run these commands to generate the pfx and create the PEM files:

    Note: Create or enter a password where applicable.

    c:\OpenSSL\bin\openssl pkcs12 -export -in C:\certs\vrasso\rui.crt -inkey C:\certs\vrasso\rui.key -certfile c:\certs\Root64.cer -name "rui" -passout pass:CREATEPASSWORD -out C:\certs\vrasso\rui.pfx

    c:\OpenSSL\bin\openssl pkcs12 -export -in C:\certs\vra01\rui.crt -inkey C:\certs\vra01\rui.key -certfile c:\certs\Root64.cer -name "rui" -passout pass:CREATEPASSWORD -out C:\certs\vra01\rui.pfx

    c:\OpenSSL\bin\openssl pkcs12 -export -in C:\certs\vra02\rui.crt -inkey C:\certs\vra02\rui.key -certfile c:\certs\Root64.cer -name "rui" -passout pass:CREATEPASSWORD -out C:\certs\vra02\rui.pfx

    c:\OpenSSL\bin\openssl pkcs12 -in c:\certs\vrasso\rui.pfx -inkey c:\certs\vrasso\rui.key -out c:\certs\vrasso\rui.pem -nodes

    c:\OpenSSL\bin\openssl pkcs12 -in c:\certs\vra01\rui.pfx -inkey c:\certs\vra01\rui.key -out c:\certs\vra01\rui.pem -nodes

    c:\OpenSSL\bin\openssl pkcs12 -in c:\certs\vra02\rui.pfx -inkey c:\certs\vra02\rui.key -out c:\certs\vra02\rui.pem -nodes
     
  6. Import the certificates into the vRealize Automation SSO and Appliances

    During the installation of the vRealize Automation appliances:
     
    1. In the Host Settings tab (on vRealize Automation 6.2) or the vCAC Settings > SSL tab (on vRealize Automation 6.1 and earlier), select Import.
    2. Enter the appropriate rui.key into the RSA Private Key field.
    3. Enter the appropriate rui.pem into the Certificate Chain field.
    4. Enter the Passphrase:

      Note: This is the password you entered during Step 5.
       
    5. Save settings and wait for the services to restart:

      Note: It may take 10 minutes for the services to restart.
       
  7. Sign the IaaS certificate

    To sign the IaaS certificate:
     
    1. Log in to the IaaS server with an Admin account.
    2. Open IIS and click on the host name.
    3. Open Server Certificates.
    4. Create a new signing request using the IaaS FQDN as the common name.
    5. Sign the certificate using the Web Server certificate template and download the signed certificate to the IaaS server.
    6. In IIS, click Complete Request and import the signed certificate.
    7. Install IaaS and when prompted, select the new certificate from the dropdown list.