The Certificate Generation Utility for VMware Validated Solutions (CertGen-VVS) is a PowerShell script that you can use to generate custom certificates for the products that you use to build a Software-Defined Data Center (SDDC) based on VMware Validated Solutions for VMware Cloud Foundation. Use the utility to reduce the number of steps for end-to-end certificate replacement.
CertGen-VVS is written in PowerShell. It operates according to the settings in a configuration file and generates custom SSL certificates that can be signed by the following enterprise certificate authorities (CAs):
The CertGenVVD utility requires a Windows operating system with the following installed.
Platform Component | Required Version |
---|---|
Operating System | Windows Server 2022, 2019, or 2016 |
PowerShell | Windows PowerShell 5.1, PowerShell Core 7.2.2 |
OpenSSL | 1.0.2q or later |
Visual C++ Redistributable Packages | 2013 |
CertGen-VVS requires an OpenSSL binary for Windows, which can be compiled from OpenSSL.org. Additionally, the OpenSSL Wiki page (https://wiki.openssl.org/index.php/Binaries) has a list of pre-compiled windows binaries compiled by the 3rd parties. Read all security disclosures and disclaimers when using binaries compiled by 3rd parties. The recommended 3rd party binary is Win64 OpenSSL v1.0.2q Light since this does not include the unnecessary OpenSSL source code.
Before executing CertGen-VVS, ensure that the path for the OpenSSL binary for Windows is set in the PATH environment variable and that the Microsoft Visual C++ Redistributable Packages for Visual Studio 2013 is installed.
This CertGen-VVS utility is compatible with, and referenced in the documentation for specific versions of VMware Validated Solutions for VMware Cloud Foundation.
Product Version |
---|
VMware Cloud Foundation 4.x |
The CertGen-VVS utility consists of a PowerShell script and configuration files that you can update according to the requirements of your environment.
File or Folder | Description |
CertGen-VVS-1.0.version.ps1 | This PowerShell script generate certificates. |
VVS-Hosts-A.csv VVS-Hosts-B.csv | Configuration CSV to match a VMware Validated Solution for VMware Cloud Foundation. These can be used as a sample for your environment. |
To run the CertGen-VVS utility, you must meet specific requirements on the Windows system on which you run the utility.
Although non-administrator users can download and launch the tool, operations may fail if you do not have the correct permissions.
https://docs.vmware.com/en/VMware-Validated-Design/6.0/sddc-deployment-of-the-management-domain-in-the-first-region/GUID-8C4CA6F7-CEE8-45C9-83B4-09DD3EC5FFB0.html for template creation instructions.
To use the CertGen-VVS tool, from the Attachments section download the version-specific .zip that contains the configuration files for the version, and then extract and replace the content to a local directory.
Column | Description |
---|---|
Name | Description of each row. This will not be used in the configuration file and should not be altered. |
CommonName | FQDN of the common name to be used in the cert. For load balanced components this should be the FQDN of the load balancer VIP. For single node components this should be the FQDN of the node. |
SAN* | FQDNs of additional node to be added as SAN attributes in addition to the Common Name. For load balanced components this would be the FQDN of each node. IP Addresses & email addresses are also supported SAN types |
Note: You must run CertGen-VVS from a machine that is a member of the Microsoft Windows domain the certificate authority is on.
.\CertGen-VVS-1.0.ps1
The certificates are signed by a Microsoft CA according to the requirements of the validated design.
The generated certificates are saved to the certgen-vvs_home_dir\SignedByMSCACertsfolder in multiple formats according to the certificate requirements of the SDDC management components, that is, in X.509, PEM, PKCS#12 and PKCS#7.
The CertGen-VVS utility configures the certificate chain files with the password that you specified during the generation.
CertGen-VVS supports intermediate Microsoft certificate authorities and does not need access to the root certificate authority. CertGen-VVS concatenates the certificates of all of the certificate authorities into the certificate chain.
.\CertGen-VVS-1.0.ps1
Note: Inspect the intermediate CA certificate and look for the "Issued By" value. Full path will be "Issuing-CA-FQDN\Issued-By-Value."
.\CertGen-VVS-1.0.ps1
copy IntermediateCAroot01.cer+IntermediateCAroot02.cer+RootCA.cer > Root64.cer
.\CertGen-VVS-1.0.ps1
Additional options available
Option | Command |
---|---|
View help | h |
Validate the readiness of the machine on which you plan to run the CertGen-VVS utility | v |