About Certificate Generation Utility for VMware Validated Solutions

The Certificate Generation Utility for VMware Validated Solutions (CertGen-VVS) is a PowerShell script that you can use to generate custom certificates for the products that you use to build a Software-Defined Data Center (SDDC) based on VMware Validated Solutions for VMware Cloud Foundation. Use the utility to reduce the number of steps for end-to-end certificate replacement.

CertGen-VVS is written in PowerShell. It operates according to the settings in a configuration file and generates custom SSL certificates that can be signed by the following enterprise certificate authorities (CAs):

• Microsoft Certificate Authority

Supported platforms

The CertGenVVD utility requires a Windows operating system with the following installed.

OpenSSL Notes

CertGen-VVS requires an OpenSSL binary for Windows, which can be compiled from OpenSSL.org. Additionally, the OpenSSL Wiki page (https://wiki.openssl.org/index.php/Binaries) has a list of pre-compiled windows binaries compiled by the 3rd parties. Read all security disclosures and disclaimers when using binaries compiled by 3rd parties. The recommended 3rd party binary is Win64 OpenSSL v1.0.2q Light since this does not include the unnecessary OpenSSL source code.

Before executing CertGen-VVS, ensure that the path for the OpenSSL binary for Windows is set in the PATH environment variable and that the Microsoft Visual C++ Redistributable Packages for Visual Studio 2013 is installed. 
 

Compatibility

This CertGen-VVS utility is compatible with, and referenced in the documentation for specific versions of VMware Validated Solutions for VMware Cloud Foundation.

Utility File Structure

The CertGen-VVS utility consists of a PowerShell script and configuration files that you can update according to the requirements of your environment.

Prerequisites

To run the CertGen-VVS utility, you must meet specific requirements on the Windows system on which you run the utility.

• Verify that the account that you use to log in has administrative privileges.

Although non-administrator users can download and launch the tool, operations may fail if you do not have the correct permissions.

• Configure the PowerShell execution policy with the permissions required to run the commands.
  1. Run the Execute Get-ExecutionPolicycommand to get the active execution policy.
  2. If the Execute Get-ExecutionPolicycommand returns Restricted, run the Set-ExecutionPolicy RemoteSigned command.

• Create a Microsoft Certificate Authority template, called VMware, that you use to generate the certificates for the SDDC management components. See 

https://docs.vmware.com/en/VMware-Validated-Design/6.0/sddc-deployment-of-the-management-domain-in-the-first-region/GUID-8C4CA6F7-CEE8-45C9-83B4-09DD3EC5FFB0.html for template creation instructions.

Obtain the CertGen-VVS utility

1. Download the CertGen-VVS tool.
2. Copy the tool to a Windows virtual machine that has access to the infrastructure.
3. Extract the .zip to any folder and preserve the folder structure.

Use the CertGen-VVS utility with VMware Validated Solutions

To use the CertGen-VVS tool, from the Attachments section download the version-specific .zip that contains the configuration files for the version, and then extract and replace the content to a local directory.

Create Configuration Files

1. Edit the csv files included in the attached bundle to match your environment. The column descriptions are:

Use the CertGen-VVS utility to generate CA-signed certificates from an online Microsoft CA

Note: You must run CertGen-VVS from a machine that is a member of the Microsoft Windows domain the certificate authority is on.
 

1. Open a Windows PowerShell prompt as an administrator and navigate to the directory where you extracted the attached .zip.
2. Run the PowerShell script to launch the menu.

   .\CertGen-VVS-1.0.ps1

3. Select Option 1 to generate all config files, Certificate Signing Requests (CSRs) and certificates from an online Microsoft Root CA.
4. When prompted, select the path to the relevant csv file containing the hostnames for which you require certificates.
5. When prompted, enter the password to be used to encrypt the PKCS#12 certificates.

The certificates are signed by a Microsoft CA according to the requirements of the validated design.

The generated certificates are saved to the certgen-vvs_home_dir\SignedByMSCACertsfolder in multiple formats according to the certificate requirements of the SDDC management components, that is, in X.509, PEM, PKCS#12 and PKCS#7.

The CertGen-VVS utility configures the certificate chain files with the password that you specified during the generation.
 

Use the CertGen-VVS utility to create certificates that are signed by an intermediate certificate authority

CertGen-VVS supports intermediate Microsoft certificate authorities and does not need access to the root certificate authority. CertGen-VVS concatenates the certificates of all of the certificate authorities into the certificate chain.

1. Run the PowerShell script to launch the menu.

   .\CertGen-VVS-1.0.ps1

2. Select Option 2 to generate all config files, Certificate Signing Requests (CSRs) and certificates from an online Microsoft Intermediate CA.
3. When prompted, select the path to the relevant csv file containing the hostnames for which you require certificates.
4. When prompted, enter the intermediate CA path.

Note: Inspect the intermediate CA certificate and look for the "Issued By" value. Full path will be "Issuing-CA-FQDN\Issued-By-Value."

Use the CertGen-VVS utility to create certificate requests (CSRs) to request certificates from an offline or third-party CA

1. Run the PowerShell script to launch the menu..

   .\CertGen-VVS-1.0.ps1

2. Select Option 3 to generate all required CSR files for manual certificate requests from an offline or 3rd party CA
3. When prompted, select the path to the relevant csv file containing the hostnames for which you require certificates.
4. Locate the CSR files in the certgen-vvs_home_dir\CSR folder and send it to the third-party CA to get signed certificates.The CA will send you signed .cer files for each CSR and the Root certificate.
5. Rename the CA root certificate to Root64.cer.
6. If there are multiple intermediate CAs, concatenate the certificates into one certificate chain file.

   copy IntermediateCAroot01.cer+IntermediateCAroot02.cer+RootCA.cer > Root64.cer

7. Place the signed certificates in the corresponding certgenvvd_home_dir\ <product>directories, and the Root64.cer in certgen-vvs_home_dir \Root64.
8. To create the required certificate formats run the CertGen-VVS utility again.

   .\CertGen-VVS-1.0.ps1

9. Select Option 4 to generate all required certificate formats.

Additional command options that are not related to certificate generation for VMware Validated Designs

Additional options available