Update vRA certificates using certificates signed with Microsoft CA signing authority

Article ID: 337041

Products

VMware Aria Suite

Issue/Introduction

This article provides steps to create, sign and replace certificates in a load-balanced VMware vRealize Automation environment using a Microsoft CA:
  • The instructions in this guide were performed using a Microsoft CA server installed on Windows Server 2012 R2.
  • The OpenSSL version used to generate the certificate files is OpenSSL 1.0.2v.
  • Always use host names (FQDN) for the SAN (subject alternative name) entries in certificates. Using an IP address is not supported.
 
The related vRealize Automation machines in the example environment and their DNS names:
  • vRA Appliance Load Balancer - vra-lb.domain.local
  • vRA Appliance 1 - vra-va1.domain.local
  • vRA Appliance 2 - vra-va2.domain.local

  • vRA IaaS Windows Web Server Load Balancer - iaas-web-lb.domain.local
  • vRA IaaS Windows Web Server 1 - iaas-web1.domain.local
  • vRA IaaS Windows Web Server 2 - iaas-web2.domain.local

  • vRA IaaS Windows Manager Service Load Balancer - iaas-ms-lb.domain.local
  • vRA IaaS Windows Manager Service 1 - iaas-ms1.domain.local
  • vRA IaaS Windows Manager Service 2 - iaas-ms2.domain.local

Note: To replace the certificates in an existing environment, replace one certificate at a time and complete all steps, so that every server trusts the new certificate, before replacing the next one. Never replace all certificates at the same time: doing so breaks the trust between the components.

Other certificate property requirements:

  • Hash algorithm: SHA1 or SHA2 (256, 384, 512). SHA-1 is listed as accepted, but it is deprecated for certificate signatures and current browsers and TLS clients reject it; configure the CA to sign with SHA-256 or stronger.
  • Signature algorithm supported: RSASSA-PKCS1-v1_5
  • Key length: 2048 or 4096 bits
  • SubjectAltName: must include the DNS names of all nodes where the component is installed, and the name of the corresponding load balancer.
  • Key Usage: must contain digitalSignature, keyEncipherment, dataEncipherment
  • Enhanced Key Usage: must contain Server Authentication and Client Authentication (serverAuth, clientAuth).
For more information, see: vRealize Automation 7.6 Documentation - Certificate Requirements

Environment

VMware vRealize Automation 7.6.x

Resolution

  1. Creating and publishing a certificate template
    1. Connect to the CA server.
    2. Open the MMC console for Certificate Templates:
    3. Click File and select Add/Remove Snap-in.
    4. Select Certificate Templates in Available Snap-ins and click Add.
    5. Click OK.
    6. In the right pane, right-click the Web Server template.
    7. Click Duplicate Template.

In the Properties of New Template dialog box:
  1. Click the General tab.
  2. Type the name of the template in the Template name text box.

In the Properties of New Template dialog box:
  1. Click the Subject Name tab.
  2. Select the Supply in the request radio button.

Note: The Web Server template carries only the Server Authentication application policy, and the CA issues the policies defined in the template rather than the extendedKeyUsage requested in the CSR. The vRA requirements also call for Client Authentication, so add it on the Extensions tab (Application Policies) of the duplicate template; otherwise the issued certificates will lack the clientAuth EKU.

In the Properties of New Template dialog box:
  1. Click the Security tab.
  2. Assign Full Control permissions to the domain administrator.
  3. Assign Full Control permissions to the computer account from which the certificate requests will be submitted.
  4. Click OK.

Note: Keep the enrollment permissions on this template limited to the accounts named above. Because the template lets the requester supply the subject name, any principal with Enroll rights on it can obtain a server certificate for whatever name it chooses.

  5. Open the MMC console for Certification Authority for the domain.
  6. Right-click Certificate Templates.
  7. Select New > Certificate Template to Issue.

In the Enable Certificate Templates dialog box:
  1. Select the template created in the steps above.
  2. Click OK.
  2. Creating the working directories
    1. Connect to the machine where OpenSSL is installed to generate the certificates.
    2. Create the directories needed by running these commands:
Note: Replace the short names where applicable.

mkdir c:\certs\vrava
mkdir c:\certs\vraiaasweb
mkdir c:\certs\vraiaasms
  3. Preparing the configuration files required for the components
To prepare the configuration files:

Create one text file in each directory, named:
  • vra.cfg (in c:\certs\vrava)
  • iaasweb.cfg (in c:\certs\vraiaasweb)
  • iaasms.cfg (in c:\certs\vraiaasms)

In these files, replace commonName, subjectAltName, countryName, stateOrProvinceName, localityName, 0.organizationName and organizationalUnitName with the correct values for your environment. countryName must be the two-letter country code (for example US); because the files use prompt = no, OpenSSL rejects a longer value with a "string too long" error.

Note: For all components, the subjectAltName field must include all nodes where the component is installed and the corresponding load balancer, each as short name and as FQDN.
Example:
  • For iaas-web: subjectAltName = DNS: iaas-web-lb, DNS: iaas-web-lb.domain.local, DNS: iaas-web1, DNS: iaas-web1.domain.local, DNS: iaas-web2, DNS: iaas-web2.domain.local
  • For iaas-ms: subjectAltName = DNS: iaas-ms-lb, DNS: iaas-ms-lb.domain.local, DNS: iaas-ms1, DNS: iaas-ms1.domain.local, DNS: iaas-ms2, DNS: iaas-ms2.domain.local

The contents of each file (vra.cfg is shown; iaasweb.cfg and iaasms.cfg are identical apart from the subjectAltName and commonName lines). commonName is usually set to the load balancer FQDN; in any case TLS clients validate the names in subjectAltName, so every name a client connects to must be listed there:

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS: vra-lb, DNS: vra-lb.domain.local, DNS: vra-va1, DNS: vra-va1.domain.local, DNS: vra-va2, DNS: vra-va2.domain.local
[ req_distinguished_name ]
countryName = YourCountry
stateOrProvinceName = YourState
localityName = YourLocal
0.organizationName = YourOrganization
organizationalUnitName = YourOU
commonName = vrava

 
    4. Creating the private keys and certificate signing requests
    Run these commands to create the certificate signing requests:
    Note: Replace the path and file names where applicable.

    c:\OpenSSL\bin\openssl req -new -nodes -out c:\certs\vrava\rui.csr -keyout c:\certs\vrava\rui-orig.key -config c:\certs\vrava\vra.cfg
    c:\OpenSSL\bin\openssl req -new -nodes -out c:\certs\vraiaasweb\rui.csr -keyout c:\certs\vraiaasweb\rui-orig.key -config c:\certs\vraiaasweb\iaasweb.cfg
    c:\OpenSSL\bin\openssl req -new -nodes -out c:\certs\vraiaasms\rui.csr -keyout c:\certs\vraiaasms\rui-orig.key -config c:\certs\vraiaasms\iaasms.cfg

    The -nodes option leaves the private key unencrypted, and OpenSSL 1.0.x writes it in PKCS#8 format (BEGIN PRIVATE KEY). The following commands rewrite each key in the traditional RSA format (BEGIN RSA PRIVATE KEY) that the vRealize Automation import step expects. Protect these key files: anyone who can read them can impersonate the corresponding service.

    c:\OpenSSL\bin\openssl rsa -in c:\certs\vrava\rui-orig.key -out c:\certs\vrava\rui.key
    c:\OpenSSL\bin\openssl rsa -in c:\certs\vraiaasweb\rui-orig.key -out c:\certs\vraiaasweb\rui.key
    c:\OpenSSL\bin\openssl rsa -in c:\certs\vraiaasms\rui-orig.key -out c:\certs\vraiaasms\rui.key
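The OpenSSL part of steps 2 to 4 as one script, added here as an example; it is not part of the VMware article. It assumes a bash host with openssl on PATH, ./certs in place of c:\certs, the domain.local suffix and the placeholder DN values set at the top (all assumptions), and it uses the load balancer FQDN as commonName where the article uses a short label. It goes a little beyond the article: it generates all three components from one table, reads the SAN back out of each CSR so it can be checked before the request reaches the CA, and handles the OpenSSL 3 change that makes openssl rsa write PKCS#8 unless -traditional is given.

```bash
#!/usr/bin/env bash
# Added example (not from the VMware article): request config, 2048-bit RSA
# key, CSR and key rewritten in RSA format for each vRA component, driven by
# one table of host names. Assumptions: bash, openssl on PATH, ./certs instead
# of c:\certs, the DNS suffix and DN placeholders below.
set -euo pipefail

DOMAIN="domain.local"
OUT_DIR="${OUT_DIR:-./certs}"
C="US"; ST="YourState"; L="YourLocal"; O="YourOrganization"; OU="YourOU"  # placeholders

# directory : load balancer and node short names (the article's example names;
# the load balancer is listed first and becomes the commonName)
COMPONENTS="vrava:vra-lb vra-va1 vra-va2
vraiaasweb:iaas-web-lb iaas-web1 iaas-web2
vraiaasms:iaas-ms-lb iaas-ms1 iaas-ms2"

# subjectAltName value: short name and FQDN for every host given.
san_list() {
  local out="" h
  for h in "$@"; do
    out="${out:+${out}, }DNS:${h}, DNS:${h}.${DOMAIN}"
  done
  printf '%s' "$out"
}

# The request config from the article with SAN and CN filled in.
write_req_config() {
  local cn="$1"
  cat <<EOF
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = $(san_list "$@")
[ req_distinguished_name ]
countryName = ${C}
stateOrProvinceName = ${ST}
localityName = ${L}
0.organizationName = ${O}
organizationalUnitName = ${OU}
commonName = ${cn}.${DOMAIN}
EOF
}

# Generate config, key and CSR for one component into $OUT_DIR/<component>/.
make_csr() {
  local comp="$1"; shift
  local dir="$OUT_DIR/$comp"
  mkdir -p "$dir"
  write_req_config "$@" > "$dir/$comp.cfg"
  # -nodes: unencrypted key. OpenSSL 1.0+ writes it as PKCS#8 (BEGIN PRIVATE KEY).
  openssl req -new -nodes -newkey rsa:2048 -config "$dir/$comp.cfg" \
      -keyout "$dir/rui-orig.key" -out "$dir/rui.csr" 2>/dev/null
  # Rewrite as traditional RSA (BEGIN RSA PRIVATE KEY) for the vRA import.
  # OpenSSL 3 needs -traditional for that; 1.0.x/1.1.x reject the flag.
  openssl rsa -traditional -in "$dir/rui-orig.key" -out "$dir/rui.key" 2>/dev/null \
      || openssl rsa -in "$dir/rui-orig.key" -out "$dir/rui.key" 2>/dev/null
  chmod 600 "$dir"/rui*.key   # the keys are unencrypted; restrict access
}

# Read the SAN back from a CSR: one line, "DNS:a, DNS:a.domain.local, ...".
csr_san() {
  openssl req -in "$1" -noout -text \
    | awk '/Subject Alternative Name/ { getline; sub(/^[[:space:]]+/, ""); print; exit }'
}

main() {
  local comp names
  while IFS=: read -r comp names; do
    # shellcheck disable=SC2086  # word-splitting the name list is intended
    make_csr "$comp" $names
    echo "$comp: $(csr_san "$OUT_DIR/$comp/rui.csr")"
  done <<<"$COMPONENTS"
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as `bash make-csrs.sh --run`; the SAN printed for each component is what the CA will copy into the certificate, so compare it against the node list before submitting the rui.csr files.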
     
     
    5. Signing the certificates
    To sign the certificates:

    Navigate to your CA web enrollment portal at https://FQDN/certsrv (the portal uses Windows authentication, so use HTTPS rather than plain HTTP) and log in with an appropriate account such as the domain administrator.
    Submit an advanced certificate request for each of the three rui.csr files, selecting the certificate template created above. Download each issued certificate using the 'Base 64 encoded' option and save it to the matching directory as rui.cer.

    Download the CA certificate, also selecting 'Base 64' encoding, and save it to c:\certs\ as root.cer.
    Before continuing, check each issued certificate: it must chain to root.cer, its public key must match the rui.key it was requested with, and it must contain the SAN entries, key usages and both EKUs listed in the requirements above. If the Client Authentication EKU is missing, the template was issued with the Web Server application policy only; fix the template and re-issue rather than importing the certificate.
    6. Generating the PFX and PEM files
    Run these commands to generate the PFX files and then the PEM files:
    Note: Replace CREATEPASSWORD with a password of your choice. Passing it with -passout pass: leaves it in the command history and makes it visible in the process list; on a shared machine omit -passout so that OpenSSL prompts for it instead.

    c:\OpenSSL\bin\openssl pkcs12 -export -in C:\certs\vrava\rui.cer -inkey C:\certs\vrava\rui.key -certfile c:\certs\root.cer -name "rui" -passout pass:CREATEPASSWORD -out C:\certs\vrava\rui.pfx
    c:\OpenSSL\bin\openssl pkcs12 -export -in C:\certs\vraiaasweb\rui.cer -inkey C:\certs\vraiaasweb\rui.key -certfile c:\certs\root.cer -name "rui" -passout pass:CREATEPASSWORD -out C:\certs\vraiaasweb\rui.pfx
    c:\OpenSSL\bin\openssl pkcs12 -export -in C:\certs\vraiaasms\rui.cer -inkey C:\certs\vraiaasms\rui.key -certfile c:\certs\root.cer -name "rui" -passout pass:CREATEPASSWORD -out C:\certs\vraiaasms\rui.pfx

    The following commands extract the key and certificates from each PFX into a single PEM file (-nodes leaves the key unencrypted); they prompt for the password chosen above:

    c:\OpenSSL\bin\openssl pkcs12 -in c:\certs\vrava\rui.pfx -out c:\certs\vrava\rui.pem -nodes
    c:\OpenSSL\bin\openssl pkcs12 -in c:\certs\vraiaasweb\rui.pfx -out c:\certs\vraiaasweb\rui.pem -nodes
    c:\OpenSSL\bin\openssl pkcs12 -in c:\certs\vraiaasms\rui.pfx -out c:\certs\vraiaasms\rui.pem -nodes

    Note: rui.key and rui.pem contain the unencrypted private key. Restrict access to them and delete them from the workstation once the import is complete.
    7. Importing the certificates into vRealize Automation
      1. In a browser open https://vra-lb:5480 and log in.
      2. Select vRA Settings > Certificates.
      3. For each component:
        1. Select the appropriate radio button.
        2. Select Certificate Action: Import.
        3. From rui.pem copy the private key block, from -----BEGIN RSA PRIVATE KEY----- through -----END RSA PRIVATE KEY----- inclusive, into the 'RSA Private Key' field. If rui.pem shows the key as -----BEGIN PRIVATE KEY----- (PKCS#8), paste the contents of the rui.key file produced by the openssl rsa step instead; it is the same key in RSA format.
        4. In 'Certificate Chain' copy and paste the certificate blocks from the same rui.pem file, each from -----BEGIN CERTIFICATE----- through -----END CERTIFICATE-----, leaving out the Bag Attributes, subject and issuer lines printed between them. The server certificate comes first and the CA certificate must be positioned last.
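The checks from step 5 and the assembly of the import material from steps 6 and 7, as an added example that is not part of the VMware article. It assumes a bash host with openssl on PATH, the file layout of the OpenSSL steps under ./certs (rui.cer from the CA and rui.key from the openssl rsa step in each component directory, root.cer in Base64 form in ./certs), and that the private CA has no intermediate; all of these are assumptions. It builds rui.pem directly from rui.key, rui.cer and root.cer instead of going through a PFX, which gives the same key-first, CA-last layout the import needs, and it also strips the CRLF line endings that certificates downloaded from a Windows CA carry.

```bash
#!/usr/bin/env bash
# Added example (not from the VMware article): check each certificate the CA
# issued before it goes anywhere near vRA, then assemble the PEM the appliance
# import expects: RSA private key, server certificate, CA certificate last.
# Assumptions: ./certs/<component>/rui.cer and rui.key, ./certs/root.cer in
# Base64 form, openssl on PATH, no intermediate CA (if there is one, place its
# certificate between the server certificate and the root).
set -euo pipefail

# Print every PEM block of one type from a file, stripping CRLF line endings
# (Windows downloads) and the Bag Attributes/subject/issuer lines that
# openssl pkcs12 writes between blocks. Pure text, so it works on rui.pem too.
pem_blocks() {
  local type="$1" file="$2"
  awk -v b="-----BEGIN ${type}-----" -v e="-----END ${type}-----" \
      '{ sub(/\r$/, "") } $0 == b { p = 1 } p { print } $0 == e { p = 0 }' "$file"
}
pem_count() { pem_blocks "$1" "$2" | grep -c "^-----BEGIN ${1}-----$" || true; }

# SHA-256 of the SubjectPublicKeyInfo, from a certificate or from a private key.
spki_of_cert() { openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{ print $NF }'; }
spki_of_key()  { openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | awk '{ print $NF }'; }

# check_issued_cert <dir> <root.cer> <expected DNS name>...
# Returns 0 only if <dir>/rui.cer meets the requirements listed in the article.
check_issued_cert() {
  local dir="$1" root="$2"; shift 2
  local cert="$dir/rui.cer" key="$dir/rui.key" text san n
  text=$(openssl x509 -in "$cert" -noout -text)
  # 1. issued by the CA whose certificate was downloaded as root.cer
  openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1 \
    || { echo "FAIL $cert: does not chain to $root"; return 1; }
  # 2. issued for the key generated with the CSR (mixing up components is easy)
  [ "$(spki_of_cert "$cert")" = "$(spki_of_key "$key")" ] \
    || { echo "FAIL $cert: public key does not match $key"; return 1; }
  # 3. key usages and both EKUs survived the template (a plain Web Server
  #    template issues Server Authentication only)
  for n in 'Digital Signature' 'Key Encipherment' 'Data Encipherment' \
           'TLS Web Server Authentication' 'TLS Web Client Authentication'; do
    grep -q "$n" <<<"$text" || { echo "FAIL $cert: missing usage '$n'"; return 1; }
  done
  # 4. every node and the load balancer appear in the SAN as exact entries
  san=$(awk '/Subject Alternative Name/ { getline; print; exit }' <<<"$text" \
        | tr ',' '\n' | sed 's/^[[:space:]]*//')
  for n in "$@"; do
    grep -qx "DNS:${n}" <<<"$san" || { echo "FAIL $cert: SAN lacks DNS:${n}"; return 1; }
  done
  # 5. the article accepts SHA-1, but current TLS clients do not
  if grep -q 'Signature Algorithm: sha1With' <<<"$text"; then
    echo "WARN $cert: signed with SHA-1; re-issue after switching the CA to SHA-256"
  fi
  echo "OK   $cert"
}

# build_import_pem <dir> <root.cer>: write <dir>/rui.pem in import order.
build_import_pem() {
  local dir="$1" root="$2"
  {
    pem_blocks "RSA PRIVATE KEY" "$dir/rui.key"
    pem_blocks CERTIFICATE "$dir/rui.cer"
    pem_blocks CERTIFICATE "$root"      # CA certificate last
  } > "$dir/rui.pem"
  chmod 600 "$dir/rui.pem"              # unencrypted key inside
  # A PKCS#8 key (BEGIN PRIVATE KEY) is not picked up above: fail rather than
  # hand the appliance a file with no key in it.
  [ "$(pem_count 'RSA PRIVATE KEY' "$dir/rui.pem")" = 1 ] \
    && [ "$(pem_count CERTIFICATE "$dir/rui.pem")" = 2 ] \
    || { echo "FAIL $dir/rui.pem: expected one RSA key and two certificates"; return 1; }
}

# After the import: what the load balancer (and each node) now presents.
show_live_cert() {   # show_live_cert vra-lb.domain.local [443]
  openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -enddate -fingerprint -sha256
}

main() {
  local base="${OUT_DIR:-./certs}" comp names n expected
  while IFS=: read -r comp names; do
    expected=""
    for n in $names; do expected="$expected $n $n.domain.local"; done
    # shellcheck disable=SC2086  # word-splitting the name list is intended
    check_issued_cert "$base/$comp" "$base/root.cer" $expected
    build_import_pem "$base/$comp" "$base/root.cer"
  done <<'EOF'
vrava:vra-lb vra-va1 vra-va2
vraiaasweb:iaas-web-lb iaas-web1 iaas-web2
vraiaasms:iaas-ms-lb iaas-ms1 iaas-ms2
EOF
}
if [ "${1:-}" = "--run" ]; then main; fi
```

Run `bash check-certs.sh --run` after saving the three rui.cer files and root.cer; it stops at the first failing check so a bad certificate is never assembled into rui.pem. Once a component has been imported and the services restarted, `show_live_cert vra-lb.domain.local` (and the same for each node) confirms the new certificate is actually being served, which is the check to do before moving on to the next certificate.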


Additional Information

For information on signing vRA certificates using an internal Microsoft CA signing authority in older versions of vRA, see Signing vRA certificates using an internal Microsoft CA signing authority