In this post, I will go through how to generate and import the certificates in a step-by-step fashion for both the Identity Appliance and the vCAC Appliance. Please note this post is the second part of a three-post tutorial; you can find the other two posts at:
- First post: vCloud Automation Center 6 Certificates A to Z
- Second post: Generating Certificates for vCAC 6 IaaS Web Server & Manager Service
Note: for vRealize Automation 7, please check out following blogpost: Replacing Certificates in vRealize Automation 7
Step 1: Generate the appropriate configuration files:
1. Open a text editor on the system where OpenSSL is installed.
2. Paste the following text into a file, replacing the environment-specific values (shown in red in the original post) with those of your environment.
This one I used for Identity server:
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vtid01, IP:192.168.2.101, DNS:vtid01.vt.com
[ req_distinguished_name ]
countryName = CA
stateOrProvinceName = ON
localityName = Toronto
0.organizationName = Lab
organizationalUnitName = vCACSSO
commonName = vtid01.vt.com
This one I used for my vCAC Appliance:
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vtvcac01, IP:192.168.2.102, DNS:vtvcac01.vt.com, DNS:vtvcac01a, IP:192.168.2.103, DNS:vtvcac01a.vt.com, DNS:vtvcac01b, IP:192.168.2.104, DNS:vtvcac01b.vt.com
[ req_distinguished_name ]
countryName = CA
stateOrProvinceName = ON
localityName = Toronto
0.organizationName = Lab
organizationalUnitName = vCACAppliance
commonName = vtvcac01.vt.com
3. Save the file as vcacid.cfg but do not close it (I have saved my file in C:\certs\identity as you’ll note further on).
4. To create the vCAC VA config file, update the fields in red with the appropriate information and save as vcaca.cfg (I have saved my file in C:\certs\vcaca as you’ll note further on).
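As an added check (not part of the original post or of any VMware tool), the following Python validates a request config of the kind shown above before it is handed to openssl req: it confirms the key size, that every IP entry in subjectAltName parses, that serverAuth is present, and that the commonName is repeated among the DNS SAN entries, since clients ignore the CN once a SAN is present. The embedded sample is a trimmed, constructed copy of the Identity Appliance config above.

```python
import ipaddress

# Constructed sample: a trimmed copy of the Identity Appliance config above (most DN fields omitted).
IDENTITY_CFG = """\
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ v3_req ]
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vtid01, IP:192.168.2.101, DNS:vtid01.vt.com
[ req_distinguished_name ]
commonName = vtid01.vt.com
"""

def parse_cfg(text):
    # Minimal reader for OpenSSL's "[ section ]" / "key = value" layout; '#' starts a comment.
    sections, current = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key] = value
    return sections

def check_request_cfg(text):
    # Returns the problems found; an empty list means the config is ready for 'openssl req'.
    cfg, problems, dns_names = parse_cfg(text), [], []
    req = cfg.get("req", {})
    if int(req.get("default_bits", "0")) < 2048:
        problems.append("default_bits below 2048")
    ext = cfg.get(req.get("req_extensions", ""), {})
    for entry in ext.get("subjectAltName", "").split(","):
        kind, _, value = entry.strip().partition(":")
        if kind == "DNS":
            dns_names.append(value.lower())
        elif kind == "IP":
            try:
                ipaddress.ip_address(value)  # rejects typos such as 192.168.2.1010
            except ValueError:
                problems.append(f"bad IP in subjectAltName: {value}")
    cn = cfg.get(req.get("distinguished_name", ""), {}).get("commonName", "").lower()
    if cn not in dns_names:  # clients ignore the CN once a SAN is present, so it must be listed there
        problems.append("commonName is not repeated in subjectAltName")
    if "serverAuth" not in ext.get("extendedKeyUsage", ""):
        problems.append("extendedKeyUsage lacks serverAuth")
    return problems
```

Run it against vcacid.cfg and vcaca.cfg before Step 2; any non-empty result is cheaper to fix now than after the CA has signed the request.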
Step 2: Generating the certificate request and corresponding key for each of the certificates
To generate a certificate request:
1. Launch a command prompt and navigate to your OpenSSL directory. By default this is located in C:\OpenSSL\bin.
2. Run the following commands (replacing the path with your desired location) to create the certificate request and export the private key:
C:\OpenSSL\bin>openssl req -new -nodes -out c:\certs\identity\rui.csr -keyout c:\certs\identity\rui-orig.key -config c:\certs\identity\vcacid.cfg
C:\OpenSSL\bin>openssl req -new -nodes -out c:\certs\vcaca\rui.csr -keyout c:\certs\vcaca\rui-orig.key -config c:\certs\vcaca\vcaca.cfg
3. Convert the keys to the appropriate RSA format required by the appliances:
openssl rsa -in c:\certs\identity\rui-orig.key -out c:\certs\identity\rui.key
openssl rsa -in c:\certs\vcaca\rui-orig.key -out c:\certs\vcaca\rui.key
Step 3: Getting the Certificate from Microsoft CA
1. Log on to the Microsoft CA Web Interface (https://ca-server/CertSrv).
2. Click on Request a Certificate > Advanced Certificate Request. Choose "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file".
3. Open the rui.csr file for the vCAC Identity Appliance and then copy and paste the contents into the Base-64-encoded certificate request field.
4. Ensure you select the correctly configured Certificate Template.
5. Click “Submit” to submit the request.
6. Select the “Base64 encoded” option on the Certificate Issued screen.
7. Click the “Download Certificate” link and save as rui.crt in the same location as your config file and CSR.
8. Repeat the above process for the vCACVA Certificate Request.
9. Navigate back to the homepage of the certificate server and click “Download a CA certificate, certificate chain or CRL”.
10. Select the “Base64 encoded” option.
11. Click the “Download a CA Certificate Chain” link.
12. Save the certificate chain as cachain.p7b in your desired location.
13. Double click the cachain.p7b file and navigate to yourlocation\cachain.p7b > Certificates
14. Right click the root certificate and select “All Actions > Export” and then click Next.
15. Select Base64-encoded X.509 (.CER) and click Next.
16. Save the export to yourlocation\Root64.cer and click Next.
Step 4: Converting the Certificates to PEM Format
1. Launch a command prompt and navigate to your OpenSSL directory. By default this is located in C:\OpenSSL\bin.
2. Run the following commands (replacing the path with your desired location and desired passphrase) to convert the certificates to the format expected of the Virtual Appliances.
openssl pkcs12 -export -in C:\certs\identity\rui.crt -inkey C:\certs\identity\rui.key -certfile c:\certs\Root64.cer -name "rui" -passout pass:Vmware1! -out C:\certs\identity\rui.pfx
openssl pkcs12 -export -in C:\certs\vcaca\rui.crt -inkey C:\certs\vcaca\rui.key -certfile c:\certs\Root64.cer -name "rui" -passout pass:Vmware1! -out C:\certs\vcaca\rui.pfx
Use the below commands for vCAC versions prior to 6.2:
openssl pkcs12 -in C:\certs\identity\rui.pfx -inkey C:\certs\identity\rui.key -out C:\certs\identity\rui.pem -nodes
openssl pkcs12 -in C:\certs\vcaca\rui.pfx -inkey C:\certs\vcaca\rui.key -out C:\certs\vcaca\rui.pem -nodes
Use the below commands instead for vRA 6.2, as the above commands seem to produce the error "unable to create keystore" when installing the certificate in the Identity Appliance in vRA 6.2. I found these two commands in the vRA 6.2 documentation at http://pubs.vmware.com/vra-62/index.jsp?topic=%2Fcom.vmware.vra.install.doc%2FGUID-8E7A0EBA-FB3D-4243-90BC-AC38F108FB41.html.
openssl pkcs12 -in C:\certs\identity\rui.pfx -clcerts -nokeys -out C:\certs\identity\rui.pem
openssl pkcs12 -in C:\certs\vcaca\rui.pfx -clcerts -nokeys -out C:\certs\vcaca\rui.pem
Step 5: Importing the Certificates to your Virtual Appliances
1. Log in to https://vCAC.ID.VA:5480
2. Click on the SSO tab.
3. Click on the SSL tab.
4. In the “Choose Option” field, click the drop-down and select Import PEM encoded certificate.
5. Open the rui.key file for your vCAC ID appliance in a text editor.
6. Copy and paste the contents into the “RSA Private Key” field.
7. Open the rui.pem file for your vCAC ID appliance in a text editor (make sure to copy all of its contents).
8. Copy and paste the contents into the “Certificate” field.
9. Enter Vmware1! into the “Pass Phrase” field.
10. Click the “Replace Certificate” button.
11. Repeat the same steps 1-10 for the vCAC Appliance.
16 responses to “Generating Certificates for the identity Appliance/vCAC Appliance”
Eiad,
is the Windows Server you’re using to request certificates a 2003 Server? In 2008 you cannot use the web UI to request computer certificates… 🙁
Actually it was a 2008 Certificate server. My customer has repeated the exercise on Windows 2008 as well.
I remember the interface being over http and not working on https; not sure if that is your problem.
Thanks,
Eiad
Eiad,
Do you know if unique organizational unit names are required for each component? Could you have one wildcard certificate for Identity, CAFÉ, IaaS, and vCO without a specified organizational unit name?
Thanks,
Jason
Hi Jason,
While I have not used a wildcard certificate myself, I have heard of many others inside and outside VMware using it without a problem. It does work and it’s supported as per our documentation.
Thanks,
Eiad
Hi Eiad,
Thank you for the How to on certs for vCAC.
I have a question for you. I am stuck at Step 3: Getting the Certificate from Microsoft CA. Your screenshot lists a vcac certificate in the drop-down list for Certificate Template. I had followed the steps in “First post: vCloud Automation Center 6 Certificates A to Z”, but the only options available to me are User and Basic EFS. Could you pinpoint where I might be having issues?
I have MS Certificate Authority along with the web portal installed on Windows 2008 R2.
My portal URL is localhost/certsrv and it asks me to provide the user id and password (the service account which I had provided for the IIS_IUSR group). When I make a request for a certificate from that URL, it somehow makes the common name the service name.
Thanks
Mukesh
Mukesh, this is the second post in a three-post series. The steps where that vCAC cert type was added to the Microsoft CA are in the following article: https://www.virtualizationteam.com/cloud/vcloud-automation-center-6-certificates-a-to-z.html
Thanks for the blog, it’s been very helpful. I’m at a standstill. If I follow your directions on a fresh 6.1.1 build, I try to import the pem/key to the identity appliance and I get an error: Unable to create SSL key store. I was able to update the vCAC appliances fine however.
Basically I’m at the point where I can login to my default tenant but when I try to login to a newly created tenant I get an Error 400…
DEBUG: com.vmware.identity.samlservice.impl.CasIdmAccessor – Caught exception java.lang.IllegalArgumentException: The validated object is null
DEBUG: com.vmware.identity.samlservice.impl.CasIdmAccessor – getIdpEntityId
DEBUG: com.vmware.identity.samlservice.impl.CasIdmAccessor – getAcsForRelyingParty https://test.com/vcac/org/test/saml/websso/metadata, index null, URL null, binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
DEBUG: com.vmware.identity.samlservice.impl.CasIdmAccessor – Caught exception java.lang.IllegalArgumentException: The validated object is null
DEBUG: com.vmware.identity.samlservice.AuthnRequestState – Caught exception while generating response java.lang.IllegalStateException: BadRequest, will return 400
INFO : com.vmware.identity.BaseSsoController – Responded with ERROR 400, message Unable to process request
Very nice article! One question: if you have a subordinate CA, do you have to combine the root and subordinate certs together similar to how it’s done when replacing vCenter certs?
Hi Todd, Actually you will need to do the same here as well.
[…] 2- Generating Certificates for the identity Appliance/vCAC Appliance <== You can follow this one as is, just skip the part for generating the cert for the identity appliance, as the identity appliance is no longer required in vRA 7. […]
Excellent guide, thank you!