Continuing from the previous posts, here we generate the certificates used for the vCAC appliances.
Step 5: Install OpenSSL
VMware requires that a very specific version of OpenSSL is installed for use with the vCAC appliances and components covered in this series. In this instance we have to use OpenSSL 0.9.8zb; nothing from the 1.x stack is supported by this release of vCAC. The 'zb' suffix marks a patched release on the 0.9.8 branch with that branch's security fixes applied, so the restriction is about the branch the VMware tooling expects, not about the fix level. Bear in mind that 0.9.8 is a legacy branch (it has since reached end of life), so install it only as a certificate-generation tool on the CA box and not as a TLS library for anything network-facing.
Prior to installing OpenSSL on your issuing CA (again, in my lab this is the DC running MS Certificate Services), you need to ensure the prerequisites for installing OpenSSL have been met. In this case that means downloading and installing the Visual C++ 2008 Redistributable, available from Microsoft as vcredist_x86.exe. Note that both the redistributable and the OpenSSL package below are the 32-bit builds; keep the two consistent.
So, first install that prerequisite, then download and install Win32OpenSSL-0_9_8zb.exe.
The installation of OpenSSL is mostly a 'keep clicking Next' affair. However, when the installer asks where to copy the OpenSSL DLLs, choose the OpenSSL binaries (/bin) directory and NOT the Windows system directory. Keeping the DLLs next to openssl.exe makes things MUCH easier later, lets the script find everything automatically, and avoids dropping a legacy OpenSSL build into a system-wide search path where other software might pick it up.
Open a PowerShell window, make a new directory as shown and then launch the Certificate Manager console. Or do it via Windows Explorer if you like.
md C:\Certificates\vCAC
certmgr.msc
Expand Trusted Root Certification Authorities and then select Certificates. You should be able to see the root certificate for the authority. In the details pane, right-click your root certificate (in my case LabDC01-EntRootCA) and select All Tasks > Export.
In the wizard, choose the Base-64 encoded X.509 (.CER) format, save the file in the C:\Certificates\vCAC folder as Root64-1.cer and complete the wizard. The folder and file names here match the commands we will shortly be executing, so use them exactly. If this were an offline root CA with an online issuing CA there would be two certificates in the chain of trust (the root and the issuing CA's own certificate) and the second would also have to be exported, hence the '-1' at the end of the file name.
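If you would rather script the export than click through the wizard, the following does the same job: it finds the self-signed root in the machine's Trusted Root store and writes it out Base-64 encoded (PEM) so OpenSSL can use it as a CA file. This is an added example, not part of the original post; the CA name and output path are the lab values used above and are assumptions to change for your environment.

```powershell
# Added example: export the Enterprise Root CA certificate as Base-64 X.509,
# equivalent to the certmgr.msc export wizard. Lab values below are assumptions.
$CaSubject = 'LabDC01-EntRootCA'          # assumption: subject CN of the lab root CA
$OutDir    = 'C:\Certificates\vCAC'
$OutFile   = Join-Path $OutDir 'Root64-1.cer'

if (-not (Test-Path $OutDir)) { New-Item -ItemType Directory -Path $OutDir | Out-Null }

# Open the LocalMachine Trusted Root store read-only and pick the CA's own
# (self-signed, so Subject equals Issuer) certificate by common name.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$store.Open('ReadOnly')
$root = @($store.Certificates | Where-Object {
    $_.Subject -like "CN=$CaSubject*" -and $_.Subject -eq $_.Issuer
})
$store.Close()

if ($root.Count -eq 0) { throw "No self-signed certificate with CN=$CaSubject in the Trusted Root store" }
if ($root.Count -gt 1) {
    # A renewed root leaves two candidates; pick one explicitly by thumbprint rather than guessing.
    $root | ForEach-Object { Write-Host ("{0}  NotAfter={1}" -f $_.Thumbprint, $_.NotAfter) }
    throw "More than one matching root certificate; select by thumbprint"
}
$root = $root[0]

# 'Base-64 encoded X.509' is just the DER bytes, Base-64 encoded in 64-character
# lines between BEGIN/END CERTIFICATE markers (PEM). Write as plain ASCII, no BOM.
$der   = $root.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$b64   = [Convert]::ToBase64String($der)
$lines = for ($i = 0; $i -lt $b64.Length; $i += 64) {
    $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))
}
$pem = "-----BEGIN CERTIFICATE-----`r`n" + ($lines -join "`r`n") + "`r`n-----END CERTIFICATE-----`r`n"
[System.IO.File]::WriteAllText($OutFile, $pem, [System.Text.Encoding]::ASCII)

Write-Host ("Exported {0} (thumbprint {1}, expires {2}) to {3}" -f $root.Subject, $root.Thumbprint, $root.NotAfter, $OutFile)
```

The thumbprint printed at the end is worth noting down: it is the quickest way to confirm later that the appliances trust the same root you exported. In an offline-root design you would run the equivalent against the Intermediate Certification Authorities store for the issuing CA's certificate and save it as a second file alongside this one.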
The requirements for vCAC certificates are long and specific. Luckily, Ross Davies has written a PowerShell script that does all the OpenSSL work for you: enter a few variables and the hard work is done. (I am not a regular OpenSSL user, so this was a godsend.) See his post http://www.rossdavies.info/blog/2014/01/02/vcloud-automation-center-vcac-6-0-generate-certificates/ to get the script and see how he built it.
Below is the user-variable area of the script with my values plugged in. Ensure $CertOutputPath and $OpenSslInstallDir are correct before running the script. Also note that there are NO SPACES in the certificate template name: the template name (as opposed to its display name) is created without spaces regardless of the friendly name given, and it is that name, not the display name, that the CA expects.
# Path to directory to store created certificates
$CertOutputPath = "C:\Certificates\vCAC"
# OpenSSL location
$OpenSslInstallDir = "C:\OpenSSL"
# CA Name
$CAName = "LabDC01\LabDC01-EntRootCA"
# Certificate Template Name
$CertificateTemplateName = "VMwareSSLCertificate"
# Certificate subject details
$CertificateCountryName = "GB"
$CertificateStateOrProvinceName = "London"
$CertificateLocalityName = "London"
$CertificateOrganizationName = "Lab"
$CertificateOrganizationalUnitName = "Dev"
When the script is run it asks a few questions (shown below), all revolving around the Subject Alternative Name (SAN) values for the certificates. vCAC is really, REALLY fussy about these values being present, so it is best to enter every name you can think of here. NOTE: the Common Name must be the FQDN, and the SANs are DNS names. Normally I wouldn't put the IP address in as an entry, but this is a lab environment so I want a fallback if I mess my DNS up! Bear in mind that strict clients match an IP address only against an IP-type SAN entry, not a DNS entry that happens to contain the dotted address, so check what entry type the script actually writes before relying on it.
The script will then do some OpenSSL work and ask whether the Root CA certificate is in the correct location. Check that Root64-1.cer is there and then select Yes.
The same steps are required now for the vCAC virtual appliance. As before, ensure the SANs are entered correctly and thoroughly. Remember that in a distributed environment the main address for the vCAC VA is the load balancer address / DNS entry, so that name must be the CN and appear in the SANs alongside the individual node names.
Again, a confirmation will appear (shown below) if everything has gone right. To check that everything ran correctly, look in C:\Certificates\vCAC: you should see two new folders (vCAC-SSO and vCAC-vAPP). These contain the files that make up the certificates in the formats needed for importing into the vCAC appliances.
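Because the appliances are so particular about the CN and SAN values, it pays to inspect the generated certificates before uploading them rather than discovering a missing name after the service is down. The following check is an added example, not part of the original post or Ross Davies' script. Its assumptions: OpenSSL is installed in C:\OpenSSL\bin, the output folders are the vCAC-SSO and vCAC-vAPP folders named above, the certificate files inside use a .crt, .pem or .cer extension, and the expected hostnames are the ones typed at the SAN prompts (lab names here). Since 0.9.8 has no '-ext' option, it dumps each certificate with -text and parses the Subject and SAN lines out of that.

```powershell
# Added example: sanity-check generated vCAC certificates before upload.
# Assumptions: OpenSSL 0.9.8 in C:\OpenSSL\bin, folder names from the post,
# .crt/.pem/.cer extensions, and the lab hostnames below as the expected SANs.
$OpenSsl    = 'C:\OpenSSL\bin\openssl.exe'
$CertRoot   = 'C:\Certificates\vCAC'
$RootCaFile = Join-Path $CertRoot 'Root64-1.cer'
$Expected   = @{                                # assumption: names entered at the SAN prompts
    'vCAC-SSO'  = 'sso.lab.local'
    'vCAC-vAPP' = 'vcac.lab.local'              # in a distributed build, the load balancer name
}

$failures = 0
foreach ($folder in $Expected.Keys) {
    $dir   = Join-Path $CertRoot $folder
    $certs = @(Get-ChildItem -Path "$dir\*" -Include *.crt,*.pem,*.cer -ErrorAction SilentlyContinue)
    if ($certs.Count -eq 0) { Write-Warning "${folder}: no certificate files found in $dir"; $failures++; continue }

    foreach ($cert in $certs) {
        # 0.9.8 cannot print a single extension, so dump the whole certificate and parse it.
        $text = (& $OpenSsl x509 -in $cert.FullName -noout -text 2>&1) | Out-String
        if ($LASTEXITCODE -ne 0) { Write-Host "skip $folder\$($cert.Name): not a PEM certificate"; continue }

        $subject = [regex]::Match($text, 'Subject:\s*(.+)').Groups[1].Value.Trim()
        $cn      = [regex]::Match($subject, 'CN=([^,/]+)').Groups[1].Value.Trim()
        $sanLine = [regex]::Match($text, 'Subject Alternative Name:\s*([^\r\n]+)').Groups[1].Value
        $sans    = @($sanLine -split ',\s*' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        $dnsSans = @($sans | Where-Object { $_ -like 'DNS:*' } | ForEach-Object { $_.Substring(4) })

        # Chain check against the root exported earlier. Old OpenSSL builds did not always
        # return a non-zero exit code on failure, so insist on the ': OK' text as well.
        $verify  = (& $OpenSsl verify -CAfile $RootCaFile $cert.FullName 2>&1) | Out-String
        $chainOk = ($LASTEXITCODE -eq 0) -and ($verify -match ': OK')

        $problems = @()
        if ($sans.Count -eq 0)                        { $problems += "no Subject Alternative Name extension at all" }
        if ($cn -notmatch '\.')                       { $problems += "CN '$cn' is not an FQDN" }
        if ($dnsSans -notcontains $cn)                { $problems += "CN '$cn' is not repeated as a DNS SAN" }
        if ($dnsSans -notcontains $Expected[$folder]) { $problems += "expected name $($Expected[$folder]) is not a DNS SAN" }
        if (-not $chainOk)                            { $problems += "does not verify against $RootCaFile" }

        if ($problems.Count -eq 0) {
            Write-Host ("OK   {0}\{1}  CN={2}  SAN=[{3}]" -f $folder, $cert.Name, $cn, ($sans -join ', '))
        } else {
            $failures++
            Write-Host ("FAIL {0}\{1}" -f $folder, $cert.Name)
            $problems | ForEach-Object { Write-Host "     - $_" }
        }
    }
}
if ($failures -gt 0) { Write-Warning "$failures problem(s) found; fix them before uploading to the appliances" }
```

Files that are not PEM certificates (keys, PKCS#12 bundles) are skipped rather than treated as failures, so the script can be pointed at the output folders as they are. Any IP address you entered at the prompts shows up in the printed SAN list with its entry type, which is the quickest way to see whether it was written as a DNS or an IP-type entry.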