Installing vCAC – Part 3: Certificates Prep and Configuration (Continued)

Continuing from the previous posts. Here we shall generate the certificates used for the vCAC appliances.

Step 5: Install Open SSL

VMware requires that a very specific version of Open SSL is installed for use with vCAC appliances and components.  In this instance we have to use Open SSL v0.9.8zb as anything from the 1.x stack is not supported in this version.  This version of 0.9.8 is a patched version that is NOT vulnerable to the security flaws that prompted the 1.x version release.

Prior to installing Open SSL on your issuing CA (again, in my lab this is the DC running MS Certificate Services).  you need to ensure the per-requisites for Installing OpenSSL have been met.  In this case it is the downloading and instillation of Visual C++ 2008 Redistributable.  This is available from Microsoft (vcredist_x86.exe).

So, first off install that pre-req and then download and install Win32OpenSSL-0_9_8zb.exe

The instillation of Open SSL is mostly a ‘Keep Clicking Next affair’ However, as outlined below you should ensure that the Open SSL binaries are stored in the /bin directory and NOT the Windows system directory.  It makes things MUCH easier later and allows things to happen automatically.

SnapCrab_NoName_2015-2-27_14-5-59_No-00Step 6: Issue SSL Certificates for the vCAC and SSO Appliances

Open a PowerShell windows and make a new directory as shown and then launch the certificates Manager console. Or do it via Windows Explorer if you like.

md C:\Certificates\vCAC

Expand the Trusted Root Certification Authority and then select Certificates.  You should be able to see the Root certificate for the Authority. SnapCrab_NoName_2015-2-27_14-20-37_No-00Now, in the details pane, right click on your created Root Certificate (In my case LabDC01-EntRootCA) and select All Tasks > Export

SnapCrab_NoName_2015-2-27_14-16-26_No-00The Export wizard will open up. Follow the process ensuring that the certificate is exported in Base-64 encoded X-509(.CER) format (shown below).


Then save the file in the C:\Certificates\vCAC folder as Root64-1.cer and complete the wizard. Note that the names of the folders and files here refers to commands we will soon be executing.  If this was in an offline root CA  with an online issuing CA there would be a second root certificate in the chain of trust and this would also have to be exported (hence the ‘-1’ at the end of the certificates file name).

SnapCrab_NoName_2015-2-27_14-19-13_No-00The requirements for vCAC certificates are long and specific.  Luckily a guy called Ross Davies has created a PowerShell script that will do all the Open SSL stuff for you.  All you have to do is enter a few variables and the hard work is done! (I’m really not a regular user of Open SSL so this was a godsend).  Check out his post to get the script and see how he made it.

Below is the user variable area of the script with my values plugged in. Ensure you have the $CertOutputPath and $OpenSslInstallDir are correct before running the script.  Also note that there are NO SPACES in the Certificate Template name as the template name is created without spaces regardless of the friendly name given.

# Path to directory to store created certificates
$CertOutputPath = "C:\Certificates\vCAC"

# OpenSSL location
$OpenSslInstallDir = "C:\OpenSSL"

# CA Name
$CAName = "LabDC01\LabDC01-EntRootCA"

# Certificate Template Name
$CertificateTemplateName = "VMwareSSLCertificate"
$CertificateCountryName = "GB"
$CertificateStateOrProvinceName = "London"
$CertificateLocalityName = "London"
$CertificateOrganizationName = "Lab"
$CertificateOrganizationalUnitName = "Dev"

When the script is run it simply asks a few questions (shown below) all revolve around Subject Alternate Names (SAN) values for the certificates.  vCAC gets really, REALLY sniffy about these values existing so it is best to put in all names you can think of here.  NOTE: The common Name must be FQDN, the SANs are DNS names and entries.  Normally I wouldn’t put the IP address as an entry here but this is a lab environment so I want a fail back if I mes my DNS up!SnapCrab_NoName_2015-2-27_15-1-5_No-00The script will do some OpenSSL goodness and then ask you if the Root CA certificate is in the correct location.  Check that the Root64-1.cer is there and then select Yes.

SnapCrab_NoName_2015-2-27_15-4-26_No-00Again, Magic will happen and the following confirmation should appear:

SnapCrab_NoName_2015-2-27_15-6-5_No-00The same steps are required now for the vCAC Virtual Appliances.  As before, ensure the SANs are entered correctly and thoroughly.  Remember that, in a distributed environment the main address for the vCAC VA will be the load balancer address / DNS entry.

SnapCrab_NoName_2015-2-27_15-9-5_No-00Again, a confirmation will appear (shown below) if everything has gone right.SnapCrab_NoName_2015-2-27_15-10-55_No-00To check everything has run correctly you can take a look in c:\Certificates\vCAC and you should see two new folders created (vCAC-SSO and vCAC-vAPP).  These folders will contain numerous files within making up the certificates in the right formats for importing in to the vCAC appliances.

SnapCrab_NoName_2015-2-27_15-16-44_No-00That’s it. We are now done with certificates and can get on with Installing the vCAC appliances.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s