I had another thread on an IaaS distributed installation question where I received great responses. Thanks to the experts.
I'm in the process of getting domain CA certificates for this deployment with the help of this article - http://www.virtualizationteam.com/cloud/vcloud-automation-center-6-certificates-a-to-z.html
A couple of queries about certificates at this point -
Certificates are generated by the subordinate CA server.
1. ID Appliance - My domain certificate chain contains the root CA server and subordinate CA server certificates embedded. When I copy and paste the certificate chain that has these two sets of certificates, it fails. But if I use the certificate from --Begin Certificate-- to --End Certificate-- of the subordinate CA server, it works. Will it be okay to live with this?
2. vCAC Appliance - I have the SAN names of the Load Balancer and Appliance Nodes in the certificates that I generated. When applying the certificate to the vCAC Appliance, I get a message saying "Load balancer certificate does not match local vCAC Certificate". Is this asking me to load the same certificate onto the load balancer?
I must say the VMware documentation around the certificates is weak. I haven't hit the IAAS config yet so I'm sure I will get some queries there as well. Appreciate your responses. Thank you.
I remember running into that message. Buggered if I can remember what the fix was 😕 Maybe I should run through this again to check.
I'll stand up an intermediate today to test the SSO one.
Does your cfg look like this? Specifically, subject alternate name including IPs, hostnames, and DNS for nodes and LB?
Common name needs to be the LB.
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:ghetto-vcac, IP:172.16.103.111, DNS:ghetto-vcac.melb.vmware.local, DNS:ghetto-vcac1, IP:172.16.103.112, DNS:ghetto-vcac1.melb.vmware.local, DNS:ghetto-vcac2, IP:172.16.103.113, DNS:ghetto-vcac2.melb.vmware.local
[ req_distinguished_name ]
countryName = AU
stateOrProvinceName = VIC
localityName = Melbourne
0.organizationName = Lab
organizationalUnitName = vCACVA
commonName = ghetto-sso.melb.vmware.local
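To check the points raised in this thread end to end, here is an added shell example (my own, not from the thread, the linked article or VMware): it uses the openssl CLI to build a throwaway root CA and subordinate CA, issues a load-balancer certificate from a req config modelled on the one above (the hostnames and IPs are made-up placeholders), then verifies the leaf against the subordinate and root, checks that the SAN covers the LB name and every node name, counts the certificates in a pasted bundle, and converts the leaf to DER. It assumes only that openssl is on the PATH.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Names, IPs and CA subjects are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
LB_NAME="lb-vcac.example.local"                     # assumed LB FQDN (constructed)
NODES="vcac1.example.local vcac2.example.local"     # assumed node FQDNs (constructed)

write_req_config() {
  # Same shape as the config in the thread: CN is the LB, SAN lists LB + nodes.
  cat > "$WORK/lb.cfg" <<EOF
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:${LB_NAME}, IP:192.0.2.10, DNS:vcac1.example.local, IP:192.0.2.11, DNS:vcac2.example.local, IP:192.0.2.12
[ req_distinguished_name ]
countryName = AU
stateOrProvinceName = VIC
localityName = Melbourne
0.organizationName = Lab
organizationalUnitName = vCACVA
commonName = ${LB_NAME}
EOF
}

build_cas() {
  # Throwaway root CA (self-signed) plus a subordinate CA signed by it.
  printf '[ req ]\ndistinguished_name = dn\nprompt = no\nx509_extensions = ca_ext\n[ dn ]\nCN = Lab Root CA (constructed)\n[ ca_ext ]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = keyCertSign, cRLSign\n' > "$WORK/root.cfg"
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$WORK/root.key" \
    -out "$WORK/root.pem" -days 365 -config "$WORK/root.cfg" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/sub.key" \
    -out "$WORK/sub.csr" -subj "/CN=Lab Sub CA (constructed)" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=keyCertSign,cRLSign\n' > "$WORK/sub.ext"
  openssl x509 -req -in "$WORK/sub.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -out "$WORK/sub.pem" -days 365 -extfile "$WORK/sub.ext" 2>/dev/null
}

issue_leaf() {
  # CSR from the req config, signed by the subordinate CA with the v3_req
  # extensions copied in (otherwise the SAN would be dropped at signing time).
  openssl req -new -newkey rsa:2048 -config "$WORK/lb.cfg" \
    -keyout "$WORK/lb.key" -out "$WORK/lb.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/lb.csr" -CA "$WORK/sub.pem" -CAkey "$WORK/sub.key" \
    -CAcreateserial -out "$WORK/lb.pem" -days 365 \
    -extfile "$WORK/lb.cfg" -extensions v3_req 2>/dev/null
  cat "$WORK/lb.pem" "$WORK/sub.pem" "$WORK/root.pem" > "$WORK/chain.pem"
}

chain_verifies() {
  # Exit 0 when leaf -> subordinate -> root validates against the root alone.
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/sub.pem" "$WORK/lb.pem" >/dev/null 2>&1
}

san_covers() {
  # Exit 0 when every name given appears as a DNS entry in the leaf's SAN.
  local san name
  san="$(openssl x509 -in "$WORK/lb.pem" -noout -text | grep -A1 'Subject Alternative Name' | tail -n1)"
  for name in "$@"; do
    case "$san" in *"DNS:$name"*) ;; *) return 1 ;; esac
  done
  return 0
}

chain_cert_count() {
  # Number of PEM certificates in a bundle: tells you whether a paste holds the
  # leaf alone or the leaf plus the CA certificates.
  grep -c 'BEGIN CERTIFICATE' "$1"
}

to_der() {
  # PEM -> DER for the leaf; prints the DER size in bytes.
  openssl x509 -in "$WORK/lb.pem" -outform DER -out "$WORK/lb.der"
  wc -c < "$WORK/lb.der" | tr -d ' '
}

write_req_config
build_cas
issue_leaf
if chain_verifies; then echo "chain: OK"; else echo "chain: FAILED"; fi
if san_covers "$LB_NAME" $NODES; then echo "SAN covers LB and nodes"; else echo "SAN incomplete"; fi
echo "certs in chain.pem: $(chain_cert_count "$WORK/chain.pem")"
echo "DER bytes: $(to_der)"
```

The `-extfile ... -extensions v3_req` on the signing step is the part people most often miss: a CSR carries the SAN, but `openssl x509 -req` only copies extensions it is told to, so without it the issued certificate has no SAN and the LB/node name check fails.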
Forgot to update the thread. The issue was with the domain CA server certificate chain. The issue is fixed now.
I'm in the process of getting the certificates for the vRO setup now. I'm thinking of 2 vRO appliance nodes configured identically and put behind a load balancer. Any inputs on certificates for vRO, please? I saw somewhere that vRO needs DER-encoded certificates. Please confirm!