The following KB article mentions a great way of processing CA certificates. However, does anyone know if this process can be used for a distributed deployment with load balancers?
I am not able to find any specific link / article which mentions that this process is valid for a distributed deployment.
Yes, I think you should be fine using this tool. The only thing to bear in mind is that you will need to add multiple host names to the certificate (Subject Alternative Names), which this tool allows for.
Thanks for the reply, Alex. Yeah, I can add SANs to the certificate; however, the question is whether it is a supported scenario to use a single certificate for all vRA components, since all the distributed environments I have seen had multiple certificates.
Yes, it's supported, but not recommended. Use SANs for load-balanced elements, not wildcards.
Grant
For my last distributed deployment I used OpenSSL to generate everything in the same manner. The customer's CA didn't allow us to use wildcards, so the three certs I requested were like this; everything played well and applied to the F5.
CN = siteprefixcloud.domain.com (vcva vip)
  SAN - siteprefixcloudva01.domain.com
  SAN - siteprefixcloudva02.domain.com
  SAN - siteprefixcloud-db.domain.com (postgres vip)

CN = siteprefixiaasweb.domain.com (iaas web vip)
  SAN - siteprefixiaasweb01.domain.com
  SAN - siteprefixiaasweb02.domain.com

CN = siteprefixiaasmgr.domain.com (iaas manager vip)
  SAN - siteprefixiaasmgr01.domain.com
  SAN - siteprefixiaasmgr02.domain.com
Sample config.cfg file:

# OpenSSL request config for the appliance cert: CN = the VIP, SANs = the nodes behind it.
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
# Write the key unencrypted (the appliances need it that way) and take the DN
# from [ req_distinguished_name ] instead of prompting.
encrypt_key = no
prompt = no
string_mask = nombstr
# Put the SANs into the CSR; the issuing CA still has to copy them into the cert.
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
# The VIP name is listed as a SAN as well as the CN: clients that follow RFC 6125
# ignore the CN once a SAN extension is present, so a cert that carries the VIP
# only in the CN fails hostname checks on modern clients.
subjectAltName = DNS:siteprefixcloud.domain.com, DNS:siteprefixcloudva01.domain.com, DNS:siteprefixcloudva02.domain.com, DNS:siteprefixcloud-db.domain.com

[ req_distinguished_name ]
countryName = US
stateOrProvinceName = District of Columbia
localityName = Washington
0.organizationName = XXXXXX
organizationalUnitName = XXXXX
commonName = siteprefixcloud.domain.com
Then I run this command to generate the certificate signing request and the private key:
openssl req -new -nodes -out rui.csr -keyout rui-orig.key -config config.cfg
Then run this command to write the key out in RSA format:
openssl rsa -in rui-orig.key -out rui.key
Use that CSR to request the certificate, and when it comes back, format it accordingly. On the Windows boxes I made them all PFXs; the appliances needed the full chain (cert + intermediate + root), all in X.509/PEM format in one file.
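The procedure above, run end to end as an added example (this is not Grant's script and not VMware's tooling): it writes the request config, generates the key and CSR, signs the CSR with a throwaway local CA standing in for the customer's CA, and packages the result both ways the post describes, a PEM chain for the appliances and a PFX for the Windows boxes. Two deliberate differences from the config in the post: the VIP name is listed as a SAN as well as the CN, because clients that follow RFC 6125 ignore the CN once a SAN extension is present, and dataEncipherment is dropped from keyUsage since TLS key exchange does not use it. The lab CA, the file names, the organisation fields and the PFX password are assumptions; the hostnames are the thread's own placeholders.

```shell
#!/bin/sh
# Added example, not the poster's own files: request, sign and package a
# load-balanced vRA cert, exercised against a constructed local CA so it
# runs offline. Lab CA, file names, org fields and PFX password are assumed.
set -eu
WORK=$(mktemp -d); cd "$WORK"; echo "working in $WORK"

# 1. Request config. The VIP is the CN *and* the first SAN (RFC 6125 clients
#    ignore the CN whenever a SAN extension is present).
cat > config.cfg <<'EOF'
[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
encrypt_key        = no
prompt             = no
req_extensions     = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName   = DNS:siteprefixcloud.domain.com, DNS:siteprefixcloudva01.domain.com, DNS:siteprefixcloudva02.domain.com, DNS:siteprefixcloud-db.domain.com

[ req_distinguished_name ]
countryName            = US
stateOrProvinceName    = District of Columbia
localityName           = Washington
organizationName       = Example Org
organizationalUnitName = Cloud
commonName             = siteprefixcloud.domain.com
EOF

# 2. Unencrypted private key (-nodes) plus CSR, as in the post.
openssl req -new -nodes -out rui.csr -keyout rui.key -config config.cfg 2>/dev/null

# 3. Constructed stand-in for the customer CA. Note -extfile/-extensions: a CA
#    that does not copy the requested extensions silently issues a cert with no
#    SANs, the first thing to check when a load-balanced cert "doesn't work".
cat > ca.cfg <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no
x509_extensions    = ca_ext
[ dn ]
commonName = Lab Root CA (constructed)
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
openssl req -x509 -nodes -newkey rsa:2048 -days 3650 -config ca.cfg \
    -keyout ca.key -out ca.crt 2>/dev/null
openssl x509 -req -in rui.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 825 \
    -extfile config.cfg -extensions v3_req -out rui.crt 2>/dev/null

# 4. Package: appliances take leaf + chain in one PEM file; Windows boxes take a PFX.
cat rui.crt ca.crt > rui-chain.pem
openssl pkcs12 -export -in rui.crt -inkey rui.key -certfile ca.crt \
    -out rui.pfx -passout pass:changeit

# Check 1: every expected name is present as a DNS SAN in the *issued* cert.
san_ok() {
    sans=$(openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^,]*' | tr -d ' ')
    for h in siteprefixcloud.domain.com siteprefixcloudva01.domain.com \
             siteprefixcloudva02.domain.com siteprefixcloud-db.domain.com; do
        echo "$sans" | grep -qxF "DNS:$h" || return 1
    done
}

# Check 2: the leaf chains to the root and validates for the name the VIP answers on.
chain_ok() {
    openssl verify -CAfile ca.crt -verify_hostname "$2" "$1" >/dev/null 2>&1
}

if san_ok rui.crt && chain_ok rui.crt siteprefixcloud.domain.com; then
    echo "SANs and chain OK: rui-chain.pem (appliances), rui.pfx (Windows)"
else
    echo "certificate check FAILED" >&2; exit 1
fi
```

The two checks at the end are the ones worth running on the real certificate when it comes back: only the SAN listing proves the CA kept the requested names, and only hostname verification against the VIP name proves the load-balanced name will validate. On the key-format step in the post: OpenSSL 1.0.x `req` writes a PKCS#8 `BEGIN PRIVATE KEY` block and `openssl rsa` rewrites it as `BEGIN RSA PRIVATE KEY`; on OpenSSL 3 `openssl rsa` also emits PKCS#8 by default, so add `-traditional` if the consuming tool insists on the RSA header.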
This might be better suited to a new thread, but I'm having some certificate-related headaches right now as well. I'm using the vRA appliance, and as near as I can tell the default keystore doesn't include any generally accepted root CA certificates. I'm using Google Apps as our outbound email server, and since the root cert they use isn't in the keystore, I'm forced to allow self-signed certificates. This is a lab server, so I'm only a little bothered by that, but let's say I want to send an email via an Orchestrator workflow: the OOTB send-notification workflow doesn't provide any option for trusting all roots and just refuses to do anything at all. I crossed my fingers and did vcac-config import-certificate, but there was no noticeable effect after restarting. I even tried importing cacerts from my workstation's Java install, but I haven't been able to guess the keystore password. The system admin and hardening guides only talk about replacing certificates for the various vRA components, and I'm frankly at a loss for what to try next. Have any of you addressed this before?
A little bit of progress on this: I was able to import the root CA cert that Google uses into the appliance's vRO instance and have successfully sent an email using that workflow. Here's what I had to do:
Unfortunately, that only allows one import at a time, and the cacerts file in my JDK install has 89 entries. I'm not about to go through that process so many times, so hopefully there's some means of streamlining it. It also doesn't put the cert into vRA's keystore, and I don't see any similar functionality in the vRA configuration portal.
Thanks for the reply. Can you please confirm whether there is any VMware KB / document which outlines what is supported and recommended?
There are tools through which you can browse / explore / import the certs of a keystore. Thought I'd share; it might help you.
Someone who has used this tool in such scenarios might be able to help you further.
I am referring to the following KB article from VMware: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=206210...
It talks about the template to be used on an MS Certificate Authority server. However, I am not able to find documentation about 3rd-party certificates.
Does anyone have any experience with 3rd party certificates configuration with vRA?
That is true, but without the password to the keystore they are not very useful.