Kedar_D
Enthusiast

vRA Distributed Deployment Certificates

The following KB article mentions a great way of processing CA certificates. However, does anyone know if this process can be used for a distributed deployment with load balancers?

I am not able to find any specific link / article which mentions that this process is valid for distributed deployment.

VMware KB: Using the vRealize Certificate Generation tool to assist with creating signed certificate...

------------------------------------------------------------ If you find this or any other answer useful please mark the answer as correct or helpful. Kedar http://virtualtechknow.wordpress.com/ ------------------------------------------------------------
11 Replies
AlexJudge
VMware Employee

Yes, I think you should be fine using this tool. The only thing to bear in mind is that you will need to add multiple host names to the certificate (Subject Alternative Names), which this tool allows for.

Kedar_D
Enthusiast

Thanks for the reply, Alex. Yeah, I can add SAN names in the certificate; however, the question is, is it a supported scenario to use a single certificate for all vRA components? All the distributed environments I have seen had multiple certificates.

GrantOrchardVMw
Commander

Yes it's supported, but not recommended. SANs for load balanced elements, not wildcards.

Grant
http://grantorchard.com
slaclair
VMware Employee

For my last distributed deployment I used OpenSSL to generate everything in the same manner. The customer's CA didn't allow us to use wildcards, so the three certs I requested were like this; everything played well and applied to the F5.

CN = siteprefixcloud.domain.com (vcva vip)
  SAN - siteprefixcloudva01.domain.com
  SAN - siteprefixcloudva02.domain.com
  SAN - siteprefixcloud-db.domain.com (postgres vip)

CN = siteprefixiaasweb.domain.com (iaas web vip)
  SAN - siteprefixiaasweb01.domain.com
  SAN - siteprefixiaasweb02.domain.com

CN = siteprefixiaasmgr.domain.com (iaas manager vip)
  SAN - siteprefixiaasmgr01.domain.com
  SAN - siteprefixiaasmgr02.domain.com

Sample config.cfg file:

# OpenSSL request config for the vcva VIP certificate.
# CN is the VIP; the SAN list carries the two appliances and the postgres VIP.
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:siteprefixcloudva01.domain.com, DNS:siteprefixcloudva02.domain.com, DNS:siteprefixcloud-db.domain.com

[ req_distinguished_name ]
countryName = US
stateOrProvinceName = District of Columbia
localityName = Washington
0.organizationName = XXXXXX
organizationalUnitName = XXXXX
commonName = siteprefixcloud.domain.com

Then I run this command to generate a signing request and private key:

openssl req -new -nodes -out rui.csr -keyout rui-orig.key -config config.cfg

Then run this command to format the key in RSA format:

openssl rsa -in rui-orig.key -out rui.key

Use that CSR to request the certificate, and when it comes back you'll format accordingly. On the Windows boxes I made them all PFXs; the appliances needed the full chain (cert + intermediate + root) in x509/PEM format in one file.

VCAP5-DCD/DCA/CIA, VCA4-DT
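As an added example, not code from slaclair's post or from VMware: a small POSIX shell script that builds the same kind of request config for each load-balanced tier, with the VIP as CN and the VIP plus both pool members as SAN entries, and refuses wildcard names (the advice given earlier in the thread). The VIP is repeated in the SAN list because most current TLS clients ignore the CN and match only SANs. Host names, organisation fields and the output directory are placeholders I have assumed. Where the openssl binary is available it also generates the key and CSR and lists the DNS names the CA will see, which is the check worth doing before a request is submitted.

```shell
#!/bin/sh
# Added example: per-tier CSR configs for a distributed vRA deployment behind a
# load balancer. Host names such as vra-vip.example.com are assumed placeholders.

# Refuse wildcard entries; returns 1 and names the offender on stderr.
check_no_wildcard() {
  for h in "$@"; do
    case "$h" in
      \**) echo "wildcard name not allowed: $h" >&2; return 1 ;;
    esac
  done
  return 0
}

# Turn its arguments into an OpenSSL SAN value: "DNS:a, DNS:b, ...".
san_list() {
  out=""
  for h in "$@"; do
    out="${out:+$out, }DNS:$h"
  done
  printf '%s' "$out"
}

# make_req_config VIP MEMBER... : print an openssl req config to stdout.
# The VIP is both the CN and the first SAN; every pool member follows it.
make_req_config() {
  vip="$1"
  check_no_wildcard "$@" || return 1
  cat <<EOF
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = $(san_list "$@")

[ req_distinguished_name ]
countryName = US
stateOrProvinceName = District of Columbia
localityName = Washington
0.organizationName = Example Org
organizationalUnitName = Cloud Platform
commonName = $vip
EOF
}

# gen_csr TIER VIP MEMBER... : write TIER.cfg, TIER.key and TIER.csr into
# $OUTDIR, then print the DNS names embedded in the CSR so they can be
# checked against the load balancer pool before the request goes to the CA.
gen_csr() {
  tier="$1"; shift
  make_req_config "$@" > "$OUTDIR/$tier.cfg" || return 1
  openssl req -new -nodes -config "$OUTDIR/$tier.cfg" \
    -keyout "$OUTDIR/$tier.key" -out "$OUTDIR/$tier.csr" 2>/dev/null || return 1
  echo "$tier:"
  openssl req -in "$OUTDIR/$tier.csr" -noout -text | grep -o 'DNS:[^,]*'
}

OUTDIR="${OUTDIR:-$(mktemp -d)}"
if command -v openssl >/dev/null 2>&1; then
  # Three requests, one per load-balanced tier, mirroring the post above.
  gen_csr vra     vra-vip.example.com     vra01.example.com     vra02.example.com
  gen_csr iaasweb iaasweb-vip.example.com iaasweb01.example.com iaasweb02.example.com
  gen_csr iaasmgr iaasmgr-vip.example.com iaasmgr01.example.com iaasmgr02.example.com
  echo "requests written to $OUTDIR"
fi
```

The generated private keys are unencrypted (encrypt_key = no, -nodes), which is what the appliance and IIS import paths want, so treat $OUTDIR as sensitive and delete it once the PFX and PEM bundles have been built.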
mikestevenson00
Contributor

This might be better suited to a new thread, but I'm having some certificate-related headaches right now as well. I'm using the vRA appliance, and as near as I can tell the default keystore doesn't include any generally accepted root CA certificates. I'm using Google Apps as our outbound email server, and since the root cert they use isn't in the keystore I'm forced to allow self-signed certificates. This is a lab server, so I'm only a little bothered by that, but let's say I want to send an email via an Orchestrator flow: the OOTB send notification flow doesn't provide any option for trusting all roots and just refuses to do anything at all. I crossed my fingers and did vcac-config import-certificate, but there was no noticeable effect after restarting. I even tried importing cacerts from my workstation's Java install, but I haven't been able to guess the keystore password. The system admin and hardening guides only talk about replacing certificates for the various vRA components, and I'm frankly at a loss for what to try next. Have any of you addressed this before?

mikestevenson00
Contributor

A little bit of progress on this--I was able to import the root CA cert that Google uses into the appliance's vRO instance and have successfully sent an email using that workflow.  Here's what I had to do:

  1. Start the vRO configuration interface. The vcac-vami tool can't do this for you, so I had to run service vco-configurator start.
  2. Log into the configurator at https://<vra host>:8283/vco-config. The default credentials of vmware/vmware are still in place, and it will force you to change the password before doing anything else.
  3. Click the Network button on the left, then the SSL Trust Manager tab up top.
  4. Import the certificate. I copied the root certificate to a local file using my web browser and imported that, but importing from URL will work as well if you don't mind having a bunch of intermediate and endpoint certs in your keystore.
  5. Restart the vRO service. Since you're already connected, the Startup Options tab in the configurator is probably the most convenient way of doing this.

Unfortunately that only allows you one import at a time, and the cacerts file in my jdk install has 89 entries.  I'm not about to go through that process so many times, so hopefully there's some means of streamlining the process.  It also doesn't put the cert into vRA's keystore, and I don't see any similar functionality in the vRA configuration portal.

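As an added example, not from mikestevenson00's post or from VMware: a shell script that splits a PEM bundle into one file per certificate and imports each into a Java keystore with keytool in a single loop, which is the kind of streamlining asked for above instead of one SSL Trust Manager import per certificate. The keystore path and password are assumed placeholders (the thread does not identify the appliance's keystore or its password), and the sample bundle is constructed dummy text that only exercises the splitter offline; the keytool step needs a JDK and the real keystore credentials.

```shell
#!/bin/sh
# Added example: batch-import a bundle of trusted roots into a Java keystore.
# Keystore location and password are placeholders supplied by the caller.

# split_pem BUNDLE OUTDIR : write OUTDIR/cert-N.pem for each certificate block
# in BUNDLE and print the number of certificates found (0 if none).
split_pem() {
  bundle="$1"; dir="$2"
  mkdir -p "$dir"
  awk -v dir="$dir" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
    f { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = "" }
    END { print n + 0 }
  ' "$bundle"
}

# import_all DIR KEYSTORE STOREPASS : import every DIR/*.pem as a trusted
# certificate. The alias is taken from the file name; keytool refuses to reuse
# an alias, which stops an accidental double import. Returns non-zero if any
# single import fails, but keeps going so one bad file does not block the rest.
import_all() {
  dir="$1"; ks="$2"; pass="$3"; rc=0
  for f in "$dir"/*.pem; do
    [ -e "$f" ] || continue
    alias=$(basename "$f" .pem)
    keytool -importcert -noprompt -trustcacerts -alias "$alias" \
      -file "$f" -keystore "$ks" -storepass "$pass" || rc=1
  done
  return $rc
}

# Constructed sample bundle: two dummy PEM blocks, not real certificates,
# enough to exercise the splitter without network access or a JDK.
WORK="${WORK:-$(mktemp -d)}"
cat > "$WORK/bundle.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBsample1
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBsample2
-----END CERTIFICATE-----
EOF
count=$(split_pem "$WORK/bundle.pem" "$WORK/split")
echo "split $count certificate(s) into $WORK/split"

# Real run, once the keystore path and password are known (placeholders):
#   import_all "$WORK/split" /path/to/appliance/keystore.jks "$STOREPASS"
```

After importing into a keystore that a running service reads, the service still has to be restarted, exactly as in step 5 above; keytool changes the file, not the in-memory trust store.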
Kedar_D
Enthusiast

Thanks for the reply. Can you please confirm whether there is any VMware KB / document which outlines what is supported and recommended?

Kedar_D
Enthusiast

There are tools through which you can browse / explore / import the certs of a keystore. Thought I'd share it; it might help you.

If someone has used this tool in such scenarios, they might be able to help you.

Kedar_D
Enthusiast

I am referring to the following KB article from VMware: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=206210...

It talks about the template to be used on a Microsoft Certificate Authority server. However, I am not able to find documentation about third-party certificates.


Does anyone have any experience with 3rd party certificates configuration with vRA?

mikestevenson00
Contributor

That is true, but without the password to the keystore they are not very useful.
