VMware Cloud Community
VMSavvy
Enthusiast

vRAC Certificates in Distributed Installation

Hello community,

I had another thread on an IAAS distributed installation question, where I received great responses. Thanks to the experts.

I'm in the process of getting domain CA certificates for this deployment with the help of this article: http://www.virtualizationteam.com/cloud/vcloud-automation-center-6-certificates-a-to-z.html

A couple of queries about certificates at this point:

Certificates are generated out of the subordinate CA server.

1. ID Appliance - My domain certificate chain contains the root CA server and subordinate CA server certificates embedded. When I copy and paste the certificate chain which has these two sets of certificates, it fails. But if I use the certificate from --Begin Certificate-- till --End Certificate-- of the subordinate CA server, it works. Will it be okay to live with this?

2. vCAC Appliance - I have the SAN names of the Load Balancer and Appliance Nodes mentioned in the certificate when I generated it. When applying the certificate to the vCAC Appliance, I get a message saying "Load balancer certificate does not match local vCAC Certificate". Is this asking me to get the same certificate loaded on to the load balancer?

I must say the VMware documentation around the certificates is weak. I haven't hit the IAAS config yet so I'm sure I will get some queries there as well. Appreciate your responses. Thank you.

VMSavvy :)

GrantOrchardVMw
Commander

I remember running into that message. Buggered if I can remember what the fix was 😕 Maybe I should run through this again to check.

I'll stand up an intermediate today to test the SSO one.

Does your cfg look like this? Specifically, subject alternate name including IPs, hostnames, and DNS for nodes and LB?

Common name needs to be the LB.

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:ghetto-vcac, IP:172.16.103.111, DNS:ghetto-vcac.melb.vmware.local, DNS:ghetto-vcac1, IP:172.16.103.112, DNS:ghetto-vcac1.melb.vmware.local, DNS:ghetto-vcac2, IP:172.16.103.113, DNS:ghetto-vcac2.melb.vmware.local

[ req_distinguished_name ]
countryName = AU
stateOrProvinceName = VIC
localityName = Melbourne
0.organizationName = Lab
organizationalUnitName = vCACVA
commonName = ghetto-sso.melb.vmware.local

Grant http://grantorchard.com
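
The checks described in the reply above (common name is the load balancer; subject alternative names cover the load balancer and every node by hostname, DNS name and IP) can be run against the request config before the CSR goes to the CA. This is an added example, not code from the thread or from VMware; the hostnames, addresses and the function names `parse_cfg` and `lint` are constructed for illustration.

```python
# Added example: lint an OpenSSL req config before generating the CSR.
# Hostnames and addresses are constructed placeholders (assumptions).
SAMPLE_CFG = """\
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ v3_req ]
subjectAltName = DNS:vcac-lb, DNS:vcac-lb.lab.example, IP:192.0.2.10, DNS:vcac1, DNS:vcac1.lab.example, IP:192.0.2.11,

[ req_distinguished_name ]
commonName = vcac-lb.lab.example
"""


def parse_cfg(text):
    """Return {section: {key: value}} for a simple OpenSSL config."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections


def lint(text, lb_fqdn, required):
    """List problems: CN must be the LB name, SAN must cover every name."""
    cfg = parse_cfg(text)
    req = cfg.get("req", {})
    dn = cfg.get(req.get("distinguished_name", ""), {})
    ext = cfg.get(req.get("req_extensions", ""), {})
    raw_san = ext.get("subjectAltName", "")
    entries = [e.strip() for e in raw_san.split(",")] if raw_san else []
    problems = []
    if "" in entries:
        problems.append("empty subjectAltName entry (stray comma)")
    # "DNS:host" / "IP:addr" -> compare on the value part only
    san = {e.split(":", 1)[1].strip().lower() for e in entries if ":" in e}
    if dn.get("commonName", "").lower() != lb_fqdn.lower():
        problems.append("commonName is not the load balancer name")
    for name in required:
        if name.lower() not in san:
            problems.append("missing from subjectAltName: " + name)
    return problems
```

An empty list from `lint` means the config names the load balancer as common name and lists every required name; anything else is worth fixing before the request is signed, since a reissue means another round trip to the CA.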
VMSavvy
Enthusiast

Forgot to update the thread. The issue was with the domain CA server certificate chain. The issue is fixed now.

I'm in the process of getting the certificates for the vRO setup now. I'm thinking of 2 vRO appliance nodes configured identically and put behind a load balancer. Any inputs on certificates for vRO please? I saw somewhere that vRO needs DER code certificates. Please confirm!!

VMSavvy :)
