Certificate Generation Utility for VMware Validated Design for Software-Defined Data Center 4.x and 5.0.x
Article ID: 319752
Updated On:
Products
VMware
Issue/Introduction
About Certificate Generation Utility for VMware Validated Designs
The Certificate Generation Utility for VMware Validated Designs (CertGenVVD) is a command-line utility that you can use to generate custom certificates for the products that you use to build a Software-Defined Data Center (SDDC) based on VMware Validated Design for Software-Defined Data Center. Use the utility to reduce the number of steps for end-to-end certificate replacement.
CertGenVVD is written in PowerShell. It operates according to the settings in a configuration file and generates custom SSL certificates that can be signed by the following enterprise certificate authorities (CAs):
- Microsoft Certificate Authority
- OpenSSL Certificate Authority
For information about certificate replacement during SDDC deployment, see VMware Validated Design Architecture and Design and VMware Validated Design Planning and Preparation from the VMware Validated Designs Documentation.
What's new in the CertGenVVD utility?
Version 3.0.4 of the CertGenVVD utility provides the following new features:
- Support for VMware Validated Design's Consolidated design add-on
- Updates for CertConfig tool for easier configuration files creation
Supported platforms
The CertGenVVD utility requires a Windows operating system that has the Java SE Development Kit and OpenSSL installed.
|
Platform Component
|
Required Version
|
| Operating system | Windows Server 2016 or 2012 R2 Standard Windows Server 2016 or 2012 R2 Datacenter |
| Java SE Development Kit (JDK) | 1.7 or later |
| OpenSSL | 1.0.2q or later |
OpenSSL Notes
CertGenVVD requires an OpenSSL binary for Windows, which can be compiled from OpenSSL.org. Additionally, the OpenSSL Wiki page (https://wiki.openssl.org/index.php/Binaries) has a list of pre-compiled windows binaries compiled by the 3rd parties. Read all security disclosures and disclaimers when using binaries compiled by 3rd parties. The recommended 3rd party binary is Win64 OpenSSL v1.0.2q Light since this does not include the unnecessary OpenSSL source code.Before executing CertGenVVD, ensure that the path for the OpenSSL binary for Windows is set in the PATH environment variable and that the Microsoft Visual C++ Redistributable Packages for Visual Studio 2013 is installed.
Compatibility
The CertGenVVD utility is compatible with certain versions of VMware Validated Design for Software-Defined Data Center.
| Product Version | Compatibility | CertGenVVD Version |
| VMware Validated Design for Software-Defined Data Center 5.0.x | Yes | CertGenVVD 3.0.4 |
| VMware Validated Design for Software-Defined Data Center 4.x | Yes | CertGenVVD 3.0.4 |
Utility File Structure
The CertGenVVD utility consists of a PowerShell script and configuration files that you can update according to the requirements of your environment.
|
File or Folder
|
Description
|
|
default.txt
|
This file contains default values for the attributes Organization, Organization Unit, Location, State, Country, Common Name and Certificate Key Size for CSR generation.
|
|
CertgenVVD-3.0.4.ps1
|
This PowerShell script generate certificates.
|
| CertConfig-1.1.3.ps1 | This PowerShell script generates configuration files for the certificates. |
| RegionA-Hosts.csv RegionB-Hosts.csv | Configuration CSVs to match a VMware Validated Design. These can be used as a sample for your environment. |
|
ConfigFilesSamples
|
This folder contains a configuration file samples for each product. You can use the configuration files without modifications unless you use different hostnames or cluster IP addresses in your deployment. For example, the configuration file for VMware vCenter Server contains the following settings: [CERT] NAME=default ORG=default OU=default LOC=SFO ST=default CC=default CN=sfo01m01vc01.sfo01.rainpole.local keysize=default [SAN] sfo01m01vc01 sfo01m01vc01.sfo01.rainpole.local In the [CERT] section, if a property value is equal to default, the utility uses the value that is defined in default.txt. Default certificate key size is set to 2048, except for the vRealize Operations Manager certificate. In vrops.txt, the key size for the vRealize Operations Manager is set to 4096. |
Certificate Requirements
The CertGenVVD utility is compliant with the certificate requirements of the SDDC management products that are used in VMware Validated Designs.
Certificate Requirements for VMware Validated Design for Software-Defined Data Center 5.0.x
For more information about the certificate requirements of each product in this VMware Validated Design, see the documentation for the VMware product versions included in this design using the links in this table. For information about the product versions that are included in VMware Validated Design 5.0.x, see VMware Validated Design for Software-Defined Data Center 5.0.x Release Notes
| Product Name | Certificate Requirements |
| ESXi | Replacing ESXi SSL Certificates and Keys in the vSphere Security documentation |
| vCenter Server and Platform Services Controller | Use Custom Certificates with vSphere in the Platform Services Controller Administration documentation |
| NSX for vSphere | NSX Manager SSL Certification in NSX Administration Guide |
| vRealize Automation | Updating vRealize Automation Certificates in the Managing vRealize Automation documentation |
| vRealize Orchestrator | Manage Certificates in the Installing and Configuring VMware vRealize Orchestrator documentation |
| vRealize Business | Change or Replace the SSL Certificate of vRealize Business for Cloud in the vRealize Business Install Guide |
| vRealize Operations Manager | Custom vRealize Operations Manager Certificate Requirements in the Installing vRealize Operations Manager documentation |
| vRealize Log Insight | Install a Custom SSL Certificate from the Administering vRealize Log Insight documentation |
|
vRealize Suite Lifecycle Manager | Replace Certificate on the vRealize Suite Lifecycle Manager Appliance from the VMware Validated Design documentation |
| vSphere Replication | Change the SSL Certificate of the vSphere Replication Appliance in the vSphere Replication Administration documentation |
| Site Recovery Manager | Requirements When Using Custom SSL/TLS Certificates with Site Recovery Manager in the Site Recovery Manager Installation and Configuration documentation |
Symptoms:
- Your VMware SDDC environment requires custom SSL certificates that must be signed by a trusted third-party CA, you can use the CertGenVVD tool to generate a Certificate Signing Request (CSR) and have it signed.
Environment
VMware Validated Design for Software-Defined Data Center (SDDC) 4.2.x
VMware Validated Design for Software-Defined Data Center (SDDC) 4.1.x
VMware Validated Design for Software-Defined Data Center (SDDC) 5.0.x
VMware Validated Design for Software-Defined Data Center (SDDC)
VMware Validated Design for Software-Defined Data Center (SDDC) 4.3.x
VMware Validated Design for Software-Defined Data Center (SDDC) 4.0.x
VMware Validated Design for Software-Defined Data Center (SDDC) 4.1.x
VMware Validated Design for Software-Defined Data Center (SDDC) 5.0.x
VMware Validated Design for Software-Defined Data Center (SDDC)
VMware Validated Design for Software-Defined Data Center (SDDC) 4.3.x
VMware Validated Design for Software-Defined Data Center (SDDC) 4.0.x
Resolution
Prerequisites
To run the CertGenVVD utility, you must meet specific requirements on the Windows system on which you run the utility.
- Verify that the account that you use to log in has administrative privileges.
Although non-administrator users can download and launch the tool, all operations fail if you do not have the proper permissions.
- Verify that the Windows system has access to the data center infrastructure nodes that are designated to host the SDDC management components.
- Configure the PowerShell execution policy with the permissions required to run the commands.
- Run the Execute Get-ExecutionPolicy command to get the active execution policy.
- If the Execute Get-ExecutionPolicy command returns Restricted, run the Set-ExecutionPolicy RemoteSigned command.
- Update the default.txt file with values according to the certificate requirements of your organization.
- Update the configuration files in the ConfigFiles folder with product details if the SDDC deployment uses different hostnames and IP addresses, or requires certificate attributes different from the default ones.
- List all hostnames under the [SAN] section in the product-specific configuration file.
- Configure product-specific certificate attributes under the [CERT] section in the product-specific configuration file.
- Create a Microsoft Certificate Authority template, called VMware, that you use to generate the certificates for the SDDC management components. See VMware Validated Design Planning and Preparation from the VMware Validated Designs Documentation.
Install the CertGenVVD utility
- Download the CertGenVVD tool.
- Copy the tool to a Windows virtual machine that has access to the infrastructure nodes.
- Extract the ZIP file to any folder and preserve the folder structure.
Use the CertGenVVD utility with VMware Validated Design
To use the CertGenVVD 3.0.4 tool with versions 5.x and 4.x of VMware Validated Design, from the Attachments section download the version-specific ZIP file that contains the configuration files for the version, and then extract and replace the content in the certgenvvd_home_dir\CertGenVVD-3.0.4\ConfigFiles directory.
Create Configuration Files
- Edit RegionA-Hosts.csv to match your environment. The columns descriptions are:
Column Description Name Description of row. This will not be used in the configuration file. DNS* Short names of the components. Can be added as many as necessary. DOMAIN Domain name for your organization. IPAddress Certain products require IP addresses in the Certificate. Use this section if necessary. FileName Folder and file names of the generated configuration file. It will not affect the actual contents of the certificate. - Run CertConfig:
.\CertConfig-1.1.3.ps1 RegionA-Hosts.csv
Use the CertGenVVD utility to create CA-signed certificates
- Open a Windows PowerShell prompt as an administrator and navigate to the certgenvvd_home_dir\CertGenVVD-3.0.4 folder.
- Run the command for generating certificates for the SDDC management components in VMware Validated Design according to the version of the CertGenVVD utility.
.\CertGenVVD-3.0.4.ps1 -MSCASigned -attrib 'CertificateTemplate:VMware'
The certificates are signed by a Microsoft CA according to the requirements of the validated design.
The generated certificates are saved to the certgenvvd_home_dir\SignedByMSCACerts folder in multiple formats according to the certificate requirements of the SDDC management components, that is, in X.509, PEM, PKCS#12 and PKCS#7.
The CertGenVVD utility configures the certificate chain files with the password that you specified during the generation.
Use the CertGenVVD utility to create certificates that are signed by an intermediate certificate authority
CertGenVVD supports intermediate Microsoft certificate authorities and does not need access to the root certificate authority. CertGenVVD concatenates the certificates of all of the certificate authorities into the certificate chain.
To use this feature, run the CertGenVVD utility in the same workflow sequence that you use in the root only CA case using the additional –intermediate option.
.\CertGenVVD-3.0.4.ps1 -MSCASigned -attrib 'CertificateTemplate:VMware' -intermediate
Use the CertGenVVD utility to create certificate requests to a third-party CA
- Open a Windows PowerShell prompt as an administrator and navigate to the certgenvvd_home_dir\CertGenVVD-3.0.4 folder.
- Run the command for generating certificates for the SDDC management components in VMware Validated Design according to the version of the CertGenVVD utility.
.\CertGenVVD-3.0.4.ps1 -CSR
- Locate the CSR files in the certgenvvd_home_dir\CertGenVVD-3.0.4\CSRCerts folder and send it to the third-party CA to get signed certificates.
The CA will send you signed .cer files for each CSR and the Root certificate.
- Rename the CA root certificate to Root64.cer.
- If there are multiple intermediate CAs, concatenate the certificates into one certificate chain file.
copy IntermediateCAroot01.cer+IntermediateCAroot02.cer+RootCA.cer > Root64.cer
- Place the signed certificates in the corresponding CertGenVVD-3.0.4\CSRCerts\<product> directories, and the Root64.cer one in CertGenVVD-3.0.4\CSRCerts\Root64.
- Run CertGenVVD 3.0.4 one more time with the -CSR and -extra command options.
You generate all the required certificates that are required for the SDDC management components in VMware Validated Designs.
.\CertGenVVD-3.0.4.ps1 –CSR -extra
Certificates files that are generated for VMware Validated Design
The CertGenVVD utility creates the following certificate chain files in the certgenvvd_home_dir\SignedByMSCACerts folder.
Note: You generate certificates for Site Recovery Manager and vSphere Replication only if you deploy a dual-region SDDC.
Additional command options that are not related to certificate generation for VMware Validated Designs
The CertGenVVD utility also supports options for generating certificate-related files that do not strictly comply with VMware Validated Designs.
|
Option
|
Command
|
| View help | .\CertgenVVD-3.0.4.ps1 -help|h |
| Validate the readiness of the machine on which you plan to run the CertGenVVD utility | .\CertgenVVD-3.0.4.ps1 -validate|v |
| Only generate a certificate signed by OpenSSL Root CA | .\CertgenVVD-3.0.4.ps1 -openSSL | openSSLCASigned |
| Generate all supported certificate file types, that is, CSRs, OpenSSL CA-signed certificates, and Microsoft CA-signed certificates | .\CertgenVVD-3.0.4.ps1 -all |
Attachments
Feedback
Yes
No
Powered by
