Certificate Generation Utility for VMware Validated Design for Software-Defined Data Center 5.1.x



Article ID: 322378


Products

VMware

Issue/Introduction

About Certificate Generation Utility for VMware Validated Designs

The Certificate Generation Utility for VMware Validated Designs (CertGenVVD) is a PowerShell utility that you can use to generate custom certificates for the products that you use to build a Software-Defined Data Center (SDDC) based on VMware Validated Design for Software-Defined Data Center. Use the utility to reduce the number of steps for end-to-end certificate replacement.

CertGenVVD is written in PowerShell. It operates according to the settings in a configuration file and generates custom SSL certificates that can be signed by the following enterprise certificate authorities (CAs):

  • Microsoft Certificate Authority

For information about certificate replacement during SDDC deployment, see VMware Validated Design Architecture and Design and VMware Validated Design Planning and Preparation from the VMware Validated Designs Documentation.

What's new in the CertGenVVD utility?

Version 5.0 of the CertGenVVD utility provides the following new features:

  • New menu providing the following options:
    • Validate Environment Before Running
    • Create & Submit CSRs, Download & Generate VVD Certificate Files (For use with an online Microsoft Root CA)
    • Create & Submit CSRs, Download & Generate VVD Certificate Files (For use with an online Microsoft Intermediate CA)
    • Create CSRs for manual certificate requests (For use with Offline or Non MS CA)
    • Process manually generated certificates into required formats (For use with the certs generated in previous step)
    • Display Help
    • Quit
  • CertConfig script integrated into CertGen
  • IP Addresses removed from certificate SAN attributes

Supported platforms

The CertGenVVD utility requires a Windows operating system with the following installed.

Platform Component                   | Required Version
Operating system                     | Windows Server 2016 or 2012 R2
OpenSSL                              | 1.0.2q or later
Visual C++ Redistributable Packages  | 2013

OpenSSL Notes

CertGenVVD requires an OpenSSL binary for Windows, which you can compile from the source at OpenSSL.org. The OpenSSL wiki page (https://wiki.openssl.org/index.php/Binaries) also lists pre-compiled Windows binaries built by third parties. Read all security disclosures and disclaimers before using third-party binaries. The recommended third-party binary is Win64 OpenSSL v1.0.2q Light, because it does not include the OpenSSL source code, which the utility does not need.

Before running CertGenVVD, ensure that the directory containing the OpenSSL binary for Windows is in the PATH environment variable and that the Microsoft Visual C++ Redistributable Packages for Visual Studio 2013 are installed.

Compatibility

The CertGenVVD utility is compatible with certain versions of VMware Validated Design for Software-Defined Data Center.

Product Version                                                    | Compatibility | CertGenVVD Version
VMware Validated Design for Software-Defined Data Center 5.1.x     | Yes           | CertGenVVD 5.0

Utility File Structure

The CertGenVVD utility consists of a PowerShell script and configuration files that you can update according to the requirements of your environment.

File or Folder               | Description
CertgenVVD-5.0.version.ps1   | The PowerShell script that generates the certificates.
RegionA-Hosts.csv            | Configuration CSVs that match a VMware Validated Design. Use them as samples for your environment.
RegionB-Hosts.csv            |
Consolidated-Hosts.csv       |
Robo-Hosts.csv               |

Certificate Requirements

The CertGenVVD utility is compliant with the certificate requirements of the SDDC management products that are used in VMware Validated Designs.

 

Certificate Requirements for VMware Validated Design for Software-Defined Data Center 5.1.x

For more information about the certificate requirements of each product in this VMware Validated Design, see the documentation for the VMware product versions included in this design, using the links in this table. For information about the product versions that are included in VMware Validated Design 5.1.x, see the VMware Validated Design for Software-Defined Data Center 5.1.x Release Notes.

Product Name                                        | Certificate Requirements
vCenter Server and Platform Services Controller     | Use Custom Certificates with vSphere in the Platform Services Controller Administration documentation
NSX for vSphere                                     | NSX Manager SSL Certification in the NSX Administration Guide
vRealize Automation                                 | Updating vRealize Automation Certificates in the Managing vRealize Automation documentation
vRealize Business                                   | Change or Replace the SSL Certificate of vRealize Business for Cloud in the vRealize Business Install Guide
vRealize Operations Manager                         | Custom vRealize Operations Manager Certificate Requirements in the Installing vRealize Operations Manager documentation
vRealize Log Insight                                | Install a Custom SSL Certificate in the Administering vRealize Log Insight documentation
vRealize Suite Lifecycle Manager                    | Replace Certificate on the vRealize Suite Lifecycle Manager Appliance in the vRealize Suite Lifecycle Manager documentation
vSphere Replication                                 | Change the SSL Certificate of the vSphere Replication Appliance in the vSphere Replication Administration documentation
Site Recovery Manager                               | Requirements When Using Custom SSL/TLS Certificates with Site Recovery Manager in the Site Recovery Manager Installation and Configuration documentation


Symptoms:
  • If your VMware SDDC environment requires custom SSL certificates signed by a trusted CA, you can use the CertGenVVD tool to generate a Certificate Signing Request (CSR) and have it signed.


Environment

VMware Validated Design for Software-Defined Data Center (SDDC) 5.1.x
VMware Validated Design for Software-Defined Data Center (SDDC)

Resolution

Prerequisites

To run the CertGenVVD utility, you must meet specific requirements on the Windows system on which you run the utility.

  • Verify that the account that you use to log in has administrative privileges.

Although non-administrator users can download and launch the tool, operations may fail if you do not have the correct permissions.

  • Configure the PowerShell execution policy with the permissions required to run the commands.
    1. Run the Get-ExecutionPolicy command to get the active execution policy.
    2. If Get-ExecutionPolicy returns Restricted, run the Set-ExecutionPolicy RemoteSigned command.
  • Create a Microsoft Certificate Authority template, called VMware, that you use to generate the certificates for the SDDC management components. See VMware Validated Design Planning and Preparation from the VMware Validated Designs Documentation.

Obtain the CertGenVVD utility

  1. Download the CertGenVVD tool.
  2. Copy the tool to a Windows virtual machine that has access to the infrastructure.
  3. Extract the .zip file to any folder, preserving the folder structure.

Use the CertGenVVD utility with VMware Validated Design

To use the CertGenVVD tool with version 5.1.x of VMware Validated Design, download from the Attachments section the version-specific .zip file that contains the configuration files for that version, then extract its content to a local directory, replacing any existing files.

Create Configuration Files

  1. If you are using VMware Cloud Builder to deploy your VMware Validated Design, copy the CertConfig tab from the VMware Cloud Builder Deployment Parameters Excel spreadsheet, save it as CSV, and use it in the following steps. Otherwise, edit the CSV files included in the attached bundle to match your environment. The columns are:

Column      | Description
Name        | Description of each row. This is not used in the configuration file and should not be altered.
DNS*        | Short names of the components. Add the NetBIOS name of each component node.
DOMAIN      | Domain name for your organization.
FileName    | Folder name for all generated files. It does not affect the contents of the certificate.
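A quick consistency check of a hosts CSV before handing it to the utility, written here as an added PowerShell example that is not part of CertGenVVD. It assumes the column layout described in the table (Name, DOMAIN and FileName columns plus one or more DNS* columns, one component per row); the 15-character limit it applies is the general NetBIOS name rule, not a CertGenVVD requirement.

```powershell
# Added example, not part of CertGenVVD: sanity-check a hosts CSV before using it.
# Assumes the columns described above (Name, one or more DNS* columns, DOMAIN,
# FileName) with one component per row.
param([Parameter(Mandatory)][string]$CsvPath)

$rows = @(Import-Csv -Path $CsvPath)
if ($rows.Count -eq 0) { throw "No rows found in $CsvPath" }
$columns = $rows[0].PSObject.Properties.Name
$dnsCols = @($columns | Where-Object { $_ -like 'DNS*' })
foreach ($required in 'Name', 'DOMAIN', 'FileName') {
    if ($columns -notcontains $required) { throw "Missing column: $required" }
}
if ($dnsCols.Count -eq 0) { throw 'No DNS* column found' }

$problems = @(foreach ($row in $rows) {
    if ([string]::IsNullOrWhiteSpace($row.DOMAIN)) { "$($row.Name): DOMAIN is empty" }
    if ([string]::IsNullOrWhiteSpace($row.FileName) -or $row.FileName -match '[\\/:*?"<>|]') {
        "$($row.Name): FileName '$($row.FileName)' is not a valid folder name"
    }
    foreach ($col in $dnsCols) {
        $value = $row.$col
        if ([string]::IsNullOrWhiteSpace($value)) { continue }   # unused DNS column
        if ($value -match '\.') {
            "$($row.Name): $col '$value' looks like an FQDN or IP address; use the short name, DOMAIN supplies the suffix"
        }
        if ($value.Length -gt 15) { "$($row.Name): $col '$value' exceeds the 15-character NetBIOS limit" }
        if ($value -match '[^A-Za-z0-9-]') { "$($row.Name): $col '$value' has characters not valid in a host name" }
    }
})
# Two rows sharing a FileName would write their output into the same folder.
$rows | Group-Object FileName | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    $problems += "FileName '$($_.Name)' is used by $($_.Count) rows"
}
if ($problems.Count -gt 0) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host "$CsvPath checked: $($rows.Count) rows, $($dnsCols.Count) DNS columns, no problems found"
```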

Use the CertGenVVD utility to generate CA-signed certificates from an online Microsoft CA

  1. Open a Windows PowerShell prompt as an administrator and navigate to the directory where you extracted the attached .zip.
  2. Run the PowerShell script to launch the menu.
    .\CertGenVVD-5.0.ps1
  3. Select Option 1 to generate all configuration files, Certificate Signing Requests (CSRs), and certificates from an online Microsoft Root CA.
  4. When prompted, enter the path to the relevant CSV file containing the hostnames for which you require certificates. Note: Use quotes if there are spaces in the path.
  5. When prompted, enter the password to be used to encrypt the PKCS#12 certificates.

Note: If you are using VMware Cloud Builder to deploy your VMware Validated Design, this password should match the password entered in the Certificate Management section of the Deploy Parameters tab in the Cloud Builder Deployment Parameters spreadsheet.

The certificates are signed by a Microsoft CA according to the requirements of the validated design.

The generated certificates are saved to the certgenvvd_home_dir\SignedByMSCACerts folder in multiple formats according to the certificate requirements of the SDDC management components, that is, in X.509, PEM, PKCS#12 and PKCS#7.

The CertGenVVD utility configures the certificate chain files with the password that you specified during the generation.

Use the CertGenVVD utility to create certificates that are signed by an intermediate certificate authority

CertGenVVD supports intermediate Microsoft certificate authorities and does not need access to the root certificate authority. CertGenVVD concatenates the certificates of all of the certificate authorities into the certificate chain.

  1. Run the PowerShell script to launch the menu.
    .\CertGenVVD-5.0.ps1
  2. Select Option 2 to generate all configuration files, Certificate Signing Requests (CSRs), and certificates from an online Microsoft Intermediate CA.
  3. When prompted, enter the path to the relevant CSV file containing the hostnames for which you require certificates. Note: Use quotes if there are spaces in the path.
  4. When prompted, enter the intermediate CA path.

Note: Inspect the intermediate CA certificate and look for the "Issued By" value. The full path is "Issuing-CA-FQDN\Issued-By-Value".

Use the CertGenVVD utility to create certificate requests (CSRs) to request certificates from an offline or third-party CA

  1. Run the PowerShell script to launch the menu.
    .\CertGenVVD-5.0.ps1
  2. Select Option 3 to generate all required CSR files for manual certificate requests from an offline or third-party CA.
  3. When prompted, enter the path to the relevant CSV file containing the hostnames for which you require certificates. Note: Use quotes if there are spaces in the path.
  4. Locate the CSR files in the certgenvvd_home_dir\CSR folder and send them to the third-party CA to get signed certificates. The CA will send you a signed .cer file for each CSR and the root certificate.
  5. Rename the CA root certificate to Root64.cer.
  6. If there are multiple intermediate CAs, concatenate the Base64-encoded (PEM) certificates into one certificate chain file. The copy command takes the destination as its last argument, and /b prevents it from appending an end-of-file marker to the chain:
    copy /b IntermediateCAroot01.cer + IntermediateCAroot02.cer + RootCA.cer Root64.cer
  7. Place the signed certificates in the corresponding certgenvvd_home_dir\<product> directories, and Root64.cer in certgenvvd_home_dir\Root64.
  8. To create the required certificate formats run the CertGenVVD utility again.
    .\CertGenVVD-5.0.ps1
  9. Select Option 4 to generate all required certificate formats.
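Before running Option 4 (and equally for the chain that Option 2 builds for you), it is worth confirming that each signed certificate actually chains to the root in Root64.cer and that its SAN carries DNS names only, which is what version 5.0 of the utility intends. The following PowerShell script is an added example and not part of CertGenVVD; it assumes the layout described above (certgenvvd_home_dir\Root64\Root64.cer, signed .cer files in the product folders) and takes the DOMAIN value from your hosts CSV as a parameter.

```powershell
# Added example, not part of CertGenVVD: verify the chain file and the signed
# certificates before they are processed into the product formats. Assumes
# <home>\Root64\Root64.cer and the signed .cer files under <home>\<product>\.
param(
    [Parameter(Mandatory)][string]$CertGenHome,
    [Parameter(Mandatory)][string]$Domain   # the DOMAIN value from your hosts CSV
)
$chainFile = (Resolve-Path (Join-Path $CertGenHome 'Root64\Root64.cer')).Path
$pem = Get-Content -Raw -Path $chainFile
# Concatenation only yields a usable chain when every file is Base64 (PEM) encoded.
$blocks = [regex]::Matches($pem, '-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----')
if ($blocks.Count -eq 0) { throw "$chainFile holds no PEM block; DER .cer files cannot be concatenated" }
$caCerts = @(foreach ($b in $blocks) {
    $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $c.Import([System.Text.Encoding]::ASCII.GetBytes($b.Value))
    $c
})
$root = $caCerts | Where-Object { $_.Subject -eq $_.Issuer } | Select-Object -First 1
if (-not $root) { throw 'Root64.cer contains no self-signed root certificate' }

Get-ChildItem -Path $CertGenHome -Recurse -Filter '*.cer' |
  Where-Object { $_.FullName -ne $chainFile } |
  ForEach-Object {
    $leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $_.FullName
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # The root is not in the machine store yet: allow an unknown anchor, then require
    # that the anchor the builder actually reached is the Root64 root.
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    $chain.ChainPolicy.RevocationMode    = 'NoCheck'
    $chain.ChainPolicy.ExtraStore.AddRange([System.Security.Cryptography.X509Certificates.X509Certificate2[]]$caCerts)
    $built  = $chain.Build($leaf)
    $anchor = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    # SAN text comes from CryptoAPI formatting ("DNS Name=", "IP Address="); Windows only.
    $san     = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($true) } else { '' }
    [pscustomobject]@{
        File         = $_.Name
        Subject      = $leaf.Subject
        ChainsToRoot = $built -and ($anchor.Thumbprint -eq $root.Thumbprint)
        SanDnsOnly   = ($sanText -ne '') -and ($sanText -notmatch 'IP Address=')
        SanHasDomain = [bool]($sanText -match ('DNS Name=[^\r\n]*\.' + [regex]::Escape($Domain)))
        NotAfter     = $leaf.NotAfter
    }
  } | Format-Table -AutoSize
```

Any row with ChainsToRoot or SanDnsOnly set to False points at a certificate that the CA issued from a different chain or with IP SAN entries, and should be corrected before Option 4 is run.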

Additional command options that are not related to certificate generation for VMware Validated Designs

Additional options available:

Option                                                                                    | Command
View help                                                                                 | h
Validate the readiness of the machine on which you plan to run the CertGenVVD utility     |


Attachments

CertGenVVD-5.0.006