
Step-by-Step Guide to Managing Certificates in VMware Cloud Foundation (VCF)

VMware Cloud Foundation (VCF) lets us manage certificates for its components from one place: integrating a certificate authority, generating CSRs, generating signed certificates, and installing them. In this post, I want to show how I managed certificates for the following components:

  • vCenter Server
  • NSX Manager
  • SDDC Manager
  • VMware Aria Suite Lifecycle

Today, I successfully integrated Microsoft Certificate Authority with VCF and below are the steps I followed to accomplish this task.

  • Install Certificate Authority Roles
  • Configure the CA for Basic Authentication
  • Create a New Certificate Template
  • Create a User with Certificate Management Privileges
  • Configure a CA in SDDC Manager
  • Manage Certificates using SDDC Manager

Install Microsoft Certificate Authority Roles

You might already have a Microsoft CA in your environment. If so, make sure the “Certification Authority” and “Certification Authority Web Enrollment” roles are installed; otherwise, follow the steps below to install them.

  • Log in to the Microsoft Certificate Authority.
  • Open Server Manager and from the Dashboard, click Add roles and features.
  • On the Before you begin page, click Next.
  • On the Select installation type page, click Next.
  • On the Select destination server page, click Next.
  • On the Select server roles page, under Active Directory Certificate Services, select Certification Authority and Certification Authority Web Enrollment and click Next.
  • A pop-up window will appear requesting confirmation to install additional features (such as IIS with required features). Click on Add Features.
  • Under Web Server (IIS) > Web Server > Security, select Basic Authentication and click Next.
  • On the Select features page, click Next.
  • On the Confirm installation selections page, click Install.
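The same role and feature installation can be scripted. The block below is an added example, not from the original post: it installs the two AD CS roles and the IIS Basic Authentication feature that the wizard steps select, then verifies that nothing is missing before you move on. It assumes an elevated PowerShell session on the server that will host the CA.

```powershell
# Added example (not from the original post): install the AD CS roles and the IIS
# Basic Authentication feature with PowerShell instead of the Server Manager wizard.
# Assumes an elevated session on the server that will host the CA.
$features = @(
    'ADCS-Cert-Authority',   # Certification Authority
    'ADCS-Web-Enrollment',   # Certification Authority Web Enrollment (pulls in IIS)
    'Web-Basic-Auth'         # Web Server (IIS) > Security > Basic Authentication
)

$result = Install-WindowsFeature -Name $features -IncludeManagementTools
if (-not $result.Success) {
    throw "Feature installation failed (exit code: $($result.ExitCode))"
}
if ($result.RestartNeeded -eq 'Yes') {
    Write-Warning 'A restart is required before the roles can be configured.'
}

# Verify that every required feature is now present before configuring the CA.
$missing = Get-WindowsFeature -Name $features | Where-Object { -not $_.Installed }
if ($missing) {
    throw "Still missing: $($missing.Name -join ', ')"
}
Write-Output 'All required roles and features are installed.'
```

If the server did not already have a CA, the binary install above still needs the post-deployment configuration that Server Manager offers as a link after the wizard; the `Install-AdcsCertificationAuthority` and `Install-AdcsWebEnrollment` cmdlets from the ADCSDeployment module perform that step from PowerShell.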

Configure the CA for Basic Authentication

  • Open Server Manager and from the Dashboard, click Tools > Internet Information Services (IIS) Manager.
  • Navigate to your_server > Sites > Default Web Site > CertSrv. Under IIS, double-click Authentication.
  • On the Authentication page, right-click Basic Authentication and click Enable.
  • In the navigation pane, select Default Web Site. Under Manage Website, click Restart to apply changes.
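The following block is an added example, not from the original post. It enables Basic Authentication on the CertSrv application exactly as the IIS Manager steps do, and adds the check a practitioner wants here: Basic Authentication sends the service account's password merely base64-encoded, so CertSrv must only be reachable over HTTPS. It assumes an elevated session on the CA server and the default site name “Default Web Site”.

```powershell
# Added example (not from the original post): enable Basic Authentication on CertSrv and
# verify that the enrollment endpoint is HTTPS-only. Assumes an elevated session on the
# CA server and the default site name (assumption, as in the post).
Import-Module WebAdministration

$siteName = 'Default Web Site'
$location = "$siteName/CertSrv"

# Same as right-click Basic Authentication > Enable in IIS Manager; written to
# applicationHost.config via a <location> tag, which works even when the section is locked.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
    -Filter 'system.webServer/security/authentication/basicAuthentication' `
    -Name 'enabled' -Value $true

# Check 1: the site must have an HTTPS binding, or the credentials travel in clear text.
$httpsBinding = Get-WebBinding -Name $siteName -Protocol 'https'
if (-not $httpsBinding) {
    Write-Warning "No HTTPS binding on '$siteName'; add one before pointing SDDC Manager at CertSrv."
}

# Check 2: CertSrv should require SSL so a plain-HTTP request is refused rather than answered.
$access = Get-WebConfiguration -PSPath 'IIS:\' -Location $location `
    -Filter 'system.webServer/security/access'
if ($access.sslFlags -notmatch 'Ssl') {
    Write-Warning "CertSrv does not require SSL (sslFlags = '$($access.sslFlags)')."
    # To enforce it, uncomment the following line:
    # Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
    #     -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'
}

# Equivalent of Manage Website > Restart, so the authentication change takes effect.
Restart-WebItem -PSPath "IIS:\Sites\$siteName"
```

When you later configure the CA in SDDC Manager, use the https:// form of the CertSrv URL so that the checks above actually protect the service account's credentials.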

Create a New Certificate Template

  • Open Server Manager and from the Dashboard, click Tools > Certificate Authority.
  • Under your CA, right-click Certificate Templates and select Manage.
  • In the Certificate Template Console window, under Template Display Name, right-click Web Server and select Duplicate Template.
  • Under the Compatibility tab, configure the following values.
  • Under the General tab, enter a name (e.g., “VCF”) in the Template display name text box.
  • Under the Extensions tab, edit Application Policies, remove Server Authentication, and click OK.
  • Under the same tab, edit Basic Constraints, select the Enable this extension check box, and click OK.
  • Last but not least, edit Key Usage, select the Signature is proof of origin (nonrepudiation) check box, and click OK.
  • Under the Subject Name tab, ensure that the Supply in the request option is selected, and click OK to save the template.
  • Close the Certificate Template Console and return to Certificate Authority.
  • Right-click Certificate Templates, and select New > Certificate Template to Issue.
  • In the Enable Certificate Templates dialog box, select the newly created VCF template, and click OK.

Create a User with Certificate Management Privileges

  • In Active Directory, create a user account (e.g., svc-ca-vcf).
  • Open the Certificate Authority console, right-click the certificate authority server, and click Properties.
  • Under the Security tab, click Add, select the new user account, and configure the following permissions for this account. Click OK.
  • Open the Certificate Templates console by right-clicking Certificate Templates and selecting Manage.
  • Right-click the VCF template and click Properties.
  • Under the Security tab, click Add, add the service account, configure the following permissions, and click OK.
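Because the template's settings and its permissions both live in Active Directory, they can be read back and reviewed together. The block below is an added example, not from the original post, covering both the “Create a New Certificate Template” steps and the permissions assigned in this section: it reports the extended key usages, whether the subject is supplied in the request, whether the nonrepudiation key usage is set, which CA publishes the template, and every principal that holds the Enroll right on it. It assumes a domain-joined machine with read access to the Configuration partition; the template name “VCF” and the account “svc-ca-vcf” are the values chosen in the post, passed in as parameters.

```powershell
# Added example (not from the original post): audit the duplicated template from Active
# Directory and list who may enroll against it. Assumes a domain-joined machine that can read
# the Configuration partition. Template and account names are the post's values (parameters).
function Get-CertTemplateAudit {
    param(
        [string]$TemplateName   = 'VCF',          # assumption: display name chosen in the post
        [string]$ServiceAccount = 'svc-ca-vcf'    # assumption: sAMAccountName from the post
    )
    $configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext.Value
    $pks      = "CN=Public Key Services,CN=Services,$configNc"
    $tplPath  = "LDAP://CN=$TemplateName,CN=Certificate Templates,$pks"
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($tplPath)) {
        throw "Template '$TemplateName' not found under $pks"
    }
    $tpl = [ADSI]$tplPath

    # Extended key usages are stored as OIDs; the post removes Server Authentication (1.3.6.1.5.5.7.3.1).
    $ekus = @($tpl.pKIExtendedKeyUsage | ForEach-Object { "$_" })

    # msPKI-Certificate-Name-Flag bit 0x1 is "Supply in the request" (enrollee supplies the subject).
    $nameFlags = [int]$tpl.'msPKI-Certificate-Name-Flag'.Value
    $subjectFromRequest = ($nameFlags -band 0x1) -ne 0

    # pKIKeyUsage holds the X.509 KeyUsage bits; 0x40 in the first byte is nonRepudiation.
    $keyUsage = [byte[]]$tpl.pKIKeyUsage.Value
    $nonRepudiation = ($keyUsage.Length -gt 0) -and (($keyUsage[0] -band 0x40) -ne 0)

    # A template only issues once it is published on a CA (Certificate Template to Issue).
    $publishedOn = foreach ($ca in ([ADSI]"LDAP://CN=Enrollment Services,$pks").Children) {
        $names = @($ca.certificateTemplates | ForEach-Object { "$_" })
        if ($names -contains $TemplateName) { $ca.cn.Value }
    }

    # Enroll is an extended right identified by this well-known GUID in the template's ACL.
    $enrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
    $enrollers = @($tpl.ObjectSecurity.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq $enrollRight } |
        ForEach-Object { $_.IdentityReference.Value })

    [pscustomobject]@{
        Template                 = $TemplateName
        ExtendedKeyUsages        = $ekus
        ServerAuthRemoved        = ($ekus -notcontains '1.3.6.1.5.5.7.3.1')
        SubjectSuppliedInRequest = $subjectFromRequest
        NonRepudiationKeyUsage   = $nonRepudiation
        PublishedOnCA            = @($publishedOn)
        EnrollAllowedTo          = $enrollers
        ServiceAccountCanEnroll  = [bool]($enrollers | Where-Object { $_ -like "*\$ServiceAccount" })
    }
}

$audit = Get-CertTemplateAudit
$audit | Format-List

# With the subject supplied in the request, any principal holding Enroll can obtain a
# certificate for any name the CA will sign, so review that list and keep it minimal.
if ($audit.SubjectSuppliedInRequest -and $audit.EnrollAllowedTo.Count -gt 1) {
    Write-Warning "Enroll is granted to $($audit.EnrollAllowedTo.Count) principals: $($audit.EnrollAllowedTo -join ', ')"
}
if (-not $audit.ServiceAccountCanEnroll) {
    Write-Warning "The service account does not hold Enroll on '$($audit.Template)'."
}
```

The CA-level permissions from the Properties > Security tab are kept in the CA's own security descriptor rather than in AD, so they are not covered by this query; compare them against the screenshot in the console.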

Configure a CA in SDDC Manager

  • In SDDC Manager, click Security > Certificate Authority and then click Edit.
  • Configure the settings and click Save.

Manage Certificates using SDDC Manager

  • In the SDDC Manager, click Inventory > Workload Domains and select your workload domain.
  • Click the Certificates tab, select a component and click Generate CSRs.
  • Configure the CSR settings and click Next.
  • (Optional) Add Subject Alternative Names in the corresponding dialog, then click Next.
  • Review the summary and click Generate CSRs.
  • Once the CSR is generated successfully, the Generate Signed Certificates option becomes available. Click it, select Microsoft from the Select Certificate Authority drop-down menu, and click Generate Certificates.
  • Once the certificate is generated successfully, the Install Certificates option becomes available. Click it to install the new certificate on the component.
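After Install Certificates completes, it is worth confirming from outside SDDC Manager that the component really presents the new certificate. The block below is an added example, not from the original post: it opens a TLS connection to the component, reads the certificate it serves, builds the chain against the local trust store, and reports the issuer, expiry and Subject Alternative Names. The hostname and expected issuer name are constructed placeholders; run it from a domain-joined machine so the Microsoft CA root is trusted.

```powershell
# Added example (not from the original post): verify the certificate a component presents
# after installation. Hostname and issuer name below are constructed placeholders.
function Get-RemoteCertificateInfo {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    $ssl    = $null
    try {
        # Accept the handshake unconditionally here only so the certificate can be read;
        # trust is evaluated explicitly with X509Chain below.
        $callback = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)

        $chain      = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chainValid = $chain.Build($cert)

        [pscustomobject]@{
            HostName        = $HostName
            Subject         = $cert.Subject
            Issuer          = $cert.Issuer
            NotAfter        = $cert.NotAfter
            Thumbprint      = $cert.Thumbprint
            # OID 2.5.29.17 is the Subject Alternative Name extension
            SubjectAltNames = @($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
                                ForEach-Object { $_.Format($false) })
            ChainValid      = $chainValid
            ChainErrors     = @($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() })
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

# Constructed values: replace with the FQDN of the component you just updated and the
# common name of your Microsoft CA.
$componentFqdn    = 'vcenter.vcf.example'
$expectedIssuerCn = 'CN=YOUR-CA-NAME'

$info = Get-RemoteCertificateInfo -HostName $componentFqdn
$info | Format-List

if (-not $info.ChainValid) {
    Write-Warning "Chain does not validate: $($info.ChainErrors -join '; ')"
}
if ($info.Issuer -notlike "*$expectedIssuerCn*") {
    Write-Warning "Issuer is '$($info.Issuer)', not the expected Microsoft CA."
}
if (($info.SubjectAltNames -join ' ') -notmatch [regex]::Escape($componentFqdn)) {
    Write-Warning "The certificate's SANs do not include $componentFqdn."
}
if ($info.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($info.NotAfter); schedule renewal."
}
```

If the chain fails to build on a machine that is not domain-joined, import the CA's root certificate into that machine's trust store first; SDDC Manager and the VCF components trust it because the CA was integrated in the earlier step.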

Congratulations! You have successfully installed the new certificate for your desired component.
