Preparing Certificates for VMware vRA Enterprise deployment

Hi Guys, as i promised this article will be about preparing certificates for our vRA Enterprise Deployment.

Installation of AD Certification Services on MS Windows Server 2016

  1. Open Server Manager and select Add Roles and Features.
  2. Read the information and press Next.
  3. Press next.
  4. Choose server and press Next
  5. Tick the box for AD CS and agree to Add Features. Press Next.
  6. We don’t need to select any additional features so just press next.
  7. Review the page of AD CS.
  8. Choose CA web enrollment in addition to CA. And add required features.
  9. As web enrollment require IIS we need to install services.
  10. Use default ones and press next.
  11. Review the confirmation page and if everything is correct press Install.
  12. Wait for some time while installation is running.

Configuration of AD CS

  1. After Installation completed we have to configure the role.
  2. Confirm the credentials and press Next.
  3. Choose Enterprise CA
  4. As we don’t have it in our lab choose Root CA
  5. We shall create new Private Key
  6. I changed it to 5 years from 2
  7. Review the config and if everything is good go on with Confirmation.
  8. Wait for configuration to complete
  9. Confirm that webpage is available
  10. Now we have to prepare our template for vSphere go to certtmpl.msc snapin and clone Web Server template.
  11. Change the name
  12. Go to Extension tab choose to Edit Application Policies and remove everything press OK. Go to Key Usage and use check box Signature is proof of origin. Press OK.
  13. Confirm that you have Subject Name Supply in the request. Press Apply and OK.
  14. Go to certsrv.msc snap-in and go to Certificate Templates (rigt-click) ->new->certificate template to issue. Find our vSphere 6.5 template and press OK. Confirm that you can see the template on the web page.

Creating certificates for vRA

  1. Login to Linux machine and create a similar config file. I’ve called it vra.cfg
  2. Create CSR request and save the private key. You will have 4 files in the folder.
    openssl req -new -nodes -out req.csr -keyout req-orig.key -config conf.cfg

    openssl rsa -in req-orig.key -out req.key

  3. Copy the CSR file data and paste it into CSR request in browser (caaddress/certsrv/certqxt.asp) and choose vSphere 6.5 template which we created previously.
  4. Download the certificate Base 64 encoded and copy it to the Linux machine where you created the request.
  5. Press home button – Download a CA certificate, certificate chain, or CRL. and choose Base 64. Download CA certificate chain.
  6. Open the certificate and choose export
  7. As usual choose Base-64
  8. Choose the path for the certif
  9. Confirm and press Finish
  10. Export successful. Transfer it to Linux machine where you made original request
  11. Export certificate to pfx.
    openssl pkcs12 -export -in req.cer -inkey req.key -certfile Root64.cer -name "somename" -passout pass:somepassword -out req.pfx

  12. Create .pem certif.
    openssl pkcs12 -in req.pfx -inkey req.key -out req.pem -nodes

  13. We have 2 files rui.pem and rui.key which we will need in further installation of vRA


Thank you for reading, Next article will be regarding vRA deployment itself.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.