vRealize Automation – Certificate Request

Unless you are performing a simple proof of concept installation, signed certificates are a required component for a successful implementation. There is some confusion about the different types of certificates required for vRA, and although I’m not a certificate expert, I hope this post can provide some information to help you with your vRA certificate issues.

I’m using a very basic Microsoft Certificate Authority installed on a dedicated Windows 2012 server joined to the domain. The commands I use for generating the Certificate Signing Request (CSR) run OpenSSL on my Mac; they may differ slightly from the Windows builds of OpenSSL, but they appear to work there as well.

PEM Format – I believe technically PEM refers to the encoding of the certificate? This is the format that the appliances will utilize; it includes sections for the private key as well as the certificate chain. We will create this first in the steps below and then convert it to the format required for the Infrastructure as a Service components (Windows).

PFX Format – The private key is bundled with the certificate chain in a single file for import; this gives the Windows IaaS components both the key and the certificate they need to present the certificate for vRA.

Generate the Certificate Signing Request

You can use wildcard or SAN certificates for your vRA deployment. Many organizations will not allow you to use wildcards, so I will provide instructions for both types in this section. Select one of the options below before continuing; the sections that follow are the same regardless of the type of certificate requested.

Option 1 – Generate Wildcard CSR

  1. Open up a terminal session or command prompt, change directories if required to execute the openssl commands. I would recommend making a folder for the files that are created during the process.
  2. Issue the following command; optionally replace vcaccert with the key and CSR file names you wish to use.
    openssl req -new -nodes -newkey rsa:2048 -keyout vcaccert.key -out vcaccert.csr
  3. You must provide the following information: Country Name, State, Locality Name, Organization Name, Organizational Unit Name, Common Name, and email address. For a wildcard certificate the Common Name is the wildcard entry itself (for example *.your.domain).
  4. This creates two files: vcaccert.key, containing the private key, and vcaccert.csr, which will be used to request the certificate from the certificate authority.
  5. Keep both files in an accessible area; the CSR will be used in the next step, and the key will be used later when importing the key to the vRA Appliances as well as when generating the PFX file for the IaaS components.

Option 2 – Generate SAN CSR

  1. Open up a terminal session or command prompt, change directories if required to execute the openssl commands. I would recommend making a folder for the files that are created during the process.
  2. Create a configuration file in your working directory to supply options that are not available from the interactive OpenSSL CSR prompts. Use a text editor to create the file with the following contents. The commands below assume the file is named sancert.cnf (just an example; update as appropriate). The example below is for a SAN certificate that covers the vCAC appliances and the IaaS Web and Manager Service servers.
    [ req ]
    default_bits = 2048
    default_keyfile = sankey.key
    distinguished_name = req_distinguished_name
    req_extensions = req_ext # The extensions to add to the certificate request
    
    [ req_distinguished_name ]
    countryName = Country Name (2 letter code)
    countryName_default = US
    stateOrProvinceName = State or Province Name (full name)
    stateOrProvinceName_default = Arizona
    localityName = Locality Name (eg, city)
    localityName_default = Chandler
    organizationName = Organization Name (eg, company)
    organizationName_default = Realize.net
    organizationalUnitName = Organizational Unit Name (eg, section)
    commonName = Common Name (eg, YOUR name)
    commonName_max = 64
    
    [ req_ext ]
    subjectAltName = @alt_names
    
    [ alt_names ]
    DNS.1 = cloud.realize.net
    DNS.2 = vcacsso.realize.net
    DNS.3 = vcacapp01.realize.net
    DNS.4 = vcacapp02.realize.net
    DNS.5 = vcac-web.realize.net
    DNS.6 = vcacweb01.realize.net
    DNS.7 = vcacweb02.realize.net
    DNS.8 = vcac-mgr.realize.net
    DNS.9 = vcacmgr01.realize.net
    DNS.10 = vcacmgr02.realize.net
  3. Issue the following command; optionally replace vcaccert with the key and CSR file names you wish to use (and sancert.cnf with the name of your configuration file).
    openssl req -new -nodes -newkey rsa:2048 -config sancert.cnf -reqexts req_ext -keyout vcaccert.key -out vcaccert.csr
  4. You must confirm or provide the following information: Country Name, State, Locality Name, Organization Name, Organizational Unit Name, and Common Name (the defaults offered come from the configuration file).
  5. This creates two files: vcaccert.key, containing the private key, and vcaccert.csr, which will be used to request the certificate from the certificate authority.
  6. Keep both files in an accessible area; the CSR will be used in the next step, and the key will be used later when importing the key to the vCAC Appliances as well as when generating the PFX file for the IaaS components.

Submit the Certificate Request

  1. Log in to the certificate web interface at https://certserv.your.domain/Certsrv with a domain user that has permission to request certificates. (I’ve seen a more limited set of available certificate types when logging in to the portal from the certificate server itself.)
  2. Click on Request a certificate
  3. Click on advanced certificate request
  4. Open the vcaccert.csr created in the previous section in a text editor and copy the contents. Paste them into the Saved Request section.
  5. Select Web Server in the Certificate Template area.
  6. Click Submit
  7. Select the Base 64 encoded option and click Download certificate chain. Save this file (certnew.p7b) to the same folder where the private key is located.

Convert the Certificate to Required Formats

  1. Return to the terminal or command prompt that has access to OpenSSL, convert the .p7b to a .cer in PEM encoded format by running the following command (this assumes that you are in the folder that has the certnew.p7b that was downloaded previously):
    openssl pkcs7 -print_certs -in certnew.p7b -out chain.cer
  2. The contents of chain.cer, along with vcaccert.key, are the two things you need for the SSO and vCAC virtual appliances.
  3. Combine the private key and certificate into a Windows-friendly format to be used on the IaaS components by running the following command (this assumes that you are in the folder that has vcaccert.key and chain.cer):
    openssl pkcs12 -export -out vcaccert.pfx -inkey vcaccert.key -in chain.cer
  4. You will be prompted for an export passphrase; you will need it again when importing the vcaccert.pfx certificate file into the Windows servers.
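Added example (not from the original post): a shell script that builds the SAN CSR from Option 2 non-interactively, stands in for the Microsoft CA with a self-signed certificate, runs the conversion commands from this section and then checks the artifacts before they go anywhere near the appliances: that the CSR and the issued certificate actually carry the SAN entries, that the private key matches the certificate, and that the PFX opens with its export passphrase. The host names, the organization and the passphrase changeit are constructed values.

```shell
# Added example, not from the original post: build the SAN CSR non-interactively,
# stand in for the CA with a self-signed cert (no Microsoft CA is reachable here),
# run the post's conversion commands and verify each artifact. Host names, the org
# and the export passphrase are constructed values.
set -eu
WORK=$(mktemp -d); cd "$WORK"
# Constructed config in the shape of sancert.cnf; prompt = no reads the DN from the file.
cat > sancert.cnf <<'EOF'
[ req ]
default_bits = 2048
prompt = no
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
C = US
ST = Arizona
L = Chandler
O = Example Org
CN = cloud.example.test
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = cloud.example.test
DNS.2 = vcacapp01.example.test
DNS.3 = vcac-web.example.test
EOF
# has_sans req|x509 FILE host...  succeeds only if every host is a DNS SAN. Check the
# issued certificate too: the CA, not the CSR, decides which extensions it contains.
has_sans() {
  kind=$1; file=$2; shift 2
  sans=$(openssl "$kind" -in "$file" -noout -text | grep -o 'DNS:[^,[:space:]]*')
  for host in "$@"; do echo "$sans" | grep -qx "DNS:$host" || return 1; done
}
# The private key and the certificate must carry the same RSA modulus.
key_matches_cert() { [ "$(openssl rsa -in "$1" -noout -modulus)" = "$(openssl x509 -in "$2" -noout -modulus)" ]; }
# The PFX must open with the passphrase chosen at export time.
pfx_opens() { openssl pkcs12 -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1; }
# Same CSR command as the post (-nodes leaves vcaccert.key unencrypted, so guard the file).
openssl req -new -nodes -newkey rsa:2048 -config sancert.cnf -reqexts req_ext \
  -keyout vcaccert.key -out vcaccert.csr 2>/dev/null
# Stand-in for the CA: self-sign, keeping the SAN extension, then wrap as a .p7b.
openssl x509 -req -in vcaccert.csr -signkey vcaccert.key -days 30 \
  -extfile sancert.cnf -extensions req_ext -out leaf.cer 2>/dev/null
openssl crl2pkcs7 -nocrl -certfile leaf.cer -out certnew.p7b
# The post's conversions, with a constructed export passphrase instead of a prompt.
openssl pkcs7 -print_certs -in certnew.p7b -out chain.cer
openssl pkcs12 -export -out vcaccert.pfx -inkey vcaccert.key -in chain.cer -passout pass:changeit
has_sans req vcaccert.csr cloud.example.test vcacapp01.example.test vcac-web.example.test
has_sans x509 chain.cer cloud.example.test vcac-web.example.test
key_matches_cert vcaccert.key chain.cer && pfx_opens vcaccert.pfx changeit && echo "all checks passed"
```

Against a real CA run the same has_sans check on chain.cer, since a CA or template that ignores the requested extensions will hand back a certificate without the SAN entries even though the CSR was correct.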
