Replacing vCAC 6.0 Appliance Certificates

I noticed while reading the vCAC documentation that the information to replace your certificates on the appliances was a little light on so decided to take a leaf out of Derek Seaman’s book. This post shamelessly follows the format of the VMware KBs for replacing your vSphere certificates.

I’m making a couple of assumptions in this article:

  1. You have OpenSSL installed and configured on your system

  2. You are using a Microsoft CA; and

  3. You have configured a Template Authority with the appropriate extensions.

 

Generating the Certificate Requests

To generate the appropriate configuration files:

  1. Open a text editor on the system where OpenSSL is installed.

  2. Paste the following text into a file, replacing the information in red with that specific to your environment.

[ req ]

default_bits = 2048

default_keyfile = rui.key

distinguished_name = req_distinguished_name

encrypt_key = no

prompt = no

string_mask = nombstr

req_extensions = v3_req

[ v3_req ]

basicConstraints = CA:FALSE

keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation

extendedKeyUsage = serverAuth, clientAuth

subjectAltName = DNS:ghetto-sso, IP:172.16.103.111, DNS:ghetto-sso.melb.vmware.local

[ req_distinguished_name ]

countryName = AU

stateOrProvinceName = VIC

localityName = Melbourne

0.organizationName = Lab

organizationalUnitName = vCACSSO

commonName = ghetto-sso.melb.vmware.local

3. Save the file as vcacid.cfg but do not close it (I have saved my file in h:\certs\vcacid as you’ll note further on).
4. To create the vCAC VA config file, update the fields in red with the appropriate information and save as vcacva.cfg (I have saved my file in h:\certs\vcacva as you’ll note further on).

Next, generate the certificate request and corresponding key for each of the certificates.

To generate a certificate request:

1. Launch a command prompt and navigate to your OpenSSL directory. By default this is located in c:\OpenSSL-Win32\bin
2. Run the following commands (replacing the path with your desired location) to create the certificate request and export the private key:

openssl req -new -nodes -out h:\certs\vcacid\rui.csr -keyout h:\certs\vcacid\rui-orig.key -config h:\certs\vcacid\vcacid.cfg
openssl req -new -nodes -out h:\certs\vcacva\rui.csr -keyout h:\certs\vcacva\rui-orig.key -config h:\certs\vcacva\vcacva.cfg

3. Convert the keys to the appropriate RSA format required by the appliances:

openssl rsa -in h:\certs\vcacid\rui-orig.key -out h:\certs\vcacid\rui.key
openssl rsa -in h:\certs\vcacva\rui-orig.key -out h:\certs\vcacva\rui.key

Getting the Certificate

1. Logon to the Microsoft CA Web Interface (https://ca-server/CertSrv)
2. Click on the Request Certificate > Advanced Certificate Request
3. Open the rui.csr file for the vCAC Identity Appliance and then copy and paste the contents into the Base-64-encoded certificate request field.
4. Ensure you select the correctly configured Certificate Template.

NewImage

5. Click “Submit” to submit the request.
6. Select the “Base64 encoded” option on the Certificate Issued screen.
7. Click the “Download Certificate” link and save as rui.crt in the same location as your config file and CSR.
8. Repeat the above process for the vCACVA Certificate Request.
9. Navigate back to the homepage of the certificate server and click “Download a CA certificate, certificate chain or CRL”.
10. Select the “Base64 encoded” option.
11. Click the “Download a CA Certificate Chain” link.
12. Save the certificate chain as cachain.p7b in your desired location.
13. Double click the cachain.p7b file and navigate to yourlocation\cachain.p7b > Certificates
14. Right click the root certificate and select “All Actions > Export” and then click Next.
15. Select Base64-encoded X.509 (.CER) and click Next.
16. Save the export to your location/Root64.cer and click Next.

 

Converting the Certificates to PEM Format

1. Launch a command prompt and navigate to your OpenSSL directory. By default this is located in c:\OpenSSL-Win32\bin
2. Run the following commands (replacing the path with your desired location) to convert the certificates to the format expected of the Virtual Appliances.

openssl pkcs12 -export -in h:\certs\vcacid\rui.crt -inkey h:\certs\vcacid\rui.key -certfile h:\certs\Root64.cer -name “rui” -passout pass:testpassword -out h:\certs\vcacid\rui.pfx
openssl pkcs12 -export -in h:\certs\vcacva\rui.crt -inkey h:\certs\vcacva\rui.key -certfile h:\certs\Root64.cer -name “rui” -passout pass:testpassword -out h:\certs\vcacva\rui.pfx

openssl pkcs12 -in h:\certs\vcacid\rui.pfx -inkey h:\certs\vcacid\rui.key -out h:\certs\vcacid\rui.pem -nodes
openssl pkcs12 -in h:\certs\vcacva\rui.pfx -inkey h:\certs\vcacva\rui.key -out h:\certs\vcacva\rui.pem -nodes

Importing the Certificates to your Virtual Appliances

1. Login to https://vCAC.ID.VA:5480 
2. Click on the SSO tab.
3. Click on the SSL tab.
4. In the “Choose Option” field, click the drop down and select Import PEM encoded certificate.
5. Open the rui.key file for your vCAC ID appliance in a text editor.
6. Copy and paste the contents into the “RSA Private Key” field.
7. Open the rui.pem file for you vCAC ID appliance in a text editor.
8. Copy and past the contents into the “Certificate” field.
9. Enter testpassword into the “Pass Phrase” field.
10. Click the “Replace Certificate” button.

NewImage

 

1. Login to https://vCAC.VA:5480 
2. Click on the vCAC Settings tab.
3. Click on the SSL tab.
4. In the “Choose Option” field, click the drop down and select Import PEM encoded certificate.
5. Open the rui.key file for your vCAC ID appliance in a text editor.
6. Copy and paste the contents into the “RSA Private Key” field.
7. Open the rui.pem file for you vCAC ID appliance in a text editor.
8. Copy and past the contents into the “Certificate” field.
9. Enter testpassword into the “Pass Phrase” field.
10. Click the “Replace Certificate” button.

NOTE: If you are replacing the certificates after having registered the vCAC VA against the vCAC ID VA you will need to re-enter the SSO settings on the vCAC Server to ensure that communications between the VAs are trusted.

1. Login to https://vCAC.VA:5480 
2. Click on the vCAC Settings tab.
3. Click on the SSO tab.
4. Re-enter the SSO Admin User and SSO Admin Password details and then click “Save Settings”.

Not performing this step will result in an error as shown below.

NewImage