PowerVCF - Generate Certificate Signing Request (CSR) Files for Each Component Managed by SDDC Manager (Part 3)
This is the third of five blogs in the series that discusses the process of Certificate Management with VMware Cloud Foundation. The series looks at the end-to-end process that you follow to take a freshly installed VMware Cloud Foundation platform (Management Domain) and replace the components' certificates with certificates signed by a Microsoft Certificate Authority.
In this post we will look at the process of generating the Certificate Signing Request (CSR) files using SDDC Manager.
Generate Certificate Signing Request (CSR) Files using the User Interface
The following procedure demonstrates the process through the SDDC Manager User Interface.
Procedure
- Log in to SDDC Manager using a web browser.
- Open a Web browser and go to https://lax01mgr01.lax.rainpole.local.
- Log in using the [email protected] user account
- Navigate to Inventory > Workload Domains.
- In the Workload Domains window, under Virtual Infrastructure (VI), select View Details.
- In the Virtual Infrastructure (VI) window, select MGMT from the Domain column.
- Select the Security tab.
- Select the checkbox in the table header to select all resource types and click Generate CSR.
- In the Generate CSR dialog, configure the values as appropriate and click Generate CSR.
Once complete, the User Interface is updated with a status message.
Generate Certificate Signing Request (CSR) Files using PowerVCF
The following procedure demonstrates the process through PowerVCF.
Assumption: You have already installed or imported PowerVCF on your system.
Procedure
Before performing any operations on SDDC Manager using PowerVCF you must enter the credentials. The PowerVCF cmdlet Connect-VCFManager takes these credentials and stores them as a base64 string, which is then used for each subsequent cmdlet (base64 is an encoding, not encryption, so treat the session and any transcript of it as sensitive). Enter the following syntax:
Connect-VCFManager -fqdn lax01mgr01.lax.rainpole.local -username admin -password "VMw@re1!"
The process of generating the Certificate Signing Request (CSR) files via PowerVCF requires passing a JSON spec containing the required input details as follows:
{
  "csrGenerationSpec": {
    "country": "",
    "email": "",
    "keyAlgorithm": "",
    "keySize": "",
    "locality": "",
    "organization": "",
    "organizationUnit": "",
    "state": ""
  },
  "resources": [
    {
      "fqdn": "",
      "name": "",
      "resourceId": "",
      "type": ""
    }
  ]
}
The csrGenerationSpec maps directly to the same details we entered via the User Interface and would look like this:
{
  "csrGenerationSpec": {
    "country": "US",
    "email": "",
    "keyAlgorithm": "RSA",
    "keySize": "2048",
    "locality": "Palo Alto",
    "organization": "VMware",
    "organizationUnit": "HCIBU",
    "state": "CA"
  }
}
Next we need to populate the resources part of the JSON spec for each component we want to generate a CSR for. To achieve this we need the following four pieces of information for each component:
- fqdn - The fully qualified domain name (FQDN) as stored in the SDDC Manager inventory.
- name - The hostname, which can be derived from the fqdn (the label before the first dot).
- resourceId - The unique id assigned to the component and stored in the SDDC Manager inventory.
- type - The flag that identifies what type of component the resource is. SDDC Manager has the following resource types: SDDC_MANAGER, PSC, VCENTER, NSX_MANAGER, NSXT_MANAGER, VRA, VRLI, VROPS, VRSLCM, VXRAIL_MANAGER.
In this example we are going to include the VCENTER and SDDC_MANAGER resource types, and using the Get-VCFvCenter and Get-VCFManager cmdlets we can obtain the fqdn and resourceId values.
First, let's look at the Get-VCFvCenter cmdlet. Enter the following syntax:
Get-VCFvCenter | select id,fqdn
Using the select command we return just the id and fqdn details, which is all we need for the JSON spec. With this information we can now build the resources section like this:
{
  "csrGenerationSpec": {
    "country": "US",
    "email": "",
    "keyAlgorithm": "RSA",
    "keySize": "2048",
    "locality": "Palo Alto",
    "organization": "VMware",
    "organizationUnit": "HCIBU",
    "state": "CA"
  },
  "resources": [
    {
      "fqdn": "lax01m01vc01.lax.rainpole.local",
      "name": "lax01m01vc01",
      "resourceId": "a0652869-dc9b-426a-a9f6-f2866830dceb",
      "type": "VCENTER"
    }
  ]
}
Next we want to do the same for SDDC Manager using the Get-VCFManager cmdlet. Enter the following syntax:
Get-VCFManager | select id,fqdn
Add this additional information to our JSON spec file as follows, and then save the file. In this example I call it requestCsrSpec.json.
{
  "csrGenerationSpec": {
    "country": "US",
    "email": "",
    "keyAlgorithm": "RSA",
    "keySize": "2048",
    "locality": "Palo Alto",
    "organization": "VMware",
    "organizationUnit": "HCIBU",
    "state": "CA"
  },
  "resources": [
    {
      "fqdn": "lax01m01vc01.lax.rainpole.local",
      "name": "lax01m01vc01",
      "resourceId": "a0652869-dc9b-426a-a9f6-f2866830dceb",
      "type": "VCENTER"
    },
    {
      "fqdn": "lax01mgr01.lax.rainpole.local",
      "name": "lax01mgr01",
      "resourceId": "41290562-a6a5-4d3b-8f3c-25b0dd5535f6",
      "type": "SDDC_MANAGER"
    }
  ]
}
Now that we have our JSON spec ready, we can create the Certificate Signing Request (CSR) files using the Request-VCFCertificateCSRs cmdlet. When executing this cmdlet we need to provide two inputs: the name of the Workload Domain (in this example MGMT) and the path to the JSON file we have just created. Enter the following syntax:
Request-VCFCertificateCSRs -domainName MGMT -json E:\MyLab\requestCsrSpec.json
After executing this command you are presented with a response containing a Task ID and its status. The generation is pretty quick, but you can check the status of the task using the Get-VCFTask cmdlet. Enter the following syntax:
Get-VCFTask e87379ea-ad57-422d-bbfa-bff8c39c810a | select id,name,status
Here we can see a task named Certificate Operation: GENERATE_CSR with a status of SUCCESSFUL. So there you have it: we have successfully generated the Certificate Signing Request (CSR) files using PowerVCF.
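The whole PowerVCF procedure above (connect, collect the inventory ids, write the spec, submit it, poll the task) can be scripted so that the resources section is built from Get-VCFvCenter and Get-VCFManager output rather than pasted by hand, which avoids typos in resourceId values. The script below is an added example and is not code from the original post or from the PowerVCF project. It uses the cmdlets and parameter names shown in the post; the shape of the objects those cmdlets return (an .id and .fqdn property on inventory objects, an .id and .status property on the task object) and the Get-VCFTask -id parameter are assumptions based on the output in the post. Credentials are prompted for with Get-Credential instead of being typed into the command line, so the password does not land in the shell history.

```powershell
# Added example: build the CSR spec from SDDC Manager inventory, submit it, poll the task.
# Not from the original post or the PowerVCF project; object property names are assumed.
param(
    [string]$SddcManagerFqdn = 'lax01mgr01.lax.rainpole.local',   # value used in the post
    [string]$DomainName      = 'MGMT',
    [string]$SpecPath        = (Join-Path $PWD 'requestCsrSpec.json')
)

# Prompt for credentials rather than embedding the password in the script or shell history.
$cred = Get-Credential -UserName 'admin' -Message 'SDDC Manager credentials'
Connect-VCFManager -fqdn $SddcManagerFqdn -username $cred.UserName `
    -password $cred.GetNetworkCredential().Password | Out-Null

# Subject fields, the same values entered in the UI in the post.
$csrGenerationSpec = [ordered]@{
    country          = 'US'
    email            = ''
    keyAlgorithm     = 'RSA'
    keySize          = '2048'
    locality         = 'Palo Alto'
    organization     = 'VMware'
    organizationUnit = 'HCIBU'
    state            = 'CA'
}

# Refuse to submit a spec that would generate a key shorter than 2048 bits.
if ([int]$csrGenerationSpec.keySize -lt 2048) {
    throw "keySize $($csrGenerationSpec.keySize) is below 2048; refusing to generate weak keys."
}

# One resources entry per component; name is the host label of the fqdn.
function New-CsrResource {
    param([string]$Fqdn, [string]$ResourceId, [string]$Type)
    if (-not $Fqdn -or -not $ResourceId) {
        throw "Inventory returned an empty fqdn or id for resource type $Type"
    }
    [ordered]@{
        fqdn       = $Fqdn
        name       = $Fqdn.Split('.')[0]
        resourceId = $ResourceId
        type       = $Type
    }
}

$resources = @()
# On a platform with several workload domains, restrict this to the vCenter of $DomainName;
# the post's example has a single (management) vCenter.
foreach ($vc in (Get-VCFvCenter)) {
    $resources += New-CsrResource -Fqdn $vc.fqdn -ResourceId $vc.id -Type 'VCENTER'
}
$mgr = Get-VCFManager
$resources += New-CsrResource -Fqdn $mgr.fqdn -ResourceId $mgr.id -Type 'SDDC_MANAGER'

$spec = [ordered]@{ csrGenerationSpec = $csrGenerationSpec; resources = $resources }
$spec | ConvertTo-Json -Depth 5 | Set-Content -Path $SpecPath -Encoding ascii
Write-Host "Wrote $($resources.Count) resource(s) to $SpecPath"

# Submit the spec and poll the task until it leaves the running state (at most 20 x 15 s).
$task   = Request-VCFCertificateCSRs -domainName $DomainName -json $SpecPath
$taskId = $task.id   # assumed: the response object carries the task id shown in the post
for ($i = 0; $i -lt 20; $i++) {
    $t = Get-VCFTask -id $taskId
    if ($t.status -in @('SUCCESSFUL', 'FAILED')) { break }
    Start-Sleep -Seconds 15
}
$t | Select-Object id, name, status
if ($t.status -ne 'SUCCESSFUL') {
    throw "CSR generation task $taskId ended with status '$($t.status)'"
}
```

The script stops with an error if the task ends in any state other than SUCCESSFUL, so it can be chained with the certificate-request steps in the following parts of the series without silently proceeding on a failed CSR generation.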
Useful Links
If you would like to learn more about VMware Cloud Foundation or PowerVCF, check out these links: