PowerVCF - Request Signed Certificates from Microsoft Certificate Authority (Part 4)
This is the fourth of five blogs in the series that discusses the process of Certificate Management with VMware Cloud Foundation. The series looks at the end to end process that you follow to take a freshly installed VMware Cloud Foundation platform (Management Domain) and replace the components with signed certificates using a Microsoft Certificate Authority.
In this post we will look at the process of requesting the signed certificates from the Microsoft Certificate Authority using SDDC Manager either using the SDDC Manager User Interface or via the Public APIs using PowerVCF.
- Generate Signed Certificates using the User Interface
- Generate Signed Certificates using using PowerVCF
Generate Signed Certificates using the User Interface
Procedure
- Log in to SDDC Manager using a web browser.
- Open a Web browser and go to https://lax01mgr01.lax.rainpole.local.
- Log in using the [email protected] user account
- Navigate to Inventory > Workload Domains.
- In the Workload Domains window, under Virtual Infrastructure VI select View Details.
- In the Virtual Infrastructure (VI) window, select MGMT from the Domain column.
- Select the Security tab.
- Select the checkbox in the table header to select all resource types and click Generate Signed Certificates.
NOTE: If you have not completed the Generate CSR step then the Generate Signed Certificates option is not available. See my PowerVCF - Generate Certificate Signing Request (CSR) Files for Each Component Managed by SDDC Manager (Part 3) post.
- In the Generate Certificates dialog, using the Select Certificate Authority dropdown and select Microsoft, then click Generate Certificates.
Once complete the User Interface is updated with a status message of Certificate Generation is successful.
Generate Signed Certificates using using PowerVCF
Assumption: You have already installed or imported PowerVCF on your system.
Procedure
Before performing any operations on SDDC Manager using PowerVCF you must enter the credentials, the PowerVCF cmdlet Connect-VCFManager takes these credentials and stores them as a base64 string which is then used for each subsequent cmdlet. Enter the following syntax.
Connect-VCFManager -fqdn lax01mgr01.lax.rainpole.local -username admin -password "VMw@re1!"
The process of generating the signed certificates via PowerVCF requires passing a JSON spec containing the required input details as follows:
{
"caType": "",
"resources": [ {
"fqdn": "",
"name": "",
"resourceId": "",
"type": ""
} ]
}The caType element supports only Microsoft or OpenSSL. In this example we will enter Microsoft as follows.
{
"caType": "Microsoft",
"resources": [ {
"fqdn": "",
"name": "",
"resourceId": "",
"type": ""
} ]
}Next we need to populate the resources part of the JSON spec for each component we want to generate the certificate for. To achieve this we need the following four elements of information for each component (just like we did for generating the CSR files):
- fqdn - The fully distinguished domain name as it relates to the information stored in the SDDC Manager inventory.
- name - The hostname which can be derived from the fqdn
- resourceId - The unique id assigned to the component and stored in the SDDC Manager inventory.
- type - The flag to identify what type of component the resources is, SDDC Manager has the following resource types SDDC_MANAGER, PSC, VCENTER, NSX_MANAGER, NSXT_MANAGER, VRA, VRLI, VROPS, VRSLCM, VXRAIL_MANAGER
In this example we are going to include VCENTER and SDDC_MANAGER resource types, and using the Get-VCFvCenter and Get-VCFManager cmdlets we can obtain the fqdn and resourceIds details.
First lets look at the Get-VCFvCenter cmdlet. Enter the following syntax:
Get-VCFvCenter | select id,fqdn
Using the select command we can return just the id and fqdn details which is all we need for the JSON spec, using this information we can now build the resource section like this:
{
"caType": "Microsoft",
"resources": [ {
"fqdn": "lax01m01vc01.lax.rainpole.local",
"name": "lax01m01vc01",
"resourceId": "a0652869-dc9b-426a-a9f6-f2866830dceb",
"type": "VCENTER"
} ]
}Next we want to do the same for SDDC Manager using the Get-VCFManager cmdlet. Enter the following syntax:
Get-VCFManager | select id,fqdn
Add this additional information to our JSON spec file as follows, and then save the file in this example I call it requestCertificateSpec.json.
{
"caType": "Microsoft",
"resources": [ {
"fqdn": "lax01m01vc01.lax.rainpole.local",
"name": "lax01m01vc01",
"resourceId": "a0652869-dc9b-426a-a9f6-f2866830dceb",
"type": "VCENTER"
},{
"fqdn": "lax01mgr01.lax.rainpole.local",
"name": "lax01mgr01",
"resourceId": "41290562-a6a5-4d3b-8f3c-25b0dd5535f6",
"type": "SDDC_MANAGER"
} ]
}Now we have our JSON spec ready we can perform the process of creating the signed certificates using the Request-VCFCertificates cmdlet. When executing this cmdlet we need to provide two inputs, first the name of the Workload Domain, in this example we are using MGMT and the json file we have just created. Enter the following syntax:
Request-VCFCertificate -domainName MGMT -json E:\MyLab\requestCertificateSpec.json
After executing this command you are presented with a response which relates to a Task ID and the status of the request, you can check the status of the request using the Get-VCFTask cmdlet. Enter the following synatx:
Get-VCFTask 4b8f38fc-3c8f-4df5-9228-639a5af5b5d3 | select id,name,status
Here we can see a task is named Certificate Operation: GENERATE_CERTIFICATE and it has a status of SUCCESSFUL. So there you have it we have successfully generated the signed certificates using PowerVCF.
Useful Links
If you would like to learn more about VMware Cloud Foundation or PowerVCF, check out these links: