vRA 7 / vRO 7 REST error (java.security.cert.CertificateException)

Whilst I was with a customer recently, I hit an SSL related issue whilst trying to put together a vRO workflow to orchestrate the creation of a load-balancer configuration on a Citrix Netscaler VPX. Adding the REST host(s) to vRO was accomplished without any issue, but when I came to use them my workflow failed with the following error:

As this vRO instance was running on a vRA appliance, my first port of call was starting the vRO Control Center service and make sure that the REST host certificates had indeed been imported in to vRO and were trusted.¬†They were. Looking at the certificates themselves (as I had blindly accepted them up until that point) I noticed that they were self-signed and the cause of the error became clearer. Some software solutions generate fairly weak SSL certificates by default to […]

Read More

Howto: Creating a CA template for VMware services

Having setup my lab’s PKI infrastructure previously, one of the next steps I needed to complete was to create a template for certificates for VMware’s products to use as they require certain properties to be present in the certificates used. There is a KB article that covers this but I wanted to run through it and use some of the specifics for my lab. Template for VMware SSL Certificates This template will provide certificates for ESXi hosts, vCenter, vRA, vRO etc. To create it, we first need the Certificate Templates Console. This can be opened by running certtmpl.msc. Per the KB article, I duplicated the “Web Server” template as a starting point. My first task was to give the template a new name and set the validity to 4 years: On the Extensions tab, although it’s possibly not required for […]

Read More

Howto: Configuring a homelab online subordinate CA

A quick recap of where I got to. I have an offline Root CA (well, it’s still online because I’ll need it in a minute) and I’ve created a website on my online subordinate CA server to host the Root CA certificate and CRL files. The purpose of the subordinate CA is to handle certificate signing and repudiation for all services in my infrastructure that require them. It will be granted the authority to do so by the Root CA. So this post covers the remaining steps of the process, which are: Installing and configuring the subordinate CA Signing the subordinate CA’s certificate using the Root CA Delegating control of the subordinate CA to someone other than Domain Admins Some elements of this process are very similar to the process of setting up the Root CA in the first place […]

Read More

Howto: Publishing offline Root CA certs and CRLs

Previously, I setup an offline Root CA in my homelab with the intention emulating a PKI setup that many enterprises seem to run. The second stage of this process is publishing the Root CA certificate and CRL in a place that they can be accessed when the Root CA is offline. If you recall, I configured the Root CA to publish its CRL etc to a location on pki.o11n.lab. I now need to create that. The Server Rather than run my lab’s online CA on a domain controller, which might be tempting but causes other issues, I have a domain joined server setup that will eventually become my online subordinate CA. It’s a vanilla Windows 2012 R2 server as before and a domain member. DNS The VM is called “ca-01”, but I need to have pki.o11n.lab pointed to it too. […]

Read More

Howto: Configuring a homelab offline Root CA

Self-signed SSL certificates are all well and good but they’re not meant to be for the real world. The trust issues they cause can be a headache on customer projects and anything that’s going in to production shouldn’t be using them. For that reason, I thought it’d be better to change my homelab so that it uses a slightly more realistic PKI setup. The first phase of that is creating an offline Root CA as it’s something that a good number of customers use too. Step 1: DNS From a DNS perspective, my homelab is split up so that anything physical and fundamental to the lab (e.g. storage / NAS, physical hosts, switches etc) lives in its own DNS domain (home.lab). Everything else from vCenter and AD downwards is in one or more other DNS domains and on separate VLANs […]

Read More