Written by Sam McGeown on 6/11/2012 · Read in about 2 min (340 words)
Published under VMware

The process of requesting certificates for vSphere 5.1 is a fairly grim, manual process. It’s repetitive and easy to make a mistake on any step of the way. Since I’ve got to do this for quite a few VirtualCenter Servers, I thought I’d script the certificate generation if nothing else. I am following the excellent documentation provided in Implementing CA signed SSL certificates with vSphere 5.1 and more specifically in Creating certificate requests and certificates for vCenter Server 5.1 components.

The script assumes that:

  1. You have a working Certificate Authority
  2. You are in an Active Directory domain environment
  3. You have the relevant permissions to modify Certificate Templates, Request and Issue certificates.
  4. You have installed OpenSSL v1.0.1c or later.

You will need to modify the configuration section to suit your environment and the $WorkingDir folder should exist before you run the script.

Creating the Certificate Template

You need to modify the standard Microsoft Web Server template to allow the encryption of user data. Since you can’t edit these templates, you have to duplicate the  template and modify the settings.

<dd class='wp-caption-text gallery-caption' id='gallery-2-1403'>
  Log on to the Certificate Authority and Open the Certification Authority console. Right click on the Certificate Templates folder and select Manage.
<dd class='wp-caption-text gallery-caption' id='gallery-2-1404'>
  Name the certificate meanfully - I used "Virtual Center Web Server" and note the shortened template name, in this case "VirtualCenterWebServer".
<dd class='wp-caption-text gallery-caption' id='gallery-2-1405'>
  Select the "Extensions" tab, select "Key Usage" and click the "Edit&#8230;" button. Tick the "Allow encryption of user data" and click OK, and OK again to save the new template.

Download the CA’s certificate as per the instructions in the linked KB above:

  • Navigate back to the home page of the certificate server and click on Download a CA certificate, certificate chain or CRL.

Running the script

The script itself is fairly simple, creating a folder structure for the individual certificates, wrestling with OpenSSL and handling the requests to the CA using CertReq. You can view the debug output by setting the $DebugPreference to ‘Continue’






Share this post