Wednesday, June 25, 2014

VMware SSL certificates made a bit easier

If you have ever replaced certificates on a VMware product, you know it can get a little confusing at times. For this reason I have written this simple PowerShell tool to easily create CSRs and import the replies.

The tool uses a set of canned configuration files for the various VMware products. These configuration files come directly from VMware KB articles. You can also write your own custom cfg files and place them in the templates directory for use in the tool. You must also add a line in the vmware-cert-tool.conf file for your custom template defaults.

You can download the tool from here. I have provided a link with OpenSSL included, but Google thinks it contains a virus (which it does not).

You can get that here > VMware Certificate Tool w/ OpenSSL

If warnings make you nervous, you can get the package w/o OpenSSL included here > VMware Certificate Tool OpenSSL not Included

You will, however, need to download OpenSSL from http://slproweb.com/products/Win32OpenSSL.html and either install it in the VMware cert tool directory under openssl or modify the PowerShell script to point to your installation.

Now on to the screenshots...

When you run the program, you will be prompted to either generate a CSR or import a reply.

You will be prompted with a list of all the current configuration templates you have in the templates directory.

You will be prompted for the certificate information. In this example we are creating a request for a certificate that will be used for a load balanced SSO 5.5 instance. You can add multiple SANs and IPs.

A summary will be printed. If you have made any mistakes, you can start over.

Several files, including the CSR and private key, are created. The templateUsed.txt file keeps track of the type of certificate you are requesting.

At this point you are on your own to request the certificate from your CA. You can follow VMware's documentation for requesting a certificate here > http://kb.vmware.com/kb/2037432#getcert

For the certificate tool you will only need the .p7b file, as this contains the complete certificate chain. For ease, place it in the request directory for your request.

Start the certificate tool up again and select option 2 to import the reply. You will enter the common name you set for the request and specify the absolute location of the .p7b file.


After the tool runs, it creates all the certificate files you could ever want: the certificate itself, all of the certificates in the chain, a chain certificate without the host certificate, and even the ever-elusive PEM file, which contains the entire chain and private key.
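The import step described above can be reproduced by hand with OpenSSL. The following is an added example, not the tool's own code: the function name, output file names, sample paths and the assumption that openssl.exe is on PATH are all illustrative. It picks the host certificate by matching its public key against the private key, which also confirms the CA reply belongs to this request.

```powershell
# Added example: not the VMware certificate tool's code. Function name, output
# file names and the openssl location are assumptions.
function Expand-P7bReply {
    param(
        [Parameter(Mandatory)] [string] $P7bPath,  # PEM-encoded .p7b from the CA
        [Parameter(Mandatory)] [string] $KeyPath,  # private key created with the CSR
        [Parameter(Mandatory)] [string] $OutDir,
        [string] $OpenSsl = 'openssl'              # assumes openssl.exe is on PATH
    )

    # Dump every certificate in the PKCS#7 bundle as PEM text.
    $bundle = (& $OpenSsl pkcs7 -print_certs -in $P7bPath) -join "`n"
    if ($LASTEXITCODE -ne 0) { throw "openssl could not read $P7bPath" }
    $pattern = '-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----'
    $certs = @([regex]::Matches($bundle, $pattern) | ForEach-Object { $_.Value })
    if ($certs.Count -eq 0) { throw "No certificates found in $P7bPath" }

    # The host certificate is the one whose public key matches the private key.
    $keyPub = ((& $OpenSsl pkey -in $KeyPath -pubout) -join "`n").Trim()
    if ($LASTEXITCODE -ne 0) { throw "openssl could not read $KeyPath" }
    $hostCert = $null
    $chain = @()
    foreach ($pem in $certs) {
        $pub = (($pem | & $OpenSsl x509 -noout -pubkey) -join "`n").Trim()
        if (-not $hostCert -and $pub -eq $keyPub) { $hostCert = $pem } else { $chain += $pem }
    }
    if (-not $hostCert) { throw 'No certificate in the reply matches the private key' }

    # Chain certificates keep the order in which the .p7b listed them.
    $key = (Get-Content -Path $KeyPath) -join "`n"
    $all = @($hostCert) + $chain + @($key)
    $full = Join-Path $OutDir 'full-with-key.pem'
    Set-Content -Path (Join-Path $OutDir 'host.cer') -Value $hostCert -Encoding Ascii
    Set-Content -Path (Join-Path $OutDir 'chain.pem') -Value ($chain -join "`n") -Encoding Ascii
    Set-Content -Path $full -Value ($all -join "`n") -Encoding Ascii

    # The combined file holds the private key: remove inherited ACEs and grant
    # only the current user read access.
    & icacls $full /inheritance:r /grant:r "${env:USERDOMAIN}\${env:USERNAME}:(R)" | Out-Null
    return $full
}

# Constructed paths for illustration only.
Expand-P7bReply -P7bPath 'C:\certs\sso\reply.p7b' -KeyPath 'C:\certs\sso\request.key' -OutDir 'C:\certs\sso'
```

A DER-encoded .p7b or a passphrase-protected key needs the matching OpenSSL input options, which this example leaves out.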


I hope this helps some of you out.