Generating SAN security certificate for NSX-T and PKS on Windows


A friend of mine had some problems generating certificates for NSX-T to be used with PKS. When he tried using the commands from his Mac, as instructed by
https://docs.vmware.com/en/VMware-Enterprise-PKS/1.2/vmware-enterprise-pks-12/GUID-generate-nsx-ca-cert.html , he would get errors all over the place. For your information, afterwards we found out that copying the code from the page introduced some characters that the CLI didn't like.

Generating SAN certificates on Windows for NSX-T and PKS

So I decided to generate the certificates in a different way, using the Windows version of OpenSSL. Obviously the code in the VMware article will not work as-is, since it was written for Linux-type platforms.

Here is what we used to generate the certificate on Windows. The commands below are shown as typed at the interactive OpenSSL> prompt that you get by running openssl.exe with no arguments; if you run them from a regular command prompt instead, prefix each one with openssl.


Windows certificate creation

A certificate with Subject Alternative Names (SANs) is a single certificate that is valid for several names (DNS names and IP addresses), not only for the one name in its Common Name (CN).

In this case, this means that a single server certificate can be used for multiple servers, or for multiple entries for the same server:

  • NSX.vmusketeers.local
  • the IP address of NSX

To be able to create a self-signed certificate which can be used for multiple servers, download and install OpenSSL. Then proceed with the following:

1. Create a 2048 bit Certificate Authority (CA) private key:

genrsa -out NSX-privkey.pem 2048

The CA private key is created: NSX-privkey.pem

2. Create a self-signed CA certificate (valid for 3650 days, signed with SHA-256):

req -new -x509 -days 3650 -nodes -key NSX-privkey.pem -sha256 -out NSX-ca.pem

Fill in the following details at the prompts to create the 2048 bit Certificate Authority (CA) certificate (the same values are used in the server configuration file further down):

  • Country = US
  • O (organization) = NSX
  • OU (organizational unit) = NSX
  • L (locality) = Palo Alto
  • ST (state) = CAL
  • FQDN server (Common Name) = NSX.vmusketeers.local
  • Email address = info@info.com

Once finished, the CA certificate is created: NSX-ca.pem

3. Now create the following server configuration file (NSX.csr.cnf, the name the command in the next step expects).

You can copy and paste the following content into Notepad++ (prompt = no means OpenSSL takes the Distinguished Name from this file instead of asking for it):

[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = req_distinguished_name
[req_distinguished_name]
countryName = US
stateOrProvinceName = CAL
localityName = Palo Alto
organizationName = NSX
organizationalUnitName = NSX
emailAddress = info@info.com
CN = NSX.vmusketeers.local

4. Create a server Certificate Signing Request (CSR) and server private key:

req -new -nodes -out NSX-server.csr -keyout NSX-server.key -config NSX.csr.cnf

As a result the server CSR is created: NSX-server.csr

Also the server private key is created: NSX-server.key

5. Now create a server extension file (NSX_v3.ext, the name the signing command in the next step expects). This file is what puts the Subject Alternative Names into the certificate; the CSR itself carries none.

You can copy and paste the following content into Notepad++, then modify the [alt_names] entries according to your situation (the IP address below is left as a placeholder):

authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = NSX.vmusketeers.local
IP.1 = 192……

6. Create the server certificate by signing the CSR with the CA key and applying the extension file:

x509 -req -in NSX-server.csr -CA NSX-ca.pem -CAkey NSX-privkey.pem -CAcreateserial -out NSX-server.crt -days 3650 -extfile NSX_v3.ext

The server certificate is created: NSX-server.crt

The serial number file is created: NSX-ca.srl
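The whole procedure above, scripted end to end and followed by the checks worth running before uploading the result to NSX-T (the chain builds to the CA, the SAN matches both the FQDN and the IP address, a name that is not in the SAN is rejected, and the server certificate is not itself a CA). This is an added example written for this post, not code from the post or from VMware, and it is written for POSIX sh with openssl on PATH (on Windows it runs as-is under Git Bash or WSL). It assumes a CA with its own Common Name ("NSX-ca", my choice, so that the server certificate does not look self-issued) and uses the documentation address 192.0.2.10 as a constructed stand-in for the post's elided IP.

```shell
#!/bin/sh
# Added example, not code from the original post or from VMware: the post's
# OpenSSL steps (CA key, self-signed CA, CSR from a prompt=no config, SAN
# extension file, CA-signed server certificate) scripted end to end in POSIX
# sh, followed by the checks worth running before uploading the result to NSX-T.
# Assumptions: "openssl" is on PATH; the CA gets its own CN ("NSX-ca", my
# choice) so the server certificate is not self-issued; the IP address is the
# documentation address 192.0.2.10, a constructed stand-in for the post's
# elided "192......".
set -eu

make_san_cert() {
  dir="$1"   # output directory
  host="$2"  # FQDN used as CN and as SAN DNS.1
  ip="$3"    # address used as SAN IP.1

  # Steps 1-2: CA private key and self-signed CA certificate.
  openssl genrsa -out "$dir/NSX-privkey.pem" 2048 2>/dev/null
  cat > "$dir/NSX-ca.cnf" <<EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
[req_distinguished_name]
C = US
ST = CAL
L = Palo Alto
O = NSX
OU = NSX
emailAddress = info@info.com
CN = NSX-ca
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -new -x509 -days 3650 -nodes -key "$dir/NSX-privkey.pem" \
    -sha256 -config "$dir/NSX-ca.cnf" -out "$dir/NSX-ca.pem"

  # Steps 3-4: server key and CSR, DN taken from the config (no prompts).
  cat > "$dir/NSX.csr.cnf" <<EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = req_distinguished_name
[req_distinguished_name]
countryName = US
stateOrProvinceName = CAL
localityName = Palo Alto
organizationName = NSX
organizationalUnitName = NSX
emailAddress = info@info.com
CN = $host
EOF
  openssl req -new -nodes -out "$dir/NSX-server.csr" \
    -keyout "$dir/NSX-server.key" -config "$dir/NSX.csr.cnf" 2>/dev/null

  # Steps 5-6: the SAN lives in the extension file and is applied when the
  # CA signs; "x509 -req" does not copy extensions from the CSR.
  cat > "$dir/NSX_v3.ext" <<EOF
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = $host
IP.1 = $ip
EOF
  openssl x509 -req -in "$dir/NSX-server.csr" -CA "$dir/NSX-ca.pem" \
    -CAkey "$dir/NSX-privkey.pem" -CAcreateserial -days 3650 -sha256 \
    -extfile "$dir/NSX_v3.ext" -out "$dir/NSX-server.crt" 2>/dev/null
}

# Checks: chain builds to the CA, the SAN matches both the FQDN and the IP,
# a name that is not in the SAN is rejected, and the leaf is not itself a CA.
verify_san_cert() {
  dir="$1"; host="$2"; ip="$3"
  ca="$dir/NSX-ca.pem"; crt="$dir/NSX-server.crt"
  openssl verify -CAfile "$ca" -verify_hostname "$host" "$crt" >/dev/null
  openssl verify -CAfile "$ca" -verify_ip "$ip" "$crt" >/dev/null
  if openssl verify -CAfile "$ca" -verify_hostname wrong.example "$crt" >/dev/null 2>&1; then
    echo "SAN check is not effective: an unrelated hostname was accepted" >&2
    return 1
  fi
  openssl x509 -in "$crt" -noout -text | grep -q 'CA:FALSE'
}

work="$(mktemp -d)"
make_san_cert "$work" NSX.vmusketeers.local 192.0.2.10
verify_san_cert "$work" NSX.vmusketeers.local 192.0.2.10
echo "certificate and key written to $work (NSX-server.crt, NSX-server.key)"
```

The negative check with wrong.example is the one people tend to skip: it confirms that name matching is actually being enforced against the SAN, which is what NSX-T and PKS rely on when the certificate is presented for a hostname or an IP.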
