A friend of mine had some problems generating certificates for NSX-T to be used with PKS. When he tried using the commands from his Mac, as instructed by
https://docs.vmware.com/en/VMware-Enterprise-PKS/1.2/vmware-enterprise-pks-12/GUID-generate-nsx-ca-cert.html, he got errors all over the place. For your information, we found out afterwards that copying the code from the page introduced some characters that the CLI didn't like.
Generating SAN certificates on Windows for NSX-T and PKS
So I decided to generate the certificates in a different way, using the Windows version of OpenSSL. Obviously the code in the VMware article will not work as-is, since it was written for Linux-type platforms.
Here is what we used to generate the certificate on Windows:
Windows certificate creation
A certificate with Subject Alternative Names (SANs) is a single certificate that is valid for several names at once, instead of only the one name in its Common Name (CN).
In this case, this means that a single server certificate can be used for multiple servers, or for multiple entries of the same server:
NSX.vmusketeers.local
IP address for NSX
To be able to create a self-signed certificate which can be used for multiple servers, download and install OpenSSL. The commands below are written for a normal command prompt or PowerShell window, so each one starts with openssl; if you start openssl.exe without arguments and work at its OpenSSL> prompt instead, leave that prefix off. Then proceed with the following:
1. Create a 2048 bit Certificate Authority (CA) private key:
openssl genrsa -out NSX-privkey.pem 2048
The CA private key is created: NSX-privkey.pem
2. Create a self-signed CA certificate:
openssl req -new -x509 -days 3650 -nodes -key NSX-privkey.pem -sha256 -out NSX-ca.pem
Fill in the following details to create a 2048 bit Certificate Authority (CA) certificate:
- Country=US
- O=NSX
- OU=NSX
- L=CAL
- S=Palo Alto
- FQDN server = NSX.vmusketeers.local
- Email address: info@info.com
Once finished, the CA certificate is created: NSX-ca.pem
3. Now create the following server configuration file (NSX.csr.cnf); this is the file the next step passes to -config.
You can copy and paste the following content into Notepad++ (save it as plain ASCII, without a byte-order mark, so no stray characters end up in the file):
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = req_distinguished_name
[req_distinguished_name]
countryName = US
stateOrProvinceName = CAL
localityName = Palo Alto
organizationName = NSX
organizationalUnitName = NSX
emailAddress = info@info.com
CN = NSX.vmusketeers.local
4. Create a server Certificate Signing Request (CSR) and server private key:
openssl req -new -nodes -out NSX-server.csr -keyout NSX-server.key -config NSX.csr.cnf
As a result the server CSR is created: NSX-server.csr
Also the server private key is created: NSX-server.key
5. Now create a server extension file (NSX_v3.ext); this is the file the last step passes to -extfile.
You can copy and paste the following content into Notepad++.
Modify the server extension file according to your situation (at least the DNS and IP entries under [alt_names]).
# Default (unnamed) section: used by "openssl x509 -extfile" when no -extensions is given
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
# Same extensions under a named section, only used if you sign with -extensions v3_req
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = NSX.vmusketeers.local
IP.1 = 192……
6. Create the server certificate, signed by the CA and carrying the SAN extensions from the file above (-sha256 matches the digest used for the CA certificate):
openssl x509 -req -in NSX-server.csr -CA NSX-ca.pem -CAkey NSX-privkey.pem -CAcreateserial -out NSX-server.crt -days 3650 -sha256 -extfile NSX_v3.ext
The server certificate is created: NSX-server.crt
The serial number file is created: NSX-ca.srl
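The whole procedure above as one non-interactive PowerShell script, added here as an example; these are not the original post's commands. It assumes openssl.exe is on PATH (adjust $OpenSsl otherwise), uses the placeholder address 192.0.2.10 in place of the real NSX IP, and takes the subject fields from the post. Both config files are generated by the script and checked for non-ASCII characters before they are written as plain ASCII, which avoids the copy-and-paste character problem described at the top. At the end it checks what the CLI steps alone do not: that the server certificate chains to the CA, that it is valid for the hostname and the IP, and that the private key actually belongs to the issued certificate.

```powershell
# Added example: generate a CA plus a SAN server certificate with the Windows OpenSSL build.
# Assumptions: openssl.exe on PATH; 192.0.2.10 is a placeholder for the NSX address.
$OpenSsl = 'openssl'
$Name    = 'NSX'
$Fqdn    = 'NSX.vmusketeers.local'
$Ip      = '192.0.2.10'          # placeholder, replace with the NSX IP address
$Days    = 3650
$Subj    = "/C=US/ST=CAL/L=Palo Alto/O=NSX/OU=NSX/CN=$Fqdn/emailAddress=info@info.com"

function Invoke-OpenSsl {
    # Runs one openssl subcommand and stops on a non-zero exit code instead of
    # silently continuing with a half-finished key/certificate chain.
    param([Parameter(ValueFromRemainingArguments)] [string[]] $OpenSslArgs)
    & $OpenSsl @OpenSslArgs
    if ($LASTEXITCODE -ne 0) { throw "openssl $($OpenSslArgs[0]) failed with exit code $LASTEXITCODE" }
}

function Assert-PlainAscii {
    # Text copied from a web page or Word can carry smart quotes, non-breaking spaces or
    # zero-width characters that the openssl config parser rejects; catch them before writing.
    param([string] $Text, [string] $Label)
    $bad = [regex]::Matches($Text, '[^\x09\x0A\x0D\x20-\x7E]')
    if ($bad.Count -gt 0) {
        $codes = ($bad | ForEach-Object { 'U+{0:X4}' -f [int][char]$_.Value } | Select-Object -Unique) -join ', '
        throw "$Label contains non-ASCII characters ($codes); retype them before continuing"
    }
}

# Step 3 of the post: CSR configuration (prompt = no, so the DN comes from this file).
$CsrConf = @"
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = req_distinguished_name

[req_distinguished_name]
countryName = US
stateOrProvinceName = CAL
localityName = Palo Alto
organizationName = NSX
organizationalUnitName = NSX
emailAddress = info@info.com
CN = $Fqdn
"@

# Step 5 of the post: extensions applied at signing time (default section, no -extensions needed).
$ExtConf = @"
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = $Fqdn
IP.1 = $Ip
"@

Assert-PlainAscii -Text $CsrConf -Label 'CSR config'
Assert-PlainAscii -Text $ExtConf -Label 'extension file'
Set-Content -Path "$Name.csr.cnf"  -Value $CsrConf -Encoding ascii   # ASCII: no BOM, no odd characters
Set-Content -Path "${Name}_v3.ext" -Value $ExtConf -Encoding ascii

# Steps 1-2: CA key and self-signed CA certificate (-subj replaces the interactive prompts).
Invoke-OpenSsl genrsa -out "$Name-privkey.pem" 2048
Invoke-OpenSsl req -new -x509 -days $Days -nodes -key "$Name-privkey.pem" -sha256 -subj $Subj -out "$Name-ca.pem"

# Step 4: server key and CSR from the generated config.
Invoke-OpenSsl req -new -nodes -out "$Name-server.csr" -keyout "$Name-server.key" -config "$Name.csr.cnf"

# Step 6: sign the CSR with the CA and attach the SAN extensions.
Invoke-OpenSsl x509 -req -in "$Name-server.csr" -CA "$Name-ca.pem" -CAkey "$Name-privkey.pem" `
    -CAcreateserial -out "$Name-server.crt" -days $Days -sha256 -extfile "${Name}_v3.ext"

# Verification: chain to the CA and validity for both SAN entries, as a TLS client would check them.
Invoke-OpenSsl verify -CAfile "$Name-ca.pem" -verify_hostname $Fqdn "$Name-server.crt"
Invoke-OpenSsl verify -CAfile "$Name-ca.pem" -verify_ip $Ip "$Name-server.crt"

# Verification: the private key must match the certificate's public key (same RSA modulus).
$certMod = & $OpenSsl x509 -noout -modulus -in "$Name-server.crt"
$keyMod  = & $OpenSsl rsa  -noout -modulus -in "$Name-server.key"
if ($certMod -ne $keyMod) { throw "$Name-server.key does not match $Name-server.crt" }

Write-Host "OK: $Name-server.crt chains to $Name-ca.pem and is valid for $Fqdn and $Ip"
```

Run it from the folder where the files should land; it produces the same NSX-privkey.pem, NSX-ca.pem, NSX-server.key, NSX-server.csr, NSX-server.crt and NSX-ca.srl as the manual steps. If the -verify_hostname or -verify_ip check fails, the SAN in NSX_v3.ext does not match what the client will connect to, which is exactly the condition that makes NSX-T or PKS reject the certificate later.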