
Setting up a small lab CA on Windows 2012 R2 for vSphere certificate replacement


Sure I can, so let’s go. The same assumptions as in the last post apply: this is not intended to be secure in any way. It should simply be easy to set up, work out of the box, and be able to create certificates with Derek Seaman’s SSL toolkit (which should also meet the requirement for the VSS Labs vCert Manager), producing certificates compliant with the vSphere basic stack.

As Server 2012/2012 R2 is still fairly new to me and I like to have stuff documented at some point, I will make this a walk-through from the very beginning, right after installing the operating system.

The first thing we need to do is promote our server to a domain controller. dcpromo no longer works on Server 2012, so we have two choices here: either use a PowerShell script (which we will actually get from the second option, and which is indeed one of the best features of Server 2012) or use the GUI wizard.

I opted for the GUI version. Even with the GUI, in a small lab environment this setup should perform just fine with 1 vCPU and 1 GB RAM (I found 512 MB to be not acceptable for Server 2012 with the GUI, at least).

So let’s use the new Server Manager to add the role for “Active Directory Domain Services” by choosing “Manage” in the top right corner and then “Add roles and features”.

We want to perform a role-based installation in our case, as we are not looking for VDI (and I am sure everyone would want to use VMware View for that anyway).

In the next screen we can actually choose our domain services and leave everything at default.

As this is only a lab I don’t mind restarts either, so it has become a habit of mine to simply check the “Reboot automatically if needed” boxes.

After the installation is done only the binaries have actually been copied over; they still need to be configured. We can easily do so by clicking the small flag symbol, which will show a yellow exclamation mark triangle to indicate that something still needs our attention. Clicking “Promote this server to a domain controller” then launches the wizard we wanted all along.

Since our lab will be a completely new deployment I chose to create a new forest, giving its root domain the name “ssl.local”.

The rest of the wizard will be left at defaults, choosing a random password when requested. The next important screen is the “Review Options” screen. In the bottom right is a button called “View script” which opens a text file with the PowerShell instructions needed to perform the whole wizard configuration without any GUI at all, pretty nifty!

The rest of the wizard is of the “next, next, finish, reboot” style we are used to from Windows.

After the domain controller bits are out of the way we can deal with the certificate services once more. Same procedure as last time: add a new role-based installation and this time choose “Active Directory Certificate Services”.

We don’t want to add any features this time, and skip the next couple of screens with defaults until we get to “Role Services” under “AD CS”. Interestingly enough Microsoft has changed the order of the role services, so some attention is needed to check the correct ones. Like last time we want “Certificate Authority” and “Certification Authority Web Enrollment”, which will also install IIS as a requirement.

We will leave the IIS settings at their defaults and click next through the rest of the installation until we see the summary screen, which tells us that further configuration for the certificate services is needed as well.

Like we did with the domain services, we click the yellow triangle to continue the configuration of our CA.

The first screen wants credentials of a user belonging to the local Administrators and Enterprise Admins groups. Since this is a lab my domain admin will do just fine here. On the role services screen we choose to configure both options.

As we want everything to be Active Directory integrated we choose “Enterprise CA” on the next screen. And since this again is a small lab, a root CA will be sufficient for now. A new private key will be generated as well for my lab, and again I chose to go with SHA512 instead of the default, just because.

The rest of the setup is again of the “next, next, finish” kind. To be able to edit the certificate templates we need to choose “Tools” and then “Certificate Authority” in Server Manager.

The screen looks a bit different than on 2008 R2; to copy a new template we need to right-click the “Certificate Templates” folder and select “Manage”.

In the screen that pops up we choose the Web Server template, right-click it and choose the option to duplicate the template. Next comes customizing the template to VMware vSphere standards again. In the General tab choose an appropriate name.

In the Extensions tab we add “Client Authentication” to the “Application Policies” and also allow the encryption of user data in “Key Usage”.

Once more the last step is to add the newly created certificate template to web enrollment and test that Derek’s script can mint certificates without problems. This is done the same way as on Windows Server 2008 R2: right-click the Certificate Templates folder in the CA configuration, choose New and then the only option that is presented. Mark the freshly created template and hit “OK”. And indeed we can see the template being published in web enrollment.

The toolkit also does not seem to have any issues with this CA.
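For reference, here is the same build as the PowerShell the “View script” button hints at, followed by a check that an issued certificate actually carries the extensions the template customization above adds. This is an added example, not the post’s own script; the domain name comes from the post, while the CA common name, template name, DSRM password prompt and certificate path are assumptions (the template itself is still duplicated in the MMC as described).

```powershell
# Added example (not from the post). Names other than ssl.local are assumptions.

# --- Step 1: AD DS role and a new forest, what the wizard's "View script" emits ---
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSForest -DomainName 'ssl.local' -DomainNetbiosName 'SSL' -InstallDns `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') `
    -Force   # reboots when finished, like the "Reboot automatically if needed" box

# --- Step 2 (after the reboot): AD CS as an Enterprise root CA plus web enrollment ---
Install-WindowsFeature ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA -CACommonName 'SSL-LAB-CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' -KeyLength 2048 `
    -HashAlgorithmName SHA512 -ValidityPeriod Years -ValidityPeriodUnits 5 -Force
Install-AdcsWebEnrollment -Force

# --- Step 3: publish the duplicated Web Server template (name is an assumption) ---
Add-CATemplate -Name 'VMwareSSL' -Force

# --- Check: does an issued certificate carry what the template customization adds? ---
function Test-VSphereCertExtensions {
    param([Parameter(Mandatory)][string]$Path)   # .cer or .crt exported from web enrollment
    $X509 = 'System.Security.Cryptography.X509Certificates'
    $cert = New-Object "$X509.X509Certificate2" $Path
    $eku  = $cert.Extensions | Where-Object { $_ -is ("$X509.X509EnhancedKeyUsageExtension" -as [type]) }
    $ku   = $cert.Extensions | Where-Object { $_ -is ("$X509.X509KeyUsageExtension" -as [type]) }
    $KUF  = "$X509.X509KeyUsageFlags" -as [type]
    $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object Value)
    [pscustomobject]@{
        Subject          = $cert.Subject
        ServerAuth       = $ekuOids -contains '1.3.6.1.5.5.7.3.1'   # Web Server template default
        ClientAuth       = $ekuOids -contains '1.3.6.1.5.5.7.3.2'   # added on the Extensions tab
        DataEncipherment = [bool]($ku.KeyUsages -band $KUF::DataEncipherment)  # "allow encryption of user data"
        KeyEncipherment  = [bool]($ku.KeyUsages -band $KUF::KeyEncipherment)
        DigitalSignature = [bool]($ku.KeyUsages -band $KUF::DigitalSignature)
    }
}

Test-VSphereCertExtensions -Path 'C:\certs\vcenter.cer'   # path is an assumption
```

Every column of the returned object should read True for a certificate minted from the customized template; a False in ClientAuth or DataEncipherment means the duplicate was published before the Extensions tab changes were saved.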

In the next post I will put both CAs to use to replace certificates for a mixed-mode install of SSO and Web Client 5.5 with Inventory Service and vCenter Server 5.1, using the VMware SSL Automation tool.
