Setting up a small lab CA on Windows 2012 R2 for vSphere certificate replacement
@fbuechsel Can you write the same for W2K12R2? :))
— Patrick Terlisten (@PTerlisten) 27 July 2014
Sure I can, so let’s go. The same assumptions as in the last post apply: this is not intended to be secure in any way. It should just be easy to set up and work out of the box, while being able to create certificates with Derek Seaman’s SSL toolkit (which should also satisfy the requirements of the VSS Labs vCert Manager) and to create vSphere basic-stack-compliant certificates.
As Server 2012/2012 R2 are still fairly new to me and I like to have things documented at some point, I will make this a walk-through from the very beginning, right after installing the operating system.
The first thing we need to do is to promote our server to a domain controller. However, dcpromo no longer works on Server 2012. So we have two choices here: either use a PowerShell script (which we will actually get by using the second option, and which is one of the best features of Server 2012 indeed) or use the GUI wizard.
I opted for the GUI version. Even with the GUI, in a small lab environment this setup performs just fine with 1 vCPU and 1 GB RAM (I found 512 MB not acceptable for Server 2012 with the GUI, at least).
So let’s use the new Server Manager to add the role for the “Active Directory Domain Services” by choosing “Manage” in the top right corner and then “Add roles and features”.
In the next screen we can actually choose our domain services and leave everything at default.
After the installation is done, only the binaries have actually been copied over; they still need to be configured. We can easily do so by clicking the small flag symbol, which will show a yellow exclamation-mark triangle to indicate that something still needs our attention. Simply clicking “Promote this server to a domain controller” then launches the wizard we wanted all along.
The rest of the wizard is left at its defaults, choosing a random password when requested. The next important screen is the “Review Options” screen. In the bottom right is a button called “View script”, which opens a text file containing the PowerShell instructions needed to run the whole wizard configuration with no GUI at all. Pretty nifty!
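The following is an added example of what such a non-GUI promotion looks like; it is my own reconstruction, not the script the wizard generates. It assumes a brand-new forest named lab.local with the NetBIOS name LAB, and that it is run in an elevated PowerShell session on the freshly installed server. The server reboots when it finishes.

```powershell
# Added example (not the wizard's generated output): promote a freshly
# installed Server 2012 R2 box to the first domain controller of a new
# lab forest. Assumed values: forest name "lab.local", NetBIOS name "LAB".
# Run in an elevated PowerShell session; the server reboots at the end.

$DomainName  = 'lab.local'   # assumption: new lab forest
$NetbiosName = 'LAB'         # assumption: NetBIOS name of that forest

# 1. Copy the AD DS binaries (the "Add roles and features" step).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 2. Configure the forest (the "Promote this server to a domain controller"
#    wizard). Read-Host keeps the Directory Services Restore Mode password
#    out of the script file instead of hard-coding it.
$dsrmPassword = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString

Import-Module ADDSDeployment
Install-ADDSForest `
    -DomainName $DomainName `
    -DomainNetbiosName $NetbiosName `
    -ForestMode 'Win2012R2' `
    -DomainMode 'Win2012R2' `
    -InstallDns:$true `
    -CreateDnsDelegation:$false `
    -DatabasePath 'C:\Windows\NTDS' `
    -LogPath 'C:\Windows\NTDS' `
    -SysvolPath 'C:\Windows\SYSVOL' `
    -SafeModeAdministratorPassword $dsrmPassword `
    -NoRebootOnCompletion:$false `
    -Force:$true

# 3. After the reboot, confirm that the promotion worked (run separately):
#    Get-ADDomainController -Discover -DomainName 'lab.local'
#    Get-Service NTDS, DNS, Netlogon
```

Install-ADDSForest is what the wizard's "View script" button emits for a new-forest promotion; the paths and forest/domain mode above are the wizard defaults for a 2012 R2 installation.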
After the domain controller bits are out of the way we can deal with the certificate services once more. Same procedure as last time: add a new role-based installation role, and this time choose “Active Directory Certificate Services”.
We don’t want to add any features this time either, and skip the next couple of screens with defaults until we get to “Role Services” under “AD CS”. Interestingly enough, Microsoft has changed the order of the role services, so some attention is needed to check the correct ones. Like last time we want “Certificate Authority” and “Certification Authority Web Enrollment”, which will also install IIS as a requirement.
We will leave the IIS settings at their defaults and click “Next” through the rest of the installation until we see the summary screen, which tells us that further configuration for the certificate services is needed as well.
The first screen wants the credentials of a user belonging to the local Administrators and Enterprise Admins groups. Since this is a lab, my domain admin will do just fine here. On the role services screen we choose to configure both.
As we want everything to be Active Directory integrated we choose “Enterprise CA” on the next screen. And since this again is a small lab, a root CA will have to be sufficient for now. A new private key is generated as well for my lab, and again I chose to go with SHA512 instead of the default, just because.
The rest of the setup will be again the “next, next, finish” kind of fashion. To be able to edit the certificate templates again we need to choose “Tools” and then “Certificate Authority” in Server Manager.
In the console that pops up we select the Web Server template, right-click it and choose the option to duplicate the template. Next comes customizing the template to VMware vSphere standards again. In the General tab, choose an appropriate name.
Once more the last step is to add the newly created certificate template to the web enrollment and to test that Derek’s script can mint the certificates just fine. This is done the same way as on Windows Server 2008 R2: right-click the Certificate Templates folder in the CA configuration, choose New and then the only option that is presented. Mark the freshly created template and hit “OK”. And indeed we can see the template being published in web enrollment.
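As an added example covering the CA part of this walk-through (the role installation, the Enterprise Root CA configuration and the final template publishing), here is the scripted equivalent. It is not the author's script or anything from the VMware tooling. It assumes the CA common name LAB-CA and a template named VMwareSSL that has already been duplicated from "Web Server" in the Certificate Templates console, since the built-in cmdlets offer nothing for duplicating a template; that step stays in the GUI as in the post. Run it elevated as a user who is both a local administrator and an Enterprise Admin.

```powershell
# Added example (not the author's own script): install AD CS with the
# Certification Authority and Web Enrollment role services, configure an
# Enterprise Root CA with a SHA512-signed CA certificate, publish a
# duplicated web server template on the CA and verify it is offered.
# Assumptions: CA common name "LAB-CA"; a template "VMwareSSL" already
# duplicated from "Web Server" in the Certificate Templates console.
# Run elevated, as a local administrator who is also an Enterprise Admin.

$CACommonName = 'LAB-CA'       # assumption
$TemplateName = 'VMwareSSL'    # assumption: the template *name* (no spaces),
                               # not its display name, from the General tab

# 1. Binaries for the two role services chosen in the post; IIS is pulled
#    in automatically as a dependency of web enrollment.
Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools

# 2. Configure the Enterprise Root CA. A fresh RSA key is generated and the
#    CA certificate is signed with SHA512 instead of the default SHA1.
Import-Module ADCSDeployment
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName $CACommonName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 `
    -HashAlgorithmName SHA512 `
    -ValidityPeriod Years `
    -ValidityPeriodUnits 5 `
    -Force

# 3. The web enrollment pages (http://<server>/certsrv).
Install-AdcsWebEnrollment -Force

# 4. Publish the duplicated template on the CA. This is the
#    "New -> Certificate Template to Issue" step of the post.
Import-Module ADCSAdministration
if (-not (Get-CATemplate | Where-Object Name -eq $TemplateName)) {
    Add-CATemplate -Name $TemplateName -Force
}

# 5. Verify: the template must now be listed on the CA, and the CA service
#    must answer. certutil -CATemplates shows the same list the web
#    enrollment pages draw from; certutil -ping checks the CA is reachable.
Get-CATemplate | Format-Table -AutoSize
certutil -CATemplates
certutil -ping
```

If Add-CATemplate reports that the template cannot be found, the value passed is usually the display name rather than the template name; both are set on the General tab when duplicating, and the CA only knows the latter.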
In the next post I will put both CAs to use to replace certificates for a mixed mode install of SSO and Web Client 5.5 with Inventory Service and vCenter Server 5.1 using the VMware SSL Automation tool.