vSphere and vCenter 6.0

Last August, a coworker and I published a book on Amazon called Building Blocks: vSphere and vCenter 6.0. The sales were less than stellar and, obviously, I didn’t expect to get rich by writing tech books. However, I believe there is a lot of useful information in it, and while it will stay on Amazon for sale, I will post the PDF here for free. If you feel like the information was good or helpful, please buy a copy as a donation. The most important thing to me is getting the information out there.

Here is a link to the book on Amazon:  Building Blocks: vSphere 6.0 and vCenter 6.0

Here is a PDF copy of the book.

building blocks vsphere 6.0 and vcenter 6.0

If you have any comments, corrections, suggestions or the like, please feel free to email me at tom@computom.com.

Certificates…I hate them.

Updated:  Here is the link to actually configure the certificates:  Configure Microsoft CA Templates for VMware with SHA2-256

 

Now I realize that certificates are good and great and they keep our stuff from flying around the web in clear text, but I hate them and I also hate doing them for VMware.

Basically every KB article that VMware has for certificates just sucks. I have tried to get them updated and I have had no luck.

All of the articles are happy go lucky if you are on Windows 2003 with SHA1 in the most insecure environment ever, but I’m not.

This is what I have:

Windows 2012R2 AD controllers

Windows 2012R2 CA with SHA2 256 with a 2048 bit key

This is the KB I used:  VMware KB: 2112009

First of all, the video they included in the KB doesn’t match the god damn instructions. It just tells you to select “Windows 2008 Enterprise” for backwards compatibility.

Well guess what…the article references both Windows 2003 enterprise and Windows 2008 enterprise. Neither of those are real options. It’s Windows XP/2003 or Windows 2008.

They are also referencing the CA OS only. What about the certificate recipient?! Is everything VMware just backwards compatible with 2003? Well that doesn’t seem secure at all.

Next the article goes on to say this: Note: If you have an encryption level higher than SHA1, select Windows Server 2008 Enterprise.

Oh really? Well it didn’t work for me. Also there are two options. The certificate authority and the certificate recipient. WHICH ONE ARE YOU TALKING ABOUT?

Jesus…Yeah I’m kind of mad. VMware needs some QA on their articles for sure.

Now I will admit…I probably don’t know as much about CAs and certs as I should, but KB articles are for the uninformed people aka Knowledge Base. Not the people who know everything.

:rantover:

I have actually resolved the issue and I have posted a link at the top of this article.

 

Configure Microsoft CA Templates for VMware with SHA2-256

So now that I have finished my rant, I will show you how to successfully configure a template for VMware certificates.

So for this you need to have a 2008+ Microsoft Certificate Authority installed and ready to go.

This is the VMware KB and it is incomplete:  VMware KB: 2112009

Open the Certificate Authority snap-in.

Right click on Certificate Templates and click Manage.

Right click on Web Server and click Duplicate.


Enter the names for the Template.

Select Windows 2008 for both options, the certificate authority and the certificate recipient. (The KB is not specific about this.)

Check the box for Allow private key to be exported. (Not in the KB at all)

You need this if you are generating your CSRs through IIS, since you will need to export the private key.
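Once a certificate has been issued from the duplicated template, it is worth confirming that it really came out signed with SHA2-256, carries a 2048 bit key and names the template you expect. The following is an added example, not code from this post or from VMware; the function name and the file path in the usage line are hypothetical, and it assumes .NET Framework 4.6 or later on a Windows machine.

```powershell
# Added example: check an issued certificate against the SHA2-256 / 2048 bit target.
# Test-IssuedCertificate is a hypothetical helper name, not a built-in cmdlet.
function Test-IssuedCertificate {
    param(
        [Parameter(Mandatory)] [string] $Path,   # DER or Base64 encoded .cer/.crt file
        [int] $MinimumKeyBits = 2048
    )

    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $full

    # OID 1.2.840.113549.1.1.11 is sha256WithRSAEncryption (shown by Windows as sha256RSA).
    $sigOid = $cert.SignatureAlgorithm.Value

    # GetRSAPublicKey returns $null for non-RSA keys, so guard before reading KeySize.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    $keyBits = if ($rsa) { $rsa.KeySize } else { 0 }

    # A Microsoft CA records the issuing template in one of two extensions:
    #   1.3.6.1.4.1.311.21.7  Certificate Template Information (version 2 and later templates)
    #   1.3.6.1.4.1.311.20.2  Certificate Template Name (version 1 templates)
    $templateOids = '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2'
    $tmplExt = $cert.Extensions |
        Where-Object { $templateOids -contains $_.Oid.Value } |
        Select-Object -First 1
    $template = if ($tmplExt) { $tmplExt.Format($false) } else { '(no template extension)' }

    [pscustomobject]@{
        Subject            = $cert.Subject
        SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
        IsSha256Rsa        = ($sigOid -eq '1.2.840.113549.1.1.11')
        KeyBits            = $keyBits
        KeySizeOk          = ($keyBits -ge $MinimumKeyBits)
        Template           = $template
        NotAfter           = $cert.NotAfter
    }
}

# Usage (the path is a placeholder for your own issued certificate):
# Test-IssuedCertificate -Path 'C:\certs\vcenter.cer' | Format-List
```

If IsSha256Rsa comes back False, the CA signed the certificate with a different hash, whatever the template compatibility settings say.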
