As you can see on my blog, I have been working a lot on SSL certificates. A few months ago I decided to take a look at the VRO SDK and create a new plugin that could integrate what I have done in the VMware Certificate Toolkit. I developed that plugin and it was working well, but it was only creating certificate files (CSR, self-signed CRT, PFX, ...); the signing part was still manual. I took a little break from VRO as I was struggling with NTLM authentication in Java to automate the signing with Active Directory Certificate Services. And now the work is done! SSLutils is able to create and read CSR certificate requests and to send the CSR to Active Directory Certificate Services in order to retrieve the associated CRT file. It is also able to create self-signed CRTs and read CRT files. I am posting a beta version because this was only tested in my lab environment, and it would be great if you guys can do some testing so I can improve the plugin.
To use this plugin correctly to update certificates on VMware products, you must have the correct certificate template: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2062108
My environment:
- Active Directory Certificate Services:
  - Windows 2008 R2
  - Basic configuration (HTTP with NTLM authentication)
- VRO 5.5
Plugin information:
- Name: SSLUtils-5.5.1
- Size: 15.2 MB
- File format: .dar
Plugin features:
- PKCS10 certificate request
  - Create and read CSR files in Base64 format
  - Embedded key pair generator (public/private key)
  - X509v3 extensions (SubjectAltName, Basic Constraints, Key Usage and Extended Key Usage)
  - Key size: 2048 or 4096
- X509v3 certificate
  - Self-signed certificate generator, Base64 format
  - X509v3 certificate reader
- ADCS certificate enrollment
  - Automatic certificate request enrollment
  - Multiple certificate templates supported
  - HTTP and HTTPS (untrusted HTTPS connection check removed)
  - Basic and NTLM authentication supported
- Package with sample workflows included
Let’s take a look at VRO
Here you can see a sample workflow included in the plugin.
The first scriptable task creates a certificate request with the associated private key. Those objects are strings and can be stored in files with the appropriate extension (.csr, .key, ...) or sent by email.
```javascript
// create the certificate request (the class name is SSLCertificateRequest, as in the read example below)
var csr = new SSLCertificateRequest(KeySize, SubjectAltName, Organization, OrganizationalUnit, CountryCode, State, Locality, CommonName);
// result: certificate request (public key inside) and associated RSA private key
System.log(csr.getCertificateRequest());
System.log(csr.getPublicKey());
System.log(csr.getPrivateKey());
// keep the PEM string for the next tasks
csrString = csr.getCertificateRequest();
```
The second scriptable task reads the certificate request information from the CSR generated previously.
```javascript
// load the CSR from its PEM string
var csr = new SSLCertificateRequest(csrString);
// read information from the CSR
System.log("Subject: " + csr.getSubject());
System.log("Signature: " + csr.getSignature());
System.log("Subject Alternative Name: " + csr.getSubjectAlternativeName());
```
The third scriptable task does the certificate enrollment by connecting to Active Directory Certificate Services. It then retrieves the signed certificate and puts it in the crtString variable as a string. You can convert that string into a .crt file.
```javascript
// instantiate the signer (ADCS host, http/https, credentials and Basic or NTLM auth type)
var signer = new ADCertificateSigner(adcs, protocol, username, password, authType);
// submit the certificate request to Active Directory Certificate Services with the chosen template
var id = signer.submitCSR(csrString, crtTemplate);
// retrieve the signed certificate from Active Directory Certificate Services by request id
var crt = signer.getCRT(id);
System.log(crt);
```
The following screenshot shows the output you can get from this workflow:
From this you can export the certificate request, the public key, the private key and the signed certificate to files.
Anyone who has already implemented SSL certificates on servers knows that it is a painful task, and as a consultant in cloud automation, I am proud to announce that Certificate as a Service is born 😉
Have fun and don’t forget to give me feedback: just the versions of the different components in your environment and whether it works or not.