{"id":202,"date":"2022-07-27T16:56:52","date_gmt":"2022-07-27T14:56:52","guid":{"rendered":"https:\/\/zerobotics.de\/blog\/?p=202"},"modified":"2023-07-17T16:32:09","modified_gmt":"2023-07-17T14:32:09","slug":"vmware-nsx-alb-avi-certificate-signing-request-csr-in-combination-with-microsoft-ca","status":"publish","type":"post","link":"https:\/\/zerobotics.de\/blog\/en\/vmware-nsx-alb-avi-certificate-signing-request-csr-in-combination-with-microsoft-ca\/","title":{"rendered":"VMware NSX ALB \/ AVI Certificate Signing Request (CSR) with Microsoft CA"},"content":{"rendered":"Reading Time<\/span> 2<\/span> Minutes<\/span><\/span>\n

Since I was dealing with VMware NSX Advanced Load Balancer (or NSX ALB aka AVI Loadbalancer, take your pick!) in connection with vSphere with Tanzu in our ITQ Lab environment, I also wanted to make it trustworthy with an „official“ certificate and replace the „Self Signed Certificate“.<\/p>\n\n\n\n

In the Lab environment, a Windows Certificate Authority (CA) and the CA Web Enrollment already exist on a Windows 2019 VM. I will not go into detail about the installation of the CA; here I followed an article on the VirtuallyThere Blog<\/a>.<\/p>\n\n\n\n

In addition, I have created a Certificate Template according to VMware specifications. In the future, I would like to use this for all VMware product deployments in the lab. I have written another blog article about this (Creating a Microsoft CA Template for vSphere 6.x\/7.x<\/a>), or if you want to read it directly from VMware, here is the KB article: Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.x\/7.x<\/a><\/p>\n\n\n\n\n\n\n\n

Certificate Signing Request<\/h2>\n\n\n\n

First, a certificate signing request must be created on the AVI controller. To do this, go to Templates >> Security >> SSL\/TLS Certificates<\/code><\/strong>, select Create >> Controller Certificate<\/code><\/strong> and create a new certificate of the type „CSR<\/code><\/strong>„.<\/p>\n\n\n\n

\"Create
Create a new Controller Certificate<\/figcaption><\/figure>\n\n\n\n
\"\"
New Certificate Type CSR<\/figcaption><\/figure>\n\n\n\n
<\/div>\n\n\n\n

When creating the request, make sure that all access addresses are included in the Subject Alternate Names (SANs). In my first attempt, I forgot the cluster IP and had to confirm the browser’s security query for this one address; the rest were excluded meaning they worked fine. Unfortunately, you then have to go through the CSR process again.<\/p>\n\n\n\n

\"\"
Adding Subject Alternate Names (SAN)<\/figcaption><\/figure>\n\n\n\n
<\/div>\n\n\n\n

Quick hint:
How do I come up with 4 entries for the SANs?<\/p>\n\n\n\n