From Iwan

Jump to: navigation, search

⚡
Before this can be done please complete Configuring a Microsoft Server to be a Root Certificate Authority (CA) and Use OpenSSL to generate the Certificate Signing Request (CSR) for VMware NSX (with multiple SANs)

In this lab I am working with the following software and versions:

Software	Version	Filename
Windows Server	2019	en_windows_server_2019_updated_feb_2020_x64_dvd_de383770.iso

Sign the NSX CSR with a Microsoft SA Server

The Steps

STEP 1: Open the Microsoft Active Directory Certificate Services
STEP 2: Sign the NSX CSR
STEP 3: Save the signed .csr file

STEP 1» Open the Microsoft Active Directory Certificate Services

STEP 2» Sign the NSX CSR

Select “Request a certificate”.

Select “advanced certificate request”.

Copy/Paste the content of the non-signed .csr into the request field.

Make sure to select the correct Certificate Template: “VMware NSX Certificates”

Click “Submit”.

Select “Base 64 encoded” and download both the “certificate: and the “certificate chain”

STEP 3» Save the signed csr file

Download them in the same folder as the initial (not-signed) .csr file is stored.

The nsx-signed.cer output:

-----BEGIN CERTIFICATE-----
MIIGgzCCBWugAwIBAgITFQAAAAarDMgMgI9fKwAAAAAABjANBgkqhkiG9w0BAQsF
ADBGMRMwEQYKCZImiZPyLGQBGRYDbGFiMRQwEgYKCZImiZPyLGQBGRYEc2RkYzEZ
MBcGA1UEAxMQc2RkYy1TVEVQLVdJTi1DQTAeFw0yMjA4MjcxOTA4NDlaFw0yNDA4
MjYxOTA4NDlaMH0xCzAJBgNVBAYTAk5MMQswCQYDVQQIEwJaSDESMBAGA1UEBxMJ
Um90dGVyZGFtMRQwEgYDVQQKEwtOU1ggQWNhZGVteTESMBAGA1UECxMJRWR1Y2F0
aW9uMSMwIQYDVQQDExpwb2QtMTIwLW5zeHQtbG0uc2RkYy5sb2NhbDCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMoJLyy4gLLUnUKIHDanOInr2HZled4Y
d44nZRcb0Vu/KaVuhastM21q8TgkSDJwPKSILUr5+42lVUYwH42708a7DL8fKVap
dbnOcHD33WTJ3xlI6kMZ2IhVtswywm1vfxIXiF1I3MvLARC1PZhui7xZSuBnXhz5
6nG6h3lGXUpOeOrKZdIxTQ8vzNcSOJzSBDCYYcQcZ+0b1yKqqUaWeLXtWNpDWCSd
2zfYOahzLYgs4Fkj/70uk5uagD+TuBwpvcj+VPrREAJfPbJrvU0PzSkRmFqubQle
BIkgHmKl0sp490Z7h7jlUJLoBYHTV5tDgw825ZKn589WibDBx56wa3cCAwEAAaOC
AzEwggMtMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoG
CCsGAQUFBwMBMIHLBgNVHREEgcMwgcCCD3BvZC0xMjAtbnN4dC1sbYIacG9kLTEy
MC1uc3h0LWxtLnNkZGMubG9jYWyCEXBvZC0xMjAtbnN4dC1sbS0xghxwb2QtMTIw
LW5zeHQtbG0tMS5zZGRjLmxvY2FsghFwb2QtMTIwLW5zeHQtbG0tMoIccG9kLTEy
MC1uc3h0LWxtLTIuc2RkYy5sb2NhbIIRcG9kLTEyMC1uc3h0LWxtLTOCHHBvZC0x
MjAtbnN4dC1sbS0zLnNkZGMubG9jYWwwHQYDVR0OBBYEFIKeek+NjY7vMcIc7k/0
zxX7RjjjMB8GA1UdIwQYMBaAFMlUQBfMs73FNY7sS9congVluUS+MIHMBgNVHR8E
gcQwgcEwgb6ggbuggbiGgbVsZGFwOi8vL0NOPXNkZGMtU1RFUC1XSU4tQ0EsQ049
c3RlcC13aW4sQ049Q0RQLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNl
cnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9c2RkYyxEQz1sYWI/Y2VydGlmaWNh
dGVSZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdENsYXNzPWNSTERpc3RyaWJ1dGlv
blBvaW50MIG/BggrBgEFBQcBAQSBsjCBrzCBrAYIKwYBBQUHMAKGgZ9sZGFwOi8v
L0NOPXNkZGMtU1RFUC1XSU4tQ0EsQ049QUlBLENOPVB1YmxpYyUyMEtleSUyMFNl
cnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9c2RkYyxEQz1s
YWI/Y0FDZXJ0aWZpY2F0ZT9iYXNlP29iamVjdENsYXNzPWNlcnRpZmljYXRpb25B
dXRob3JpdHkwPAYJKwYBBAGCNxUHBC8wLQYlKwYBBAGCNxUIg5y1a4GG4zLBnzuD
17FHhsa1A2aDickhgcC1dwIBZAIBAjAbBgkrBgEEAYI3FQoEDjAMMAoGCCsGAQUF
BwMBMA0GCSqGSIb3DQEBCwUAA4IBAQBHni3IBJO2eEb2eppbzRDFWwh1idzevqpp
BZzQ86XYPH+3hrYHDXztKR3TckKvk5a5twjzWmDE7z7YBaby566JVSZP0EsRRyB4
eAYim/R+DVVTb5VLnkodToJAqg/R5+16kOcKVm+jihmD0TWIrEomd6PYDQKTeRBT
8eXvEipc9JjimVrZkmhvAaM6xgWwpwyAxJKFX+4CDEpnivobMyXmPG9U99lOB0LZ
lXipzKfkuC2h3HDpNSCn7mcEcTz1xWEp863/7KEd1inigrUBceiRKoOnYiiUMHUj
03wLzZb1i1bDQPAJmpH0ig/iPuOzmfM2kMuzyQfEuIj3H11zYcDN
-----END CERTIFICATE-----

The nsx-signed-full.p7b output:

-----BEGIN CERTIFICATE-----
MIIQrgYJKoZIhvcNAQcCoIIQnzCCEJsCAQExADCCBpoGCSqGSIb3DQEHAaCCBosE
ggaHMIIGgzCCBWugAwIBAgITFQAAAAarDMgMgI9fKwAAAAAABjANBgkqhkiG9w0B
AQsFADBGMRMwEQYKCZImiZPyLGQBGRYDbGFiMRQwEgYKCZImiZPyLGQBGRYEc2Rk
YzEZMBcGA1UEAxMQc2RkYy1TVEVQLVdJTi1DQTAeFw0yMjA4MjcxOTA4NDlaFw0y
NDA4MjYxOTA4NDlaMH0xCzAJBgNVBAYTAk5MMQswCQYDVQQIEwJaSDESMBAGA1UE
BxMJUm90dGVyZGFtMRQwEgYDVQQKEwtOU1ggQWNhZGVteTESMBAGA1UECxMJRWR1
Y2F0aW9uMSMwIQYDVQQDExpwb2QtMTIwLW5zeHQtbG0uc2RkYy5sb2NhbDCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMoJLyy4gLLUnUKIHDanOInr2HZl
ed4Yd44nZRcb0Vu/KaVuhastM21q8TgkSDJwPKSILUr5+42lVUYwH42708a7DL8f
KVapdbnOcHD33WTJ3xlI6kMZ2IhVtswywm1vfxIXiF1I3MvLARC1PZhui7xZSuBn
Xhz56nG6h3lGXUpOeOrKZdIxTQ8vzNcSOJzSBDCYYcQcZ+0b1yKqqUaWeLXtWNpD
WCSd2zfYOahzLYgs4Fkj/70uk5uagD+TuBwpvcj+VPrREAJfPbJrvU0PzSkRmFqu
bQleBIkgHmKl0sp490Z7h7jlUJLoBYHTV5tDgw825ZKn589WibDBx56wa3cCAwEA
AaOCAzEwggMtMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQM
MAoGCCsGAQUFBwMBMIHLBgNVHREEgcMwgcCCD3BvZC0xMjAtbnN4dC1sbYIacG9k
LTEyMC1uc3h0LWxtLnNkZGMubG9jYWyCEXBvZC0xMjAtbnN4dC1sbS0xghxwb2Qt
MTIwLW5zeHQtbG0tMS5zZGRjLmxvY2FsghFwb2QtMTIwLW5zeHQtbG0tMoIccG9k
LTEyMC1uc3h0LWxtLTIuc2RkYy5sb2NhbIIRcG9kLTEyMC1uc3h0LWxtLTOCHHBv
ZC0xMjAtbnN4dC1sbS0zLnNkZGMubG9jYWwwHQYDVR0OBBYEFIKeek+NjY7vMcIc
7k/0zxX7RjjjMB8GA1UdIwQYMBaAFMlUQBfMs73FNY7sS9congVluUS+MIHMBgNV
HR8EgcQwgcEwgb6ggbuggbiGgbVsZGFwOi8vL0NOPXNkZGMtU1RFUC1XSU4tQ0Es
Q049c3RlcC13aW4sQ049Q0RQLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENO
PVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9c2RkYyxEQz1sYWI/Y2VydGlm
aWNhdGVSZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdENsYXNzPWNSTERpc3RyaWJ1
dGlvblBvaW50MIG/BggrBgEFBQcBAQSBsjCBrzCBrAYIKwYBBQUHMAKGgZ9sZGFw
Oi8vL0NOPXNkZGMtU1RFUC1XSU4tQ0EsQ049QUlBLENOPVB1YmxpYyUyMEtleSUy
MFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9c2RkYyxE
Qz1sYWI/Y0FDZXJ0aWZpY2F0ZT9iYXNlP29iamVjdENsYXNzPWNlcnRpZmljYXRp
b25BdXRob3JpdHkwPAYJKwYBBAGCNxUHBC8wLQYlKwYBBAGCNxUIg5y1a4GG4zLB
nzuD17FHhsa1A2aDickhgcC1dwIBZAIBAjAbBgkrBgEEAYI3FQoEDjAMMAoGCCsG
AQUFBwMBMA0GCSqGSIb3DQEBCwUAA4IBAQBHni3IBJO2eEb2eppbzRDFWwh1idze
vqppBZzQ86XYPH+3hrYHDXztKR3TckKvk5a5twjzWmDE7z7YBaby566JVSZP0EsR
RyB4eAYim/R+DVVTb5VLnkodToJAqg/R5+16kOcKVm+jihmD0TWIrEomd6PYDQKT
eRBT8eXvEipc9JjimVrZkmhvAaM6xgWwpwyAxJKFX+4CDEpnivobMyXmPG9U99lO
B0LZlXipzKfkuC2h3HDpNSCn7mcEcTz1xWEp863/7KEd1inigrUBceiRKoOnYiiU
MHUj03wLzZb1i1bDQPAJmpH0ig/iPuOzmfM2kMuzyQfEuIj3H11zYcDNoIIJ8jCC
BoMwggVroAMCAQICExUAAAAGqwzIDICPXysAAAAAAAYwDQYJKoZIhvcNAQELBQAw
RjETMBEGCgmSJomT8ixkARkWA2xhYjEUMBIGCgmSJomT8ixkARkWBHNkZGMxGTAX
BgNVBAMTEHNkZGMtU1RFUC1XSU4tQ0EwHhcNMjIwODI3MTkwODQ5WhcNMjQwODI2
MTkwODQ5WjB9MQswCQYDVQQGEwJOTDELMAkGA1UECBMCWkgxEjAQBgNVBAcTCVJv
dHRlcmRhbTEUMBIGA1UEChMLTlNYIEFjYWRlbXkxEjAQBgNVBAsTCUVkdWNhdGlv
bjEjMCEGA1UEAxMacG9kLTEyMC1uc3h0LWxtLnNkZGMubG9jYWwwggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDKCS8suICy1J1CiBw2pziJ69h2ZXneGHeO
J2UXG9FbvymlboWrLTNtavE4JEgycDykiC1K+fuNpVVGMB+Nu9PGuwy/HylWqXW5
znBw991kyd8ZSOpDGdiIVbbMMsJtb38SF4hdSNzLywEQtT2Ybou8WUrgZ14c+epx
uod5Rl1KTnjqymXSMU0PL8zXEjic0gQwmGHEHGftG9ciqqlGlni17VjaQ1gknds3
2Dmocy2ILOBZI/+9LpObmoA/k7gcKb3I/lT60RACXz2ya71ND80pEZharm0JXgSJ
IB5ipdLKePdGe4e45VCS6AWB01ebQ4MPNuWSp+fPVomwwceesGt3AgMBAAGjggMx
MIIDLTAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggr
BgEFBQcDATCBywYDVR0RBIHDMIHAgg9wb2QtMTIwLW5zeHQtbG2CGnBvZC0xMjAt
bnN4dC1sbS5zZGRjLmxvY2FsghFwb2QtMTIwLW5zeHQtbG0tMYIccG9kLTEyMC1u
c3h0LWxtLTEuc2RkYy5sb2NhbIIRcG9kLTEyMC1uc3h0LWxtLTKCHHBvZC0xMjAt
bnN4dC1sbS0yLnNkZGMubG9jYWyCEXBvZC0xMjAtbnN4dC1sbS0zghxwb2QtMTIw
LW5zeHQtbG0tMy5zZGRjLmxvY2FsMB0GA1UdDgQWBBSCnnpPjY2O7zHCHO5P9M8V
+0Y44zAfBgNVHSMEGDAWgBTJVEAXzLO9xTWO7EvXKJ4FZblEvjCBzAYDVR0fBIHE
MIHBMIG+oIG7oIG4hoG1bGRhcDovLy9DTj1zZGRjLVNURVAtV0lOLUNBLENOPXN0
ZXAtd2luLENOPUNEUCxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2
aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPXNkZGMsREM9bGFiP2NlcnRpZmljYXRl
UmV2b2NhdGlvbkxpc3Q/YmFzZT9vYmplY3RDbGFzcz1jUkxEaXN0cmlidXRpb25Q
b2ludDCBvwYIKwYBBQUHAQEEgbIwga8wgawGCCsGAQUFBzAChoGfbGRhcDovLy9D
Tj1zZGRjLVNURVAtV0lOLUNBLENOPUFJQSxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2
aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPXNkZGMsREM9bGFi
P2NBQ2VydGlmaWNhdGU/YmFzZT9vYmplY3RDbGFzcz1jZXJ0aWZpY2F0aW9uQXV0
aG9yaXR5MDwGCSsGAQQBgjcVBwQvMC0GJSsGAQQBgjcVCIOctWuBhuMywZ87g9ex
R4bGtQNmg4nJIYHAtXcCAWQCAQIwGwYJKwYBBAGCNxUKBA4wDDAKBggrBgEFBQcD
ATANBgkqhkiG9w0BAQsFAAOCAQEAR54tyASTtnhG9nqaW80QxVsIdYnc3r6qaQWc
0POl2Dx/t4a2Bw187Skd03JCr5OWubcI81pgxO8+2AWm8ueuiVUmT9BLEUcgeHgG
Ipv0fg1VU2+VS55KHU6CQKoP0eftepDnClZvo4oZg9E1iKxKJnej2A0Ck3kQU/Hl
7xIqXPSY4pla2ZJobwGjOsYFsKcMgMSShV/uAgxKZ4r6GzMl5jxvVPfZTgdC2ZV4
qcyn5Lgtodxw6TUgp+5nBHE89cVhKfOt/+yhHdYp4oK1AXHokSqDp2IolDB1I9N8
C82W9YtWw0DwCZqR9IoP4j7js5nzNpDLs8kHxLiI9x9dc2HAzTCCA2cwggJPoAMC
AQICEHf5Y6zMTNinRH5dfEntOQ4wDQYJKoZIhvcNAQELBQAwRjETMBEGCgmSJomT
8ixkARkWA2xhYjEUMBIGCgmSJomT8ixkARkWBHNkZGMxGTAXBgNVBAMTEHNkZGMt
U1RFUC1XSU4tQ0EwHhcNMjIwODI2MTUyMzU1WhcNMjcwODI2MTUzMzU0WjBGMRMw
EQYKCZImiZPyLGQBGRYDbGFiMRQwEgYKCZImiZPyLGQBGRYEc2RkYzEZMBcGA1UE
AxMQc2RkYy1TVEVQLVdJTi1DQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
ggEBAMJQQb1C5T7lxEkxvq33pJu0wKSqqfkq9q1YE/OGIvHWcm3BNP0PHsLiWaep
94bVIcHveDxCyjDLyeoynWS+re4CrZBoHadbuTjEKYPgujZPaMObLcX7U4fO2Pms
1LAb7/vRJ7Yvf98nGldOTaglCocMqaAL8A/1aeTfh+a/rkijsJJLmo9LEaRdXicq
dUUTPYJQeRcfP3zwObMPeR5fzpKrYr6JcKdzrPITWvXmtcW1GeQlWfnr7NRUU40e
+VvTJkRbhqx4Cpi4/vmMoX1GsxJDCQI0giNh+2bld1xLAAPaEfiLTDuI+Zbk98pn
PKhLO7kuB5bzhKXLbA9wgJAbZUkCAwEAAaNRME8wCwYDVR0PBAQDAgGGMA8GA1Ud
EwEB/wQFMAMBAf8wHQYDVR0OBBYEFMlUQBfMs73FNY7sS9congVluUS+MBAGCSsG
AQQBgjcVAQQDAgEAMA0GCSqGSIb3DQEBCwUAA4IBAQACdkP3qYs51tAURM3z5yuY
Qig8JzWDLd2haEcCbZSEkX1o5Yu6MtyNFTCGrqLemw9a+kNgGwzWU3MXvASQ35Tx
c7vrCJWIYic6uxdnVGGiafLOb25Kui6X5/QRajn7DiI/OzplT4vtqf5/nKaJk68u
BJj6BrVR3OfyWVawWNCXFJhGSmK+h4KsyL4BdSe5i6tS55WFPoZnZgRKYLmXrPbv
IVj/bh1l67yMxEOpdIrXvJDEeE6Vs7GJXUUlB0BNoG9Y8y4Q9+B681jaGq0wOByz
DeKEk/TSDVSN4ZxY+SeRo7woZWcdN46CbWAe+ui+CV79A4JHp9GJro++PoWW+DMl
MQA=
-----END CERTIFICATE-----

Continue with >> Lab: Replacing the self-signed SSL certificates with CA-signed certificates

Retrieved from "http://www.iwanhoogendoorn.nl/index.php?title=Lab:_Signing_the_NSX_CSR_with_a_Microsoft_(root)_CA_Server&oldid=5288"