Recently I had a customer wanting to identify if a VM of theirs was in Production, Test, or Development based on the VM’s name. Luckily, all of their VMs are named using a naming standard of “{customer}{P|T|D}{application}{server-role}”, giving a generic VM name like “custpdc1” or “cust-t-sql2”. They’re just getting started on their journey with vRealize Orchestrator, and wanted to use it to perform this function.
Easy enough, what do we need?
Introduction We all know the immense pain of managing Windows Server VM templates, regardless of the platform you’re using. Sure, you can build them once then update them manually on a schedule. However, it’s tedious to document and even worse to execute, making sure the template is identical every time (except for your new updates of course).
In my experience, you also have to maintain multiple versions and editions of Windows Server.
Just recently a few colleagues of mine were attempting to generate new private keys with a 4096 bit size but they were seeing shocking performance from all of their Linux VMs.
They were seeing key generation taking up to 15 minutes while smashing away at the keyboard to generate entropy. It wasn’t a resource issue, the VMs were sized appropriately and showed no signs of stress. They asked me if they could throw a “Chaos Key” USB device into each of the ESXi hosts to generate more entropy to reduce the time it takes, but I knew that wasn’t required (like I was going to let that happen).
After a very successful and quick migration from Windows SSO 5.5 U3e installation to a Platform Services Controller v6.0U3 appliance I was ready to get my VMCA into action.
We have a corporate internal Microsoft CA with the VMware certificate templates already created as per VMware KB 2112009. Everything was coming up Milhouse, until CSR generation time using the ‘certificate-manager’ on the PSCs.
After stepping through the ‘certificate-manager’ wizard and having the CSR and private key files sent to a directory of my choosing, I quickly inspected the CSR using openssl to make sure I was on the right track:
After performing the vSphere v5.5 to vSphere 6.0 migration in our testing environment with great success, I began work on our production environment. First things first, migrating Windows SSO to PSC appliance.
I had successfully converted the first machine, and started doing some testing. Things like logging into the thick client and checking all vCenter servers and basic login services.
Problem
Out of 6 vCenter servers, only 1 was having issues.
I was just in the middle of configuring a PSC 6.0 node’s VMCA as an intermediate CA and, in traditional fashion, went to request a certificate from a Windows Server 2008 R2 Microsoft CA using the web enrollment form (as per this VMware KB article).
Oddly enough though my brand spanking new vSphere 6.0 machine and intermediate CA certificate templates were missing from the template selection drop down.
I had a look around online and found that MS CA v3 certificate templates are not supported in the web enrollment form.
This isn’t a be all and end all post on converting your Windows-based SSO server to the Platform Services Controller appliance, although I found an issue when performing the migration.
We kept receiving an “Update export failed” message when the appliance was deployed by the conversion wizard. We couldn’t understand why, and the appliance updaterunner.log file gave us no clues as to what it could be.
Turns out, you must run the vcsa_setup.