SSL Certificate Management on an NSX Data Center for vSphere Edge Gateway Using Your VMware Cloud Director Service Provider Admin Portal

The NSX Data Center for vSphere software in the VMware Cloud Director environment provides the ability to use Secure Sockets Layer (SSL) certificates with the SSL VPN-Plus and IPsec VPN tunnels you configure for your edge gateways.

The edge gateways in your VMware Cloud Director environment support self-signed certificates, certificates signed by a Certification Authority (CA), and certificates generated and signed by a CA. You can generate certificate signing requests (CSRs), import the certificates, manage the imported certificates, and create certificate revocation lists (CRLs).

About Using Certificates with Your Organization Virtual Data Center

You can manage certificates for the following networking areas in your VMware Cloud Director organization virtual data center.

IPsec VPN tunnels between an organization virtual data center network and a remote network.
SSL VPN-Plus connections between remote users to private networks and web resources in your organization virtual data center.
An L2 VPN tunnel between two NSX Data Center for vSphere edge gateways.
The virtual servers and pools servers configured for load balancing in your organization virtual data center

How to Use Client Certificates

You can create a client certificate through a CAI command or REST call. You can then distribute this certificate to your remote users, who can install the certificate on their web browser.

The main benefit of implementing client certificates is that a reference client certificate for each remote user can be stored and checked against the client certificate presented by the remote user. To prevent future connections from a certain user, you can delete the reference certificate from the security server list of client certificates. Deleting the certificate denies connections from that user.

Generate a Certificate Signing Request for an Edge Gateway Using Your VMware Cloud Director Service Provider Admin Portal

Before you can order a signed certificate from a CA or create a self-signed certificate, you must generate a Certificate Signing Request (CSR) for your edge gateway.

A CSR is an encoded file that you need to generate on an NSX edge gateway which requires an SSL certificate. Using a CSR standardizes the way that companies send their public keys together with information that identifies their company names and domain names.

You generate a CSR with a matching private-key file that must remain on the edge gateway. The CSR contains the matching public key and other information such as the name, location, and domain name of your organization.

Procedure

Open Edge Gateway Services.
1. From the primary left navigation panel, select Resources, and from the page top navigation bar, select the Cloud Resources tab.
2. From the secondary left panel, select Edge Gateways.
3. Click the radio button next to the name of the target edge gateway, and click Services.
Click the Certificates tab.
On the Certificates tab, click CSR.

Configure the following options for the CSR:

Option	Description
Common Name	Enter the fully qualified domain name (FQDN) for the organization that you will be using the certificate for (for example, www.example.com). Do not include the http:// or https:// prefixes in your common name.
Organization Unit	Use this field to differentiate between divisions within your VMware Cloud Director organization with which this certificate is associated. For example, Engineering or Sales.
Organization Name	Enter the name under which your company is legally registered. The listed organization must be the legal registrant of the domain name in the certificate request.
Locality	Enter the city or locality where your company is legally registered.
State or Province Name	Enter the full name (do not abbreviate) of the state, province, region, or territory where your company is legally registered.
Country Code	Enter the country name where your company is legally registered.
Private Key Algorithm	Enter the key type, either RSA or DSA, for the certificate. RSA is typically used. The key type defines the encryption algorithm for communication between the hosts. When FIPS mode is on, RSA key sizes must be greater or equal to 2048 bits. Note: SSL VPN-Plus supports RSA certificates only.
Key Size	Enter the key size in bits. The minimum is 2048 bits.
Description	(Optional) Enter a description for the certificate.

Click Keep.
The system generates the CSR and adds a new entry with type CSR to the on-screen list.

Results

In the on-screen list, when you select an entry with type CSR, the CSR details are displayed in the screen. You can copy the displayed PEM formatted data of the CSR and submit it to a certificate authority (CA) to obtain a CA-signed certificate.

What to do next

Use the CSR to create a service certificate using one of these two options:

Transmit the CSR to a CA to obtain a CA-signed certificate. When the CA sends you the signed certificate, import the signed certificate into the system. See Import the CA-Signed Certificate Corresponding to the CSR Generated for an Edge Gateway Using Your VMware Cloud Director Service Provider Admin Portal.
Use the CSR to create a self-signed certificate. See Configure a Self-Signed Service Certificate Using Your VMware Cloud Director Service Provider Admin Portal.

Import the CA-Signed Certificate Corresponding to the CSR Generated for an Edge Gateway Using Your VMware Cloud Director Service Provider Admin Portal

After you generate a Certificate Signing Request (CSR) and obtain the CA-signed certificate based on that CSR, you can import the CA-signed certificate to use it by your edge gateway in VMware Cloud Director.

Prerequisites

Verify that you obtained the CA-signed certificate that corresponds to the CSR. If the private key in the CA-signed certificate does not match the one for the selected CSR, the import process fails.

Procedure

Open Edge Gateway Services.
1. From the primary left navigation panel, select Resources, and from the page top navigation bar, select the Cloud Resources tab.
2. From the secondary left panel, select Edge Gateways.
3. Click the radio button next to the name of the target edge gateway, and click Services.
Click the Certificates tab.
Select the CSR in the on-screen table for which you are importing the CA-signed certificate.
Import the signed certificate.
1. Click Signed certificate generated for CSR.
2. Provide the PEM data of the CA-signed certificate.
  - If the data is in a PEM file on a system you can navigate to, click the Upload button to browse to the file and select it.
  - If you can copy and paste the PEM data, paste it into the Signed Certificate (PEM format) field.
    Include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
3. (Optional) Enter a description.
4. Click Keep.
  
  Note: If the private key in the CA-signed certificate does not match the one for the CSR you selected on the Certificates screen, the import process fails.

Results

The CA-signed certificate with type Service Certificate appears in the on-screen list.

What to do next

Attach the CA-signed certificate to your SSL VPN-Plus or IPsec VPN tunnels as required. See Configure SSL VPN Server Settings on an NSX Data Center for vSphere Edge Gateway Using the VMware Cloud Director Service Provider Admin Portal and Specify Global IPsec VPN Settings on an NSX Edge Gateway in the VMware Cloud Director Service Provider Admin Portal.

Configure a Self-Signed Service Certificate Using Your VMware Cloud Director Service Provider Admin Portal

You can configure self-signed service certificates with your edge gateways, to use in their VPN-related capabilities. You can create, install, and manage self-signed certificates.

If the service certificate is available on the Certificates screen, you can specify that service certificate when you configure the VPN-related settings of the edge gateway. The VPN presents the specified service certificate to the clients accessing the VPN.

Prerequisites

Verify that at least one CSR is available on the Certificates screen for the edge gateway. See Generate a Certificate Signing Request for an Edge Gateway Using Your VMware Cloud Director Service Provider Admin Portal.

Procedure

Open Edge Gateway Services.
1. From the primary left navigation panel, select Resources, and from the page top navigation bar, select the Cloud Resources tab.
2. From the secondary left panel, select Edge Gateways.
3. Click the radio button next to the name of the target edge gateway, and click Services.
Click the Certificates tab.
Select the CSR in the list that you want to use for this self-signed certificate and click Self-sign CSR.
Enter the number of days that the self-signed certificate is valid for.
Click Keep.
The system generates the self-signed certificate and adds a new entry with type Service Certificate to the on-screen list.

Results

The self-signed certificate is available on the edge gateway. In the on-screen list, when you select an entry with type Service Certificate, its details are displayed in the screen.

Add a CA Certificate to the Edge Gateway for SSL Certificate Trust Verification Using Your VMware Cloud Director Service Provider Admin Portal

Adding a CA certificate to an edge gateway in VMware Cloud Director enables trust verification of SSL certificates that are presented to the edge gateway for authentication, typically the client certificates used in VPN connections to the edge gateway.

You usually add the root certificate of your company or organization as a CA certificate. A typical use is for SSL VPN, where you want to authenticate VPN clients using certificates. Client certificates can be distributed to the VPN clients and when the VPN clients connect, their client certificates are validated against the CA certificate.

Note: When adding a CA certificate, you typically configure a relevant Certificate Revocation List (CRL). The CRL protects against clients that present revoked certificates. See Add a Certificate Revocation List to an Edge Gateway Using Your VMware Cloud Director Service Provider Admin Portal.

Prerequisites

Verify that you have the CA certificate data in PEM format. In the user interface, you can either paste in the PEM data of the CA certificate or browse to a file that contains the data and is available in your network from your local system.

Procedure

Open Edge Gateway Services.
1. From the primary left navigation panel, select Resources, and from the page top navigation bar, select the Cloud Resources tab.
2. From the secondary left panel, select Edge Gateways.
3. Click the radio button next to the name of the target edge gateway, and click Services.
Click the Certificates tab.
Click CA certificate.
Provide the CA certificate data.
- If the data is in a PEM file on a system you can navigate to, click the Upload button to browse to the file and select it.
- If you can copy and paste the PEM data, paste it into the CA Certificate (PEM format) field.
  Include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
(Optional) Enter a description.
Click Keep.

Results

The CA certificate with type CA Certificate appears in the on-screen list. This CA certificate is now available for you to specify when you configure the VPN-related settings of the edge gateway.

Add a Certificate Revocation List to an Edge Gateway Using Your VMware Cloud Director Service Provider Admin Portal

A Certificate Revocation List (CRL) is a list of digital certificates that the issuing Certificate Authority (CA) claims to be revoked, so that systems can be updated not to trust users that present those revoked certificates to VMware Cloud Director. You can add CRLs to the edge gateway.

As described in the NSX Administration Guide, the CRL contains the following items:

The revoked certificates and the reasons for revocation
The dates that the certificates are issued
The entities that issued the certificates
A proposed date for the next release

When a potential user attempts to access a server, the server allows or denies access based on the CRL entry for that particular user.

Procedure

Open Edge Gateway Services.
1. From the primary left navigation panel, select Resources, and from the page top navigation bar, select the Cloud Resources tab.
2. From the secondary left panel, select Edge Gateways.
3. Click the radio button next to the name of the target edge gateway, and click Services.
Click the Certificates tab.
Click CRL.
Provide the CRL data.
- If the data is in a PEM file on a system you can navigate to, click the Upload button to browse to the file and select it.
- If you can copy and paste the PEM data, paste it into the CRL (PEM format) field.
  Include the -----BEGIN X509 CRL----- and -----END X509 CRL----- lines.
(Optional) Enter a description.
Click Keep.

Results

The CRL appears in the on-screen list.

Add a Service Certificate to the Edge Gateway Using Your VMware Cloud Director Service Provider Admin Portal

Adding service certificates to an edge gateway makes those certificates available for use in the VPN-related settings of the edge gateway. You can add a service certificate to the Certificates screen.

Prerequisites

Verify that you have the service certificate and its private key in PEM format. In the user interface, you can either paste in the PEM data or browse to a file that contains the data and is available in your network from your local system.

Procedure

Open Edge Gateway Services.
1. From the primary left navigation panel, select Resources, and from the page top navigation bar, select the Cloud Resources tab.
2. From the secondary left panel, select Edge Gateways.
3. Click the radio button next to the name of the target edge gateway, and click Services.
Click the Certificates tab.
Click Service certificate.
Input the PEM-formatted data of the service certificate.
- If the data is in a PEM file on a system you can navigate to, click the Upload button to browse to the file and select it.
- If you can copy and paste the PEM data, paste it into the Service Certificate (PEM format) field.
  Include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
Input the PEM-formatted data of the certificate private key.
When FIPS mode is on, RSA key sizes must be greater or equal to 2048 bits.
- If the data is in a PEM file on a system you can navigate to, click the Upload button to browse to the file and select it.
- If you can copy and paste the PEM data, paste it into the Private Key (PEM format) field.
  Include the -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- lines.
Enter a private key passphrase and confirm it.
(Optional) Enter a description.
Click Keep.

Results

The certificate with type Service Certificate appears in the on-screen list. This service certificate is now available for you to select when you configure the VPN-related settings of the edge gateway.