The NSX Data Center for vSphere software in the VMware Cloud Director environment provides the ability to use Secure Sockets Layer (SSL) certificates with the SSL VPN-Plus and IPsec VPN tunnels you configure for your edge gateways.
The edge gateways in your VMware Cloud Director environment support self-signed certificates, certificates signed by a Certification Authority (CA), and certificates generated and signed by a CA. You can generate certificate signing requests (CSRs), import the certificates, manage the imported certificates, and create certificate revocation lists (CRLs).
About Using Certificates with Your Organization Virtual Data Center
You can manage certificates for the following networking areas in your VMware Cloud Director organization virtual data center.
- IPsec VPN tunnels between an organization virtual data center network and a remote network.
- SSL VPN-Plus connections between remote users to private networks and web resources in your organization virtual data center.
- An L2 VPN tunnel between two NSX Data Center for vSphere edge gateways.
- The virtual servers and pools servers configured for load balancing in your organization virtual data center
How to Use Client Certificates
You can create a client certificate through a CAI command or REST call. You can then distribute this certificate to your remote users, who can install the certificate on their web browser.
The main benefit of implementing client certificates is that a reference client certificate for each remote user can be stored and checked against the client certificate presented by the remote user. To prevent future connections from a certain user, you can delete the reference certificate from the security server list of client certificates. Deleting the certificate denies connections from that user.
Generate a Certificate Signing Request for an Edge Gateway Using Your VMware Cloud Director Tenant Portal
Before you can order a signed certificate from a CA or create a self-signed certificate, you must generate a Certificate Signing Request (CSR) for your edge gateway.
A CSR is an encoded file that you need to generate on an NSX edge gateway which requires an SSL certificate. Using a CSR standardizes the way that companies send their public keys together with information that identifies their company names and domain names.
You generate a CSR with a matching private-key file that must remain on the edge gateway. The CSR contains the matching public key and other information such as the name, location, and domain name of your organization.
Procedure
Results
What to do next
Use the CSR to create a service certificate using one of these two options:
- Transmit the CSR to a CA to obtain a CA-signed certificate. When the CA sends you the signed certificate, import the signed certificate into the system. See Import the CA-Signed Certificate Corresponding to the CSR Generated for an Edge Gateway Using Your VMware Cloud Director Tenant Portal.
- Use the CSR to create a self-signed certificate. See Configure a Self-Signed Service Certificate Using Your VMware Cloud Director Tenant Portal.
Import the CA-Signed Certificate Corresponding to the CSR Generated for an Edge Gateway Using Your VMware Cloud Director Tenant Portal
After you generate a Certificate Signing Request (CSR) and obtain the CA-signed certificate based on that CSR, you can import the CA-signed certificate to use it by your edge gateway in VMware Cloud Director.
Prerequisites
Procedure
- Open Edge Gateway Services.
- From the primary left navigation panel, select Networking and from the page top navigation bar, select Edge Gateways.
- Select the edge gateway that you want to edit, and click Services.
- Click the Certificates tab.
- Select the CSR in the on-screen table for which you are importing the CA-signed certificate.
- Import the signed certificate.
- Click Signed certificate generated for CSR.
- Provide the PEM data of the CA-signed certificate.
- If the data is in a PEM file on a system you can navigate to, click the Upload button to browse to the file and select it.
- If you can copy and paste the PEM data, paste it into the Signed Certificate (PEM format) field.
Include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
- (Optional) Enter a description.
- Click Keep.
Note: If the private key in the CA-signed certificate does not match the one for the CSR you selected on the Certificates screen, the import process fails.
Results
What to do next
Attach the CA-signed certificate to your SSL VPN-Plus or IPsec VPN tunnels as required. See Configure SSL VPN Server Settings on an NSX Data Center for vSphere Edge Gateway Using the VMware Cloud Director Tenant Portal and Specify Global IPsec VPN Settings on an NSX Edge Gateway in the VMware Cloud Director Tenant Portal.
Configure a Self-Signed Service Certificate Using Your VMware Cloud Director Tenant Portal
You can configure self-signed service certificates with your edge gateways, to use in their VPN-related capabilities. You can create, install, and manage self-signed certificates.
If the service certificate is available on the Certificates screen, you can specify that service certificate when you configure the VPN-related settings of the edge gateway. The VPN presents the specified service certificate to the clients accessing the VPN.
Prerequisites
Verify that at least one CSR is available on the Certificates screen for the edge gateway. See Generate a Certificate Signing Request for an Edge Gateway Using Your VMware Cloud Director Tenant Portal.
Procedure
Results
Add a CA Certificate to the Edge Gateway for SSL Certificate Trust Verification Using Your VMware Cloud Director Tenant Portal
Adding a CA certificate to an edge gateway in VMware Cloud Director enables trust verification of SSL certificates that are presented to the edge gateway for authentication, typically the client certificates used in VPN connections to the edge gateway.
You usually add the root certificate of your company or organization as a CA certificate. A typical use is for SSL VPN, where you want to authenticate VPN clients using certificates. Client certificates can be distributed to the VPN clients and when the VPN clients connect, their client certificates are validated against the CA certificate.
Prerequisites
Verify that you have the CA certificate data in PEM format. In the user interface, you can either paste in the PEM data of the CA certificate or browse to a file that contains the data and is available in your network from your local system.
Procedure
- Open Edge Gateway Services.
- From the primary left navigation panel, select Networking and from the page top navigation bar, select Edge Gateways.
- Select the edge gateway that you want to edit, and click Services.
- Click the Certificates tab.
- Click CA certificate.
- Provide the CA certificate data.
- If the data is in a PEM file on a system you can navigate to, click the Upload button to browse to the file and select it.
- If you can copy and paste the PEM data, paste it into the CA Certificate (PEM format) field.
Include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
- (Optional) Enter a description.
- Click Keep.
Results
Add a Certificate Revocation List to an Edge Gateway Using Your VMware Cloud Director Tenant Portal
A Certificate Revocation List (CRL) is a list of digital certificates that the issuing Certificate Authority (CA) claims to be revoked, so that systems can be updated not to trust users that present those revoked certificates to VMware Cloud Director. You can add CRLs to the edge gateway.
As described in the NSX Administration Guide, the CRL contains the following items:
- The revoked certificates and the reasons for revocation
- The dates that the certificates are issued
- The entities that issued the certificates
- A proposed date for the next release
When a potential user attempts to access a server, the server allows or denies access based on the CRL entry for that particular user.
Procedure
- Open Edge Gateway Services.
- From the primary left navigation panel, select Networking and from the page top navigation bar, select Edge Gateways.
- Select the edge gateway that you want to edit, and click Services.
- Click the Certificates tab.
- Click CRL.
- Provide the CRL data.
- If the data is in a PEM file on a system you can navigate to, click the Upload button to browse to the file and select it.
- If you can copy and paste the PEM data, paste it into the CRL (PEM format) field.
Include the -----BEGIN X509 CRL----- and -----END X509 CRL----- lines.
- (Optional) Enter a description.
- Click Keep.
Results
Add a Service Certificate to the Edge Gateway Using Your VMware Cloud Director Tenant Portal
Adding service certificates to an edge gateway makes those certificates available for use in the VPN-related settings of the edge gateway. You can add a service certificate to the Certificates screen.
Prerequisites
Procedure
Results
The certificate with type Service Certificate appears in the on-screen list. This service certificate is now available for you to select when you configure the VPN-related settings of the edge gateway.