OpenSSL and NSX-T Certificates
When it comes to rolling out new applications and infrastructure, either at work or in my lab, I am one of those obsessed people who do not like using self-signed certificates, so I either use a certificate provider like RapidSSL or leverage an internal CA for handing out certificates.
In my lab I use OpenSSL as my internal CA, with which I sign all my certificates, mainly because it is open source and I don’t have to worry about having a Microsoft environment to host the certificate services.
I came across an interesting issue when creating certificates for NSX-T where the certificate I was generating was missing an extension even though I was following VMware’s documentation.
https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.1/administration/GUID-50C36862-A29D-48FA-8CE7-697E64E10E37.html
I ensured that “basicConstraints = CA:FALSE” was included as an extension in the certificate I was generating.
I verified that the required extension was in the certificate by running:
openssl x509 -in somensxt.pem -text -noout
As you can see, the required extension exists:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Every time I went to validate the imported certificate via API I would get “Import fails with missing extension”.
So after a lot of head scratching I looked at how VMware recommends setting up a Certificate Template for a Microsoft Certificate Authority in VMware Validated Design 6.2.
https://docs.vmware.com/en/VMware-Validated-Design/6.2/sddc-deployment-of-the-management-domain-in-the-first-region/GUID-8C4CA6F7-CEE8-45C9-83B4-09DD3EC5FFB0.html
I generated and tested a certificate successfully, then inspected that certificate and found some extra extensions that were required.
What was missing from my OpenSSL certificates was the X509v3 Extended Key Usage extension, which is not part of general certificate generation, as shown below.
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication, Code Signing, E-mail Protection
To enable the extension, I modified my extension.cnf file, which is used during certificate generation.
[someguy@ca somensxt]# cat extension.cnf
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
So, as an example of the certificate generation, once I had already generated a key and CSR using OpenSSL:
[someguy@ca somensxt]# openssl x509 -req -in somensxt.csr -CA /etc/pki/CA/certs/someawesomeCA.crt -CAkey /etc/pki/CA/private/someawesomeCA.key -CAcreateserial -out somensxt.pem -days 365 -sha256 -extfile extension.cnf
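The generation steps above, as an added example that is not part of the original post: a throwaway lab CA signs the same CSR once with only basicConstraints (the first attempt) and once with extension.cnf, and a small check inspects each result for the extensions NSX-T wanted before the import API is involved. The CA name, hostname and paths are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original post: build a throwaway lab CA,
# sign one CSR with only basicConstraints (the post's first attempt) and again
# with extension.cnf, then check each result for the extensions NSX-T wants
# before going anywhere near the import API. Names and paths are constructed.
set -u

# make_lab_pki <dir>: throwaway CA, manager key/CSR, and both extension files
make_lab_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=example lab CA" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=somensxt.example.test" \
    -keyout "$1/somensxt.key" -out "$1/somensxt.csr" 2>/dev/null
  printf 'basicConstraints = CA:FALSE\n' > "$1/basic.cnf"
  printf '%s\n' 'basicConstraints = CA:FALSE' \
    'extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection' \
    > "$1/extension.cnf"
}

# sign_csr <dir> <out.pem> [extfile]: the same x509 -req signing as the post
sign_csr() {
  dir=$1; out=$2
  if [ -n "${3:-}" ]; then set -- -extfile "$3"; else set --; fi
  openssl x509 -req -in "$dir/somensxt.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -out "$out" -days 365 -sha256 "$@" 2>/dev/null
}

# nsxt_cert_check <cert.pem>: 0 only if CA:FALSE plus an EKU carrying both
# server and client authentication are present; 1 names the first missing one
nsxt_cert_check() {
  text=$(openssl x509 -in "$1" -noout -text) || return 2
  for want in 'CA:FALSE' 'TLS Web Server Authentication' 'TLS Web Client Authentication'; do
    printf '%s\n' "$text" | grep -q "$want" || { echo "$1: missing $want"; return 1; }
  done
  echo "$1: required extensions present"
}

main() {
  d=$(mktemp -d)
  make_lab_pki "$d"
  sign_csr "$d" "$d/first.pem" "$d/basic.cnf"        # basicConstraints only
  sign_csr "$d" "$d/nsxt.pem" "$d/extension.cnf"     # basicConstraints + EKU
  nsxt_cert_check "$d/first.pem"   # missing TLS Web Server Authentication
  nsxt_cert_check "$d/nsxt.pem"    # required extensions present
  rm -rf "$d"
}
main
```

Running nsxt_cert_check against a PEM before the import call catches the missing EKU locally instead of through the API's "missing extension" error.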
Now when I validate and import the certificate, the API is much happier and I have suppressed my OCD for another day.
GET https://somensxt/api/v1/trust-management/certificates/2f1966f4-9419-40e7-a6bb-3c9d54e27394?action=validate
{
"status": "OK"
}
That is all for this blog; however, as a note, my OpenSSL CA does not have a Certificate Revocation List, so if you are going to use basic OpenSSL you will have to disable the CRL check in NSX-T by posting an update to the Security Global Config via API. With crl_checking_enabled set to false, NSX-T will also accept a certificate that the CA has since revoked, which is the trade-off of running a CA without a CRL.
Below you can see where "crl_checking_enabled": true is changed to false.
GET https://somensxt.somedomain.org/api/v1/global-configs/SecurityGlobalConfig
{
"crl_checking_enabled": true,
"ca_signed_only": false,
"eku_checking_enabled": true,
"resource_type": "SecurityGlobalConfig",
"id": "b6355bde-adef-4739-a060-0061f2cd86e7",
"display_name": "b6355bde-adef-4739-a060-0061f2cd86e7",
"_create_user": "system",
"_create_time": 1627964941857,
"_last_modified_user": "system",
"_last_modified_time": 1627982835257,
"_system_owned": false,
"_protection": "NOT_PROTECTED",
"_revision": 5
}
POST https://somensxt.somedomain.org/api/v1/global-configs/SecurityGlobalConfig
{
"crl_checking_enabled": false,
"ca_signed_only": false,
"eku_checking_enabled": true,
"resource_type": "SecurityGlobalConfig",
"id": "b6355bde-adef-4739-a060-0061f2cd86e7",
"display_name": "b6355bde-adef-4739-a060-0061f2cd86e7",
"_create_user": "system",
"_create_time": 1627964941857,
"_last_modified_user": "system",
"_last_modified_time": 1627982835257,
"_system_owned": false,
"_protection": "NOT_PROTECTED",
"_revision": 5
}