Howto: Creating a CA template for VMware services

Having set up my lab's PKI infrastructure previously, one of the next steps I needed to complete was to create a certificate template for VMware's products to use, as they require certain properties to be present in the certificates they are given. There is a KB article that covers this, but I wanted to run through it and use some of the specifics for my lab.

Template for VMware SSL Certificates

This template will provide certificates for ESXi hosts, vCenter, vRA, vRO, etc. To create it, we first need the Certificate Templates Console. This can be opened by running certtmpl.msc. Per the KB article, I duplicated the "Web Server" template as a starting point. My first task was to give the template a new name and set the validity to 4 years: On … [Read more...]

Howto: Configuring a homelab online subordinate CA

A quick recap of where I got to. I have an offline Root CA (well, it's still online because I'll need it in a minute) and I've created a website on my online subordinate CA server to host the Root CA certificate and CRL files. The purpose of the subordinate CA is to handle certificate signing and revocation for all services in my infrastructure that require them. It will be granted the authority to do so by the Root CA. So this post covers the remaining steps of the process, which are:

Installing and configuring the subordinate CA
Signing the subordinate CA's certificate using the Root CA
Delegating control of the subordinate CA to someone other than Domain Admins

Some elements of this process are very similar to the process of … [Read more...]

Howto: Publishing offline Root CA certs and CRLs

Previously, I set up an offline Root CA in my homelab with the intention of emulating a PKI setup that many enterprises seem to run. The second stage of this process is publishing the Root CA certificate and CRL in a place where they can be accessed while the Root CA is offline. If you recall, I configured the Root CA to publish its CRL etc. to a location on pki.o11n.lab. I now need to create that.

The Server

Rather than run my lab's online CA on a domain controller, which might be tempting but causes other issues, I have a domain-joined server set up that will eventually become my online subordinate CA. It's a vanilla Windows 2012 R2 server as before and a domain member.

DNS

The VM is called "ca-01", but I need to have pki.o11n.lab pointed … [Read more...]

Howto: Configuring a homelab offline Root CA

Self-signed SSL certificates are all well and good, but they're not meant for the real world. The trust issues they cause can be a headache on customer projects, and anything that's going into production shouldn't be using them. For that reason, I thought it'd be better to change my homelab so that it uses a slightly more realistic PKI setup. The first phase of that is creating an offline Root CA, as it's something that a good number of customers use too.

Step 1: DNS

From a DNS perspective, my homelab is split up so that anything physical and fundamental to the lab (e.g. storage / NAS, physical hosts, switches, etc.) lives in its own DNS domain (home.lab). Everything else from vCenter and AD downwards is in one or more other DNS … [Read more...]

Removing the whitespace from text files in Sublime

I like Sublime Text; it's my favourite text editor, handily available for OSX and Windows. What's annoying though is when you get given or open a text file that has loads of whitespace at the end of the lines. Aside from messing with my compulsive sense of order, there are cases when extra whitespace can cause problems for some applications. Just in case, there's a handy configuration option that can strip out trailing whitespace when a file is saved. Here's how to set it up...

Open Sublime's preferences - in OSX this is done by "cmd + ,"
Add the setting "trim_trailing_white_space_on_save" and set it to "true"
Save the preferences file

Bingo! Whitespace will be trimmed when files are saved in future. Just for clarity, the full … [Read more...]

Some other TimeMachine exclusions

In my other post on the topic I excluded my local Mail app files from my TimeMachine backups because they were tripping over McAfee AntiVirus. I thought that it might be sensible to add a few other exclusions to trim down the total amount backed up and reduce the impact of frequent TM backups on my laptop. As you can see, my total backup size is about 380 GB. Included in that are a fair few transient / temporary files that aren't needed, as well as some files that are backed up elsewhere anyway, plus a handful of things that maybe I don't need or want to back up.

Caches

Really, you want to keep them? I thought not. They include the browser caches for Safari and Firefox amongst other things. Click the "+" button. In the finder window … [Read more...]

Infected email breaking OSX TimeMachine backups

Having been away from home a lot recently, it had been a while since my laptop had been backed up by TimeMachine. After a few attempts though it got a bit annoying as McAfee kept interrupting the process. The problem seemed to be that the backups contained infected emails: McAfee was blocking TM from writing infected emails to the backup drive. As it turns out, I recalled fixing this once before (although I never blogged about it). So how could it have come unpicked? Looking at my TM backup exclusions, the exclusion that I added was still in place: But my whole mail folder should be more than 8KB!... Then it clicked. I hadn't done a TM backup since updating to OSX El Capitan. After clicking the "+" button to add a new rule, I navigated … [Read more...]

Changing vRA ExternalWfStubs Timeouts

I saw a question on Twitter this morning that I thought warranted a quick post: The default timeout for the various workflow stubs is 30 minutes, but they can be changed. As always, take backup copies and be careful! The six stubs that can be changed are:

Expired
RegisterMachine
Disposing
UnprovisionMachine
BuildingMachine
MachineProvisioned

The timeout settings for External Workflow stubs are configured on the Windows server (vRA 6.x) that hosts the Manager role. The file and path required (assuming a default installation) is:

C:\Program Files (x86)\VMware\vCAC\Server\ExternalWorkflows\xmldb\ExternalWFStubs.xml

Using your favourite text editor, simply adjust the timeout value for each workflow. Most people tend to require a longer … [Read more...]

UKVMUG 2015 – Loved it, but…

That's the fifth UKVMUG done with, and the first one that I've ever presented at. I loved it, it was a great day. The highlights for me (or what I did):

Joe Baguley's opening keynote - great as ever (even though I saw some of it in TechSummit a couple of weeks ago). Joe is a very inspiring speaker, and I'm not just saying that because he's my boss (a few times removed). Listening without a hangover this time, there were some interesting things that I took away from it.
Eric Wright's session on OpenStack and VMware. Great to meet a fellow vBrownBag guy and good content too.
An idea Josh Atwell gave me for some future blog postings over lunch.
Picking the brains of Andy Jenkins and Robbie Jerom about Docker and Cloud Native Apps
Ricky … [Read more...]

Don’t miss the UK VMUG!

In just over a week, on Thursday 19th November, a few hundred virtualisation professionals from the UK (and further afield too) will be descending on the National Motorcycle Museum near Birmingham once again for the UKVMUG. Although I've been a regular attendee of the UKVMUG in the past, this will be the first time that I'll be presenting. Along with my former Xtravirt colleagues, Jonathan Medd and Sam McGeown, we'll be talking about our collective experiences working on a number of major cloud automation projects. Aside from presenting and networking, I'm also looking forward to the other sessions. Some of the highlights of the agenda are: Joe Baguley's opening keynote - I think I had a preview of it at VMware's TechSummit last week, I … [Read more...]