Everyone knows the "dread" of replacing the vCenter certificates, and to be honest it has become a lot easier over time.

All certificate replacements start at the root of trust, the Root CA, so let's build one for our lab.

I will use the CentOS template I built in an earlier post as a starting point.

As the first step we should add the EPEL repository so that we have access to the packages we need.

[root@root-ca ~]# dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm

After adding the repository we can install the easy-rsa package using dnf.

[root@root-ca ~]# dnf install easy-rsa

Now we are all set to create our Root CA. I will create an extra user called causer; this user will not be able to log in remotely.

[root@root-ca ~]# useradd causer
[root@root-ca ~]# su - causer
[causer@root-ca ~]$ 

To set up the PKI we first have to initialize it using the following command.

[causer@root-ca ~]$ /usr/share/easy-rsa/3/easyrsa init-pki 
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /home/causer/pki

Now we need to create our vars file in the PKI directory under our home dir. The example from the easy-rsa project is a good starting point; after moving it into place we edit the copy at ~/pki/vars.

[causer@root-ca ~]$ wget https://raw.githubusercontent.com/OpenVPN/easy-rsa/master/easyrsa3/vars.example
[causer@root-ca ~]$ mv vars.example ~/pki/vars
[causer@root-ca ~]$ vim ~/pki/vars
[...]
set_var EASYRSA_REQ_COUNTRY     "IE"
set_var EASYRSA_REQ_PROVINCE    "Cork"
set_var EASYRSA_REQ_CITY        "Cork"
set_var EASYRSA_REQ_ORG         "Ben on VMs"
set_var EASYRSA_REQ_EMAIL       "blog@ben-on-vms.com"
set_var EASYRSA_REQ_OU          "Blog"
[...]
set_var EASYRSA_KEY_SIZE        4096
[...]
set_var EASYRSA_CA_EXPIRE       825
[...]
set_var EASYRSA_CERT_EXPIRE     365
[...]
set_var EASYRSA_DIGEST          "sha512"

It is now finally time to create our CA.

[causer@root-ca ~]$ /usr/share/easy-rsa/3/easyrsa build-ca 
[...]
Enter New CA Key Passphrase: Super$ecretPa55phrase
Re-Enter New CA Key Passphrase: Super$ecretPa55phrase
[...]
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:Ben on VMs Root CA

We now have our own Root CA.
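Before this CA is used to sign anything for vCenter it is worth confirming that the certificate easy-rsa produced actually reflects the policy we put into the vars file (EASYRSA_KEY_SIZE, EASYRSA_DIGEST, EASYRSA_CA_EXPIRE). The following script is an added example and is not part of easy-rsa or of the original post; it assumes only that the openssl command line tool is installed and that the CA certificate sits at the default easy-rsa location ~/pki/ca.crt. The function name check_ca_cert and the OK/FAIL/INFO output format are my own choices.

```shell
#!/bin/sh
# check_ca_cert.sh - verify a freshly built easy-rsa Root CA certificate
# against the policy from the vars file. Added example, not easy-rsa code.
# Assumes: openssl CLI available; certificate path given as first argument.
#
# Usage: check_ca_cert CERT [MIN_BITS] [DIGEST]
# Prints one line per finding; returns 0 only when every check passes.
check_ca_cert() {
    cert="$1"
    min_bits="${2:-4096}"      # matches EASYRSA_KEY_SIZE
    digest="${3:-sha512}"      # matches EASYRSA_DIGEST
    rc=0

    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) \
        || { echo "FAIL: cannot parse $cert as an X.509 certificate"; return 1; }

    # 1. basicConstraints must mark the certificate as a CA, otherwise
    #    clients will reject every certificate it signs.
    if printf '%s\n' "$text" | grep -q 'CA:TRUE'; then
        echo "OK:   basicConstraints CA:TRUE"
    else
        echo "FAIL: certificate is not marked as a CA (CA:TRUE missing)"; rc=1
    fi

    # 2. RSA key length must be at least the configured EASYRSA_KEY_SIZE.
    #    Handles both "Public-Key: (n bit)" and "RSA Public-Key: (n bit)".
    bits=$(printf '%s\n' "$text" \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    if [ -n "$bits" ] && [ "$bits" -ge "$min_bits" ]; then
        echo "OK:   key size $bits bits"
    else
        echo "FAIL: key size ${bits:-unknown} is below $min_bits bits"; rc=1
    fi

    # 3. Signature digest must match EASYRSA_DIGEST
    #    (e.g. "Signature Algorithm: sha512WithRSAEncryption").
    if printf '%s\n' "$text" | grep -q "Signature Algorithm: ${digest}With"; then
        echo "OK:   signed with $digest"
    else
        echo "FAIL: certificate is not signed with $digest"; rc=1
    fi

    # 4. Report the expiry so a short EASYRSA_CA_EXPIRE is noticed early.
    openssl x509 -in "$cert" -noout -enddate | sed 's/^/INFO: /'

    return $rc
}

# Stand-alone use: ./check_ca_cert.sh ~/pki/ca.crt 4096 sha512
if [ "$#" -gt 0 ]; then
    check_ca_cert "$@"
fi
```

Run it as causer right after build-ca; a non-zero exit means the vars file was not picked up (for example because it was saved outside ~/pki) and the CA should be rebuilt before any vCenter certificate is issued from it.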