Yesterday we created our own Root CA; now we want our CentOS template to trust the certificates signed by it.

As I want to up my PowerCLI game, we will use PowerCLI for all vSphere operations.

PS /home/bfrenzel> Connect-VIServer  10.7.45.200
[...]
User: administrator@vsphere.local
Password for user administrator@vsphere.local: ****************
[...]
Name                           Port  User
----                           ----  ----
10.7.45.200                    443   VSPHERE.LOCAL\Administrator

After connecting to our vCenter Server we will list our templates.

PS /home/bfrenzel> Get-Template

Name
----
template-centos-8

Now that we have the name of our template, we can convert it back to a VM.

PS /home/bfrenzel> Set-Template -Template 'template-centos-8' -ToVM                

Name                 PowerState Num CPUs MemoryGB
----                 ---------- -------- --------
template-centos-8    PoweredOff 1        2.000

Now we can power the VM on.

PS /home/bfrenzel> Start-VM template-centos-8

Name                 PowerState Num CPUs MemoryGB
----                 ---------- -------- --------
template-centos-8    PoweredOn  1        2.000

As we need to SSH into the VM, we need an IP address. Since the VMware Tools are installed, we can use PowerCLI for this as well.

PS /home/bfrenzel> (Get-VM -Name template-centos-8).Guest.IPAddress
10.7.87.103
fe80::d81:4682:ec49:ee3d

To add the CA certificate, we first need to retrieve it from our Root CA. Later we will make it much easier to retrieve, but for now we SSH into our CA VM and just copy the file content.

[causer@root-ca ~]$ cat pki/ca.crt 
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
[causer@root-ca ~]$ 

On our template we will need to create a file containing the certificate.

[root@template-centos-8 ~]# vim /etc/pki/ca-trust/source/anchors/lab-root-ca.crt

After pasting the content into the file, we can update the trust store on our system.

[root@template-centos-8 ~]# update-ca-trust extract

Now all new VMs created by this template will trust our Lab CA.
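Because the certificate is pasted by hand into a file that every future VM will trust, it is worth comparing its SHA-256 fingerprint with the one shown on the CA VM before updating the trust store. The script below is an added example, not part of the original article; the function names and the ANCHOR_DIR and UPDATE_CMD overrides are assumptions of the example.

```shell
#!/bin/sh
# Added example: check a pasted CA certificate's fingerprint before trusting it.
# Get the expected value on the CA VM with:
#   openssl x509 -in pki/ca.crt -noout -fingerprint -sha256
# ANCHOR_DIR and UPDATE_CMD are overridable (assumption of this example) so the
# script can be dry-run outside the template.
ANCHOR_DIR="${ANCHOR_DIR:-/etc/pki/ca-trust/source/anchors}"
UPDATE_CMD="${UPDATE_CMD:-update-ca-trust extract}"

# Print the SHA-256 (lower-case hex, no colons) of the DER bytes of the first
# certificate in a PEM file. Ignores CRLF and stray blanks left by copy/paste.
pem_fingerprint() {
    fp_body=$(awk '/-----BEGIN CERTIFICATE-----/ {on = 1; next}
                   /-----END CERTIFICATE-----/   {exit}
                   on' "$1" | tr -d ' \t\r\n')
    [ -n "$fp_body" ] || return 1
    printf '%s' "$fp_body" | base64 -d >/dev/null 2>&1 || return 1
    printf '%s' "$fp_body" | base64 -d | sha256sum | cut -d' ' -f1
}

# usage: install_lab_ca <pem-file> <expected-sha256> [anchor-file-name]
# The expected value may be the full openssl output line, with or without colons.
# Returns 0 on success, 1 on fingerprint mismatch, 2 if the file is not PEM.
install_lab_ca() {
    ca_want=$(printf '%s' "$2" | sed 's/.*=//' | tr -d ': ' | tr 'A-F' 'a-f')
    ca_name=${3:-lab-root-ca.crt}
    if ! ca_got=$(pem_fingerprint "$1"); then
        echo "no decodable PEM certificate in $1" >&2
        return 2
    fi
    if [ "$ca_got" != "$ca_want" ]; then
        echo "fingerprint mismatch: file has $ca_got" >&2
        return 1
    fi
    # Only a verified certificate reaches the anchors directory.
    install -m 0644 "$1" "$ANCHOR_DIR/$ca_name" && $UPDATE_CMD
}

if [ "$#" -ge 2 ]; then install_lab_ca "$@"; fi
```

Paste the certificate into a scratch file such as /root/ca.crt rather than directly into the anchors directory, then run the script with that file and the fingerprint read from the CA VM.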

We can run the clean up steps from the article “Home Lab - Preparing a CentOS 8 Template” to make a nice clean template again.

PS /home/bfrenzel> $vm = Get-VM 'template-centos-8'
PS /home/bfrenzel> New-Template -VM $vm -Name 'template-centos-8-with-root-ca' -Datastore 'datastore2' -Location 'Templates'
PS /home/bfrenzel> Remove-VM $vm