
Deploying VCF Offline Depot using Photon OS

December 29, 2025 | Homelab, Linux, VCF, VMware | No Comments

Greetings, today we will be deploying a Photon Linux Offline Depot for VCF.

This was done using Aaron Rombaut's article and the Broadcom KB article linked below.

https://techdocs.broadcom.com/us/en/vmware-cis/vcf/vcf-9-0-and-later/9-0/deployment/deploying-a-new-vmware-cloud-foundation-or-vmware-vsphere-foundation-private-cloud-/preparing-your-environment/downloading-binaries-to-the-vcf-installer-appliance/connect-to-an-offline-depot-to-download-binaries/set-up-an-offline-depot-web-server-for-vmware-cloud-foundation.html

To start, you will need to download Photon OS from the following link. I will be using the OVA with virtual hardware v15.

https://github.com/vmware/photon/wiki/Downloading-Photon-OS

I will be downloading the minimal ISO for x86_64

Right-click your cluster and select New Virtual Machine

Select Next

Enter the Virtual Machine name and select Next

Choose the cluster you want to deploy to and select Next

Choose the desired storage and select Next

Select your version compatibility. I changed from 9 to 8.0 U2 and later, as I have an 8.0 U3 node that this VM may be moved to between rebuilds.

Choose the appropriate OS version. Since this is for Linux Photon OS, I selected that. Select Next

Select Add New Device, choose Hard Disk, and set New Hard disk 2 to at least 250GB (1TB is recommended). I also changed CPU to 2 and Memory to 4, and changed the network VLAN to match where you will be deploying.

Change CD/DVD Drive to Datastore ISO file, find your ISO and select it. Check the Connect at Power On box. Select Next

Review your choices and select Finish

Power on the VM and then select Launch Web Console

Review the license agreement, then if you agree, hit Enter to Accept

We will install the OS on the 16G drive on /dev/sda. I will select Auto in this case

I am going to select Configure network manually

Enter your information and then select OK

Since I am doing this on an ESX host (this is on purpose; 9 changed the name back to ESX), I will choose VMware Hypervisor Optimized

Enter your hostname and hit enter

Enter your password and hit enter

Confirm you have the correct password and hit enter

Confirm if you are ready to install and hit enter

Once completed press any key to reboot

Go back to ESX and edit settings, then change CD/DVD drive back to Client Device and select OK

Login using the console as root so that we can enable SSH access for root

Once logged in, enter the following line to edit the config file

vi /etc/ssh/sshd_config

Once in the file, find the PermitRootLogin line; this should be line 32, as shown in the lower right of the image. Hit the “i” key to enter insert mode

Once in insert mode, remove the no and type in yes, then hit escape to exit insert mode

To save and exit, enter the following

:wq

Hit enter

Restart the sshd service and verify it using the below commands

systemctl restart sshd.service

systemctl status sshd.service

Add additional DNS Server

If you have an additional DNS server, feel free to do the following steps, if not please continue past them

Enter the following to edit the network settings for the adapter

vi /etc/systemd/network/50-static-en.network

Hit the “i” key and add your DNS server by leaving a space after the existing one then the IP of the new one

After entering the information it should look like this

Hit escape, then type the following

:wq

Hit enter

Once back at the prompt, enter the following to restart the systemd-resolved service

systemctl restart systemd-resolved

Enter the following

resolvectl status

Your results should look similar to this

Update the Operating System

Enter the following to apply updates

tdnf update --assumeyes

Hit enter

Once completed

Enter reboot and hit enter

Prepare the additional disk

After the system has rebooted, log back in

Run the following command to list drives and mount points

lsblk -f

In this case, sdb will be our new drive

Enter the following command and hit enter

fdisk /dev/sdb

Enter n for new partition

Enter p for primary partition and hit enter

Enter the number 1 for the partition number and hit enter

Leave first sector blank to select the default, hit enter

Same thing with the last sector, leave blank to select the default and hit enter

Your completed process for creating the new drive and partition should look like this. There will be a size difference if you chose a different size drive of course.

Type in w and hit enter to save the changes

You should see the above once completed

Format the new partition

Enter the following to format the drive

mkfs -t ext4 /dev/sdb1

You should see the above once complete

Attaching the drive

Enter the following command and hit enter

mkdir -p /var/www/html

Type the following and hit enter

UUID=$(blkid -s PARTUUID -o value /dev/sdb1)

This pulls the partition identifier into the variable UUID so that we can add it to fstab and make sure it is mounted on every boot

Enter the following command and hit enter to add the partition to fstab

echo "PARTUUID=${UUID} /var/www/html ext4 defaults 0 2" >> /etc/fstab

Type the following and hit enter to mount the partition

mount -a

Run the following command to show mounted locations. Notice the bottom line is the newly added sdb1

df -h

Allow HTTPS through Firewall

Type the following to allow https traffic through the firewall

iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

Type in the following to see what iptables rules are in place

iptables -L

Enter the following command to save the new rule into the iptables list

iptables-save > /etc/systemd/scripts/ip4save

Install Apache Web Server

Run the following command to install Apache. Doing it this way requires an internet connection.

tdnf install httpd tar tree --assumeyes

Once the install has completed, it should look like this

Configure Certificate for Web Server

Enter the following command to create the folder the certificates will be worked on from

mkdir /root/apache-certs

Enter the following command to change directory to the new apache-certs folder

cd /root/apache-certs

Enter the following command to generate the private key for the certificate

openssl genpkey -out /root/apache-certs/server.key -algorithm RSA -pkeyopt rsa_keygen_bits:2048

Enter the following command to start building the configuration file for generating the certificate request. Current standards require the certificate's Subject Alternative Name (SAN) and the certificate name to match.

vi offline-depot.cnf

The following is the basic info needed for the file. Modify to suit your environment

[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no

[req_distinguished_name]
C = <country>
ST = <state>
L = <locality>
O = <organization>
OU = <organizational unit>
CN = <fully-qualified domain name>

[req_ext]
subjectAltName = @alt_names

[alt_names]
IP.1 = <ip address>
DNS.1 = <fully-qualified domain name>
DNS.2 = <short name>

Type the following command to generate the certificate request (CSR) using the config file we just created along with the previously created private key.

openssl req -new -key /root/apache-certs/server.key -out /root/apache-certs/request.csr -config /root/apache-certs/offline-depot.cnf

Since I'm a child of the GUI, I used WinSCP to pull the file over to my jump box to request the certificate
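The CSR steps above, as an added example that is not part of the original post: a script that fills in the offline-depot.cnf template, generates the key and CSR the same way the post does, and then checks that the CN is also listed as a DNS SAN before the request goes to the CA. It assumes openssl is on the PATH; depot.example.lab, depot and 192.0.2.10 are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post: fill in the post's
# offline-depot.cnf template, generate the key and CSR the way the post does,
# then verify the CSR's SAN list actually contains the CN (the requirement
# the post cites). Requires openssl on the PATH. The host names and IP used
# by the demo are constructed sample values.
set -eu

# Write the request config described in the post, with the given names filled in.
write_csr_config() {
    fqdn="$1"; short="$2"; ip="$3"; out="$4"
    cat > "$out" <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no

[req_distinguished_name]
C = US
ST = Sample State
L = Sample City
O = Homelab
OU = Depot
CN = $fqdn

[req_ext]
subjectAltName = @alt_names

[alt_names]
IP.1 = $ip
DNS.1 = $fqdn
DNS.2 = $short
EOF
}

# Generate the 2048-bit RSA key and the CSR exactly as the post's two openssl commands do.
make_csr() {
    cfg="$1"; key="$2"; csr="$3"
    openssl genpkey -out "$key" -algorithm RSA -pkeyopt rsa_keygen_bits:2048
    openssl req -new -key "$key" -out "$csr" -config "$cfg"
}

# Print the SAN entries of a CSR one per line, e.g. "DNS:depot.example.lab".
csr_sans() {
    openssl req -in "$1" -noout -text |
        awk '/X509v3 Subject Alternative Name/ {
                 getline; sub(/^[[:space:]]+/, ""); gsub(/, /, "\n"); print }'
}

# Extract the CN from the CSR subject (RFC2253 form: CN=...,OU=...,O=...).
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Succeed (exit 0) only when the CN also appears as a DNS SAN.
csr_cn_in_san() {
    csr_sans "$1" | grep -qx "DNS:$(csr_cn "$1")"
}

# Demo: run with the argument "demo" to build a sample CSR and report the check.
if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d)
    write_csr_config depot.example.lab depot 192.0.2.10 "$dir/offline-depot.cnf"
    make_csr "$dir/offline-depot.cnf" "$dir/server.key" "$dir/request.csr"
    echo "SANs in request:"; csr_sans "$dir/request.csr"
    if csr_cn_in_san "$dir/request.csr"; then
        echo "CN is covered by a DNS SAN"
    else
        echo "CN is missing from the SAN list"
    fi
fi
```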

Go to your certificate server and place your request

Make sure you export the new certificate as Base 64 encoded; DER will not work and would have to be converted

Combine the root ca, intermediate ca (if you have one), and the machine certificate into a new chain cert file. Transfer that back to the offline depot.

Rename the file to server.crt

Type the following command to move the server.key and server.crt files to the /etc/httpd/conf folder

mv /root/apache-certs/server.* /etc/httpd/conf

Type the following command to make sure the permissions are where we need them to be

chmod 0400 /etc/httpd/conf/server.* && chown root:root /etc/httpd/conf/server.*

Make sure no other files in the folder start with "server.", as the wildcard would change them as well.

Configure the httpd.conf file

Type the following command to load the ssl module

sed -i 's|#LoadModule ssl_module|LoadModule ssl_module|' /etc/httpd/conf/httpd.conf

Type the following command to load the socache_shmcb module

sed -i 's|#LoadModule socache_shmcb_module|LoadModule socache_shmcb_module|' /etc/httpd/conf/httpd.conf

Type the following command to include the httpd-ssl.conf file

sed -i 's|#Include conf/extra/httpd-ssl.conf|Include conf/extra/httpd-ssl.conf|' /etc/httpd/conf/httpd.conf

Configure the httpd-ssl.conf file

Type the following command to set the document root location

sed -i 's|DocumentRoot "/etc/httpd/html"|DocumentRoot "/var/www/html"|' /etc/httpd/conf/extra/httpd-ssl.conf

Type the following command to set the admin email address for the website.

sed -i 's|ServerAdmin admin@Admin.com|ServerAdmin Admin@admin.com|' /etc/httpd/conf/extra/httpd-ssl.conf

Type the following command to set the server name for SSL. Please use the appropriate name for yours.

sed -i 's|ServerName www.example.com:443|ServerName depot.rainpole.io:443|' /etc/httpd/conf/extra/httpd-ssl.conf

Type the following command to edit the httpd-ssl.conf file at line 290

vi /etc/httpd/conf/extra/httpd-ssl.conf +290

Add the following after the CustomLog lines and before the </VirtualHost>. Hit the ‘i’ key to enter insert mode.

<Directory /var/www/html/PROD/COMP>
    AuthType Basic
    AuthName "Basic Authentication"
    AuthUserFile /etc/httpd/conf/.htpasswd
    require valid-user
</Directory>

<Directory /var/www/html/PROD/metadata>
    AuthType Basic
    AuthName "Basic Authentication"
    AuthUserFile /etc/httpd/conf/.htpasswd
    require valid-user
</Directory>

<Directory "/var/www/html/PROD/COMP/Compatibility/VxrailCompatibilityData.json">
    # VxRail VVS Cookie Validation (VCF 5.0)
    <If "%{HTTP:Cookie} == 'ngssosession=ngsso-token'">
        Require all granted
    </If>
</Directory>

<Directory /var/www/html/PROD/vsan/hcl>
    Require all granted
</Directory>

# Those Alias statements are needed only for VCF 5.1.0.0.
Alias /products/v1/bundles/lastupdatedtime /var/www/html/PROD/vsan/hcl/lastupdatedtime.json
Alias /products/v1/bundles/all /var/www/html/PROD/vsan/hcl/all.json

# Needed only if UMDS downloads are presented
<Directory /var/www/html/umds-patch-store>
    Require all granted
</Directory>

Hit esc key to exit insert mode, then type :wq to save and quit

Configure Basic Authentication

Type the following to create a user for the website

htpasswd -c /etc/httpd/conf/.htpasswd <username>

Remove the -c for any other users created

You should see this output once completed

Type the following to change the file owner and permissions to protect the password file

chown apache /etc/httpd/conf/.htpasswd && chmod 0400 /etc/httpd/conf/.htpasswd

The permissions for the file should look like this afterwards

Cleanup Activities

Type the following command to remove the apache-certs folder

rm -rf /root/apache-certs

Type the following command to remove the index file for the website

rm -rf /var/www/html/index.html

Type the following command to modify the sshd_config file to set PermitRootLogin back to no

It should look like this after the change

Hit esc and then type in :wq and press enter to exit the edit

Edit the following file to ensure the DocumentRoot path is "/var/www/html"

Also change "Require all denied" to "Require all granted"

Run the following command to check the syntax of the configuration

httpd -t

Run the following command to start the httpd service

systemctl start httpd

Run the following command to check the status of the httpd service

systemctl status httpd

Run the following commands to set the permissions for the files

chown apache -R /var/www

chown apache -R /var/www/html/

find /var/www/html -type d -exec chmod 0500 {} \;

find /var/www/html -type f -exec chmod 0400 {} \;
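An added example (not the post's own code) that applies the permission scheme above to a document root and audits it for drift; it also lists any downloadtoken.txt left inside the docroot, since the post stores it in /var/www/html, where httpd would serve it like any other file. Ownership is not checked because the script runs unprivileged, and the sample tree it builds is constructed.

```shell
#!/bin/sh
# Added example, not code from the original post: apply the post's permission
# scheme (directories 0500, files 0400) to a depot document root and audit it
# for anything that drifted. The chown to apache is left out because this runs
# unprivileged; the tree built by make_sample_depot is constructed here.
set -eu

# Apply the mode part of the post's scheme to a docroot.
harden_docroot() {
    find "$1" -type d -exec chmod 0500 {} \;
    find "$1" -type f -exec chmod 0400 {} \;
}

# List every directory that is not 0500 and every regular file that is not 0400.
docroot_deviations() {
    find "$1" \( -type d ! -perm 0500 \) -o \( -type f ! -perm 0400 \)
}

# Number of deviating entries; 0 means the tree matches the scheme.
docroot_deviation_count() {
    docroot_deviations "$1" | wc -l | tr -d ' '
}

# The post keeps downloadtoken.txt under /var/www/html. Anything inside the
# document root is served by httpd once the site is up, so list such files
# for the operator; --depot-download-token-file takes a path, so the token
# file does not have to live inside the docroot.
docroot_token_files() {
    find "$1" -type f -name downloadtoken.txt
}

# Constructed sample tree mirroring the post's layout (PROD/COMP, PROD/metadata,
# PROD/vsan/hcl) plus a token file where the post places it.
make_sample_depot() {
    base="$1"
    mkdir -p "$base/PROD/COMP/Compatibility" "$base/PROD/metadata" "$base/PROD/vsan/hcl"
    echo '{}' > "$base/PROD/COMP/Compatibility/VxrailCompatibilityData.json"
    echo '{}' > "$base/PROD/vsan/hcl/all.json"
    echo 'sample-token-value' > "$base/downloadtoken.txt"
}

# Demo: run with the argument "demo" to build a sample tree, harden it, then
# loosen one file and show the audit catching it.
if [ "${1:-}" = "demo" ]; then
    root=$(mktemp -d)
    make_sample_depot "$root"
    harden_docroot "$root"
    echo "deviations after hardening: $(docroot_deviation_count "$root")"
    chmod 0644 "$root/PROD/vsan/hcl/all.json"
    echo "deviations after loosening one file:"; docroot_deviations "$root"
    echo "token files inside docroot:"; docroot_token_files "$root"
fi
```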

Download of the VCF Binaries

Transfer the vcf download tool to the offline depot. I used WinSCP for this

Run the following command to create the folder the download tool will be expanded to

mkdir ~/vcf-download-tool

Run the following command to extract the vcf download tool

tar -xvf vcf-download-tool-9.0.1.0.24962179.tar.gz -C ~/vcf-download-tool/

Change to the directory

cd vcf-download-tool/bin

Run the following command to kick off the download.

./vcf-download-tool binaries download -d /var/www/html --depot-download-token-file /var/www/html/downloadtoken.txt --vcf-version=9.0.1 --type=INSTALL

Note: the long options use two dashes (--)

Answer Y or N for enabling the Customer Experience Improvement Program

Note: you will need to create the downloadtoken.txt file, place it on the system, and reference it in the command. The content of the file is your organization's download token.

Once its started downloading you should see the above

Once it’s completed, you should get the above summary of what was downloaded.

Variations of the download command

You can download upgrades and patches as well with the download tool using the commands below. Change the version as appropriate. A base version of 9.0 will download anything 9.0.x.

Install:

./vcf-download-tool binaries download -d /var/www/html --depot-download-token-file /var/www/html/downloadtoken.txt --vcf-version=9.0 --type=INSTALL

Upgrade:

./vcf-download-tool binaries download -d /var/www/html --depot-download-token-file /var/www/html/downloadtoken.txt --vcf-version=9.0 --type=UPGRADE

Patch:

./vcf-download-tool binaries download -d /var/www/html --depot-download-token-file /var/www/html/downloadtoken.txt --vcf-version=9.0 --patches-only

You should now have a functioning Offline Depot. Have a good one.

Greetings, this time we are going to be creating a Certificate Template for VMware Certificate Authority (VMCA). This would allow you to use VMCA to issue certificates for your VMware environment.

This is based on the following article:

Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere

Open Certificate Authority

Select Certificate Authority

Create Certificate Template

Expand Root-CA01, then right-click Certificate Templates and select Manage

Find and right-click the Subordinate Certification Authority, then select Duplicate Template

Change Certification Authority to Windows Server 2012 and Certificate Recipient to Windows 7/Server 2008 R2

Go to the General Tab and enter your preferred name for the Template. I would recommend a name that indicates its purpose.

Also select Publish certificate in Active Directory

Go to the Extensions tab, select Basic Constraints, click Edit and make sure that Make this extension critical is enabled. Select OK if changes were made, choose cancel if not.

Go down to Key Usage, click Edit and verify that Digital signature, Certificate signing, and CRL signing are all enabled. Also check to make sure Make this extension critical is enabled as well.

Click OK if changes were made, cancel if not.

Select OK

Authorize Template to be issued

Go back to Certificate Management, right-click Certificate Templates, hover over New, and Select Certificate Template to Issue

Scroll down to VMware VMCA (or whatever it may have been named) and select OK

Note: this is a subordinate Certificate Authority level template. Guard usage of this template very carefully, as misuse or unintended issuance can cause significant problems if control of it is lost.

Now you have your certificate template to issue certs from VMware Certificate Authority. Have a good one.

Update ESXi 7 using CLI

December 1, 2025 | ESXi, ESXi 7, ESXi 7 CLI Update, Homelab, VMware | No Comments

Greetings, today we will be updating ESXi 7 to a newer version of 7 using command line and no vCenter. In this case 7.0.3d to 7.0.3w.

Note: All VMs running on the host should be powered off, or vMotioned to another host if a vCenter is available.

To start we will need to have downloaded the update zip bundle from Broadcom’s download page.

https://support.broadcom.com

Go to My Downloads on the left, type in vSphere in the search bar, then select Show Results

Select Solutions under the VMware vSphere section name. This is where you will find almost every patch.

Select the version that applies for you. I will be selecting Enterprise Plus

In this case, select 7.0

Select the VMware-ESXi-7.0U3w-24784741-depot option

Select the Cloud Icon with the down arrow to download the file. Please save it where you can find it again

Method 1: Using Datastore Browser

Login

Select Storage on the left-side pane

Select Datastore browser

I don’t have any folders in this datastore for ISOs or updates. So I will make one by selecting Create directory and give it the name you want, I’m using ISOs.

Select the folder you made, click Upload, then navigate to and select the file to upload and choose Open

You will get an upload progress indicator in the upper right of the window

Now that the file is complete, you will see it in the 3rd pane. Click close

Select Data in the center pane to get the Location. Save that file path as you will need it when we go to update in CLI

Enable SSH: Method 1 (Using Webpage)

Go to Manage, Services, then scroll down until you see TSM and TSM-SSH, select each one and click Start

Now the services are running to allow SSH and Shell interactions

Enable SSH: Method 2 (Using DCUI)

Login to the DCUI of your host

Select Troubleshooting options

Enable both ESXi Shell and SSH by pressing enter once each line is selected

Hit the escape key twice

Method 1: Transferring the file to the host (Using SCP)

Click on the Start menu, enter winscp and select WinSCP

Select New Site on the left pane and then enter the host info on the right pane, then select Login

If you trust your host, select Accept

On the left pane navigate to where your file is, on the right side navigate to where you want to save it. I will again use the ISOs folder created earlier.

Yes, I did delete the earlier copies of the transfer.

Drag and drop the file from the left pane to the right pane, you will then get this transfer window.

Once transferred the file will show on the right pane.

Method 2: Transferring the file to the host (Using SCP)

Right-click the start menu and select Terminal or Terminal (Admin). SCP can be run from either in PowerShell

Enter the following command to transfer using PowerShell

scp <file path to your copy of the zip file> root@<ip\FQDN of ESXi host>:<vmfs file path to your folder>

Install the update to the host

SSH into the host

Navigate to the directory containing the file and enter ls

Enter the following command to get the list of update profiles available.

esxcli software sources profile list --depot=/vmfs/volumes/<your volume ID>/<Folder>/<Update zip file name>

We are now ready to perform the update using the following command.

esxcli software profile update --depot=/vmfs/volumes/<your volume ID>/<Folder>/<Update zip file name> --profile=ESXi-7.0U3w-24784741-standard

I am using the standard profile as that includes VMware Tools as part of the update.

The update output should look like this if it was successful.

Reboot the host to complete the update.

After reboot you should see the following version on the DCUI

Logging into the webpage you should see the following version on the right side Configuration section

Logging into SSH you should see the following version

You have successfully updated your ESXi 7 host to a newer version of ESXi 7. Congrats and have a good day.

Greetings, today we are going to be setting up an Offline Depot using Windows and IIS. This is going to assume you have already deployed a Windows Server.

You will want an additional drive added with 1TB of space for current and future downloads.

You will need:

1TB added drive. If you're limited on space, you can probably get away with 200GB, but you will need to manage your space usage more actively with future downloads.

The VCF Download Tool. Instructions will be below for downloading it.

Something that can unzip tar.gz files, I will be using 7zip for this

Login, Select My Downloads, then enter “foundation” in the search bar, select Show Results, and then Select VMware Cloud Foundation

Select VMware Cloud Foundation 9, then select 9.0.1.0

Select Drivers & Tools

Select VCF Download Tool

Select the Download Icon and save the Download Tool.

From here we will pivot to the Windows Server to setup IIS and get ready for the download tool.

Deployment config

This will not require extensive compute resources, so I'm setting it up with 2 CPU, 4GB RAM, 50GB Disk 1, and 1TB Disk 2.

Format 1TB Drive

Once your Windows Server is deployed and ready, go to Disk Management

Right-click Disk 1 and select Online

Right-click Disk 1 again and select Initialize Disk

Select ok

Right-click the lined area next to Disk 1 and select New Simple Volume

Select Next

Select Next

Select your desired drive letter and select Next

Enter your desired Volume Label and select Next

Select Finish

Now we have a formatted drive to store the data on

Install IIS

Now we will start the process to install IIS.

In Server Manager, Select Add roles and features

Select Next

Select Next

Select Next

Select Web Server (IIS)

Select Add Features

Select Next

Select Next

Select Next

Scroll down to Security and select Basic Authentication and select Next

Select Install

Once finished, select Close

Configure IIS

Now that we have IIS installed, we will need to provide it an SSL certificate.

Request Certificate

Click start, type certlm.msc, then select certlm.msc

Select Yes

As you can see, we have no certificates at all for this machine.

Right-click Personal, hover over All Tasks, then Select Request New Certificate

Select Next

Select Next

Select the blue line to provide more information for the Web Server Template

Change the Subject name Type to Common name and Alternative name Type to DNS

Add your Common name, I prefer to use the Fully Qualified Domain Name (FQDN), and click Add. For DNS I prefer to do FQDN and short names. After adding those, change Alternative name Type to IP address (v4) and add the IP address.

Enter the friendly name, I again prefer the FQDN here, then select OK

Check the block for Web Server then select Enroll

Once completed you should see the above success screen. Select Finish

Now we have a certificate

Click Start, type IIS, then select IIS Manager

Expand wdeploy, then expand Sites, select Default Web Site then click Bindings on the right side pane

Select Add

Change Type to https

Change SSL certificate to the one we just made

It should look like this. Select OK

Select Close

Setup the web directory

Since we're already in IIS, select Basic Settings on the right-side pane

Select the …

Scroll down and select your added drive, then select Make New Folder

Name your folder, I am going with www in this case

Select OK

When attempting to access the path, you will get the above error

Back in IIS, select Directory Browsing

In Directory Browsing, Select Enable on the right-side pane

In this case I created a test folder in e:\www to validate it will display

Select Default Web Site again, then double-click Authentication

Select Basic Authentication, then click Enable

Go back to Default Web Site, then double-click SSL Settings

Check the block for Require SSL and then select Apply on the right-side pane

Download the VCF Binaries

Now that we have the structure set up, it's time to download the VCF Binaries that we will be hosting for the VCF Installer

So go grab your VCF Download Tool we downloaded earlier and copy it over to this system.

Right-click the VCF Download tool, hover over 7-Zip, then Extract To “path”

Then repeat with the .tar file

In that folder, right-click the open area, hover over New, then select Folder

Name it vcf-download-tool

Copy the other folders into vcf-download-tool

Move the vcf-download-tool folder to e:\www

In the vcf-download-tool folder, right-click the open area, hover over New, and select Text Document

Name the document downloadtoken.txt. I have "show file extensions" enabled to verify that the file type is .txt. Populate the file with only your download token. This is specific to each customer, so I will not be showing the file contents.

Note: I’m pretty positive the downloadtoken.txt needs to be named in lowercase.

Move the downloadtoken.txt file to www

Right-click Start and select Windows PowerShell (Admin)

In PowerShell, change directory to e:\www\vcf-download-tool

cd into \bin. Since I am downloading for VCF 9.0.1, I am running the command with that version specified. I am including the text directly below for easier copying.

./vcf-download-tool binaries download --depot-store e:\www\ --depot-download-token-file e:\www\downloadtoken.txt --vcf-version=9.0.1 --type=INSTALL

I am ok with my lab being in the Customer Experience Improvement Program, so I will select Y

Completed list of files

You can run the same command with --type=UPGRADE to get the upgrade files

Versions of the command to get various file types:

Install (both for 9.0 and 9.0.1):

./vcf-download-tool binaries download --depot-store e:\www\ --depot-download-token-file e:\www\downloadtoken.txt --vcf-version=9.0 --type=INSTALL

./vcf-download-tool binaries download --depot-store e:\www\ --depot-download-token-file e:\www\downloadtoken.txt --vcf-version=9.0.1 --type=INSTALL

Upgrade (both for 9.0 and 9.0.1):

./vcf-download-tool binaries download --depot-store e:\www\ --depot-download-token-file e:\www\downloadtoken.txt --vcf-version=9.0 --type=UPGRADE

./vcf-download-tool binaries download --depot-store e:\www\ --depot-download-token-file e:\www\downloadtoken.txt --vcf-version=9.0.1 --type=UPGRADE

Patch (both for 9.0 and 9.0.1):

./vcf-download-tool binaries download --depot-store e:\www\ --depot-download-token-file e:\www\downloadtoken.txt --vcf-version=9.0 --patches-only

./vcf-download-tool binaries download --depot-store e:\www\ --depot-download-token-file e:\www\downloadtoken.txt --vcf-version=9.0.1 --patches-only

That covers getting the files to the system. The next article will cover linking the Offline Depot to the VCF Installer. Have a good day.

Greetings, this time we are going to be creating a Certificate Template for VMware services.

This is based on the following article:

Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere

Open Certificate Authority

Select Certificate Authority

Expand Root-CA01, then right-click Certificate Templates and select Manage

Right-click Web Server and select Duplicate Template

Change these settings to match the above, CA as 2012 and Recipient as 7/2008 R2

On the General tab, change the Template display name to whatever you want. I am using VMware

On the Extensions tab, make sure Application Policies is selected and select Edit

Select Server Authentication and select Remove

Select OK

Select Basic Constraints and select Edit

Check Enable this extension and select OK

Select Key Usage and Select Edit

Check the Signature is proof of origin (nonrepudiation) and leave the rest as default. Select OK

Go to the Subject Name tab and make sure Supply in the request is selected. Select OK.

Now that the new VMware certificate template exists. Close this window

Back on the main CA window, right-click Certificate Template, hover over New, and select Certificate Template to issue

Scroll down until you see your template. Click it and select OK

You now have the VMware certificate available to issue as needed. Enjoy and have a good day.

Now that we have IIS installed on our CA Server, it’s time to setup a certificate for HTTPS connections

Login, click the Start Menu and type certlm.msc. You can also right-click start and select Run to do the same.

Expand Personal and then click on Certificates. Notice there is only the Root-CA's cert here; we don't want that as the cert for our certsrv page.

Right-click either the Certificates folder, or in the white area on the right, hover over All Tasks, then select Request New Certificates

Select Next

Select Next

Now I want the Web Server template, which is not shown here. That is because I'm using an account with privileges that isn't authorized for that template. We're going to go fix that. So go ahead and select Cancel.

Select Start, type cert, then click Certification Authority

Expand Root-CA01 then select Certificate Templates, you can see Web Server is here. Next is to change the permissions.

Right-click Certificate Templates and select Manage

Scroll down the middle section and right-click Web Server, then select properties

Go to the Security tab and notice the permissions. Since this is a lab I’m just going to give authenticated users enroll permissions.

Now that enroll has been granted, select OK

Go back to your certlm window, and right-click the open area, hover over All Tasks and select Request New Certificate

Select Next

Select Next

And now we have the Web Server template as an option, click the blue line to enter your information

Change the Subject name drop down from Full DN to Common Name and Type from Directory name to DNS

For Common name, I prefer to enter the Fully Qualified Domain Name (FQDN), and for DNS I prefer to do both the FQDN and the short name. Once you enter them in the lines on the left, click the corresponding Add button to add them. Then change Type from DNS to IP Address (v4) (or v6 if needed) and enter the IP address.

Once it looks like this, go to the general tab

I generally will use the FQDN for the Friendly name as well. Select the Private Key tab

As a note, under Key Options you can mark the private key as exportable. If this cert is for another server, or perhaps for a VIP or multiple servers, you would select this so that the cert can be exported/imported to those other servers. Once complete, select OK

Now that the blue line is gone, you can select the Web Server template and click Enroll

Once complete you should receive this window

Adding Certificate to IIS

Click start, type IIS  and select IIS Manager

Expand Sites and click Default Web Site, then select Bindings on the right side

Select https and click Edit

Change SSL certificate from Root-CA01 to ca01.lab.scottbell.me. There are more options that can be selected from a security standpoint like specifying the IP, hostname, and Disabling Legacy TLS. Select options as appropriate for your environment. Then select OK

Select Close

Select Restart on the right side pane

Go to a browser and enter the address of your website with /CertSrv at the end. You should not get an untrusted website alert (assuming the client accessing the site trusts the Root CA), and you should get a username/password prompt.

Once you enter account information that has access to the website, you should see the above and are now able to request certificates as you need. Congrats and have a good day.

Today we are going to be setting up a Certificate Server for the new domain in my home lab. This is part of the systematic rebuild of the lab so that I can write these articles to document the process to potentially help others and for a record of my own on the next rebuild.

The new lab so far has just two domain controllers. I need certificate services to continue with other functions such as the offline depot for VCF, the new jump box I will end up building, and VCF itself with its components.

This will be based on the assumption that you have already deployed a Windows Server, have named it, given it an IP, and domain joined it.

Installing Certificate Services

Select Add roles and features

Select Next

Select Next

Select Next

Select Active Directory Certificate Services

Select Add Features

Select Next

Please read this page before selecting Next; the note does matter

Select Certification Authority Web Enrollment, and Certificate Enrollment Web Service

Once you select Certificate Enrollment Web Service, this window will pop up; select Add Features

Once the selection matches the above, select Next

Read and select Next

Scroll down to the Security section and select Basic Authentication; this is to support VCF functions later. Select Next

Review the selections and then select Install

Once the install is finished, select Configure Active Directory Certificate Services

Use your intended account if it differs from what's pre-populated based on the logged-in account. Then select Next

You can only set up the first two at the same time. We will have to come back for the Certificate Enrollment Web Service after the Certificate Authority is set up. Select Next

In my case, with it being a lab, I will do an Enterprise CA that stays online. If you're building a proper CA in the real world, I would suggest a Standalone Root CA that stays offline when not in use and a Domain-Joined Subordinate CA. Select Next

Again, since this is a lab environment, this will just be a Root CA. Select Next

Since this is a new server and not a transfer\upgrade\recovery, I will Create a new private key and select Next

I am going to stick with the defaults here. I am not using anything that needs admin interaction for extra security, so I will leave it unchecked.

I have changed the Common name to be more what I want, but I am leaving the rest the default format. Select Next

Use whatever timeframe is suitable for you. As this is a lab, it won't survive 5 years, so I will leave it at that.

Security needs may require these locations to be moved to a different location\drive. I’m not operating under those requirements so I will be leaving them default. Select Next

Review the summary and select Configure

Once complete, select Close

Select Yes

Same thing, change account if needed then select Next

Select Certificate Enrollment Web Services and select Next

Select Next

This I will leave as default for Windows integrated authentication. Select Next

I’m not going to bother with a service account in this case, so I will select Use the built-in application pool identity.

I will indeed use Root-CA01, the default selection here. You will need to actually select (click) the certificate and then select Next

Review the options and if everything is as expected, select Configure

Now we are completed for this configuration. Select Close

Select Close again

Click start and type IIS, then select IIS Manager

In IIS, expand CA01, then Sites, then Default Web Site, click CertSrv, and double-click Authentication

Select Basic authentication, then click Enable

Please go to part 2 for setting up a certificate in IIS for the CA Server. Have a good day.
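The same role install and CA configuration as a PowerShell script, added here as an example and not from the original post. It assumes an elevated Domain Admin session on the domain-joined server CA01 in lab.scottbell.me, the CA name Root-CA01 from the post, and the GUI-default key settings (2048-bit RSA, SHA256, 5-year validity).

```powershell
# Added example (not from the original post): AD CS build matching the steps above.
# Assumptions: run elevated as a Domain Admin on CA01 (domain-joined, 2022).
$CaName = 'Root-CA01'
$CaHost = 'ca01.lab.scottbell.me'   # this server's FQDN

# 1. Roles: CA, Web Enrollment, Enrollment Web Service, plus IIS Basic
#    Authentication (the post enables it for VCF functions later).
Install-WindowsFeature ADCS-Cert-Authority, ADCS-Web-Enrollment, `
    ADCS-Enroll-Web-Svc, Web-Basic-Auth -IncludeManagementTools

# 2. Configure the CA: Enterprise Root CA with a new key. Lab choice only;
#    a production design keeps the root offline and issues from a subordinate.
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
    -CACommonName $CaName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 5 -Force

# 3. Web Enrollment (/CertSrv) takes no further parameters.
Install-AdcsWebEnrollment -Force

# 4. Enrollment Web Service, second pass as in the post: Windows integrated
#    (Kerberos) authentication, built-in application pool identity, and the
#    CA's own certificate on the binding until a web server cert is issued.
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object Subject -like "CN=$CaName*" | Select-Object -First 1
if (-not $caCert) { throw "CA certificate for $CaName not found" }
Install-AdcsEnrollmentWebService -CAConfig "$CaHost\$CaName" `
    -AuthenticationType Kerberos -ApplicationPoolIdentity `
    -SSLCertThumbprint $caCert.Thumbprint -Force

# 5. Enable Basic authentication on /CertSrv (IIS Manager > CertSrv > Authentication).
#    Basic auth sends credentials in the clear, so this relies on the HTTPS binding.
Import-Module WebAdministration
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location 'Default Web Site/CertSrv' `
    -Filter 'system.webServer/security/authentication/basicAuthentication' `
    -Name enabled -Value $true

# Checks: the CA service answers, and CertSrv shows which auth modes are enabled.
certutil -ping -config "$CaHost\$CaName"
Get-WebConfigurationProperty -PSPath 'IIS:\' -Location 'Default Web Site/CertSrv' `
    -Filter 'system.webServer/security/authentication/*' -Name enabled
```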

Deploy Windows Server 2022 and Build Active Directory Part 2

Greetings, today in part 2 we will be building the Active Directory Domain using the new name for my lab which will be lab.scottbell.me.

Let's get to it

Snapshot

First, login and take a snapshot of the VM just in case.

Now that we have our short-term safety net, let's continue. Please remember though, snapshots are not backups.

Log in to the system; for now I’m using the VMware web console to do so

Add Role

Select Add roles and features

Select Next

Keep the default selection of Role-based or feature-based installation and select Next

Select Next

Select Active Directory Domain Services

Select Add Features

Select Next

Select Next

Select Next

Select Install

Select Close

Select the flag with the Yellow Triangle and select Promote this server to a domain controller

Configure Active Directory

Select Add a new forest and enter the name you’re planning to use

Unless you have a reason, you should stick with the default Windows Server 2016 Forest and Domain functional levels. Enter a password for Directory Services Restore Mode and make sure it's not lost, ideally by storing it in a password vault\manager.

I will leave the default NetBIOS name as is and select Next

If you have security requirements mandating it, relocate the files to a suitable place. I will be leaving the defaults in this case and select Next.

Review your choices and go back to make changes if needed

Once the Pre-checks have been passed, read the warnings as shown and then select Install

Once complete you will get the following warning for the system rebooting after a successful install of the Active Directory role.

Validate Install

After the reboot, log in

Congrats. Active Directory has been installed. Now we will run through adding the second Domain Controller to the Domain.

Add Second Domain Controller

Log in to the second Domain Controller

Repoint DNS

Right-click the start menu and select Network Connections

Select Network and Sharing Center

Select Ethernet0 on the right side of the window

Select Properties

Click on Internet Protocol Version 4 (TCP/IPv4) and select Properties

Change DNS to point to the new Domain Controller and select OK

Add Role

Select Add roles and features

Select Next

Select Role-based or feature-based installation

We're not doing a remote server, so leave it selected for itself and select Next

Select Active Directory Domain Services

Select Add Features

Select Next

Select Next

Select Next

Select Install

Now that the install is done, select Promote this server to a domain controller.

Join Existing Domain

Enter the information for the new domain, then click Select

Provide an account from the domain.

Select your domain and click OK

Select Next

We have not created any sites and this is not a Read Only Domain Controller, so I will leave this at default settings and enter the Directory Services Restore Mode (DSRM) password and select Next.

Select Next

There's only one DC in this domain, so I will leave it with Any domain controller selected. Select Next.

Again, since this isn’t a hardened type of install and I have no requirements to move the directories, I will leave the default locations and select Next.

Review the details and go back to change if needed. Then Select Next.

Once the prechecks are done, review the warnings and Select Install.

Once the install is completed, the system will reboot.

Validate Joining Active Directory

Log in

Congrats. You now have a domain with two Domain controllers. Now you can customize as needed for your environment. Have a good one.
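Both promotions from this post done with the ADDSDeployment cmdlets, followed by the checks a practitioner runs once both servers are back up. This is an added example, not from the original post; it assumes the two servers built in Part 1, the domain lab.scottbell.me, the NetBIOS name LAB (the default derived from the domain name), and a constructed address of 10.0.0.10 for the first DC.

```powershell
# Added example (not from the original post). The script has two halves that
# run on different servers; the validation block runs on either DC afterwards.
# Assumptions: DC01/DC02 are Windows Server 2022 built as in Part 1,
# 10.0.0.10 is DC01's address (constructed value), interface alias Ethernet0.
$Domain  = 'lab.scottbell.me'
$Netbios = 'LAB'
$Dc01Ip  = '10.0.0.10'

# DSRM password is needed on both DCs. Prompt rather than hardcode it, and
# store it in your password manager as the post advises.
$Dsrm = Read-Host 'Directory Services Restore Mode password' -AsSecureString

# ----- Run on DC01: new forest, 2016 (WinThreshold) functional levels -----
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSForest -DomainName $Domain -DomainNetbiosName $Netbios `
    -ForestMode WinThreshold -DomainMode WinThreshold `
    -InstallDns -SafeModeAdministratorPassword $Dsrm -Force
# The server reboots on completion, as the GUI warns.

# ----- Run on DC02: repoint DNS at DC01, then join as an additional DC -----
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet0' -ServerAddresses $Dc01Ip
# Sanity check before promoting: the domain's SRV record must resolve via DC01.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $Dc01Ip
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
$cred = Get-Credential -Message "Account in $Domain allowed to add a DC"
Install-ADDSDomainController -DomainName $Domain -Credential $cred `
    -InstallDns -SafeModeAdministratorPassword $Dsrm -Force
# No -SiteName or -ReplicationSourceDC: defaults match the post's choices.

# ----- Validation, on either DC after both have rebooted -----
Get-ADDomainController -Filter * |
    Select-Object Name, IPv4Address, Site, IsGlobalCatalog, OperatingSystem
repadmin /replsummary          # replication partners and failure counts
dcdiag /test:DNS /test:Replications /test:Advertising /q   # silent when healthy
```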

This will be the start of a series of articles for the rebuild of my lab to properly document the build process.

This will start here with Active Directory on Windows Server 2022, building a new Certificate Server on 2022, then continue into VCF oriented steps such as the offline depot, deploying the VCF installer, linking the two, and then deployment of VCF and its components.

To start I will be installing Windows Server 2022 with 2x Cores, 4GB RAM, and a 50GB HDD. All storage used is NVMe, so it will be more than fast enough for our needs.

Deployment

I’m going to start with building the shell by right-clicking my ESX host and selecting New Virtual Machine

We will select Create a new virtual machine and then Next

Enter the virtual Machine name and its location then select Next

Select the compute resource for where the VM will run

Select the storage location then select Next

Select the appropriate compatibility level for your environment. For me, that will be ESXi 8.0U2 and later then select Next

Now we get to set the OS version we will be running in this VM. I’m using Windows Server 2022 so that’s what I choose, then select Next.

Note: This matters as the wrong setting can lead to performance\stability issues if there’s enough of an instruction set difference.

Now we get to see everything together and verify the choices.

In this case I will need to change networking to the proper Port Group for my environment, change the HDD from 90GB to 50GB, and also add the ISO to the CD/DVD Drive.

Once finished, select Next.

Review the settings on Ready to complete and change if needed on the previous page. If no changes are needed, select Next.

Once it's finished, make sure to edit the settings and enable the Connect At Power On option for the CD/DVD Drive so that it actually uses the ISO when you power the VM up for the first time

Select Power on and then select Launch Remote Console

Operating System Install

Change the default Language/Time/Keyboard options if desired

Select Install Now

Select the desired edition. I will be using Standard Evaluation (Desktop Experience) in this case as I still like my GUI. Select Next

Read, and if you agree to the terms, accept the license terms, and select Next

I selected Custom to make sure it shows the correct hard drive info. Select Next

It will now run through the installation

Either wait or select the Restart Now to restart the system

Windows will then reboot and start getting ready for use

Configure Operating System

After configuration you will provide the initial Administrator password

Once you have set the password you will be brought to the login screen; log in

Install VMware Tools

Once you have logged in, go back to your ESX host and select Install VMware Tools

Select Mount

Go back to your console for the VM and open File Explorer and Select the DVD Drive (D:)

Run setup

Select Next

Select Typical unless you have specific parts you want to install or deselect

Select Install

When complete, select restart

Log in after reboot

Configure IP Information

Right-click the Internet icon (the wire globe in this case) and select Network & Internet settings

I prefer the old control panel so I will select Network and Sharing Center

Select Ethernet0 on the right side of the window

Select Properties

Select Internet Protocol Version 4 (TCP/IPv4) and select Properties

Enter your information for the IP and DNS; for now use an existing DNS server. This will change later when this server is promoted to a Domain Controller, but not yet.

Select OK

You will be asked if you want the PC to be discoverable by other devices, make the appropriate choice for your environment

Windows Updates

Select the start menu in the lower left and then settings

Scroll down and select Update & Security

It should have automatically started checking for and downloading updates; if not, select the Check for Updates option

These downloads can take a while depending on your internet.

Once everything is at Status: Pending install, select Install now

Now you get to wait for Updates.

Go to system and select Rename this PC

Enter the desired name

Select Restart now

Provide the reason for the restart, I went with Other (Planned)

Once complete, run through these steps again to build a second server that will become the secondary Domain Controller for redundancy.

Make sure to go back into ESX, edit settings on the VM and set CD/DVD Drive back to Client Device so the ISO doesn’t cause problems later.

This will be the end of Part 1 of deploying Active Directory, building the Servers.

HomeLab Equipment

November 9, 2025 | Homelab, VCF, VMware | No Comments

Overview

Greetings, I was recently asked about what equipment is in my lab and its capabilities. In talking with Aaron about it, he was willing to host this on his website (thanks!), so here is a breakdown of the equipment in my newly acquired lab and its intended uses.

Overall, this environment will be used to gain experience with VMware Virtualization technologies. Specifically VMware Cloud Foundation (VCF) and the Modern Private Cloud (MPC).

Servers

My general logic was to have a structure generally similar to customer environments I might encounter. Enterprise level equipment, but not latest and greatest. So, for me that meant recently out of support but not too out of support servers at a reasonable price. Enter the Dell R640.

Note: using an Intel 61xx series processor is deprecated in ESXi 8 and not supported in ESX 9. This can be overridden.

Having decided that, I then had to decide where to buy them, eBay and Amazon being the immediate likely candidates. eBay won this as they allow sellers to provide drop downs for customization of the specifications to let you have more flexibility in capability and pricing.

All four nodes are also using full NVME drives to allow for vSAN ESA capability, this also allowed the option to test memory tiering in vSphere 8 or VCF 9 if I reserve a drive per host for this purpose.

Note: these drives are not on the Hardware Compatibility List (HCL) so you will need to override the deployment for these to work

Initially I went with 3 servers so that I didn’t need to do nested virtualization. But then I went to 4 servers, since one of my goals is to do apples-to-apples, which for VMware VCF 5.x means 4 hosts. This can of course be overridden to use fewer hosts. Same with the 3-node NSX Manager requirement. I did not want the complications and additional variables of a nested lab.

Add-In Card

These servers as I bought them came with 2x 1GbE and 2x 10GbE NICs. I wanted 25GbE for my backbone, so I also bought one expansion card per server, the Dell Broadcom 57414 Dual 25GbE SFP PCIe cards from eBay.

Networking

So here I wanted to meet the MPC requirement which is 25GbE networking for the backbone. I wanted Cisco, but that gets pricey at this range. Second was Arista as a near-Cisco CLI. In my case that led to a 2-switch setup of a 1GbE switch with 10GbE uplinks by Arista, and then a Dell 25GbE SFP switch for the backbone. Overkill for a home lab, but in line with intended architectures today for those running MPC. Both purchased from eBay.

Arista Switch for 1GB network elements

Dell 25GbE switch for backbone data

Router\Firewall

You need to protect your environment, and this made a good excuse to go beyond the standard ISP router's firewall.

In this case I did not want to go too far down the rabbit hole so I went simple, possibly a bit too simple. So, I went with a Firewalla Gold Pro from Firewalla’s website.

This acts as both the lab’s router and firewall behind the ISP’s modem. This does limit to 10GbE for anything transiting the FW.

Overall intent with this environment is to provide flexibility of running workloads from a basic vSphere 7/8 environment, all the way up to a full VCF 9 with VCF Automation deployment and anything in between.

Persistent Node

Now since building out various configurations of the environment is destructive, I have a single persistent ESXi 8 node.

This is for servers\services that I want to survive tear down and rebuild of the lab environment, such as Active Directory\LDAP, Certificate Services, Jump Box, etc.

For this I am using a Minisforum MS-A2 node with 96GB of RAM, a 2TB NVMe SSD and a 4TB NVMe SSD.

Cabling

Now to connect all of the 25GbE links, I opted for FS.com for DAC cables. They provide options to customize the connectors for better compatibility.

For 10GbE, I went to Amazon and got some generic DAC cables.

For the 1GbE connections I also opted for generic Cat 8 ethernet cables from Amazon.

Power

Power matters, and with this being an expensive investment I opted to use one UPS per server, with (at least currently) one of each server's power supplies in the battery-backed outlets and the other in the surge-protected outlets. These were bought off Amazon.

Console Cable

You will need a console cable to connect. Most systems don’t use the old-style connectors, so I went with a USB interface, which all laptops have; make sure you have a USB-A plug or an adapter for it. This was bought off Amazon.

Rack

Lastly, I needed something to store the equipment in. Back to eBay I went.

Misc

Now, to interface with it I use a pre-existing laptop and a monitor\mouse\keyboard. Nothing fancy is needed. And remember to be mindful of what type of video cable is needed for your server. In the case of the R640, that is still VGA.

Result

Overall, not the prettiest setup, but here is what the “finished” product looks like.

Conclusion

Hope this helps anyone considering a HomeLab setup. Beyond just the ability to demo\test VCF, this can also run additional capabilities such as photo and movie servers or home automation like Home Assistant. The sky's the limit.