SSL Certificates are small data files that digitally bind a cryptographic key to an organization’s details. An organization needs to install the SSL Certificate onto its web server to initiate a secure session with browsers. Once a secure connection is established, all web traffic between the web server and the web browser will be secure.
By default, all vRealize Log Insight Appliance has a Self-Signed certificate and it is not recommended to keep same certificate in your Production Infrastructure. In this blog I will explain how to Create, Sign and Replace the certificate of an vRealize Log Insight with you Organization Certificate Authority Server.
- To Start with we need a Microsoft Certificate Server and The Certificate Template which supports vCSA, This link will help to Install and Configure a MSCA server and to create a certificate Template.
- Download and Install OpenSSL on any Windows machine, OpenSSL to be able to create custom certificates for vSphere environments.
Generating Certificate Request
First, to manage certificates in the vRealize Log Insight, you must go Administration
Click SSL on the left tab to see SSL configuration window. PEM is the only supported certificate format by vRealize Log Insight.
To configure OpenSSL, follow these steps:
Take a backup of the openssl.cfg file. By default, this file is located at the c:\OpenSSL-Win32\bin directory and delete the contents of the file and replace with below content. Replace the FQDN and IP with the details of the server that you are configuring.
Save and close the file.
- If you are using an alias to access vRealize Log Insight, you must add the alias name.
- If you are planning to use the same certificate in all vRealize Log Insight nodes, you must add all hostnames and IP addresses.
Open a command prompt and navigate to the OpenSSL directory as previously configured in the Configuring OpenSSL article. By default, this is C:\OpenSSL-Win32\bin. Run the below command
[ req ] default_bits = 2048 default_keyfile = rui.key distinguished_name = req_distinguished_name encrypt_key = no prompt = no string_mask = nombstr req_extensions = v3_req [ v3_req ] basicConstraints = CA:FALSE keyUsage = digitalSignature, keyEncipherment, dataEncipherment extendedKeyUsage = serverAuth, clientAuth subjectAltName = DNS:vxpertvlog01, IP:192.168.1.36, DNS:vxpertvlog01.vxpert.in [ req_distinguished_name ] countryName = AE stateOrProvinceName = Dubai localityName = Al Nahdha 0.organizationName = Vxpert organizationalUnitName = vCenterInventoryService commonName = vxpertvlog01.vxpert.in
openssl.exe req -new -nodes -out rui.csr -keyout rui-orig.key -config openssl.cfg
There are no prompts because all information was provided in the openssl.cfg file as configured before and this creates the certificate request rui.csr and rui.orig.key files in same directory.
Convert the Key to be in RSA format by running these command
openssl.exe rsa -in rui-orig.key -out rui.key
Sign the Certificate with CA
After the certificate request is created, the certificate must be given to the certificate authority for generation of the actual certificate. The authority presents a certificate back, as well as a copy of their root certificate, if necessary. For the certificate chain to be trusted, the root certificate must be installed on the server.
Log in to the Microsoft CA certificate authority web interface. By default, it is http://servername/CertSrv/
Click Request a certificate
Click Advanced certificate request
Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file
Open the certificate request(rui.csr) using a text editor, Copy the content from —–BEGIN CERTIFICATE REQUEST—– to —–END CERTIFICATE REQUEST—– into the Saved Request box. Please, be sure to select “Web Server” in the “Certificate Template”. Click Submit.
Click Yes to confirm
Once you administrator approves the request you can download the Base 64 encoded certificate chain on the Certificate issued screen, this will have new certificate as well as all ll the certificate of the issuing authority chain
Save the certificate as vxpertvlog.p7b filename, Open the certificate and check the parameters you have provided is correct or on not.
Installing Certificate on vRealize Log Insight
vRealize Log Insight only accept PEM certificates, so we must create my vxpertvlog.pem file. Before we can use the certificate it first needs to be processed and manipulated. This involves changing the format of the file from “p7b” to “PEM”. We use openssl to do this as follows.
openssl.exe pkcs7 -print_certs -in vxpertvlog.p7b -out vxpertvlog.pem
Now combine the vxpertlog.pem and rui.key. Open both files in notepad copy paste the contents from rui.key to the end of vxpertlog.pem and Save
Please, return to vRealize Log Insight, go to Administration and then SSL, click in Browser button, select your PEM file (vxpertvlog.pem), and then click in SAVE.
Opening a new browser session to Log Insight should now allow you to verify that the CA issued certificate is in operation.
If you have any comments, please
drop me a line