After the initial install of a couple of the vRealize products, Log Insight, and Operations, I wanted to remove the annoying warning about the default self-signed certificates not being trusted. I am running a Windows PKI, so will use this to issue replacement certificates. Both Log Insight and Operations follow the same process for generating a certificate, just the applying the certificate is slightly different.
I started working with this guide from VMware to replace the certificates on Log Insight, but it did not cover all aspects such as including the certificate chain which is partly why I am writing my own guide.
Step 1 – Create a config file to feed into OpenSSL for CSR creation
Create a new file with the name ConfigName.cfg with the following contents
[ req ] default_md = sha512 default_bits = 2048 default_keyfile = rui.key distinguished_name = req_distinguished_name encrypt_key = no prompt = no string_mask = nombstr req_extensions = v3_req [ v3_req ] basicConstraints = CA:FALSE keyUsage = digitalSignature, keyEncipherment, dataEncipherment extendedKeyUsage = serverAuth, clientAuth subjectAltName = DNS: ServerShortName, DNS: ServerIPAddress, DNS: server.domain.com [ req_distinguished_name ] countryName = Country stateOrProvinceName = State localityName = City 0.organizationName = Company Name organizationalUnitName = vRealize commonName = server.domain.com
Step 2 – Install OpenSSL
Head over to http://slproweb.com/products/Win32OpenSSL.html and grab a copy of Win OpenSSL suitable to your operating system.
run through the install wizard and head onto Step 3
Step 3 – Create a Certificate Signing Request and an RSA key
To make things easier, copy the ConfigName.cfg file you created earlier into the BIN folder. Fire up a command prompt window and navigate to the OpenSSL Install Directory/Bin. Run the following command to generate a new RSA key.
openssl genrsa -out configname.key 2048
Then run the following to create the Certificate Signing Request.
openssl req -new -key configname.key -out configname.csr -config configname.cfg
You will end up with 2 new files in the directory
Step 4 – Submit CSR to Microsoft Certificate Authority
Open the config.csr file in your favorite text editor and copy the contents.
Now head over to your internal CA at http://internalCA/certsrv and select Request a Certificate
Then choose Advanced Certificate Request
Paste the CSR into the request box and choose the appropriate Certificate Template. For more information on creating certificate template for vSphere 6 take a look here
Once you have clicked submit, download the certificate in Base 64 encoded format and save it to the BIN folder in the OpenSSL directory you used earlier.
Step 5 – Download the Certificate Authority certificate chain.
I include the chain in the certificate before importing it to Log Insight or Operations. First, we need to download the certificate chain though. Return to the home page of the certificate server and choose to Download a CA certificate, certificate chain or CRL.
Then download the CA certificate.
Save the file in the BIN directory for OpenSSL and rename it to root.cer
You should now have something that looks like this in the directory.
Step 6 – Create a PEM certificate for use with the vRealize products.
The vRealize products accept a new certificate in the PEM format. To create one is pretty simple, all we need to down is combine the KEY, the issued certificate, and the root certificate.
Open the configname.key file in a text editor. Do the same with configname.cer and root.cer
Create a new file so the contents are arranged as below. Save it as configname.pem
Step 7 – Import the certificate
For vRealize Operations, browse to https://applianceurl/admin and login.
Click the SSL Certificate option.
Then click to install new certificate.
Select the PEM certificate and click install.
Reload the page and the certificate should now show as valid.
To do this for vRelaize Log Insight, browse to the following URL and login; https://applianceurl and browse to the following location.
Click choose and browse to the PEM file generated for the Log Insight server.
Refresh the page and you should be done!
Hopefully, you found this post useful.