Replace SSL certificates on VMware vRealize Log Insight (vRLI) and vRealize Operations (vROps)


Background

After the initial install of a couple of the vRealize products, Log Insight and Operations, I wanted to remove the annoying warning about the default self-signed certificates not being trusted. I am running a Windows PKI, so will use this to issue replacement certificates. Both Log Insight and Operations follow the same process for generating a certificate; only applying the certificate is slightly different.

The Solution

I started working with this guide from VMware to replace the certificates on Log Insight, but it did not cover all aspects, such as including the certificate chain, which is partly why I am writing my own guide.

Step 1 – Create a config file to feed into OpenSSL for CSR creation

Create a new file with the name ConfigName.cfg with the following contents:

[ req ]
default_md = sha512
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS: ServerShortName, DNS: ServerIPAddress, DNS: server.domain.com

[ req_distinguished_name ]
countryName = Country
stateOrProvinceName = State
localityName = City
0.organizationName = Company Name
organizationalUnitName = vRealize
commonName = server.domain.com

Make sure you update the placeholder values in the file above (such as the subjectAltName entries and the req_distinguished_name fields) to reflect your organisation and server details.

Step 2 – Install OpenSSL

Head over to http://slproweb.com/products/Win32OpenSSL.html and grab a copy of Win OpenSSL suitable to your operating system.

Run through the install wizard and head on to Step 3.

Step 3 – Create a Certificate Signing Request and an RSA key

To make things easier, copy the ConfigName.cfg file you created earlier into the BIN folder. Fire up a command prompt window and navigate to the OpenSSL Install Directory/Bin. Run the following command to generate a new RSA key.

openssl genrsa -out configname.key 2048

Then run the following to create the Certificate Signing Request.

openssl req -new -key configname.key -out configname.csr -config configname.cfg

You will end up with 2 new files in the directory: configname.key and configname.csr.

Step 4 – Submit CSR to Microsoft Certificate Authority

Open the configname.csr file in your favorite text editor and copy the contents.

Now head over to your internal CA at http://internalCA/certsrv and select Request a Certificate

Then choose Advanced Certificate Request

Paste the CSR into the request box and choose the appropriate Certificate Template. For more information on creating a certificate template for vSphere 6, take a look here.

Once you have clicked submit, download the certificate in Base 64 encoded format and save it to the BIN folder in the OpenSSL directory you used earlier.

Step 5 – Download the Certificate Authority certificate chain.

I include the chain in the certificate before importing it to Log Insight or Operations. First, we need to download the certificate chain though. Return to the home page of the certificate server and choose to Download a CA certificate, certificate chain or CRL.

Then download the CA certificate.

Save the file in the BIN directory for OpenSSL and rename it to root.cer.

You should now have the config file, the key, the CSR, the issued certificate and root.cer in the directory.

Step 6 – Create a PEM certificate for use with the vRealize products.

The vRealize products accept a new certificate in the PEM format. Creating one is pretty simple: all we need to do is combine the KEY, the issued certificate, and the root certificate.

Open the configname.key file in a text editor. Do the same with configname.cer and root.cer.

Create a new file with the contents of the three files arranged one after the other, and save it as configname.pem.
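A scripted version of Step 6, added here as an example and not part of the original post: it joins the three files in the order the text names them (key, issued certificate, root certificate) and refuses inputs that commonly break the import, such as a DER download, a passphrase-protected key, or files supplied in the wrong slot. The function names pem_blocks, build_bundle and sample are hypothetical, the sample payloads are constructed and are not real keys or certificates, and the ordering is an assumption taken from the sentence above because the screenshot is not reproduced here.

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)
KEY, CERT = {"RSA PRIVATE KEY", "PRIVATE KEY"}, {"CERTIFICATE"}


def pem_blocks(text, source):
    """Return (label, re-wrapped block) per PEM block; a BOM is ignored."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        if "ENCRYPTED" in label or "ENCRYPTED" in body:
            raise ValueError(f"{source}: private key is passphrase-protected")
        b64 = "".join(body.split())           # remove CRLF and stray spaces
        base64.b64decode(b64, validate=True)  # raises on a corrupted paste
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        blocks.append((label, "\n".join(
            [f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"])))
    if not blocks:
        raise ValueError(f"{source}: no PEM block found (DER download?)")
    return blocks


def build_bundle(key_text, cert_text, root_text):
    """Join key, issued certificate and CA certificate(s) into one PEM."""
    parts = []
    for source, text, allowed, many in (
            ("configname.key", key_text, KEY, False),
            ("configname.cer", cert_text, CERT, False),
            ("root.cer", root_text, CERT, True)):
        blocks = pem_blocks(text, source)
        labels = [label for label, _ in blocks]
        if not set(labels) <= allowed or (len(blocks) > 1 and not many):
            raise ValueError(f"{source}: unexpected contents {labels}")
        parts += [block for _, block in blocks]
    return "\n".join(parts) + "\n"


def sample(label, payload):
    """Constructed stand-in for a real PEM file (payload is not real DER)."""
    body = base64.encodebytes(payload).decode().replace("\n", "\r\n")
    return f"\ufeff-----BEGIN {label}-----\r\n{body}-----END {label}-----\r\n"


if __name__ == "__main__":
    demo = [sample("RSA PRIVATE KEY", b"k" * 100),
            sample("CERTIFICATE", b"c" * 100), sample("CERTIFICATE", b"r" * 100)]
    print(build_bundle(*demo), end="")
```

The check is structural only; it does not confirm that the key matches the certificate or that the certificate chains to the root.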

Step 7 – Import the certificate

For vRealize Operations, browse to https://applianceurl/admin and log in.

Click the SSL Certificate option.

Then click to install new certificate.

Select the PEM certificate and click install.

Reload the page and the certificate should now show as valid.

To do this for vRealize Log Insight, browse to https://applianceurl, log in, and browse to the certificate upload location (shown in a screenshot in the original post).

Click choose and browse to the PEM file generated for the Log Insight server.

Refresh the page and you should be done!

Hopefully, you found this post useful.

Ian
