Just Another IT Blog

It's time to share some of my experiences, crazy ideas, tips and tricks !!!

Post Page Advertisement [Top]

This post is another contribution of one of my friends, he's a VMware's Technical Account Manager, in fact he’s the oldest VMware’s TAM in Brazil, combining deep expertise and business oriented approach, he has been helping dozens of clients to extract the most of their VMware's products while bring to them all the innovation VMware has to offer, please, meet Jean Oliveira.

One of Jean’s clients wanted to replace vRealize Log Insight self-signed certificate with an certificate provided by an internal Microsoft CA.
Despite the fact you find the details on the documentation, he found a little bit more of information was required, so he created this procedure to avoid  keep jumping back and forward for information.

**** Create a Certificate Signing Request ****
On Log Insight Server or any other server where you have openssl installed
- Edit the /etc/ssl/openssl.cng;
- Make sure the [req] section has the req_extensions parameter defined;
        req_extensions=v3_req #

obs: req_extensions specifies the section that defines extensions to add to a certificate request, where v3_req is the name of the section we want because it allow us to specify Subject Alternative Names (SAN).

- Add an appropriate Subject Alternative Name entry for the hostname or IP address of your server;

- Save the file;
- Run the following command to generate your private key;
openssl genrsa -out server.key 2048

- Create a certificate signing request by running the following command;
openssl req -new -key server.key -out server.csr

**** Submit Certificate Request to a CA****

Now that you have your CSR it’s time to submit it to your CA and get your certificate back.

- In your Windows CA Server, run the following command to generate your certificate;
certreq -submit -attrib “CertificateTemplate:WebServer” server.csr server.pem

obs: “Certificate Template:WebServer” is the certificate template to be used, if you have another one you want to use just adjust the name accordingly.

**** Concatenate Certificate Files ****

Before you upload the certificate on Log Insight you need to concatenate them, so the root CA, intermediate CA (if any) an your certificate is all in on file.

- Create a new server-upload.pem file and open it in a text editor;
(it’s just an empty file)

- Copy the contents of your server.key file and paste it in server-upload.pem;
use the following format.
(Your Private Key: server.key) 

- Copy the contents of your server.pem file and paste it in server-upload.pem;
use the following format.
  (Your Primary SSL certificate: server.pem)

- If the Certificate Authorities provided you with an intermediate or chained certificate, append the intermediate or chained certificates along with the root certificate to the end of the server-upload.pem file;
use the following format.
(Your Intermediate certificate: intermediateCA.crt) 
(Your Root certificate: TrustedRoot.crt) 

- Save your server-upload.pem file;

**** Upload Certificate ****

Finally you have your certificate ready, it’s time to upload it.

- Log in on vRealize Log Insight Web Interface;
- In the configuration menu select Administration;
- Under configuration click SSL Certificate;
- Browse to your new certificate and click Open;
- Click Save;
- Restart vRealize Log Insight

If you are curious where all this information came from, please check:

 Let us know if it works for you !!!

Bottom Ad [Post Page]