Tuesday, June 16, 2015

Generate Internal Certificate for vRealize Log Insight


This post is another contribution from one of my friends. He is a VMware Technical Account Manager, in fact the oldest VMware TAM in Brazil. Combining deep expertise with a business-oriented approach, he has been helping dozens of clients get the most out of their VMware products while bringing them all the innovation VMware has to offer. Please meet Jean Oliveira.

One of Jean’s clients wanted to replace the vRealize Log Insight self-signed certificate with a certificate provided by an internal Microsoft CA.
Although the details are in the documentation, he found that a little more information was required, so he created this procedure to avoid jumping back and forth for information.


**** Create a Certificate Signing Request ****
 
On the Log Insight server or any other server where you have openssl installed:
- Edit /etc/ssl/openssl.cnf;
- Make sure the [req] section has the req_extensions parameter defined;
[req]
.
.
        req_extensions=v3_req

Note: req_extensions specifies the section that defines the extensions to add to a certificate request. v3_req is the name of the section we want because it allows us to specify Subject Alternative Names (SAN).

- Add an appropriate Subject Alternative Name entry for the hostname or IP address of your server;
[v3_req]
.
.
        subjectAltName=DNS:server-01.loginsight.domain
        #subjectAltName=IP:10.27.74.215

- Save the file;
- Run the following command to generate your private key;
openssl genrsa -out server.key 2048

- Create a certificate signing request by running the following command;
openssl req -new -key server.key -out server.csr

**** Submit Certificate Request to a CA ****

Now that you have your CSR it’s time to submit it to your CA and get your certificate back.

- On your Windows CA server, run the following command to generate your certificate;
certreq -submit -attrib "CertificateTemplate:WebServer" server.csr server.pem

Note: "CertificateTemplate:WebServer" names the certificate template to be used. If you want to use another template, adjust the name accordingly.

**** Concatenate Certificate Files ****

Before you upload the certificate to Log Insight you need to concatenate the files, so that the root CA, the intermediate CA (if any) and your certificate are all in one file, together with your private key.

- Create a new server-upload.pem file and open it in a text editor;
(it’s just an empty file)

- Copy the contents of your server.key file and paste it in server-upload.pem;
use the following format.
-----BEGIN RSA PRIVATE KEY----- 
(Your Private Key: server.key) 
-----END RSA PRIVATE KEY----- 

- Copy the contents of your server.pem file and paste it in server-upload.pem;
use the following format.
-----BEGIN CERTIFICATE----- 
  (Your Primary SSL certificate: server.pem)
-----END CERTIFICATE-----  

- If the Certificate Authorities provided you with an intermediate or chained certificate, append the intermediate or chained certificates along with the root certificate to the end of the server-upload.pem file;
use the following format.
-----BEGIN CERTIFICATE----- 
(Your Intermediate certificate: intermediateCA.crt) 
-----END CERTIFICATE----- 
-----BEGIN CERTIFICATE----- 
(Your Root certificate: TrustedRoot.crt) 
-----END CERTIFICATE-----

- Save your server-upload.pem file;
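
The checks below cover two points this procedure depends on: that the CSR and the issued certificate actually carry the Subject Alternative Name, and that server-upload.pem is assembled in the order shown above with a private key that matches the certificate. This is an added example, not part of the original procedure; the function names are hypothetical and the file names are the ones used in this post.

```shell
#!/bin/sh
# Added example: helper names are hypothetical; file names follow the post.

# csr_has_san CSR: succeeds only if the request carries a SAN extension.
csr_has_san() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        grep -q 'Subject Alternative Name'
}

# cert_has_san CERT: same check on the certificate the CA returned.
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -q 'Subject Alternative Name'
}

# key_matches_cert KEY CERT: compares the public key derived from the
# private key with the public key embedded in the certificate.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# build_bundle OUT KEY CERT [INTERMEDIATE... ROOT]
# Writes key, server certificate and chain in the order the post gives.
build_bundle() {
    out=$1 key=$2 cert=$3
    shift 3
    key_matches_cert "$key" "$cert" ||
        { echo "private key does not match certificate" >&2; return 1; }
    cert_has_san "$cert" ||
        { echo "certificate has no subjectAltName" >&2; return 1; }
    # The bundle contains the private key: create it owner-only (0600).
    # tr/awk strip CRs from Windows-side files and guarantee a final newline
    # so PEM markers from adjacent files never run together.
    (
        umask 077
        for f in "$key" "$cert" "$@"; do
            tr -d '\r' < "$f" | awk 1
        done > "$out"
    )
}
```

Source the file, run `csr_has_san server.csr` before submitting the request, and run `build_bundle server-upload.pem server.key server.pem intermediateCA.crt TrustedRoot.crt` once the CA has returned the certificate.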


**** Upload Certificate ****

Now that your certificate is ready, it’s time to upload it.

- Log in to the vRealize Log Insight web interface;
- In the configuration menu select Administration;
- Under configuration click SSL Certificate;
- Browse to your new certificate and click Open;
- Click Save;
- Restart vRealize Log Insight.

If you are curious where all this information came from, please check:

 Let us know if it works for you !!!

Who am I

I’m an IT specialist with over 15 years of experience, working from IT infrastructure to management products, troubleshooting and project management skills from medium to large environments. Nowadays I'm working for VMware as a Consulting Architect, helping customers to embrace the Cloud Era and make them successful on their journey. Despite the fact I'm a VMware employee, these postings reflect my own opinion and do not represent VMware's position, strategies or opinions. Reach me at @dumeirell