This post is another contribution from one of my friends. He is a VMware Technical Account Manager,
in fact the oldest VMware TAM in Brazil. Combining deep expertise with a
business-oriented approach, he has been helping dozens of clients get the
most out of their VMware products while bringing them all the innovation VMware
has to offer. Please meet Jean Oliveira.
One of Jean’s clients wanted to replace the vRealize Log Insight self-signed certificate with a certificate provided by an internal Microsoft CA.
Although the details are in the documentation, he found that a
little more information was required, so he created this procedure to avoid jumping back and forth for information.
**** Create a Certificate Signing Request ****
On the Log Insight server, or any other server where you have openssl
installed:
- Edit the /etc/ssl/openssl.cnf file;
- Make sure the [req] section has the req_extensions parameter defined;
[req]
.
.
req_extensions=v3_req
obs: req_extensions specifies the section
that defines the extensions to add to a certificate request; v3_req
is the name of the section we want because it allows us to specify Subject
Alternative Names (SAN).
- Add an appropriate Subject Alternative Name entry for the hostname or
IP address of your server;
[v3_req]
.
.
subjectAltName=DNS:server-01.loginsight.domain
#subjectAltName=IP:10.27.74.215
- Save the file;
- Run the following command to generate your private key;
openssl genrsa -out server.key 2048
- Create a certificate signing request by running the following command;
openssl req -new -key server.key -out server.csr
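To avoid editing the system-wide openssl.cnf, and to confirm the SAN actually landed in the request before you submit it, the steps above can be scripted as follows. This is an added example, not part of Jean's original procedure; csr.cnf and the function names are hypothetical, and the host name is the sample value used in this post.

```bash
#!/usr/bin/env bash
# Added example: file and function names here are hypothetical.
# Usage: make_csr server-01.loginsight.domain . &&
#        csr_has_san ./server.csr DNS:server-01.loginsight.domain

make_csr() (
    # $1 = FQDN used for CN and SAN (sample value), $2 = working directory
    host="$1"; dir="$2"
    umask 077   # server.key and the other files created here are owner-only
    # Private config passed with -config, so /etc/ssl/openssl.cnf stays untouched
    cat > "$dir/csr.cnf" <<EOF
[req]
prompt             = no
distinguished_name = dn
req_extensions     = v3_req

[dn]
CN = $host

[v3_req]
subjectAltName = DNS:$host
EOF
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null &&
    openssl req -new -key "$dir/server.key" -config "$dir/csr.cnf" \
        -out "$dir/server.csr"
)

csr_sans() {
    # Print the SAN entries requested in CSR $1, one per line.
    # Empty output means the request carries no SAN extension.
    openssl req -in "$1" -noout -text |
        grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed 's/^ *//'
}

csr_has_san() {
    # $1 = CSR file, $2 = exact entry as openssl prints it, e.g.
    # DNS:server-01.loginsight.domain (IP entries print as "IP Address:x.x.x.x")
    csr_sans "$1" | grep -qxF "$2"
}
```

If csr_has_san fails, the req_extensions line was not picked up and the request carries no SAN; fix the config before submitting the CSR to the CA.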
**** Submit Certificate Request to a CA ****
Now that you have your CSR, it’s time to submit it to your CA and get
your certificate back.
- On your Windows CA server, run the following command to generate your
certificate;
certreq -submit -attrib "CertificateTemplate:WebServer" server.csr server.pem
obs: "CertificateTemplate:WebServer" is the certificate template to be
used; if you want to use another one, just adjust the name accordingly.
**** Concatenate Certificate Files ****
Before you upload the certificate to Log Insight you need to concatenate
the files, so the root CA, intermediate CA (if any) and your certificate are all in one
file.
- Create a new server-upload.pem file and open it in a text editor;
(it’s just an empty file)
- Copy the contents of your server.key file and paste it in
server-upload.pem;
use the following format.
-----BEGIN RSA PRIVATE KEY-----
(Your Private Key: server.key)
-----END RSA PRIVATE KEY-----
- Copy the contents of your server.pem file and paste it in
server-upload.pem;
use the following format.
-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate: server.pem)
-----END CERTIFICATE-----
- If the Certificate Authority provided you with an intermediate or
chained certificate, append the intermediate or chained certificates along with
the root certificate to the end of the server-upload.pem file;
use the following format.
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate: intermediateCA.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Root certificate: TrustedRoot.crt)
-----END CERTIFICATE-----
- Save your server-upload.pem file;
**** Upload Certificate ****
Finally, your certificate is ready; it’s time to upload it.
- Log in to the vRealize Log Insight web interface;
- In the configuration menu select Administration;
- Under Configuration, click SSL Certificate;
- Browse to your new certificate and click Open;
- Click Save;
- Restart vRealize Log Insight
If you are curious where all this information came from, please check:
Let us know if it works for you !!!