VMware LogInsight 4 – Custom SSL Certificate

In this post I will show the procedure for replacing the certificate on LogInsight. First thing to note here is that the certificate requirements are for a PEM format certificate.  In a previous post I showed the procedure for replacing the SSL certificates on the VMware vCenter Server and PSC.  For the VCSA/PSC we needed a *.cer base64 format certificate.

LogInsight 4.1

For the purposes of this post I am using a freshly installed vRLI 4.1 node in my lab. As you can see below the certificate currently being used is a self-signed certificate. I can replace the certificate as part of the initial install/setup or in this case afterwards. My node name is sto-vrli01.lab.local.

Self Signed Certificate

In order to create the CSR for the node I will use OpenSSL. If you don’t have OpenSSL already installed on your computer you can download a version. Here I am using a Windows 64-bit version that I downloaded from here. I previously installed OpenSSL onto my c drive.

First Generate the Private Key

In order to generate the CSR we first need to create a private key used to sign the request. To keep things simple I am running OpenSSL from the install location (c:\OpenSSL-Win64\bin) and so my generated files will be placed here. Run the following command to generate the key. *Note I have called the output key stovrli01.key

openssl genrsa -out stovrli01.key 2048

Generate the CSR

With the private key output saved there are a number of fields that may need to be edited in the openssl.cfg found in /bin. Check to see that there is a section marked [req] and that it has the req_extensions parameter defined. In my case it was. You may need to uncomment that parameter. Then under the [v3_req] section enter details for your node. My node name is sto-vrli01.lab.local and will have an IP of 10.10.100.25, although below I commented this out as I didn't want my certificate to be tied to that IP. There are additional details you can place into [ req_distinguished_name ] if required.

v3 req

You can edit the below text and paste this into the file instead:

[ v3_req ]

subjectAltName = DNS:sto-vrli01.lab.local
# subjectAltName = IP:10.10.100.25

[ req_distinguished_name ]

countryName = SE
stateOrProvinceName = Stockholm Lan 
localityName = Stockholm 
0.organizationName = Terataki.net 
organizationalUnitName = Lab 

Now that I have the openssl.cfg populated with the correct details, I can create the CSR from the previously generated key using the following command.

openssl req -new -key stovrli01.key -out stovrli01.csr
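Before submitting the CSR it is worth confirming that the subjectAltName from [v3_req] actually ended up in the request, because a CSR built while req_extensions is still commented out carries no SAN at all. The script below is an added example, not part of the original post: it builds two CSRs from a throwaway config (csr-demo.cnf, demo.key and no-san.lab.local are constructed names) and checks each one; the openssl commands are the same ones you would type on Windows.

```shell
#!/bin/sh
# Added example: confirm the subjectAltName from [v3_req] really ends up in the CSR.
# Files live in a temp directory; csr-demo.cnf and demo.key are constructed names.

make_csr() {   # $1 work dir, $2 FQDN, $3 optional replacement for the req_extensions line
    ext=${3-"req_extensions = v3_req"}
    cat > "$1/csr-demo.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = req_distinguished_name
$ext

[ req_distinguished_name ]
countryName      = SE
organizationName = Lab
commonName       = $2

[ v3_req ]
subjectAltName = DNS:$2
EOF
    ( umask 077; openssl genrsa -out "$1/demo.key" 2048 2>/dev/null ) || return 1
    openssl req -new -key "$1/demo.key" -config "$1/csr-demo.cnf" -out "$1/$2.csr"
}

csr_has_san() {   # $1 CSR file, $2 expected DNS name; 0 = the SAN lists that name
    openssl req -in "$1" -noout -text | grep -qF "DNS:$2"
}

workdir=$(mktemp -d)
make_csr "$workdir" sto-vrli01.lab.local                            # extensions enabled
make_csr "$workdir" no-san.lab.local '# req_extensions = v3_req'    # still commented out
for f in "$workdir"/*.csr; do
    name=$(basename "$f" .csr)
    if csr_has_san "$f" "$name"; then echo "$name: SAN present"; else echo "$name: SAN MISSING"; fi
done
```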

Submit CSR to CA

With the new CSR I can send this off to my CA, or in my lab I can now generate a certificate from the Microsoft CA I run. If I had direct access to the MS console I could run the following command to generate the certificate in PEM format:

certreq -submit -attrib "CertificateTemplate:WebServer" stovrli01.csr stovrli01.pem

However, in some environments, such as at a recent customer visit, we had to follow a different procedure, which is what I followed in my lab. First browse to the CA and click ‘Request a certificate’.

Click ‘advanced certificate request’

Then click ‘Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.’

Paste the text obtained from the csr file, with everything from and between -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST-----

My certificate is issued immediately in the Lab. Now I need to download both the Certificate and the Certificate Chain. With the Base64 encoded radio button checked download both. Save these with a relevant name to a location that you can easily find later. In my case I am calling them stovrli01.cer and chain.cer

Concatenate Certificate Files

Now to finish I need to concatenate the certificate files together to create a PEM file. In Notepad++ create a new file and name it stovrli01.pem. In the empty file paste the contents of stovrli01.key (open it in Notepad++) along with stovrli01.cer (open it in Notepad++) and chain.cer (open it in Notepad++). Be careful to ensure that you capture all the text. See below:

PEM File
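A copy and paste slip in this step only shows up when the upload is rejected, so it helps to check the bundle first. The script below is an added example, not part of the original post: it concatenates key, certificate and chain in the order described above, then confirms that the private key belongs to the certificate and that the certificate chains to the CA. The lab CA and other.key are constructed so the script runs offline, and it assumes chain.cer holds PEM-encoded CA certificates.

```shell
#!/bin/sh
# Added example: assemble the PEM bundle and sanity-check it before upload.
# The CA, keys and certificates are constructed in a temp directory so it runs offline.

build_pem() {    # $1 key, $2 server cert, $3 CA chain, $4 output; order as in the post
    ( umask 077; cat "$1" "$2" "$3" > "$4" )    # bundle contains the private key
}

check_bundle() { # 0 = first key matches first certificate and a chain cert follows
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ "$k" = "$c" ] || return 2
    [ "$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1")" -ge 2 ] || return 3
}

chain_ok() {     # $1 CA chain (PEM), $2 server cert; 0 = cert chains to the CA
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_demo_files() {  # $1 = work dir; constructed lab CA plus a signed server cert
    cd "$1" || return 1
    cat > demo.cnf <<EOF
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
CN = Demo Lab CA
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out chain.cer \
        -config demo.cnf -days 2 2>/dev/null || return 1
    openssl genrsa -out stovrli01.key 2048 2>/dev/null
    openssl genrsa -out other.key 2048 2>/dev/null     # unrelated key, negative case
    openssl req -new -key stovrli01.key -config demo.cnf -subj "/CN=sto-vrli01.lab.local" -out stovrli01.csr
    openssl x509 -req -in stovrli01.csr -CA chain.cer -CAkey ca.key -CAcreateserial \
        -days 1 -out stovrli01.cer 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo_files "$demo_dir"
build_pem stovrli01.key stovrli01.cer chain.cer stovrli01.pem
build_pem other.key stovrli01.cer chain.cer mismatch.pem
check_bundle stovrli01.pem && chain_ok chain.cer stovrli01.cer && echo "bundle OK"
check_bundle mismatch.pem || echo "mismatch.pem rejected (code $?)"
```

Because the finished PEM contains the unencrypted private key, keep it readable only by you and delete stray copies once the upload has succeeded.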

Install the Custom SSL Certificate

Browse to your LogInsight instance. In my case this is https://sto-vrli-o1.lob.local. Click on the 3 lines in the top right hand corner and select ‘Administration’, and then under Configuration select ‘SSL’. Within the SSL configuration click ‘Choose File’ and locate the new stovrli01.pem file. Once this has been validated click ‘SAVE’.

Uploading Certificate

The certificate will be uploaded and during this time you will see a dialogue saying that the certificate is being updated. Once complete quit the browser, reopen it and browse to the LogInsight Instance. You will now see that the certificate is showing as valid.

Updating Certificate

Valid Custom Certificate

 

 

This post was written using the following resources:

VMware documentation: Replacing the SSL certificate in LogInsight
Just another IT Blog
Virtualising Middle Earth
