Generate PEM certificate for vRealize Log Insight Cluster and Integrated Load Balancer


This is the process to generate a CA-signed SSL certificate for vRealize Log Insight. The VMware documentation for this isn't really clear.

I am implementing a 3 node Log Insight cluster and will also utilise the Integrated Load Balancer feature.

The FQDN and IP addresses of the Log Insight appliances will be:

log01.lab.local    10.1.1.11
log02.lab.local    10.1.1.12
log03.lab.local    10.1.1.13

The FQDN and IP of the Integrated Load Balancer will be:

syslog.lab.local 10.1.1.10

All of the above FQDN/IPs need to be in the certificate as Subject Alternative Names (SAN), and the certificate Enhanced Key Usage must include Server Authentication. The certificate you upload into the Log Insight appliances needs to be in the PEM format and include the CA intermediate and root certificates.

You need to generate the private key and CSR files with OpenSSL. OpenSSL is installed on my laptop in c:\openssl.

Firstly you need to modify the OpenSSL configuration file to include specific settings and the SAN entries.

The configuration file is called OpenSSL.cfg and is located in the BIN folder, e.g. C:\OpenSSL\BIN.

Edit the OpenSSL.cfg file, paste the block below into it, and modify the marked values to suit your company name and details. Save the file once updated.

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
# modify to suit: every node FQDN, the load balancer FQDN and all of their IP addresses
subjectAltName = DNS:log01.lab.local, DNS:log02.lab.local, DNS:log03.lab.local, DNS:syslog.lab.local, IP:10.1.1.10, IP:10.1.1.11, IP:10.1.1.12, IP:10.1.1.13

[ req_distinguished_name ]
# modify the following five values to suit your organisation
countryName = NZ
stateOrProvinceName = DownThere
localityName = YourCity
0.organizationName = MyCompanyName
organizationalUnitName = LogInsight
# must be the IP address of the Integrated Load Balancer VIP (see the note below)
commonName = 10.1.1.10

You now need to run the OpenSSL command to generate the private key and CSR.

Open a command prompt as Administrator.

Change directory to your OPENSSL\BIN folder.

Run the following command to generate the private key and CSR:

C:\OPENSSL\BIN\openssl.exe req -new -nodes -out server.csr -keyout server.key -config openssl.cfg

If you receive the error "no such file or directory - openssl.cfg", OpenSSL cannot find its configuration file and you need to set the OPENSSL_CONF environment variable to point at it. Run this command, changing the file path as required:

set OPENSSL_CONF=c:\OpenSSL\bin\openssl.cfg

Once you have done this, re-run the command to generate the files.

Note: Should you be using the Integrated Load Balancer feature of vRealize Log Insight, your Common Name that you configure in your OPENSSL.CFG file MUST be the IP address that you will be using for the load balancer VIP. In my case the VIP will be 10.1.1.10 – so looking at my OPENSSL.CFG file you see I have set my Common Name to this IP.

Once you have run the command you should have two files in your BIN folder: SERVER.CSR and SERVER.KEY.

You now need to submit the CSR to a Certificate Authority (CA) to issue the SSL certificate. In my case I submitted it to my internal CA.

The certificate I received back from my CA was called server.cer. I opened this certificate and checked that the full CA chain back to the root was in place, the Enhanced Key Usage contained Server Authentication, and I could see all my SAN entries were there and correct.

You now need to combine the private key, server.cer and your intermediate and root CA certificates into a single PEM file.

The certificates must appear in the PEM file in the order listed above, from top to bottom: private key, server certificate, intermediate CA, root CA.

Firstly, create a file called SERVER.PEM and open it for editing.

Open your SERVER.KEY file, copy its contents and paste them at the top of the SERVER.PEM file.

Next, right click on your SERVER.CER file and open it with Notepad. Copy all the information shown and append it to the SERVER.PEM file.

Next, copy the information from your Intermediate CA certificate into the PEM file (Note: this step might not apply, or you might have only one certificate that contains both your intermediate and root CA). Right click your Intermediate CA certificate and open it with Notepad. Copy all the information shown and append it to the SERVER.PEM file.

Next, copy the information from your Root CA certificate into the PEM file. Right click your Root CA certificate and open it with Notepad. Copy all the information shown and append it to the SERVER.PEM file.

Finally, save and close your SERVER.PEM file.

You now have a valid PEM file that can be uploaded to your vRealize Log Insight appliance.
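The copy-and-paste assembly above, and the checks done by eye on the returned certificate, can be scripted so that a bad bundle is caught before it is uploaded. This is an added example, not part of the original post: a POSIX shell script that builds SERVER.PEM in the required order and verifies it with OpenSSL. The function names build_li_pem and li_cert_covers are this example's own; file names follow the post, and the intermediate CA is assumed to be a separate file.

```shell
#!/bin/sh
# Assemble SERVER.PEM in the order the post requires (private key, server
# certificate, intermediate CA, root CA) and run the checks the post does
# by eye: key matches certificate, chain verifies to the root, EKU includes
# Server Authentication. Usage:
#   build_li_pem server.key server.cer intermediate.cer root.cer server.pem
build_li_pem() {
  key=$1 cert=$2 inter=$3 root=$4 out=$5
  cat "$key" "$cert" "$inter" "$root" > "$out" || return 1
  # 1. The private key must belong to the leaf: compare the public keys.
  k=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
  [ "$k" = "$c" ] || { echo "key does not match certificate" >&2; return 1; }
  # 2. Leaf -> intermediate -> root must verify; only the root is trusted.
  openssl verify -CAfile "$root" -untrusted "$inter" "$cert" >/dev/null 2>&1 \
    || { echo "certificate chain does not verify" >&2; return 1; }
  # 3. Enhanced Key Usage must include Server Authentication.
  openssl x509 -in "$cert" -noout -text | grep -q 'TLS Web Server Authentication' \
    || { echo "serverAuth EKU missing" >&2; return 1; }
}

# Check that every node FQDN and the load balancer VIP appear as SANs.
# Usage: li_cert_covers server.cer log01.lab.local syslog.lab.local 10.1.1.10
li_cert_covers() {
  cert=$1; shift
  text=$(openssl x509 -in "$cert" -noout -text) || return 1
  for n in "$@"; do
    case $n in
      *[!0-9.]*) pat="DNS:$n" ;;          # hostname -> DNS SAN
      *)         pat="IP Address:$n" ;;   # IPv4 literal -> IP SAN
    esac
    # Anchor on the following comma or end of line so 10.1.1.1 does not
    # match 10.1.1.10.
    printf '%s\n' "$text" | grep -Eq -- "$pat(,|\$)" \
      || { echo "SAN missing: $n" >&2; return 1; }
  done
}
```

Both functions return non-zero and print the failing check on stderr, so they can gate the upload step in a larger script.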

Log into the web console, click Administration, then the SSL tab and upload your PEM certificate. Once it is uploaded, you must reboot the appliance for the certificate to become active.
