This is the process to generate the CA signed SSL certificate for vRealize Log Insight. The VMware documentation for this isn’t really clear.
I am implementing a 3 node Log Insight cluster and will also utilise the Integrated Load Balancer feature.
The FQDN and IP addresses of the Log Insight appliances will be:
The FQDN and IP of the Integrated Load Balancer will be:
All of the above FQDN/IPs need to be in the certificate as Subject Alternative Names (SAN), and the certificate Enhanced Key Usage must include Server Authentication. The certificate you upload into the Log Insight appliances needs to be in the PEM format and include the CA intermediate and root certificates.
You need to generate the Private KEY and CSR files from OpenSSL. OpenSSL was installed on my laptop: c:\openssl.
Firstly you need to modify the OpenSSL configuration file to include specific settings and the SAN entries.
The configuration file is called OpenSSL.cfg and is located in the BIN folder i.e. C:\OpenSSL\BIN.
Edit OpenSSL.cfg file, copy and paste the below into the file, modify to suit your company name and details etc. Save the file once updated.
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:log01.lab.local, DNS:log02.lab.local, DNS:log03.lab.local, DNS:syslog.lab.local (**modify to suit)
[ req_distinguished_name ]
countryName = NZ (**modify to suit)
stateOrProvinceName = DownThere (**modify to suit)
localityName = YourCity (**modify to suit)
0.organizationName = MyCompanyName (**modify to suit)
organizationalUnitName = LogInsight (**modify to suit)
commonName = 10.1.1.10
You now need to run the OpenSSL commands to generate the Private KEY and CSR.
Open a command prompt as Administrator.
Change directory to your OPENSSL\BIN folder.
Run the following command to generate the Private KEY and CSR:
C:\OPENSSL\BIN\openssl.exe req -new -nodes -out server.csr -keyout server.key -config openssl.cfg
If you receive the following error: “no such file or directory – openssl.cfg” then you need to put a system entry into your machine to point to the openssl.cfg file. Run this command, changing the file path as required:
Once you have done this, re-run the command to generate the files.
Note: Should you be using the Integrated Load Balancer feature of vRealize Log Insight, your Common Name that you configure in your OPENSSL.CFG file MUST be the IP address that you will be using for the load balancer VIP. In my case the VIP will be 10.1.1.10 – so looking at my OPENSSL.CFG file you see I have set my Common Name to this IP.
Once you have run the command you should have in your BIN folder two files: SERVER.CSR and SERVER.KEY
You now need to submit the information contained in the CSR to a Certificate Root Authority (CA) to generate the SSL certificate. In my case I submitted this to my internal CA.
The certificate I received back from my CA was called server.cer. I opened this certificate and checked that the full CA chain back to the root was in place, the Enhanced Key Usage contained Sever Authentication, and I could see all my SANs entries were there and correct.
You now need to combine the Private Key, server.cer and your intermediate and root certificate authorities in a PEM file.
The certificate information for each of the above must be in the PEM file in the order listed above, from top to bottom.
Firstly, create a file called SERVER.PEM.
Open this file to edit.
Open your SERVER.KEY file and copy this information into the SERVER.PEM file and place at the top of the file.
Right click on your SERVER.CER file and open with Notepad. Copy all the information shown and append into the SERVER.PEM file
You need to copy the information from your Intermediate CA into the PEM file (Note: this step might not apply or you might only have one certificate that contains your intermediate and root CA). Right click your Intermediate CA certificate and open with Notepad. Copy all the information shown and append into the SERVER.PEM file.
You need to copy the information from your Root CA into the PEM file. Right click your Root CA certificate and open with Notepad. Copy all the information shown and append it to the SERVER.PEM file.
Save and close your SERVER.PEM file.
You now have a valid PEM file that can be uploaded to your vRealize Log Insight appliance.
Log into the web console, click Administration, then the SSL tab and upload your PEM certificate. Once it is uploaded, you must reboot the appliance for the certificate to become active.