This blog will walk through how to create or replace the certificate for VMware vRealize Network Insight with a CA-signed certificate using the platform appliance.

Introduction

The following KB article provided by VMware illustrates the procedure for replacing the certificates for vRNI, VMware Official Documentation.

However, for those who are not Linux-savvy, this may be hard to follow. So I have decided to create this blog which will take you through an end-to-end process on how this can be achieved, without the need to use an external server or ESXi host to temporarily store the certificates.

For this blog, I will be using Microsoft Active Directory Certificate Services as my CA.

Tested Release Version

Prerequisites

• vRNI platform and collector deployed
• vRNI support user credentials
• Basic Linux knowledge
• WinSCP client on Windows (https://winscp.net/eng/index.php)

Generate Private Key and CSR

1. SSH to vRNI Platform appliance using support user, either using a windows PowerShell or Linux terminal.

   1	ssh support@{{ vnri ip }}

2. Create and enter into a folder for your cert creation workplace.

   1	mkdir ~/certs && cd ~/certs

3. Create a config file to be used with OpenSSL to create CSR, and run the following command to create an empty file.

   1	vim vrni_config.cfg

4. When using vim as the editor, to edit the file press i key to insert text.

5. Paste in the following template, and edit [ req_distinguished_name ] and [alt_names] sections according to your environment.

   1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

   [req] distinguished_name = req_distinguished_name req_extensions = v3_req prompt = no [req_distinguished_name] C = GB ST = Greater London L = London O = THMB OU = VMware CN = vrni-p01-mp.thmb.local [v3_req] subjectAltName = @alt_names [alt_names] DNS.1 = vrni-mp.thmb.local DNS.2 = vrni-p01-mp.thmb.local

6. When using vim as the editor, to save the file press the esc key, and enter :wq! followed by the return key.

7. Create the key file, by running the following:

   1	openssl genrsa -out vrni_key.key 2048

8. Verify the generated key file type is correct, by running the following command:

   1	file vrni_key.key

   The output should look like the following, where the file type is “PEM RSA private key”:

   1 2	support@vrni-platform-release:~/certs$ file vrni_key.key vrni_key.key: PEM RSA private key

   Bug

   There seems to be a bug in certain versions of OpenSSL where the file type of an RSA Private key shows to be “ASCII text”.

   Verify the private key format is RSA, by running the following command:

   1	openssl rsa -in vrni_key.key -check

   The output should contain the following

   1 2	RSA key ok writing RSA key

   Once the above has been verified. Proceed with the next step to “fix” the headers in the key file, by running the following command:

   1 2	sed -i 's/-----BEGIN PRIVATE KEY-----/-----BEGIN RSA PRIVATE KEY-----/g' vrni_key.key sed -i 's/-----END PRIVATE KEY-----/-----END RSA PRIVATE KEY-----/g' vrni_key.key

   The file type should now be “PEM RSA private key” this can be verified by running the following command:

   1	file vrni_key.key

9. Create the CSR using the generated key file, by running the following:

   1	openssl req -new -key vrni_key.key -config vrni_config.cfg -out vrni_csr.csr

10. Verify the CSR generated is correct:

    1	openssl req -text -noout -verify -in vrni_csr.csr

    The output should look like the following:

    1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47

    support@vrni-platform-release:~/certs$ openssl req -text -noout -verify -in vrni_csr.csr verify OK Certificate Request: Data: Version: 0 (0x0) Subject: C=GB, ST=Greater London, L=London, O=THMB, OU=VMware, CN=vrni-p01-mp.thmb.local Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:b6:ef:90:48:3e:50:2b:16:f2:4c:7f:cf:10:f1: 45:40:12:93:38:fb:18:cb:5c:11:e9:6a:d4:b2:19: 88:49:34:fb:86:d8:dc:48:93:ce:64:21:df:ff:b9: 0f:65:8a:cd:c8:af:7a:47:64:74:c8:52:2c:59:72: 06:1b:2c:1e:22:0f:4e:42:16:e0:3e:0f:85:ea:2e: ac:41:b5:a6:2c:9d:49:49:35:b3:21:27:73:11:c8: 7b:c0:7c:16:2e:01:25:f0:11:db:63:8d:cf:49:6b: ae:4f:b9:f9:08:30:fc:ae:d9:4d:1a:10:fa:23:c3: b1:c7:74:38:4c:fe:d4:5e:d3:b3:50:30:8b:c9:2f: 87:3c:30:ae:25:90:32:6c:63:33:5a:0e:fb:94:a4: b5:56:ab:94:a2:3e:d8:30:b3:49:7e:17:57:a7:17: e9:a0:0e:ea:ab:91:13:92:98:41:7b:c1:87:fb:03: 8f:e6:c2:57:e8:44:6c:db:04:ce:3a:65:f7:d1:f6: 95:be:ad:bf:be:e5:57:c3:52:4f:0b:21:f5:eb:de: 2c:15:a7:d8:33:bd:c6:fb:63:69:3c:ea:7d:7f:ce: bd:70:5f:cb:91:5c:5a:8f:c6:ef:52:18:90:83:5f: 32:7d Exponent: 65537 (0x10001) Attributes: Requested Extensions: X509v3 Subject Alternative Name: DNS:vrni-mp.thmb.local, DNS:vrni-p01-mp.thmb.local Signature Algorithm: sha256WithRSAEncryption ad:53:32:41:94:b1:56:93:98:fd:ac:b4:3f:61:df:cd:ce:af: f2:80:15:db:11:40:d8:1e:bd:15:75:88:48:24:42:78:e7:05: ba:1f:c8:a7:be:b1:54:dd:51:46:c2:91:4a:9d:b5:de:7d:8b: ae:24:38:bb:70:d1:f2:6a:d1:d9:b0:13:c4:90:e3:e4:84:11: 73:ae:3b:ca:4f:4f:91:a8:97:72:d7:94:e7:10:97:be:9b:df: 52:c3:37:eb:e2:86:db:cc:a1:8c:52:12:b6:94:39:14:ec:c1: ea:c6:c7:be:41:10:11:4d:3d:4c:65:8f:cf:1f:66:71:e9:f7: d4:14:18:b2:d5:a8:59:96:18:25:8c:e4:5e:d8:80:67:95:9c: 93:86:2d:d7:41:f8:51:3b:f6:6a:3e:df:da:66:3a:6a:24:29: 06:27:36:6a:33:d8:65:2f:96:f2:69:6c:b5:4a:b8:56:be:34: ec:21:fe:e4:21:1f:c6:93:93:44:db:54:b8:41:16:28:80:9f: 1d:1c:e8:dd:60:18:a8:4c:fb:5c:92:28:5c:f4:54:9a:90:1c: 3b:08:cf:28:93:c2:16:d9:1d:0d:e3:12:77:7b:86:a7:c6:5a: 50:73:f4:2a

Request Certificate from CA

1. Using the generated vrni_csr.csr, request the cert from your chosen Certificate Authority.

   The following steps illustrate the certificate request using Microsoft CA running on windows server 2016

2. Navigate to the Microsoft Certification Authority server in your browser, and type the IP address followed by certsrv.

   For example: https://{{ IP }}/certsrv

3. Click the Request a Certificate link.

4. Click the Advanced certificate request link.

5. Click Submit a certificate.

6. Paste the contents of your CSR file into the Saved Request text box.

7. Under Certificate Template, select Web Server from the drop-down menu.

8. Click Submit.

9. Select Base 64 encoded

10. Click Download Certificate and rename the downloaded certificate file to vrni_cert.cer

11. Download the CA root certificate, by navigating back to the homepage https://{{ IP }}/certsrv```

12. Click Download a CA Certificate

13. Under Encoding method, select Base 64

14. Click Download CA Certificate and rename the downloaded certificate file to ca_root_cert.cer

15. Optional, if an Intermediate certificate is present, ensure this is downloaded as Base 64 and renamed to ca_inter_cert.cer

Import CA Signed Certificate

1. Copy the vrni_cert.cer, ca_root_cert.cer and ca_inter_cert.cer (if present) files to the certs folder at ```/home/support/certs''' on the VRNI platform appliance. WinSCP can be used for the file transfer method with the support user credentials.

2. Create the cert chain file using the vrni_cert.cer, ca_root_cert.cer and ca_inter_cert.cer (if present) files, by running the following command on the vrni platform appliance as support user:

   1 2 3 4 5

   cat \ /home/support/certs/vrni_cert.cer \ /home/support/certs/ca_inter_cert.cer \ /home/support/certs/ca_root_cert.cer \ > vrni_cert_chain.cer

3. If there is a custom certificate already installed, we can remove it by running the following command on the vrni platform appliance as the consoleuser user:

   1	custom-cert remove

4. Import the CA-signed certificate and private key files, by running the following command as the consoleuser user, ensure to enter the password when prompted:

   1 2 3 4 5

   custom-cert copy --host localhost --user support --port 22 \ --path /home/support/certs/vrni_cert_chain.cer custom-cert copy --host localhost --user support --port 22 \ --path /home/support/certs/vrni_key.key

5. Ensure the certs have been imported, by running the following command as the consoleuser user:

   1	custom-cert list

   Output should look like the following:

   1 2 3

   (cli) custom-cert list vrni_cert_chain.cer vrni_key.key

6. If the above output is correct, apply the certificates, by running the following command:

   1	custom-cert apply