Posts Tags Categories About

Replacing certificates for VMware vRealize Network Insight

 included in VMware VCF Operations
   1043 words   5 minutes 
/featured-image/Replacing certificates for VMware vRealize Network Insight.png
Contents

This blog will walk through how to create or replace the certificate for VMware vRealize Network Insight with a CA-signed certificate using the platform appliance.

The following KB article provided by VMware illustrates the procedure for replacing the certificates for vRNI, VMware Official Documentation.

However, for those who are not Linux-savvy, this may be hard to follow. So I have decided to create this blog which will take you through an end-to-end process on how this can be achieved, without the need to use an external server or ESXi host to temporarily store the certificates.

For this blog, I will be using Microsoft Active Directory Certificate Services as my CA.

Software Version
vRNI 6.5.1

  1. SSH to vRNI Platform appliance using support user, either using a windows PowerShell or Linux terminal.

    1

    ssh support@{{ vnri ip }}

  2. Create and enter into a folder for your cert creation workplace.

    1

    mkdir ~/certs && cd ~/certs

  3. Create a config file to be used with OpenSSL to create CSR, and run the following command to create an empty file.

    1

    vim vrni_config.cfg

  4. When using vim as the editor, to edit the file press i key to insert text.

  5. Paste in the following template, and edit [ req_distinguished_name ] and [alt_names] sections according to your environment.

     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16

    [req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = GB
ST = Greater London
L = London
O = THMB
OU = VMware
CN = vrni-p01-mp.thmb.local
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = vrni-mp.thmb.local
DNS.2 = vrni-p01-mp.thmb.local

  6. When using vim as the editor, to save the file press the esc key, and enter :wq! followed by the return key.

  7. Create the key file, by running the following:

    1

    openssl genrsa -out vrni_key.key 2048

  8. Verify the generated key file type is correct, by running the following command:

    1

    file vrni_key.key

    The output should look like the following, where the file type is “PEM RSA private key”:

    1
2

    support@vrni-platform-release:~/certs$ file vrni_key.key
vrni_key.key: PEM RSA private key
    Bug
    There seems to be a bug in certain versions of OpenSSL where the file type of an RSA Private key shows to be “ASCII text”.

    Verify the private key format is RSA, by running the following command:

    1

    openssl rsa -in vrni_key.key -check

    The output should contain the following

    1
2

    RSA key ok
writing RSA key

    Once the above has been verified. Proceed with the next step to “fix” the headers in the key file, by running the following command:

    1
2

    sed -i 's/-----BEGIN PRIVATE KEY-----/-----BEGIN RSA PRIVATE KEY-----/g' vrni_key.key
sed -i 's/-----END PRIVATE KEY-----/-----END RSA PRIVATE KEY-----/g' vrni_key.key

    The file type should now be “PEM RSA private key” this can be verified by running the following command:

    1

    file vrni_key.key

  9. Create the CSR using the generated key file, by running the following:

    1

    openssl req -new -key vrni_key.key -config vrni_config.cfg -out vrni_csr.csr

  10. Verify the CSR generated is correct:

    1

    openssl req -text -noout -verify -in vrni_csr.csr

    The output should look like the following:

     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47

    support@vrni-platform-release:~/certs$ openssl req -text -noout -verify -in vrni_csr.csr
verify OK
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=GB, ST=Greater London, L=London, O=THMB, OU=VMware, CN=vrni-p01-mp.thmb.local
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b6:ef:90:48:3e:50:2b:16:f2:4c:7f:cf:10:f1:
                    45:40:12:93:38:fb:18:cb:5c:11:e9:6a:d4:b2:19:
                    88:49:34:fb:86:d8:dc:48:93:ce:64:21:df:ff:b9:
                    0f:65:8a:cd:c8:af:7a:47:64:74:c8:52:2c:59:72:
                    06:1b:2c:1e:22:0f:4e:42:16:e0:3e:0f:85:ea:2e:
                    ac:41:b5:a6:2c:9d:49:49:35:b3:21:27:73:11:c8:
                    7b:c0:7c:16:2e:01:25:f0:11:db:63:8d:cf:49:6b:
                    ae:4f:b9:f9:08:30:fc:ae:d9:4d:1a:10:fa:23:c3:
                    b1:c7:74:38:4c:fe:d4:5e:d3:b3:50:30:8b:c9:2f:
                    87:3c:30:ae:25:90:32:6c:63:33:5a:0e:fb:94:a4:
                    b5:56:ab:94:a2:3e:d8:30:b3:49:7e:17:57:a7:17:
                    e9:a0:0e:ea:ab:91:13:92:98:41:7b:c1:87:fb:03:
                    8f:e6:c2:57:e8:44:6c:db:04:ce:3a:65:f7:d1:f6:
                    95:be:ad:bf:be:e5:57:c3:52:4f:0b:21:f5:eb:de:
                    2c:15:a7:d8:33:bd:c6:fb:63:69:3c:ea:7d:7f:ce:
                    bd:70:5f:cb:91:5c:5a:8f:c6:ef:52:18:90:83:5f:
                    32:7d
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:vrni-mp.thmb.local, DNS:vrni-p01-mp.thmb.local
    Signature Algorithm: sha256WithRSAEncryption
         ad:53:32:41:94:b1:56:93:98:fd:ac:b4:3f:61:df:cd:ce:af:
         f2:80:15:db:11:40:d8:1e:bd:15:75:88:48:24:42:78:e7:05:
         ba:1f:c8:a7:be:b1:54:dd:51:46:c2:91:4a:9d:b5:de:7d:8b:
         ae:24:38:bb:70:d1:f2:6a:d1:d9:b0:13:c4:90:e3:e4:84:11:
         73:ae:3b:ca:4f:4f:91:a8:97:72:d7:94:e7:10:97:be:9b:df:
         52:c3:37:eb:e2:86:db:cc:a1:8c:52:12:b6:94:39:14:ec:c1:
         ea:c6:c7:be:41:10:11:4d:3d:4c:65:8f:cf:1f:66:71:e9:f7:
         d4:14:18:b2:d5:a8:59:96:18:25:8c:e4:5e:d8:80:67:95:9c:
         93:86:2d:d7:41:f8:51:3b:f6:6a:3e:df:da:66:3a:6a:24:29:
         06:27:36:6a:33:d8:65:2f:96:f2:69:6c:b5:4a:b8:56:be:34:
         ec:21:fe:e4:21:1f:c6:93:93:44:db:54:b8:41:16:28:80:9f:
         1d:1c:e8:dd:60:18:a8:4c:fb:5c:92:28:5c:f4:54:9a:90:1c:
         3b:08:cf:28:93:c2:16:d9:1d:0d:e3:12:77:7b:86:a7:c6:5a:
         50:73:f4:2a

  1. Using the generated vrni_csr.csr, request the cert from your chosen Certificate Authority.

    The following steps illustrate the certificate request using Microsoft CA running on windows server 2016

  2. Navigate to the Microsoft Certification Authority server in your browser, and type the IP address followed by certsrv.

    For example: https://{{ IP }}/certsrv

  3. Click the Request a Certificate link.

  4. Click the Advanced certificate request link.

  5. Click Submit a certificate.

  6. Paste the contents of your CSR file into the Saved Request text box.

  7. Under Certificate Template, select Web Server from the drop-down menu.

  8. Click Submit.

  9. Select Base 64 encoded

  10. Click Download Certificate and rename the downloaded certificate file to vrni_cert.cer

  11. Download the CA root certificate, by navigating back to the homepage https://{{ IP }}/certsrv```

  12. Click Download a CA Certificate

  13. Under Encoding method, select Base 64

  14. Click Download CA Certificate and rename the downloaded certificate file to ca_root_cert.cer

  15. Optional, if an Intermediate certificate is present, ensure this is downloaded as Base 64 and renamed to ca_inter_cert.cer

  1. Copy the vrni_cert.cer, ca_root_cert.cer and ca_inter_cert.cer (if present) files to the certs folder at ```/home/support/certs''' on the VRNI platform appliance. WinSCP can be used for the file transfer method with the support user credentials.

  2. Create the cert chain file using the vrni_cert.cer, ca_root_cert.cer and ca_inter_cert.cer (if present) files, by running the following command on the vrni platform appliance as support user:

    1
2
3
4
5

    cat \
/home/support/certs/vrni_cert.cer \
/home/support/certs/ca_inter_cert.cer \
/home/support/certs/ca_root_cert.cer \
> vrni_cert_chain.cer

  3. If there is a custom certificate already installed, we can remove it by running the following command on the vrni platform appliance as the consoleuser user:

    1

    custom-cert remove

  4. Import the CA-signed certificate and private key files, by running the following command as the consoleuser user, ensure to enter the password when prompted:

    1
2
3
4
5

    custom-cert copy --host localhost --user support --port 22 \
--path /home/support/certs/vrni_cert_chain.cer

custom-cert copy --host localhost --user support --port 22 \
--path /home/support/certs/vrni_key.key

  5. Ensure the certs have been imported, by running the following command as the consoleuser user:

    1

    custom-cert list

    Output should look like the following:

    1
2
3

    (cli) custom-cert list
vrni_cert_chain.cer
vrni_key.key

  6. If the above output is correct, apply the certificates, by running the following command:

    1

    custom-cert apply
Updated on 2022-08-14
 OpenSSLCertsSSL
Back | Home
/static/android-chrome-512x512.png

Harry Roshan Thambi
VMware Technical Architect
@ Xtravirt Ltd
Interested virtualisation, cloud and anything that can be automated.


categories