Friday, February 28, 2014

Replacing the SSL Certificate with a Microsoft CA Signed Certificate on the vCenter Log Insight 1.5 Virtual Appliance

Replacing the self-signed certificate of any product with a CA-signed alternative is commonplace and, in most security-conscious organisations, mandatory. Whilst working on an internal project recently I attempted to achieve just that for my vCenter Log Insight Virtual Appliance.

The official VMware documentation posted here is, in my opinion, very light in content on this subject: it only really describes how to replace the certificate by browsing for the .pem file and restarting the appliance. I'm no expert when it comes to SSL certificates, so the whole process was a little bit of trial and error, but I thought I would share the process with the community in an effort to save others some time.

Firstly, there are some specific requirements, which are well documented. These are:
  • The certificate file must contain both a valid private key and a valid certificate chain.
  • The private key is generated by the RSA or the DSA algorithm.
  • The private key is not encrypted by a pass phrase.
  • If the certificate is signed by a chain of other certificates, all other certificates are included in the certificate file that you plan to import.
  • The private key and all the certificates that are included in the certificate file are PEM-encoded. Log Insight does not support DER-encoded certificates and private keys.
  • The private key and all the certificates that are included in the certificate file are in the PEM format. Log Insight does not support certificates in the PFX, PKCS12, PKCS7, or other formats.
For the whole process I will be using the OpenSSL tool for Windows, which I have installed to the C:\OpenSSL folder.
I also use the C:\Certs folder to store the files generated throughout the process; if you have ever read one of the VMware KB articles this will look familiar.
The end-to-end process can be split into the following three stages, which is pretty standard for all VMware products where you want to replace the self-signed certificate:

Stage 1 – Generating the .csr file

1. Launch a command prompt and navigate into the OpenSSL directory.
2. In the C:\Certs folder, create a folder for your Log Insight certificate files (C:\Certs\Log-Insight).
3. Open a text editor on the system where OpenSSL is installed. Create a configuration file for vCenter Log Insight containing the following values (the values that were highlighted in red in the original post must be altered to match your environment: at minimum the subjectAltName host name and IP address, and the empty commonName, which should be the appliance's FQDN), then save it as C:\Certs\Log-Insight\openssl-loginsight.cfg, the path the command in step 4 expects.
[ req ]
default_md = sha512
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:false
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
# Replace "hostname" with the appliance FQDN and xx.xx.xx.xx with its IP address; give the trailing
# DNS: entry a value (for example the short host name) or remove it, as an empty entry is not valid.
subjectAltName = DNS:hostname, IP: xx.xx.xx.xx, DNS:
[ req_distinguished_name ]
countryName = UK
stateOrProvinceName = London
localityName = London
0.organizationName = VMware
organizationalUnitName = vCenter Log Insight
# Set to the appliance FQDN (the same name as the first DNS: entry above).
commonName =

4. Generate the .csr file by running the following command:
openssl req -new -nodes -out C:\Certs\Log-Insight\rui.csr -keyout C:\Certs\Log-Insight\rui-orig.key -config C:\Certs\Log-Insight\openssl-loginsight.cfg
5. Convert rui-orig.key into the traditional RSA PEM format (openssl req writes the key in PKCS#8 form; this step rewrites it as an RSA PRIVATE KEY block) by running the following command:

openssl rsa -in C:\Certs\Log-Insight\rui-orig.key -out C:\Certs\Log-Insight\rui.key

Stage 2 – Obtaining the Certificate

Now that you have your .csr file, use the Microsoft Certificate Authority to generate your certificate file. I've not documented the process as it is covered in many other blog posts; for reference take a look at Derek Seaman's blog here.

Stage 3 – Installing the Certificate

1. Launch a command prompt and navigate into the OpenSSL directory.
2. Next we need to merge the certificate, private key and CA chain by generating a .pfx file with the following command (C:\Certs\Root64.cer is the PEM/Base64 export of the CA chain, which -certfile requires; -passout sets the .pfx password, which you will be prompted for in the next step):
openssl pkcs12 -export -in C:\Certs\Log-Insight\rui.crt -inkey C:\Certs\Log-Insight\rui.key -certfile C:\Certs\Root64.cer -name rui -passout pass:testpassword -out C:\Certs\Log-Insight\rui.pfx

3. Now we need to convert the .pfx file into the format the vCenter Log Insight appliance accepts, a .pem file containing the unencrypted private key and the certificate chain, by issuing the following command and entering the password from step 2 when prompted (-nodes writes the private key out without a pass phrase, as the requirements above demand):

openssl pkcs12 -nodes -in C:\Certs\Log-Insight\rui.pfx -out C:\Certs\Log-Insight\rui.pem

4. Finally, upload the rui.pem file to the appliance as described in the VMware documentation.
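Most failed imports come from violating one of the requirements listed at the start of the post (a DER or PFX export, a pass-phrase-protected key, a missing chain). The following pre-upload check is an added example, not part of the original post or of VMware's tooling; it uses only the Python standard library, reports which of those requirements a candidate rui.pem breaks, and key_matches_certificate uses the ssl module to confirm the key pairs with the certificate. SAMPLE_BUNDLE is a constructed stand-in for the openssl pkcs12 -nodes output with placeholder bodies rather than real key material.

```python
import re
import ssl
# Each PEM-armoured block: group 1 is the label, group 2 the body (any headers plus base64).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def check_log_insight_bundle(data: bytes) -> list:
    """Return the requirements a candidate rui.pem violates; an empty list means it looks importable."""
    if b"-----BEGIN " not in data:
        # No PEM armour at all: a DER .cer, a .pfx (PKCS#12) or a binary PKCS#7 export all look like this.
        return ["not PEM-encoded (DER, PFX/PKCS12 or another binary format)"]
    blocks = PEM_BLOCK.findall(data.decode("ascii", errors="replace"))
    labels = [label for label, _ in blocks]
    problems = []
    if sum(label.endswith("PRIVATE KEY") for label in labels) != 1:
        problems.append("file must contain exactly one private key")
    for label, body in blocks:
        if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            problems.append("private key is protected by a pass phrase")
        elif label == "PRIVATE KEY":  # PKCS#8, the form 'openssl req' writes before Stage 1 step 5 converts it
            problems.append("key is PKCS#8: run the 'openssl rsa' step so it is written as RSA PRIVATE KEY")
        elif label.endswith("PRIVATE KEY") and label not in ("RSA PRIVATE KEY", "DSA PRIVATE KEY"):
            problems.append("unsupported key algorithm: " + label)
    certs = labels.count("CERTIFICATE")
    if certs == 0:
        problems.append("no certificate block")
    elif certs == 1:
        problems.append("only the server certificate is present: the CA chain (-certfile) is missing")
    return problems

def key_matches_certificate(pem_path: str) -> bool:
    """Cryptographic check via the stdlib ssl module: the key must pair with the first certificate in the file."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(pem_path)  # OpenSSL rejects a key/certificate mismatch or a pass-phrase-protected key
        return True
    except ssl.SSLError:
        return False

# Constructed sample shaped like 'openssl pkcs12 -nodes' output; the bodies are placeholders, not real key material.
SAMPLE_BUNDLE = b"""-----BEGIN RSA PRIVATE KEY-----
MIIEplaceholderKeyBody==
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDplaceholderServerCert==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDplaceholderRootCA==
-----END CERTIFICATE-----
"""
```

Run check_log_insight_bundle over the bytes of the real rui.pem before uploading, then key_matches_certificate on its path; the structural check deliberately ignores the Bag Attributes lines that openssl pkcs12 prints between blocks.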

1 comment:

  1. Fantastic, thanks. Followed lots of dead ends today and this worked a treat.