Replacing the self-signed SSL certificate used by vRealize Log Insight (vRLI) takes a little more work than on some other appliances in the product stack; however, the process is simple enough and is documented in this article.
To follow the procedure detailed in this article, you’ll need to download OpenSSL. It is OpenSSL that we’ll use to create our certificate requests before processing them via our domain’s certificate authority.
Firstly, we’ll need to create a configuration file containing the subject names, etc., of our vRealize Log Insight environment.
1. Create a new config file using the below content. Edit the subjectAltName and all req_distinguished_name fields accordingly. When ready, save the file with an appropriate name (e.g. vRLI.cfg), and copy the file to C:\Program Files\OpenSSL-Win64\bin\vrli.
[ req ]
default_md = sha512
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS: vrli.vgarethlewis.com

[ req_distinguished_name ]
countryName = CountryName
stateOrProvinceName = StateorProvinceName
localityName = LocalityName
0.organizationName = OrganisationName
organizationalUnitName = OrganizationalUnitName
commonName = vrli.vgarethlewis.com
2. I’m using Windows, so open a Command Prompt and browse to C:\Program Files\OpenSSL-Win64\bin\.
3. Run the below command to generate the required key file.
openssl genrsa -out vrli\vrli.key 2048
4. Run the below command to generate our certificate request. Confirm creation of the two files.
openssl req -new -key vrli\vrli.key -out vrli\vrli.csr -config vrli\vrli.cfg
5. Browse to your CA (https://<FQDN-or-IP-Address>/certsrv) and click advanced certificate request.
6. Copy the contents of the certificate request (.csr) file, set Certificate Template to VMware, and click Submit. Save the new certificate as vrli.cer.
7. Select Base 64 encoded and click Download certificate.
8. Finally, browse back to https://<FQDN-or-IP-Address>/certsrv and click Download a CA certificate, certificate chain, or CRL, download the Certificate Authority certificate chain, and save as root.cer.
9. Confirm creation of all required files:
10. Next we’ll need to create our final PEM file which we’ll upload to vRLI. Simply copy the contents of the key (vrli.key), issued certificate (vrli.cer), and CA chain (root.cer) files into a text editor and ensure they are pasted in the below order:
-----BEGIN RSA PRIVATE KEY-----
Contents of the .key file go here
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Contents of the vrli.cer file go here
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Contents of the root.cer go here
-----END CERTIFICATE-----
11. Browse to Administration > SSL and click Choose File to upload the new PEM file.
12. Monitor the upload progress.
13. Once uploaded, click View Details to view the certificate information.
14. Finally, browse to vRLI and confirm your certificate has been applied successfully.
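A pre-upload check for the PEM file assembled in step 10, as an added example (not from the original article or from VMware): it confirms the file starts with exactly one unencrypted private key, followed by the issued certificate and the CA chain, and flags stray blocks such as a pasted CSR. The function names and sample data are constructed for illustration; the check covers block order and encoding only, not whether the key matches the certificate.

```python
import base64
import re

# A PEM block: matching BEGIN/END labels around a base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)
KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY"}  # PKCS#1 and PKCS#8 headers


def check_bundle(pem_text):
    """Return a list of problems found in a key + cert + chain PEM file."""
    problems = []
    # Text editors on Windows may prepend a byte-order mark; ignore it.
    blocks = PEM_BLOCK.findall(pem_text.lstrip("\ufeff"))
    if not blocks:
        return ["no PEM blocks found"]
    labels = [label for label, _ in blocks]
    for label, body in blocks:
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # also raised for encrypted-key header lines
            problems.append(f"{label}: body is not valid base64")
    if labels[0] not in KEY_LABELS:
        problems.append(f"first block is {labels[0]}, expected the private key")
    if sum(label in KEY_LABELS for label in labels) != 1:
        problems.append("expected exactly one unencrypted private key")
    certs = labels.count("CERTIFICATE")
    if certs < 2:
        problems.append(f"found {certs} certificate(s), expected issued cert and CA chain")
    for label in labels:
        if label not in KEY_LABELS and label != "CERTIFICATE":
            problems.append(f"unexpected block: {label}")
    return problems


def sample_block(label, payload):
    """Build a constructed PEM block (dummy bytes, not real key material)."""
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed samples: the order from step 10, and a file with the key last.
GOOD = (sample_block("RSA PRIVATE KEY", b"key") + sample_block("CERTIFICATE", b"leaf")
        + sample_block("CERTIFICATE", b"ca"))
BAD = sample_block("CERTIFICATE", b"leaf") + sample_block("RSA PRIVATE KEY", b"key")

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_bundle(text) or "ok")
```

To check a real file, pass its text to check_bundle(); an empty list means the layout matches step 10.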