vRLI 8.x – Replace the built-in certificate with a custom certificate

When you install vRLI, a common first task is to replace the built-in self-signed certificate. I wanted to go over the process in a post since it makes sense to see the whole procedure in one place. Most people will know why we want to do this, apart from getting rid of the warning page in various browsers or the HSTS (HTTP Strict Transport Security) block: a certificate issued by a CA that your clients already trust lets them verify that they are really talking to your Log Insight servers, so credentials and log data are protected in transit instead of being sent to whoever answers on that address. It is worth mentioning that this process also works with older versions of vRealize Log Insight.

There are a number of steps to replacing the certificate, and they are listed here. Since I use a Windows AD for this I will cover the CA signature using the Certificate Authority from Windows (Active Directory Certificate Services). Before you start make sure you have a VMware certificate template set up on the CA; if not you can find an example here. The template must take the subject name from the request ("Supply in the request"), otherwise the CA builds the subject from AD and ignores the subjectAltName you put in the CSR.

  1. First we need to install OpenSSL. I will do this on a Windows host in this case.
  2. Then we need to edit the config file.
  3. Then we need to run two commands to generate the private key and the certificate request.
  4. Upload the CSR to the CA and download the issued certificate as a Base64 file.
  5. Download the CA certificate chain.
  6. Bundle it all together in a .pem file.
  7. Upload it to vRealize Log Insight.

Download OpenSSL if you don't have it already and install it.

Then edit the cfg file. Here is an example from my version; with the exception of "subjectAltName =…" everything is as it should be. That line must be a single line (barring WordPress wrapping). Note also that I tend to put both the DNS name and the IP address of every node in my files. The last line, commonName, cannot be longer than 64 characters, and it should also appear as one of the subjectAltName entries, because current browsers match the host name against the subjectAltName only and ignore the commonName.

[ req ]
default_md = sha512
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS: aoclogs.aocit.net, IP: 10.1.101.39, DNS: aoclog01.aocit.net, IP: 10.1.101.40, DNS: aoclog02.aocit.net, IP: 10.1.101.41, DNS: aoclog03.aocit.net, IP: 10.1.101.42

[ req_distinguished_name ]
countryName = CH
stateOrProvinceName = Solothurn
localityName = Solothurn
0.organizationName = aocit
organizationalUnitName = IT
commonName = aoclogs.aocit.net

Create a folder inside “openssl\bin” called vrli and save this file as vrli.cfg in that dir.

Then from the "openssl\bin" folder run these two commands:

openssl genrsa -out vrli\vrli.key 2048

openssl req -new -key vrli\vrli.key -out vrli\vrli.csr -config vrli\vrli.cfg

The first command generates your private key file; keep it private, since anyone holding it can impersonate the server. The second command generates the certificate signing request from that key, using the config file above. Before you submit the request it is worth opening the CSR with openssl and confirming that your subject and the subjectAltName entries appear under "Requested Extensions"; if they are missing here, the CA cannot put them in the certificate. You should end up with something that looks like this.

Next you need to submit the CSR and generate the certificate. In my case I use the CA of AD (Active Directory Certificate Services) through its web enrollment pages. Usually the web address is https://fqdn/certsrv, where fqdn is the server where you installed the Certification Authority Web Enrollment role.

From there Request a certificate:

Then select “Advanced Certificate Request”

On the page that appears, paste the content of the .csr file into the request field and select the right template (the VMware template mentioned at the start) for the creation of the certificate:

Now click Submit, and on the following page select "Base 64 encoded" and "Download certificate". Save this certificate as vrli.cer.

Next go back to the main page of Certificate Services and select "Download a CA certificate, certificate chain, or CRL":

Make sure Base 64 is selected, then select "Download CA certificate chain" and save this as root.cer. Note that this download is a PKCS#7 file (certnew.p7b), not a bare certificate, so it cannot be pasted into the bundle as it is: open it in Windows and export each CA certificate as Base-64 encoded X.509, or unpack it with openssl's pkcs7 -print_certs option. For a single-tier CA, "Download CA certificate" with Base 64 selected gives you the root directly as a PEM certificate and is the simpler choice.

Now you should have five files in your folder: vrli.cfg, vrli.key, vrli.csr, vrli.cer and root.cer.

Of these you need the contents of three (the private key, the server certificate and the CA certificate) in a single .pem file, in this order:

-----BEGIN RSA PRIVATE KEY-----
(body of vrli.key)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(body of vrli.cer)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(body of root.cer)
-----END CERTIFICATE-----

Each of the three files already contains its own BEGIN and END lines, so in practice you just paste the files one after the other, with no blank lines in between. If your CA has an intermediate (issuing) CA, its certificate goes between the server certificate and the root, so the chain reads from the server certificate up to the root. The key must be unencrypted; newer OpenSSL versions write it with a "BEGIN PRIVATE KEY" header (PKCS#8) instead of "BEGIN RSA PRIVATE KEY", which is also an unencrypted PEM key, so do not edit the header lines by hand.
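The whole procedure as an added, runnable example; this is not the post's own code. It is written for bash, but the openssl invocations are the same ones you type on Windows. It writes the vrli.cfg shown above, generates the key and CSR, checks that the SAN entries really are in the request, then uses a throwaway self-signed CA (a stand-in for the AD CS step, named "Test Root CA (example)" here, which is hypothetical) to issue vrli.cer while copying the requested extensions, builds vrli.pem in the order key, server certificate, root, and runs the checks you would want before uploading the bundle: the key matches the certificate, the certificate chains to the bundled root, and the SAN survived issuance.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: a dry run of the whole procedure in a
# scratch directory. A throwaway self-signed CA created here stands in for the
# Windows AD CS step; vrli.cfg, the file names and the key -> server cert -> root
# order of vrli.pem follow the post. The openssl commands are the same on Windows.
set -eu

# The vrli.cfg from the post (subjectAltName is one long line).
write_vrli_cfg() {
  cat > "$1/vrli.cfg" <<'EOF'
[ req ]
default_md = sha512
default_bits = 2048
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS: aoclogs.aocit.net, IP: 10.1.101.39, DNS: aoclog01.aocit.net, IP: 10.1.101.40, DNS: aoclog02.aocit.net, IP: 10.1.101.41, DNS: aoclog03.aocit.net, IP: 10.1.101.42

[ req_distinguished_name ]
countryName = CH
stateOrProvinceName = Solothurn
localityName = Solothurn
0.organizationName = aocit
organizationalUnitName = IT
commonName = aoclogs.aocit.net
EOF
}

# Step 3: the two commands from the post (private key, then the CSR).
make_key_and_csr() {
  openssl genrsa -out "$1/vrli.key" 2048 2>/dev/null
  openssl req -new -key "$1/vrli.key" -out "$1/vrli.csr" -config "$1/vrli.cfg"
}

# Check before submitting: is the requested SAN entry really in the CSR?
csr_has_san() {
  openssl req -in "$1/vrli.csr" -noout -text | grep -q "DNS:$2"
}

# Stand-in for steps 4-5. "Test Root CA (example)" is a hypothetical CA. Copying the
# v3_req section into the issued cert mirrors a template set to "Supply in the request".
fake_ca_sign() {
  printf '%s\n' '[ req ]' 'distinguished_name = dn' 'prompt = no' '[ dn ]' \
    'CN = Test Root CA (example)' '[ ca_ext ]' 'basicConstraints = critical, CA:TRUE' \
    'keyUsage = critical, keyCertSign, cRLSign' 'subjectKeyIdentifier = hash' > "$1/ca.cfg"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -config "$1/ca.cfg" \
    -extensions ca_ext -keyout "$1/ca.key" -out "$1/root.cer" 2>/dev/null
  openssl x509 -req -in "$1/vrli.csr" -CA "$1/root.cer" -CAkey "$1/ca.key" -CAcreateserial \
    -days 1 -sha256 -extfile "$1/vrli.cfg" -extensions v3_req -out "$1/vrli.cer" 2>/dev/null
}

# Step 6: the files already carry their BEGIN/END lines, so the bundle is a plain
# concatenation in the order key, server certificate, CA chain (issuing CA up to root).
make_bundle() {
  cat "$1/vrli.key" "$1/vrli.cer" "$1/root.cer" > "$1/vrli.pem"
}

# Checks to run on vrli.pem before uploading it: the key belongs to the certificate,
# the certificate chains to the bundled root, and the SAN survived issuance (a CA that
# ignores request extensions silently drops it).
bundle_ok() {
  local d=$1 pem="$1/vrli.pem" key_pub cert_pub
  key_pub=$(openssl pkey -in "$pem" -pubout | openssl dgst -sha256)
  cert_pub=$(openssl x509 -in "$pem" -noout -pubkey | openssl dgst -sha256)
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ] \
    || { echo "key does not match certificate" >&2; return 1; }
  openssl verify -CAfile "$d/root.cer" "$d/vrli.cer" >/dev/null || return 1
  openssl x509 -in "$pem" -noout -text | grep -q 'DNS:aoclogs.aocit.net' \
    || { echo "SAN missing from issued certificate" >&2; return 1; }
}

# Whole procedure end to end; returns non-zero if any check fails.
run_demo() {
  local d
  d=$(mktemp -d)
  write_vrli_cfg "$d"
  make_key_and_csr "$d"
  csr_has_san "$d" aoclogs.aocit.net
  fake_ca_sign "$d"
  make_bundle "$d"
  bundle_ok "$d"
}

if run_demo; then echo "vrli.pem passes the key, chain and SAN checks"; else echo "FAILED" >&2; exit 1; fi
```

The three checks in bundle_ok are the ones that catch the usual mistakes with this procedure: pasting the wrong key next to the certificate, a missing intermediate so the chain does not close, and a CA template that dropped the subjectAltName so only the commonName is left in the certificate.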

Once you have saved the bundle as vrli.pem (for example), log into Log Insight and on the Administration page go to SSL:

Select “choose file” and select your vrli.pem file. Wait for the file to upload.

Once it is uploaded you can check if all went well by selecting "view details" on the existing certificate; the subject, the subjectAltName entries and the issuer should be the ones you requested.

Finally you can verify that the cert is now recognised by your browser by clicking on the small padlock in the browser bar and checking the certificate. Hopefully you have a green checkmark like I do. Note that this only works on clients that trust your CA: domain-joined Windows machines normally have the AD CA root in their trusted root store, while other devices need the root certificate imported before they will accept the new certificate. Browsers also match the host name against the subjectAltName entries, which is why every name and IP you use to reach Log Insight has to be in that list.

That's all. If you need to do this in vROps, there's a similar guide to this one here.