vROps – Replacing the default certificate

So you decided to replace the built-in cert with, so that users can access your vROps page without problems of untrusted certs and HSTS errors etc.

Here I will cover how:

Like with Log Insight, I wanted to go over the process in a post since it makes good sense to see the procedure. Most people should understand why we want to do this apart from getting the warning page in various browsers or the HSTS (Http  Strick Transport Security) block. It is of course to secure your servers and data. It is worth mentioning that this process works with older versions of vRealize Log Insight also.

There is a number of steps in the replacing the certificate and these are listed here. Since I use a Windows AD for this I will cover the CA signature using the Certificate Authority from Windows. Before you start make sure you have a VMware Certificate template set up, if not you can find an example here.

  1. First we need to install OpenSSL, I will do this on a windows host in this case.
  2. Then we need to edit the config file.
  3. Then we need to run some commands to generate the cert request.
  4. Upload the csr and then get the base64 cert file.
  5. Download the Certificate chain
  6. Bundle it all together in a .pem file
  7. Upload it to vRealize Log Insight.

Download openSSL if you don’t have it downloaded already and install it.

Then edit the cfg file. Here is an example from my version (with the exception of “subjectAltName =…” everything is as it should be. That line should also be a single line (baring WordPress formatting). Note also I tend to put both dns name and ip address in my files. The last line, commonName, can not be longer than 64 chars.

[ req ]
default_md = sha512
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS: aoclogs.aocit.net, IP: 10.1.101.39, DNS: aoclog01.aocit.net, IP: 10.1.101.40, DNS: aoclog02.aocit.net, IP: 10.1.101.41, DNS: aoclog03.aocit.net, IP: 10.1.101.42

[ req_distinguished_name ]
countryName = CH
stateOrProvinceName = Solothurn
localityName = Solothurn
0.organizationName = aocit
organizationalUnitName = IT
commonName = aoclogs.aocit.net


Create a folder inside “openssl\bin” called vrops and save this file as vrops.cfg in that dir.

Then from the “openssl\bin” folder run these two commands:

Openssl genrsa -out vrops\vrops.key 2048



Openssl req -new -key vrops\vrops.key -out vrops\vrops.csr -config vrops\vrops.cfg

The first line generated your key file. The second line generates the certificate request file. You should end up with something that looks like this.

Next you need to go to import and generate the cert. In my case I use the CA of AD. Usually the web address is https://fqdn/certsrv where fqdn is where you installed your web page cert authority.

From there Request a certificate:

Then select “Advanced Certificate Request”

On the page that appears we need to copy and paste the content of our .csr file into the web page and select the right template to use for the creation of the certificate:

Now click on submit, and then on the following page select Base64 and “download certificate”. Save this certificate as vrops.cer.

Next go back to the main page of Certificate services and select  “Download a CA certificate chain or CRL”:

 

Make sure Base64 is selected and thenThen select “Download CA Certificate chain” and save this as root.cer

Now you should have 4 or 5 files in your folder:

root.cer
vRops.cfg
vRops.csr
vRops.cer
vRops.key

The three files ending in .key, vrops.cer and root.cer needs to be added to a .pem file like below:

-----BEGIN RSA PRIVATE KEY-----

Contents of the .key file go here

-----END RSA PRIVATE KEY-----

-----BEGIN CERTIFICATE-----

Contents of the vrops.cer file go here

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

Contents of the root.cer go here

-----END CERTIFICATE-----

Save the file as vrops.pem.

Then log into the admin interface of your vRops instance, https://vrops.domain.name/admin

Once inside there, in the top right corner there is a cert icon… (or diploma icon?). Click on that and in the Window that pops up select install new certificate. Select your vrops.pem file and continue. The certificate as verified as being ok and you can select install. It should only take a moment. Once done you should be able to see the new cert by clicking on the cert icon again.

Finally verify in the browser that the padlock shows a green checkmark for a valid cert:

That’s it for certificate replacement.