vCenter LogInsight & SSL

November 20, 2013  •  1 Comment

So you've just gotten yourself licenses for VMware's vCenter LogInsight tool and want to replace the stock self-signed certificate with a custom one or a commercial cert. The documentation from VMware on the process is really quite lacking, with most of it just listing the requirements for the certificate:

  1. The certificate file contains both a valid private key and a valid certificate chain.
  2. The private key is generated by the RSA or the DSA algorithm.
  3. The private key is not encrypted by a pass phrase.
  4. If the certificate is signed by a chain of other certificates, all other certificates must be included in the certificate file that you plan to import.
  5. All the certificates and the private key that are included in the certificate file must be PEM-encoded. DER-encoded certificates and private keys are not supported.
  6. All the certificates and the private key that are included in the certificate file must be in the PEM format. Certificates in the PFX, PKCS12, PKCS7, or other formats are not supported.

 

All well and good, but that doesn't help one generate a PEM if they've never done so before. A search of the LogInsight Community brings up several posts that talk about differing processes to generate the certificates and create the needed PEM. However, none seemed to work for me; results varied from OpenSSL errors to invalid certificates. I finally broke down this morning and talked to our security guy who runs our CA, and came away with a much simpler methodology that worked on the very first try.

  1. Generate your PEM-encoded private key and request as illustrated here.
  2. Send the request off to your CA.
  3. Save the certificate, intermediate certificate and root certificate (sometimes offered as a single file) locally.
  4. Open your text editor of choice and paste in the contents of your private key and certificates sequentially starting with your key.
  5. Save as a .PEM file and apply via the LogInsight admin interface.
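
A structural check for the file assembled in steps 4 and 5, as an added example (not from the original post or from VMware): it confirms the key comes first, is not pass-phrase protected, and is followed only by PEM certificates. The function names and the placeholder sample blocks are constructed for illustration; the check does not verify that the key matches the certificate or that the chain validates.

```python
import base64
import binascii
import re

# "PRIVATE KEY" is PKCS#8; its algorithm cannot be read from the label alone.
KEY_LABELS = {"RSA PRIVATE KEY", "DSA PRIVATE KEY", "PRIVATE KEY"}
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)


def build_bundle(key_pem, cert_pems):
    """Step 4: private key first, then the certificates in sequence."""
    return "".join(part.strip() + "\n" for part in [key_pem, *cert_pems])


def lint_bundle(text):
    """Return a list of layout problems; an empty list means none found."""
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        return ["no PEM blocks found (DER, PFX/PKCS12 or truncated input?)"]
    problems = []
    if text.count("-----BEGIN ") != len(blocks):
        problems.append("a BEGIN line has no matching END line")
    for label, body in blocks:
        # Legacy encrypted keys carry a Proc-Type header; PKCS#8 uses its own label.
        if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type:" in body:
            problems.append(f"{label}: key is protected by a pass phrase")
            continue
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            problems.append(f"{label}: body is not valid base64")
    labels = [label for label, _ in blocks]
    keys = [l for l in labels if l.endswith("PRIVATE KEY")]
    if len(keys) != 1 or labels[0] != keys[0]:
        problems.append("expected exactly one private key, as the first block")
    others = [l for l in labels if not l.endswith("PRIVATE KEY")]
    if "CERTIFICATE" not in others:
        problems.append("no certificate follows the key")
    allowed = KEY_LABELS | {"ENCRYPTED PRIVATE KEY", "CERTIFICATE"}
    problems += [f"{l}: unsupported block type" for l in labels if l not in allowed]
    return problems


def sample_block(label, note):
    """Constructed placeholder: valid PEM framing, no real key material."""
    body = base64.b64encode(note.encode()).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"
```

Run `lint_bundle` on the text of the saved .PEM file before uploading it; an empty list means the layout matches the requirements listed earlier.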

Comments

1. Bill Roth (VMware) (non-registered)
Thanks for your detailed analysis on this. I have shared this with the product managers and the engineering leads. It's a doc bug at least (which you called out) and should probably be easier. @BillRothVMware