topic Re: vShield 5.5 - Load Balancer - Trying to implement signed certificate in vCloud Networking and Security Discussions

vShield 5.5 - Load Balancer - Trying to implement signed certificate

TimR26 — Tue, 09 Jun 2015 12:29:31 GMT

Some background info for context:

vShield Mgr 5.5:

- imported Root CA cert. and a CA-signed X.509 cert.

- able to login to vShield Mgr. with trusted certs.

vCD Cells:

- all certs signed and imported

- able to login directly with trusted certs.

vShield Load Balancer:

Virtual Machine: vcloud.ourcloudnet.com (10.10.10.1)

Profile applied: http/https, least_conn, 80/443, members are both vCD cells

We want to have a signed and trusted cert for the load balancer address (vcloud.ourcloudnet.com). I have been trying to follow the procedures in the vShield Administration Guide page 73, but I'm getting confused with the procedure itself. When it says "You can generate a CSR and get it signed by a CA. If you generate a CSR at the global level, it is available to all vShield Edges in your inventory.", does that mean generating a CSR at the vShield Mgr level as opposed to the vShield Edge level? Am I doing this all wrong?

Need some guidance please.

Re: vShield 5.5 - Load Balancer - Trying to implement signed certificate

Sreec — Tue, 09 Jun 2015 14:40:55 GMT

When you generate at Global Level and Import at Global Level.CA signed certificate is applicable for all the edges(1:Many Mapping).However you can explicitly create CSR of each Edge(1:1 mapping) and Import only for those edges as well. Depending upon the business use case you can create/import accordingly.

For eg: If i have multiple tenants and i'm using VSE features,i would prefer creating a separate certificate for each Edge rather doing creating CSR at Global Level and getting applied to all edges.

However for encrypting information sent to the VCNS,we will create CA singed cert of Management software as well(1:1 mapping)

Re: vShield 5.5 - Load Balancer - Trying to implement signed certificate

TimR26 — Tue, 16 Jun 2015 14:14:44 GMT

Hello,

I get that I can create a signed cert. for the Edge, but I'm confused as to how I can import it.

Here is the procedure I have been following:

I log into vCNS -> my data center -> Network Virtualization -> Edges, then double click my edge device -> configure -> certificates -> actions -> generate CSR

I then copy the contents from the PEM Encoding text box.

I log into my CA server (MS CA Services)

I click Request a Certificate -> click Submit a certificate request by using a base-64-encoded CMC or PKCS#10 file, or submit a renewal....

I paste the contents of the CSR and submit.

The CA admin approves the request.

In the CA server I can then download a filename.cer file.

At this point I do back into vCNS -> edge certificate screen, when I click the actions -> import certificate, its expecting my to submit the contents of a signed certificate. Which I can't do because the filename.cer file is encrypted. Am I doing something wrong in regards to generating the CSR, the type of certificate I'm getting signed...or am I way off base with the entire signed certificate process?

Re: vShield 5.5 - Load Balancer - Trying to implement signed certificate

TimR26 — Fri, 19 Jun 2015 12:02:33 GMT

I figured out the issue. When the certificate is ready to be downloaded I need to select Base-64 encoded instead of the DER encoded. This will allow me to view the signed certificate in plain text and therefore copy/paste the signed certificate content when I import the certificate into the load balancer edge appliance.

When I did that I also ran into a different issue which I will create a new discussion on.

Thanks anyways for the help.