VMware Cloud Community
imthemp3king (Contributor)

Replacing the Log Insight SSL certificate with a CA signed cert

I am trying to generate a cert for Log Insight by using the method that is described in this blog post (at the bottom) using an automated batch file

http://www.derekseaman.com/2012/09/vmware-vcenter-51-installation-part-2.html

The resulting chain.pem file includes my cert and CA cert chain. When I attempt to add it to Log Insight, it says the cert is invalid. Can you guys provide any suggestions on how to modify this bit of batch code to work with Log Insight? The meat of the batch is listed below (I just left out all the variables that are set beforehand):

CD /d %Cert_Path%\loginsight
%OpenSSL_BIN%  genrsa 2048 > rui.key
%OpenSSL_BIN%  req -out rui.csr -key rui.key -new -config loginsight.cfg
certreq -submit -f -q -config "%CA_NAME%" -attrib "CertificateTemplate:%Cert_Template%" rui.csr rui.crt
%OpenSSL_BIN%  pkcs12 -export -in rui.crt -inkey rui.key -certfile %CA_Cert_Chain% -name rui -out rui.pem
copy /B rui.crt + %CA_Cert_Chain% chain.pem

11 Replies
sflanders (Commander)

The following link is known to work, but is for Linux: http://panoptic.com/wiki/aolserver/How_to_generate_self-signed_SSL_certificates

Can you upload your PEM file per the instructions here: http://kb.vmware.com/kb/1008525 (no need for an SR, just create a folder called imthemp3king)

Hope this helps! === If you find this information useful, please award points for "correct" or "helpful". ===
imthemp3king (Contributor)

OK, I logged in and created a folder and I believe the files were uploaded, but when I refresh I don't see anything, even though the applet indicated they were uploaded successfully.

imthemp3king (Contributor)

Were you able to see my certificate upload from last week? As I said, I couldn't tell if anything actually uploaded, even though I did receive a successful message afterward.

sflanders (Commander)

Yes, I just downloaded the certificate and took a look. I assume you are uploading the chain.pem file to Log Insight, right? If so, the issue is that your private key is not included in your chain.pem file. From the Log Insight install/admin guide:

Verify that your custom SSL certificate meets the following requirements.

  • The certificate file contains both a valid private key and a valid certificate chain. <-- issue
  • The private key is generated by the RSA or the DSA algorithm.
  • The private key is not encrypted by a pass phrase.
  • If the certificate is signed by a chain of other certificates, all other certificates are included in the certificate file that you plan to import.
  • All the certificates and the private key that are included in the certificate file are PEM-encoded. Log Insight does not support DER-encoded certificates and private keys.
  • All the certificates and the private key that are included in the certificate file are in the PEM format. Log Insight does not support certificates in the PFX, PKCS12, PKCS7, or other formats.
Hope this helps! === If you find this information useful, please award points for "correct" or "helpful". ===
imthemp3king (Contributor)

I've tried importing both the chain.pem file and the rui.pem file. Wouldn't the following line include the .key in the .pem file?

%OpenSSL_BIN%  pkcs12 -export -in rui.crt -inkey rui.key -certfile %CA_Cert_Chain% -name rui -out rui.pem

  • The certificate file contains both a valid private key and a valid certificate chain. <-- see above
  • The private key is generated by the RSA or the DSA algorithm. <-- Yes
  • The private key is not encrypted by a pass phrase.  <-- When prompted for a passphrase, I just hit Enter
  • If the certificate is signed by a chain of other certificates, all other certificates are included in the certificate file that you plan to import. <-- Yes
  • All the certificates and the private key that are included in the certificate file are PEM-encoded. Log Insight does not support DER-encoded certificates and private keys. <-- I believe so, but can't say with 100% certainty.  Referring to this link, How to Create a .pem File for SSL Certificate Installations, it should be
  • All the certificates and the private key that are included in the certificate file are in the PEM format. Log Insight does not support certificates in the PFX, PKCS12, PKCS7, or other formats.  <-- Based on this definition, http://en.wikipedia.org/wiki/X.509#Certificate_filename_extensions, I am using everything in PEM format
sflanders (Commander)

You need to have one file that contains both the key and the chain or else you will get an error. This command:

%OpenSSL_BIN%  pkcs12 -export -in rui.crt -inkey rui.key -certfile %CA_Cert_Chain% -name rui -out rui.pem

will create one file; however, rui.pem is incorrect. It is actually creating a rui.pfx (see the bottom of this link: The Most Common OpenSSL Commands). I believe the issue is that you need the -nodes flag at the end of the command (see What is the purpose of the -nodes argument in openssl? - Stack Overflow). One visual way to check is to open the <file>.pem and ensure it contains a --- BEGIN RSA PRIVATE KEY --- section. The chain.pem does not, and the rui.pem is binary, so both will fail. I hope this helps!

Hope this helps! === If you find this information useful, please award points for "correct" or "helpful". ===
imthemp3king (Contributor)

Thanks for the informative response. I will try this out and report back. Much appreciated!

imthemp3king (Contributor)

So I finally got around to trying your suggestion and unfortunately it doesn't work. The batch file now looks like this:

%OpenSSL_BIN%  genrsa 2048 > rui.key
%OpenSSL_BIN%  req -out rui.csr -key rui.key -new -config loginsight.cfg
certreq -submit -f -q -config "%CA_NAME%" -attrib "CertificateTemplate:%Cert_Template%" rui.csr rui.crt
%OpenSSL_BIN%  pkcs12 -export -in rui.crt -inkey rui.key -certfile %CA_Cert_Chain% -name rui -out rui.pfx
%OpenSSL_BIN%  pkcs12 -in rui.pfx -out rui.pem -nodes

What confuses me about this is that if I open the rui.key file, I see that it starts with -----BEGIN RSA PRIVATE KEY-----

However, when I open the rui.pem file after converting the rui.pfx file, the key section starts with -----BEGIN PRIVATE KEY----- and the key information looks entirely different. I would think that if the .key file is being included in the .pfx file then it should still read -----BEGIN RSA PRIVATE KEY-----

Is that an incorrect assumption?

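As an added example (not code from the thread or from VMware), here is a small Python checker that applies the Log Insight certificate-file requirements sflanders quoted above to constructed sample files, including the two cases discussed: a chain.pem with no key and a binary PKCS12 blob misnamed .pem. It also covers the header question raised in the last post: `openssl pkcs12 -nodes` writes the key in unencrypted PKCS#8 form, whose PEM label is `PRIVATE KEY` rather than `RSA PRIVATE KEY`, and both forms are plain, unencrypted PEM keys. The function name and all file contents are constructed; the base64 bodies are placeholders, not real key material.

```python
import re

# A PEM file is a sequence of "-----BEGIN <label>-----" ... "-----END <label>-----" blocks.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
# PKCS#1 (RSA/DSA PRIVATE KEY) and unencrypted PKCS#8 (PRIVATE KEY) are both plain PEM
# keys; "openssl pkcs12 ... -nodes" writes PKCS#8, hence BEGIN PRIVATE KEY in rui.pem.
KEY_LABELS = {"RSA PRIVATE KEY", "DSA PRIVATE KEY", "PRIVATE KEY"}


def check_loginsight_bundle(data: bytes) -> list:
    """Return the Log Insight import requirements that this certificate file violates."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        # A PFX/PKCS12 or DER file is binary, so there are no PEM blocks to inspect.
        return ["not PEM-encoded (binary DER/PFX/PKCS12 data)"]
    problems, keys, certs = [], 0, 0
    for label, body in PEM_BLOCK.findall(text):
        if label == "CERTIFICATE":
            certs += 1
        elif label.endswith("PRIVATE KEY"):
            keys += 1
            if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
                problems.append("private key is pass-phrase protected")
            elif label not in KEY_LABELS:
                problems.append(f"key type is not RSA or DSA ({label})")
        else:
            problems.append(f"unsupported PEM block {label} (PKCS7 bundles are rejected)")
    if keys == 0:
        problems.append("missing private key")
    if certs == 0:
        problems.append("missing certificate chain")
    return problems


def _pem(label: str, body: str = "AAAA\n") -> str:
    """Build a PEM block with a constructed placeholder body (not real key material)."""
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"


# Constructed sample files mirroring the thread: chain.pem (certs only), a working
# key+chain bundle in PKCS#1 and in PKCS#8 form, a pass-phrase protected key,
# and a binary PKCS12 blob like the misnamed rui.pem.
CHAIN_ONLY = (_pem("CERTIFICATE") * 2).encode()
PKCS1_BUNDLE = (_pem("RSA PRIVATE KEY") + _pem("CERTIFICATE") * 2).encode()
PKCS8_BUNDLE = (_pem("PRIVATE KEY") + _pem("CERTIFICATE") * 2).encode()
ENCRYPTED_KEY = (_pem("RSA PRIVATE KEY", "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\nAAAA\n")
                 + _pem("CERTIFICATE")).encode()
PFX_LIKE = b"\x30\x82\x0b\x3d\x02\x01\x03\x30\x82" + bytes(range(0x80, 0x90))

if __name__ == "__main__":
    for name in ("CHAIN_ONLY", "PKCS1_BUNDLE", "PKCS8_BUNDLE", "ENCRYPTED_KEY", "PFX_LIKE"):
        print(f"{name}: {check_loginsight_bundle(globals()[name]) or 'OK'}")
```

Run against a real file with `check_loginsight_bundle(open("rui.pem", "rb").read())`; an empty list means the file has the shape Log Insight expects (it does not verify that the key matches the certificate).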
Agryppa (Enthusiast)

There is another method, not official, not supported, but it always works!

Regards!

GaryJBlake (VMware Employee)

I just created a new blog post that walks through the steps needed to generate a signed certificate from a Microsoft CA and apply it to the vCenter Log Insight 1.5 Virtual Appliance. The blog post can be found at this URL: vmLand - The World of Virtualisation: Replacing the SSL Certificate for Microsoft CA Signed on vCent...

Agryppa (Enthusiast)

Finally, I created a script to generate a proper certificate for (almost) any SSL (VMware) service. It works very well with LogInsight!

You can find it here.
