I am trying to generate a cert for Log Insight by using the method that is described in this blog post (at the bottom) using an automated batch file
http://www.derekseaman.com/2012/09/vmware-vcenter-51-installation-part-2.html
The resulting chain.pem file includes my cert and CA cert chain. When I attempt to add it to Log Insight, it says the cert is invalid. Can you guys provide any suggestions on how to modify this bit of batch code to work with Log Insight? The meat of the batch is listed below (I just left out all the variables that are set beforehand):
CD /d %Cert_Path%\loginsight
REM 2048-bit RSA private key, PEM encoded
%OpenSSL_BIN% genrsa 2048 > rui.key
REM CSR from that key; subject and SANs come from loginsight.cfg
%OpenSSL_BIN% req -out rui.csr -key rui.key -new -config loginsight.cfg
REM submit the CSR to the Microsoft CA and save the issued certificate as rui.crt
certreq -submit -f -q -config "%CA_NAME%" -attrib "CertificateTemplate:%Cert_Template%" rui.csr rui.crt
REM bundle key + cert + chain as PKCS#12 (a binary .pfx, despite the .pem name)
%OpenSSL_BIN% pkcs12 -export -in rui.crt -inkey rui.key -certfile %CA_Cert_Chain% -name rui -out rui.pem
REM cert followed by the CA chain; no private key in this file
copy /B rui.crt + %CA_Cert_Chain% chain.pem
The following link is known to work, but is for Linux: http://panoptic.com/wiki/aolserver/How_to_generate_self-signed_SSL_certificates
Can you upload your PEM file per the instructions here: http://kb.vmware.com/kb/1008525 (no need for an SR, just create a folder called imthemp3king)
OK, I logged in and created a folder and I believe the files were uploaded, but when I refresh I don't see anything, even though the applet indicated they were uploaded successfully.
Were you able to see my certificate upload from last week? As I said, I couldn't tell if anything actually uploaded, even though I did receive a success message afterward.
Yes, I just downloaded the certificate and took a look. I assume you are uploading the chain.pem file to Log Insight, right? If so, the issue is that your private key is not included in your chain.pem file. From the Log Insight install/admin guide:
Verify that your custom SSL certificate meets the following requirements.
I've tried importing both the chain.pem file and the rui.pem file. Wouldn't the following line include the .key in the .pem file?
%OpenSSL_BIN% pkcs12 -export -in rui.crt -inkey rui.key -certfile %CA_Cert_Chain% -name rui -out rui.pem
You need to have one file that contains both the key and the chain, or else you will get an error. This command:
%OpenSSL_BIN% pkcs12 -export -in rui.crt -inkey rui.key -certfile %CA_Cert_Chain% -name rui -out rui.pem
will create one file; however, rui.pem is incorrect. It is actually creating a rui.pfx (see the bottom of this link: The Most Common OpenSSL Commands). I believe the issue is that you need the -nodes flag at the end of the command (see What is the purpose of the -nodes argument in openssl? - Stack Overflow). One visual way to check is to open the <file>.pem and ensure it contains a -----BEGIN RSA PRIVATE KEY----- section. The chain.pem does not, and the rui.pem is binary, so both will fail. I hope this helps!
Thanks for the informative response. I will try this out and report back. Much appreciated!
So I finally got around to trying your suggestion and unfortunately it doesn't work. The batch file now looks like this:
%OpenSSL_BIN% genrsa 2048 > rui.key
%OpenSSL_BIN% req -out rui.csr -key rui.key -new -config loginsight.cfg
certreq -submit -f -q -config "%CA_NAME%" -attrib "CertificateTemplate:%Cert_Template%" rui.csr rui.crt
REM bundle key + cert + chain into a binary PKCS#12 (.pfx); prompts for an export password
%OpenSSL_BIN% pkcs12 -export -in rui.crt -inkey rui.key -certfile %CA_Cert_Chain% -name rui -out rui.pfx
REM unpack the .pfx back to text PEM; -nodes leaves the private key unencrypted
%OpenSSL_BIN% pkcs12 -in rui.pfx -out rui.pem -nodes
What confuses me about this is that if I open the rui.key file, I see that it starts with -----BEGIN RSA PRIVATE KEY-----.
However, when I open the rui.pem file after converting the rui.pfx file, the key section starts with -----BEGIN PRIVATE KEY----- and the key information looks entirely different. I would think that if the .key file is being included in the .pfx file, then it should still read -----BEGIN RSA PRIVATE KEY-----.
Is that an incorrect assumption?
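To put the two points in this thread side by side (the "one file with key and chain" requirement from the earlier reply, and the -----BEGIN PRIVATE KEY----- vs -----BEGIN RSA PRIVATE KEY----- question just above), here is an added example script. It is not code from this thread, from the linked blog posts or from VMware. It builds the upload file by plain text concatenation (key, then server cert, then CA chain) instead of going through PKCS#12, and then runs the checks worth doing on any candidate file before uploading it. certreq against a Microsoft CA cannot run offline, so a throwaway root + issuing CA generated inside the script stands in for %CA_NAME% and %CA_Cert_Chain%; the CA names, the host name loginsight.example.local and the file names are all assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): assemble the single PEM Log Insight expects
# (unencrypted private key + server cert + CA chain) and verify it before upload.
# A throwaway root + issuing CA stands in for the Microsoft CA; all names assumed.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Stand-in for %CA_NAME%: a root CA and an issuing CA signed by it.
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
        -subj "/CN=Example Root CA" -days 30 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout issuing.key -out issuing.csr \
        -subj "/CN=Example Issuing CA" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    openssl x509 -req -in issuing.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -extfile ca.ext -out issuing.crt -days 30 2>/dev/null
    # Equivalent of %CA_Cert_Chain%: issuing CA first, root last.
    cat issuing.crt root.crt > ca_chain.pem
}

# Same steps as the batch file's genrsa / req / certreq, with the test CA issuing.
issue_server_cert() {
    openssl genrsa -out rui.key 2048 2>/dev/null
    openssl req -new -key rui.key -out rui.csr -subj "/CN=loginsight.example.local" 2>/dev/null
    printf 'subjectAltName=DNS:loginsight.example.local\nextendedKeyUsage=serverAuth\n' > srv.ext
    openssl x509 -req -in rui.csr -CA issuing.crt -CAkey issuing.key -CAcreateserial \
        -extfile srv.ext -out rui.crt -days 30 2>/dev/null
}

# The file to upload: key, leaf, chain, concatenated as text. No PKCS#12 step.
# OpenSSL 3 writes PKCS#8 ("BEGIN PRIVATE KEY") unless told -traditional; OpenSSL
# 1.1 rejects that flag but writes PKCS#1 ("BEGIN RSA PRIVATE KEY") anyway, hence
# the fallback. Both encodings carry exactly the same key material.
build_loginsight_pem() {
    openssl rsa -in rui.key -traditional -out rui_pkcs1.key 2>/dev/null \
        || openssl rsa -in rui.key -out rui_pkcs1.key 2>/dev/null
    cat rui_pkcs1.key rui.crt ca_chain.pem > loginsight.pem
}

# What the thread's pkcs12 -export / pkcs12 -nodes round trip yields: the same
# key, re-encoded as PKCS#8. Prints the key header line of the converted file.
pkcs12_roundtrip_key_header() {
    openssl pkcs12 -export -in rui.crt -inkey rui.key -certfile ca_chain.pem -name rui \
        -out rui.pfx -passout pass:changeit 2>/dev/null
    openssl pkcs12 -in rui.pfx -out rui_from_pfx.pem -nodes -passin pass:changeit 2>/dev/null
    grep -- '-----BEGIN .*PRIVATE KEY-----' rui_from_pfx.pem | head -n 1
}

# Checks to run on any candidate file before uploading it.
pem_has_private_key() { grep -q -- '-----BEGIN \(RSA \)\{0,1\}PRIVATE KEY-----' "$1"; }
cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }
key_matches_cert() {
    # openssl reads the first private key and the first certificate in the file;
    # their RSA moduli must be identical or the key does not belong to the cert.
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null | openssl md5)
    c=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null | openssl md5)
    [ -n "$k" ] && [ "$k" = "$c" ]
}
leaf_verifies_against_chain() {
    openssl verify -CAfile root.crt -untrusted ca_chain.pem "$1" >/dev/null 2>&1
}

make_test_ca
issue_server_cert
build_loginsight_pem
echo "built $WORK/loginsight.pem"
```

Run it, then upload loginsight.pem (with a real CA, replace make_test_ca with the certreq step and point ca_chain.pem at your %CA_Cert_Chain%). The header difference the OP noticed is only an encoding difference: pkcs12 writes the key back out in PKCS#8 form, while genrsa on older OpenSSL and openssl rsa write PKCS#1, and key_matches_cert passes either way because the modulus is the same. Note also that -nodes is a parsing option for pkcs12 (it matters when you convert a .pfx back to PEM, as in the OP's second script), so the simplest route that avoids the .pfx detour entirely is the plain concatenation above.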
There is another method, not official, not supported, but it always works!
Regards!
I just created a new blog post that walks through the steps needed to generate a signed certificate from a Microsoft CA and apply it to the vCenter Log Insight 1.5 Virtual Appliance. The blog post can be found at this URL: vmLand - The World of Virtualisation: Replacing the SSL Certificate for Microsoft CA Signed on vCent...
Finally, I created a script to generate a proper certificate for (almost) any SSL (VMware) service. It works very well with LogInsight!
You can find it here.