Hello,
I would like to replace the SSL certificate with an internal one.
In the install and admin doc I found the entry "Install a Custom SSL Certificate for Log Insight" on page 23.
One point, a crucial one though, is missing from the procedure:
Copy the custom SSL certificate to the following folder:
The folder location is missing from the doc.
Could you tell me where the cert file is supposed to be uploaded?
Thank you
Eric
You need to upload it to /storage/var/loginsight/apache-tomcat/conf. I will ensure the documentation gets updated.
I just realized that the documentation lists the wrong directions. You do not need to upload an SSL certificate onto the virtual appliance. Instead, go to http://<loginsight>/admin/ssl and configure from the web UI.
Thank you for the update.
I must check, because my PEM, which has been correctly generated, is not imported by the WUI.
My PEM contains the complete chain: cert public and private key and CA public key.
Our CA is an internal one. Could this matter? Not being present in a keystore or something?
Thank you
Eric
Are you getting an error? What does the web UI say upon import? How are you generating the PEM? Something like this (of course not self-signed): How to generate self-signed SSL certificates - AOLserver Wiki?
Hi Eric,
Can you send us (zhub@vmware.com) your PEM file if possible? What's your domain name when getting your certificate?
Thanks,
Bo
Hi,
As an aside to this, will the Certificate file format remain PEM or will the option of PKCS12 also be available akin to most other things vSphere?
For GA it will be PEM, but we are considering making changes going forward.
Hi Eric,
How do you generate your private key in the PEM file? If you follow the instructions below, you should see "-----BEGIN RSA PRIVATE KEY-----" in your PEM file. But in your PEM file, you only have "-----BEGIN PRIVATE KEY-----", which causes the problem. Can you tell me how you generate your private key and also try the following tutorial to see if it works?
http://panoptic.com/wiki/aolserver/How_to_generate_self-signed_SSL_certificates
Thanks,
Bo
Hi Eric,
I did a bit more research. It might be related to the version of openssl you used. Would you please let me know which version of openssl you used when you generated your private key?
Thanks,
Bo
Hi Bo,
The version is openssl for Windows: OpenSSL 1.0.1c 10 May 2012
Thank you
Eric
Hi Eric,
I tried it, but it works for me. Can you let me know the commands you used to generate your private key and certificate? It will help us debug the problem.
In the meantime, you can follow the following guide step by step. It should work.
http://panoptic.com/wiki/aolserver/How_to_generate_self-signed_SSL_certificates
Thanks,
Bo
Hi Bo,
I see that in the procedure the key is generated at 1024. To generate the certificate I'm trying to implement, I used the VMware KB:
http://kb.vmware.com/kb/2034833
In this procedure, it sets the encryption at 2048, which is good because our internal CA doesn't generate certs below 2048.
Otherwise the format is also RSA.
Might this be the problem?
Thank you
Eric
Hi Eric,
I tested that a 2048-based key works. Please follow the guide I sent you and let me know if it still has a problem.
Thanks,
Bo
I had the same issue, and also noticed my private key, generated by the "openssl genrsa" command and supposedly already in PEM format, also started out with "-----BEGIN PRIVATE KEY-----". I used the following command to output a new PEM version:
openssl rsa -in loginsight.key -out loginsight_pem.key -outform PEM
This version properly began with "-----BEGIN RSA PRIVATE KEY-----", which I inserted at the beginning of my PEM cert file, and it imported successfully into Log Insight.
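
A pre-import check for the PEM problems raised in this thread (PKCS#8 key header, pass phrase, PFX instead of PEM), as an added example that is not part of any post above and is not Log Insight code. The function name, finding texts and sample bundles are assumptions made for illustration; the samples are constructed placeholders, not real keys.

```python
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def lint_pem_bundle(data):
    """Return a list of findings for a PEM bundle; an empty list means none found."""
    blocks = PEM_BLOCK.findall(data.decode("latin-1"))
    if not blocks:
        # DER files (including PKCS#12 / .pfx) start with an ASN.1 SEQUENCE tag.
        if data[:1] == b"\x30":
            return ["not PEM: binary DER data, e.g. a PKCS#12 (.pfx) file"]
        return ["not PEM: no BEGIN/END blocks found"]
    findings = []
    labels = [label for label, _ in blocks]
    for label, body in blocks:
        if label == "PRIVATE KEY":
            findings.append("PKCS#8 key header (BEGIN PRIVATE KEY): re-encode with "
                            "'openssl rsa' to get BEGIN RSA PRIVATE KEY")
        elif label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            findings.append("private key is protected by a pass phrase")
    if not any(label.endswith("PRIVATE KEY") for label in labels):
        findings.append("no private key block")
    if "CERTIFICATE" not in labels:
        findings.append("no CERTIFICATE block")
    return findings

# Constructed sample input: placeholder bytes, not real key or certificate material.
_BODY = base64.encodebytes(b"constructed placeholder, not real key material").decode()

def _pem(label, headers=""):
    return "-----BEGIN %s-----\n%s%s-----END %s-----\n" % (label, headers, _BODY, label)

CERTS = _pem("CERTIFICATE") + _pem("CERTIFICATE")  # server cert + internal CA cert
SAMPLE_PKCS8 = (_pem("PRIVATE KEY") + CERTS).encode()
SAMPLE_RSA = (_pem("RSA PRIVATE KEY") + CERTS).encode()
_ENC_HEADERS = ("Proc-Type: 4,ENCRYPTED\n"
                "DEK-Info: AES-256-CBC,00000000000000000000000000000000\n\n")
SAMPLE_ENCRYPTED = (_pem("RSA PRIVATE KEY", _ENC_HEADERS) + CERTS).encode()

if __name__ == "__main__":
    for name in ("SAMPLE_PKCS8", "SAMPLE_RSA", "SAMPLE_ENCRYPTED"):
        print(name, lint_pem_bundle(globals()[name]) or "ok")
```

On OpenSSL 3.x, `openssl rsa` writes the "BEGIN PRIVATE KEY" header by default; the `-traditional` option produces "BEGIN RSA PRIVATE KEY".
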
I am trying to generate a cert for Log Insight by using the method that is described in this blog post (at the bottom) using an automated batch file:
http://www.derekseaman.com/2012/09/vmware-vcenter-51-installation-part-2.html
The resulting chain.pem file includes my cert and CA cert chain. When I attempt to add it to Log Insight, it says the cert is invalid. Can you guys provide any suggestions on how to modify this bit of batch code to work with Log Insight?
Can you please open a separate thread for this question?
From the Log Insight install/admin guide: Verify that your custom SSL certificate meets the following requirements.
If I am reading the script right then the certificate generated is actually in PFX format (not supported) and contains a pass phrase (not supported):
%OpenSSL_BIN% pkcs12 -export -in rui.crt -inkey rui.key -certfile %CA_Cert_Chain% -name rui -passout pass:testpassword -out rui.pfx
Will do, and no, I modified my command. I will update my question with the commands I am running.
