VMware Cloud Community
eric_krejci
Enthusiast

Install a Custom SSL Certificate for Log Insight

Hello,

I would like to replace the SSL certificate with an internal one.

I found the entry "Install a Custom SSL Certificate for Log Insight" on page 23 of the install and admin doc.

One point, a crucial one though, is missing from the procedure:

Copy the custom SSL certificate to the following folder:

The folder location is missing from the doc.

Could you tell me where the cert file is supposed to be uploaded?

thank you

Eric

sflanders
Commander

You need to upload it to /storage/var/loginsight/apache-tomcat/conf. I will ensure the documentation gets updated.

Hope this helps! === If you find this information useful, please award points for "correct" or "helpful". ===
sflanders
Commander

I just realized that the documentation lists the wrong directions. You do not need to upload an SSL certificate onto the virtual appliance. Instead, go to http://<loginsight>/admin/ssl and configure from the web UI.

Hope this helps! === If you find this information useful, please award points for "correct" or "helpful". ===
eric_krejci
Enthusiast

Thank you for the update.

I must check, because my PEM, which has been correctly generated, is not imported by the WUI.

My PEM contains the complete chain: cert public and private key and CA public key.

Our CA is an internal one. Could this matter? Not being present in a keystore or something?

thank you

Eric

sflanders
Commander

Are you getting an error? What does the web UI say upon import? How are you generating the PEM? Something like this (of course not self-signed): How to generate self-signed SSL certificates - AOLserver Wiki?

Hope this helps! === If you find this information useful, please award points for "correct" or "helpful". ===
admin
Immortal

Hi Eric,

Can you send us (zhub@vmware.com) your PEM file if possible? What's your domain name when getting your certificate?

Thanks,

Bo

dks00k
Enthusiast

Hi

As an aside to this, will the Certificate file format remain PEM or will the option of PKCS12 also be available akin to most other things vSphere?

sflanders
Commander

For GA it will be PEM, but we are considering making changes going forward.

Hope this helps! === If you find this information useful, please award points for "correct" or "helpful". ===
admin
Immortal

Hi Eric,

How do you generate your private key in the pem file? If you follow the instruction below, you should see "-----BEGIN RSA PRIVATE KEY-----" in your pem file. But in your pem file, you only have "-----BEGIN PRIVATE KEY-----", which causes the problem. Can you tell me how you generate your private key and also try the following tutorial to see if it works?

http://panoptic.com/wiki/aolserver/How_to_generate_self-signed_SSL_certificates

Thanks,

Bo

admin
Immortal

Hi Eric,

I did a bit more research. It might be related to the version of openssl you used. Would you please let me know which version of openssl you used when you generated your private key?

Thanks,

Bo

eric_krejci
Enthusiast

Hi Bo,

The version is OpenSSL for Windows: OpenSSL 1.0.1c 10 May 2012

thank you

Eric

admin
Immortal

Hi Eric,

I tried it, but it works for me. Can you let me know the commands you used to generate your private key and certificate? It will help us debug the problem.

In the meantime, you can follow the following guide step by step. It should work.

http://panoptic.com/wiki/aolserver/How_to_generate_self-signed_SSL_certificates

Thanks,

Bo

eric_krejci
Enthusiast

Hi Bo,

I see that in the procedure the key is generated at 1024. To generate the certificate I'm trying to implement, I used the VMware KB:

http://kb.vmware.com/kb/2034833

In this procedure, it sets the encryption at 2048, which is good because our internal CA doesn't generate certs below 2048.

Otherwise the format is also RSA.

Might this be the problem?

thank you

Eric

admin
Immortal

Hi Eric,

I tested, and a 2048-based key works. Please follow the guide I sent you and let me know if it still has a problem.

Thanks,

Bo

danbarr
Enthusiast

I had the same issue, and also noticed my private key, generated by the "openssl genrsa" command and supposedly already in PEM format, also started out with "-----BEGIN PRIVATE KEY-----". I used the following command to output a new PEM version:

openssl rsa -in loginsight.key -out loginsight_pem.key -outform PEM

This version properly began with "-----BEGIN RSA PRIVATE KEY-----", which I inserted at the beginning of my PEM cert file, and it imported successfully into Log Insight.

imthemp3king
Contributor

I am trying to generate a cert for Log Insight by using the method that is described in this blog post (at the bottom), using an automated batch file:

http://www.derekseaman.com/2012/09/vmware-vcenter-51-installation-part-2.html

The resulting chain.pem file includes my cert and CA cert chain. When I attempt to add it to Log Insight, it says the cert is invalid. Can you guys provide any suggestions on how to modify this bit of batch code to work with Log Insight?

sflanders
Commander

Can you please open a separate thread for this question?

From the Log Insight install/admin guide: Verify that your custom SSL certificate meets the following requirements.

  • The certificate file contains both a valid private key and a valid certificate chain.
  • The private key is generated by the RSA or the DSA algorithm.
  • The private key is not encrypted by a pass phrase.
  • If the certificate is signed by a chain of other certificates, all other certificates are included in the certificate file that you plan to import.
  • All the certificates and the private key that are included in the certificate file are PEM-encoded. Log Insight does not support DER-encoded certificates and private keys.
  • All the certificates and the private key that are included in the certificate file are in the PEM format.
  • Log Insight does not support certificates in the PFX, PKCS12, PKCS7, or other formats.


If I am reading the script right then the certificate generated is actually in PFX format (not supported) and contains a pass phrase (not supported):


%OpenSSL_BIN%  pkcs12 -export -in rui.crt -inkey rui.key -certfile %CA_Cert_Chain% -name rui -passout pass:testpassword -out rui.pfx

Hope this helps! === If you find this information useful, please award points for "correct" or "helpful". ===
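Added example (not part of the original thread and not VMware code): a pre-import check of a PEM bundle against the requirements quoted above and the private-key header issue reported earlier in the thread. It inspects the PEM armor only and does not parse the key or validate the chain; the function names, the one-key rule and the sample blocks are assumptions constructed for illustration.

```python
import base64
import re

# Matches one armored block: label, then everything up to the matching END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def pem(label, payload=b"constructed placeholder, not real key material"):
    """Build a constructed PEM block for the demo (payload is not real ASN.1)."""
    tag = label.encode()
    return b"-----BEGIN %b-----\n%b-----END %b-----\n" % (tag, base64.encodebytes(payload), tag)

def check_bundle(data):
    """Return a list of problems; an empty list means every check passed."""
    if b"-----BEGIN " not in data:
        # DER, PFX/PKCS12 and similar files are binary ASN.1 without PEM armor.
        return ["no PEM blocks found (DER, PFX/PKCS12 or another binary format?)"]
    problems, keys, certs = [], 0, 0
    for label, body in PEM_BLOCK.findall(data.decode("ascii", "replace")):
        if label == "CERTIFICATE":
            certs += 1
        elif label in ("RSA PRIVATE KEY", "DSA PRIVATE KEY"):
            keys += 1
            if "Proc-Type: 4,ENCRYPTED" in body:  # legacy OpenSSL key encryption
                problems.append(f"{label} is protected by a pass phrase")
                continue
        elif label == "ENCRYPTED PRIVATE KEY":  # PKCS#8 encrypted key
            keys += 1
            problems.append("private key is protected by a pass phrase")
            continue
        elif label == "PRIVATE KEY":  # unencrypted PKCS#8
            keys += 1
            problems.append("PKCS#8 'BEGIN PRIVATE KEY' header: reported in this "
                            "thread as failing to import; re-export the key")
        else:
            problems.append(f"unsupported block type: {label}")
            continue
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append(f"{label} block is not valid base64")
    if keys != 1:  # assumption: the bundle should carry one private key
        problems.append(f"expected exactly one private key, found {keys}")
    if certs == 0:
        problems.append("no certificate found")
    return problems

if __name__ == "__main__":
    good = pem("RSA PRIVATE KEY") + pem("CERTIFICATE") + pem("CERTIFICATE")
    bad = pem("PRIVATE KEY") + pem("CERTIFICATE")
    print("good bundle:", check_bundle(good) or "OK")
    print("PKCS#8 key :", check_bundle(bad))
```

On OpenSSL 3.x, "openssl rsa" writes the PKCS#8 "BEGIN PRIVATE KEY" header by default; its -traditional option produces the "BEGIN RSA PRIVATE KEY" form.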
imthemp3king
Contributor

Will do, and no, I modified my command. I will update my question with the commands I am running.
