FredericSOSSON
Contributor

SSL certificate for Orchestrator cluster

Dear Community,

I installed and configured a new Orchestrator cluster (v7.3.1) and I need an SSL certificate signed by my CA that matches the DNS name of the load balancer.

How can I generate (from keytool) a Certificate Signing Request matching the load balancer name? Is it possible to have a certificate for both the load balancer and the hostnames?

Thanks in advance,

Fred

4 Replies
sbeaver
Leadership

You should issue the certificate to the VIP and list the nodes of the cluster as Subject Alternative Names. Here is an example of the template I use to create the request.

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation
extendedKeyUsage = serverAuth, clientAuth
# The VIP must appear in the SAN list as well as in the CN: current browsers
# and TLS libraries match the hostname against the SAN only and ignore the CN.
subjectAltName = DNS:vip.domain.com, DNS:server1.domain.com, DNS:server2.domain.com, DNS:server3.domain.com, DNS:server4.domain.com

[ req_distinguished_name ]
countryName = US
stateOrProvinceName = Some State
localityName = Some City
0.organizationName = Company
organizationalUnitName = Group
commonName = vip.domain.com

Steve Beaver
VMware Communities User Moderator
VMware vExpert 2009 - 2020
VMware NSX vExpert - 2019 - 2020
====
Co-Author of "VMware ESX Essentials in the Virtual Data Center"
(ISBN:1420070274) from Auerbach
Come check out my blog: http://www.virtualizationpractice.com/blog/
Come follow me on twitter http://www.twitter.com/sbeaver

**The Cloud is a journey, not a project.**
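The template above is only half of the procedure the question asks about; the request still has to be generated and, before it is sent to the CA, checked to confirm that the VIP and every node name actually landed in the SAN extension. The following added example (not code from the thread or from VMware) does both with the openssl command line: it writes the template to a file, generates the key and CSR non-interactively, and extracts the DNS names from the CSR so they can be compared against the load-balancer and node names. The hostnames are the thread's placeholders; the working directory and the file names are assumptions.

```shell
#!/bin/sh
# Added example: create a CSR for the VIP with the cluster nodes as SANs
# from the template posted in the thread, then verify the CSR contents.
# WORKDIR, rui.key/rui.csr and vip.cnf are assumed names, not vRO defaults.

set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"

write_req_conf() {
  # $1 = path of the openssl config to write (non-interactive: prompt = no).
  cat > "$1" <<'EOF'
[ req ]
default_bits        = 2048
default_keyfile     = rui.key
distinguished_name  = req_distinguished_name
encrypt_key         = no
prompt              = no
string_mask         = nombstr
req_extensions      = v3_req

[ v3_req ]
basicConstraints    = CA:FALSE
keyUsage            = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation
extendedKeyUsage    = serverAuth, clientAuth
# VIP first, then every node: clients match the SAN list, not the CN.
subjectAltName      = DNS:vip.domain.com, DNS:server1.domain.com, DNS:server2.domain.com, DNS:server3.domain.com, DNS:server4.domain.com

[ req_distinguished_name ]
countryName             = US
stateOrProvinceName     = Some State
localityName            = Some City
0.organizationName      = Company
organizationalUnitName  = Group
commonName              = vip.domain.com
EOF
}

make_csr() {
  # Generates an unencrypted 2048-bit RSA key and the CSR; prints the CSR path.
  conf="$WORKDIR/vip.cnf"
  write_req_conf "$conf"
  openssl req -new -config "$conf" \
    -keyout "$WORKDIR/rui.key" -out "$WORKDIR/rui.csr" 2>/dev/null
  echo "$WORKDIR/rui.csr"
}

csr_san_names() {
  # Prints the DNS names carried in the CSR's Subject Alternative Name
  # extension, one per line, so they can be diffed against the inventory.
  # In 'openssl req -text' output the SAN values sit on the line after the header.
  openssl req -in "$1" -noout -text \
    | sed -n '/X509v3 Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' | sed 's/^ *DNS://; s/ *$//'
}

csr_subject() {
  # Prints the CSR subject so the CN can be checked against the VIP name.
  openssl req -in "$1" -noout -subject
}

# Stand-alone run: generate the request and list what the CA will see.
CSR="$(make_csr)"
csr_subject "$CSR"
csr_san_names "$CSR"
```

The CSR is what goes to the CA; the key stays on the box. If the same request must come out of keytool instead, the equivalent is the `-ext SAN=dns:vip.domain.com,dns:server1.domain.com,...` option on `keytool -genkeypair` and `keytool -certreq`; in either tool the check before submission is the same: every name a client will connect to, VIP included, must be present in the SAN list.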
FredericSOSSON
Contributor

Thank you very much sbeaver, I will give it a try with 'Subject Alternative Name'.

iiliev
VMware Employee

And just one minor detail to add: if you anticipate possible changes in the cluster nodes' list, you can issue the certificate using a wildcard. That is, instead of hard-coding server1.domain.com, server2.domain.com, etc., you can use *.domain.com.

FredericSOSSON
Contributor

Thanks a lot, Ilian Iliev.
