Last updated: 4/19/2024
Today we are going to do something simple. We are going to create a certificate for VMWare Realize Log. Yes we could create a self-signed certificate. Yes we would use a handy dandy Microsoft Server CA. [And this is an important skill to have] but for today’s purpose we are going to use “easy-rsa”.
Easy-RSA is a utility for managing X.509 PKI, or Public Key Infrastructure.
In short this can be used to build a certificate of authority that we can use to issue certs. Put simply, we can build our own certs much like GoDaddy, “Let’s Encrypt”n and others. So with “our” root cert and an issued cert we are on our way to ensuring trust..
Note #1: As an aside – I preach regularly the importance of setting up NTP services on servers. It is easy to be neglectful. How can time effect me? After all I am in a hurry and I am working on certificates. Well in my case I failed to set NTP up on my server and was producing a certificate that started the next day. Opps. Yes I shook my head the entire time I fixed what I should have done right the first time..
Note #2: The first URL referenced below is the VMWare DOC that describes this process in general terms.
Note #3. Building on our past foundations one important note is to take stock of the /home/user/easy-rsa/pki folder and its contents.. Of great importance is the ca.crt file. This will be the ROOT CA cert for your Easy-RSA deployment. In our simple example we merely need to “Teach” our machines to trust this cert. Issued [valid] certs then likewise trusted. If you are using Microsoft you can use a GPO to push these cert out in your environment and save effort. Or, you could manually teach your machine to trust the CA file.
Note #4. This example does assume you have installed Easy-RSA. Take note that for the example found on this site and referenced here, it was installed in “/home/ubuntu/easy-rsa”
Now to make life easier I am going to create a “configuration file” to help create my cert. This will make it easy to develop a template like structure for other machines. It also will make it easy to re-create it down the road. In this case I am going to use VI in the /tmp directory and create a file named “vmlog.cnf”
cd /tmp
vi vmlog.cnf
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = Ohio
localityName = Dayton
organizationName = sparelab
commonName = vmlog.sparelab.net
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = vmlog.sparelab.net
IP.1 = 172.16.104.5
We will use the “conf” file to create create our request file. Note: this process does create a key [myserver.key] that is used in is used to shape the key request.
openssl req -out myserver.csr -newkey rsa:2048 -nodes -keyout myserver.key -config vmlog.cnf
The above command will create a new request creating the "key" and "csr" in the process.
Results:
myserver.csr
myserver.key
The above command will have created an “encrypted private key”. For the purpose of this example we are going to dumb things down a bit and create a “key” that is NOT encrypted. Rather than have to specify two (2) files we are going to to do a little leg work and bind three (3) files together.
openssl rsa -in myserver.key -out new.key
Now we can use easy-rsa and allow our “ca” to use our request to create and sign a cert for us.
cd /home/ubuntu/easy-rsa/
./easyrsa import-req /tmp/myserver.csr vmlog
./easyrsa sign-req server vmlog
The above should create your cert for you. Note it will ask for the passphrase you used during the initial CSR creation step. It will store it in the Easy-RSA structure. So it’s good to know where it’s going to store the file. Now we can copy it to some place easier to work with.
Certificate created at: /home/ubuntu/easy-rsa/pki/issued/vmlog.crt
Enter pass phrase for /home/ubuntu/easy-rsa/pki/private/ca.key
cp /home/ubuntu/easy-rsa/pki/issued/vmlog.crt /tmp
cd /tmp
Now – as mentioned – we need a bit of a special construction for our cert to keep the VMWare vRealize app happy. We are going to create a CERT/PEM that has three PEMs copied into it. Open a file called “vmlog.pem”. In it copy the text for the PRIVATE KEY. To that add the key for the certificate we produced and then we will add the certificate for the “ca.crt:.
As a PEM file with this format you are not going to be able to have Microsoft decode and examine the cert. However the “VMWare vRealize Log” app should be happy with it.
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCwEO7SITlPfrQ0
...
NwSsUplvwdXHCXobsIKkrmMtjwnQnCyhVFQWFrSDIMBqL/5m7HaJR5vK8SAacK0j
ae3HGDffpiNO/jWeGlRazsaA
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDxTCCAq2gAwIBAgIQdU9bFNiPNkFVNns+HaPnbjANBgkqhkiG9w0BAQsFADAW
...
dLW7Bq0t6oq2
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDSzCCAjOgAwIBAgIULGWCbcob/MNhCqocZAaCObijzhowDQYJKoZIhvcNAQEL
...
dokl1fKrlU6gCSC6IAHf9TrwGOuOXTpK5RsUy+5KhQ==
-----END CERTIFICATE-----
You should now be ready to install the PEM style cert. Log in as an “admin” to your VMLog Realize portal and select “system” and at the bottom under “organization” the last item is SSL.
You should now be able select the “Choose File” button to select your new certificate.
My browser of choice is Chrome. You probably will have to close out and get back in. When you do you should see that the cert is trusted.
Reference:
https://docs.vmware.com/en/vRealize-Log-Insight/8.8/com.vmware.log-insight.administration.doc/GUID-93E0A9FA-9C72-47AE-9E54-9982F4604FE1.html