easy-rsa in the field example 1

Today we are going to do something simple: create a certificate for VMware vRealize Log Insight. Yes, we could create a self-signed certificate. Yes, we could use a handy dandy Microsoft Server CA [and this is an important skill to have … so learn this as well], but for today’s purpose we are going to use Easy-RSA; treat this as the more enterprise-like approach. If our machines already trust our CA certificate, we can deploy the new certificate with the confidence that it too will be trusted.

Note #1: As an aside, I preach regularly about the importance of setting up NTP services on servers. It is easy to be neglectful. How can time affect me? After all, I am in a hurry and I am working on certificates. Well, in my case I failed to set NTP up on my server and was producing a certificate that started the next day. Oops. Yes, I shook my head the entire time I fixed what I should have done right the first time.

Note #2: The URL referenced below is the VMware doc that describes this process in general terms.

Note #3: With certificates, one important lesson is to learn about the /home/user/easy-rsa/pki folder and what is in it. Of great importance is the ca.crt file: this is the CA certificate for your Easy-RSA deployment. In our simple example we merely need to “teach” our machines to trust this certificate once; any server certificate issued by this CA will then be trusted. If you are using Microsoft you can use a GPO to push this certificate out in your environment to save you the effort, or you can manually teach each machine to trust the CA file.

Note #4: This example assumes you followed the example elsewhere on this site to install Easy-RSA. For this example you should assume it was installed in “/home/ubuntu/easy-rsa”.

Now, to make life easier, I am going to create a “configuration file” to help create my certificate. This makes it easy to develop a template-like structure for other machines, and to re-create the certificate down the road. In this case I am going to use vi in the /tmp directory and create a file named “vmlog.cnf”.

cd /tmp
vi vmlog.cnf
[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext
prompt             = no
[ req_distinguished_name ]
countryName                = US
stateOrProvinceName        = Ohio
localityName               = Dayton
organizationName           = sparelab
commonName                 = vmlog.sparelab.net
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1   = vmlog.sparelab.net
IP.1    = 172.16.104.5

We will use the “cnf” file to create our request file (CSR). Note: this process also generates the private key [myserver.key]; its public half goes into the request, while the private key itself stays on the machine and never needs to be sent to the CA.

openssl req -out myserver.csr -newkey rsa:2048 -nodes -keyout myserver.key -config vmlog.cnf
The above command will create a new request creating the "key" and "csr" in the process.
Results:
  myserver.csr
  myserver.key

Because we passed -nodes (“no DES”) above, the key was written without a passphrase; the BEGIN PRIVATE KEY header only tells you it is in PKCS#8 format, not that it is encrypted. The next command re-emits the key unencrypted (the exact header it writes depends on your OpenSSL version); it is harmless here, and it is the step you would need had you left out -nodes and been prompted for a passphrase. We want an unencrypted key because, rather than having to hand the appliance two (2) files, we are going to do a little leg work and bind three (3) files together into one. Since this key is now protected by nothing but file permissions, keep it readable only by you (chmod 600) and remove the /tmp copies when you are done.

 openssl rsa -in myserver.key -out new.key

Now we can use easy-rsa and allow our “ca” to use our request to create and sign a cert for us.

cd /home/ubuntu/easy-rsa/
./easyrsa import-req /tmp/myserver.csr vmlog
./easyrsa sign-req server vmlog

The above should create your certificate. Note that the passphrase it asks for is the one protecting the CA’s private key (pki/private/ca.key), set when the CA was built; the CSR itself carries no passphrase because we used -nodes. Easy-RSA stores the signed certificate in its own structure (pki/issued/vmlog.crt), so it’s good to know where to look. One caveat: depending on your Easy-RSA version, extensions from an imported request are not copied into the issued certificate unless you ask for it (--copy-ext in Easy-RSA 3; see ./easyrsa help options), so check the issued certificate for the subjectAltName entries before you move on. Browsers ignore the CN and will refuse a certificate without a matching SAN. Now we can copy it somewhere easier to work with.

Enter pass phrase for /home/ubuntu/easy-rsa/pki/private/ca.key:
Certificate created at: /home/ubuntu/easy-rsa/pki/issued/vmlog.crt
cp /home/ubuntu/easy-rsa/pki/issued/vmlog.crt /tmp
cd /tmp

Now, as mentioned, we need a bit of a special construction for our certificate to keep the VMware vRealize Log Insight app happy. We are going to create a single PEM file that has three PEM blocks copied into it, in this order. Open a file called “vmlog.pem”. Into it copy the text of the PRIVATE KEY (new.key). Below that add the server certificate we just produced (vmlog.crt), and then add the CA certificate (ca.crt from the pki folder).

A PEM file in this format (private key plus certificates in one file) is not something the Windows certificate viewer will open and decode for you; if you want to inspect the certificate on Windows, look at vmlog.crt on its own. The vRealize Log Insight app, however, should be happy with it.

-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCwEO7SITlPfrQ0
...
NwSsUplvwdXHCXobsIKkrmMtjwnQnCyhVFQWFrSDIMBqL/5m7HaJR5vK8SAacK0j
ae3HGDffpiNO/jWeGlRazsaA
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDxTCCAq2gAwIBAgIQdU9bFNiPNkFVNns+HaPnbjANBgkqhkiG9w0BAQsFADAW
...
dLW7Bq0t6oq2
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDSzCCAjOgAwIBAgIULGWCbcob/MNhCqocZAaCObijzhowDQYJKoZIhvcNAQEL
...
dokl1fKrlU6gCSC6IAHf9TrwGOuOXTpK5RsUy+5KhQ==
-----END CERTIFICATE-----
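Rather than pasting the three PEM blocks by hand, the bundle can be built with cat and, more importantly, checked before it is uploaded. The script below is an added example and not part of the original post or of Easy-RSA: it uses plain openssl to generate a throwaway CA and a server certificate from a request config of the same shape as vmlog.cnf (a stand-in for the Easy-RSA pki directory, so the script runs stand-alone and offline), builds the key/cert/CA bundle, and then runs the checks worth doing on the real files: the private key matches the certificate, the certificate chains to the CA and is valid right now (openssl verify rejects a not-yet-valid certificate, which is exactly the NTP mistake from Note #1), the SAN entries survived signing, and the bundle has the expected layout. The temp directory, the throwaway CA, and the sample names and addresses are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): build the key + cert + CA PEM
# bundle that vRealize Log Insight wants, then sanity-check it before upload.
# Only openssl is used. A throwaway CA and server certificate are generated
# into a temp dir as a stand-in for the Easy-RSA pki/ directory (constructed
# fixtures, not real data). To check a real bundle, call the check functions
# with /tmp/new.key, /tmp/vmlog.crt and /home/ubuntu/easy-rsa/pki/ca.crt.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

make_fixtures() {
  # Throwaway CA; in the post this is pki/ca.crt produced by "easyrsa build-ca".
  cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no
[ dn ]
commonName         = Throwaway Example CA
[ ca_ext ]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$WORK/ca.cnf" -extensions ca_ext \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  # Request config with the same shape as vmlog.cnf in the post (SAN via req_ext).
  cat > "$WORK/vmlog.cnf" <<'EOF'
[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext
prompt             = no
[ req_distinguished_name ]
commonName         = vmlog.sparelab.net
[ req_ext ]
subjectAltName     = @alt_names
[ alt_names ]
DNS.1 = vmlog.sparelab.net
IP.1  = 172.16.104.5
EOF
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/vmlog.cnf" \
    -keyout "$WORK/myserver.key" -out "$WORK/myserver.csr" 2>/dev/null
  # Sign the request and copy its SAN section into the certificate. This stands
  # in for "easyrsa sign-req server vmlog"; whichever tool signs, verify below
  # that the SAN actually made it into the issued certificate.
  openssl x509 -req -in "$WORK/myserver.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/vmlog.cnf" -extensions req_ext \
    -out "$WORK/vmlog.crt" 2>/dev/null
}

# Bundle = private key, then server cert, then CA cert (the order the post describes).
build_bundle() {  # $1 key  $2 server cert  $3 ca cert  $4 output bundle
  cat "$1" "$2" "$3" > "$4"
  chmod 600 "$4"  # the bundle contains the unencrypted private key
}

# The private key's public half must be byte-identical to the cert's public key.
key_matches_cert() {  # $1 key  $2 cert
  local k c
  k="$(openssl pkey -in "$1" -pubout 2>/dev/null)" || return 1
  c="$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Chain check against the Easy-RSA CA only (not the system store). openssl verify
# also rejects a not-yet-valid certificate, which catches the NTP mistake in Note #1.
chain_verifies() {  # $1 ca cert  $2 server cert
  openssl verify -no-CApath -no-CAfile -CAfile "$1" "$2" >/dev/null 2>&1
}

# Did the requested SAN entry survive signing? $2 is the text openssl prints,
# e.g. "DNS:vmlog.sparelab.net" or "IP Address:172.16.104.5".
cert_has_san() {  # $1 cert  $2 SAN text
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' | grep -q -e "$2"
}

# Exactly one private key, first in the file, followed by exactly two certificates.
bundle_layout_ok() {  # $1 bundle
  [ "$(grep -c -e 'BEGIN .*PRIVATE KEY' "$1")" -eq 1 ] &&
  [ "$(grep -c -e 'BEGIN CERTIFICATE' "$1")" -eq 2 ] &&
  head -n 1 "$1" | grep -q -e 'BEGIN .*PRIVATE KEY'
}

# Run every check; returns 0 only if all pass.
check_bundle() {  # $1 key  $2 server cert  $3 ca cert  $4 bundle
  local rc=0
  key_matches_cert "$1" "$2" && echo "ok   private key matches certificate" || { echo "FAIL private key does not match certificate"; rc=1; }
  chain_verifies "$3" "$2" && echo "ok   certificate chains to CA and is currently valid" || { echo "FAIL chain or validity period"; rc=1; }
  cert_has_san "$2" "DNS:vmlog.sparelab.net" && echo "ok   SAN DNS entry present" || { echo "FAIL SAN DNS entry missing"; rc=1; }
  cert_has_san "$2" "IP Address:172.16.104.5" && echo "ok   SAN IP entry present" || { echo "FAIL SAN IP entry missing"; rc=1; }
  bundle_layout_ok "$4" && echo "ok   bundle layout is key, cert, ca" || { echo "FAIL bundle layout"; rc=1; }
  return $rc
}

make_fixtures
build_bundle "$WORK/myserver.key" "$WORK/vmlog.crt" "$WORK/ca.crt" "$WORK/vmlog.pem"
check_bundle "$WORK/myserver.key" "$WORK/vmlog.crt" "$WORK/ca.crt" "$WORK/vmlog.pem"
```

For the real deployment, skip make_fixtures and run `build_bundle /tmp/new.key /tmp/vmlog.crt /home/ubuntu/easy-rsa/pki/ca.crt /tmp/vmlog.pem` followed by `check_bundle` with the same arguments. If the SAN check fails, the request extensions were dropped at signing time; re-sign with Easy-RSA told to copy them rather than uploading a certificate the browser will reject.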

You should now be ready to install the PEM-style certificate. Log in as an admin to your vRealize Log Insight portal and select “System”; at the bottom, under “Organization”, the last item is SSL.

You should now be able select the “Choose File” button to select your new certificate.

My browser of choice is Chrome. You will probably have to log out and back in. When you do, and provided your machine already trusts the Easy-RSA ca.crt (Note #3), you should see that the certificate is trusted.

Reference:
https://docs.vmware.com/en/vRealize-Log-Insight/8.8/com.vmware.log-insight.administration.doc/GUID-93E0A9FA-9C72-47AE-9E54-9982F4604FE1.html
