In this post I’m going to explain how to create a Certificate Signing Request (CSR) from an external resource for vRealize Log Insight.
According to the VMware instructions, for a Log Insight cluster with 3 nodes and a VIP that belongs to the network load balancer, we need to create a CSR with a common name and subject alternative names (SAN).
Our 3 nodes should be listed in the Subject Alternative Name (SAN) section as follows:
- vrli-01a.corp.local
- vrli-02a.corp.local
- vrli-03a.corp.local
Our load balancer FQDN, which should be written in the common name, is: vrli.corp.local
To create a CSR for our vRLI, we need to log into the vRealize Log Insight console with the root account. Then, to configure the Subject Alternative Name (SAN), we edit the file /etc/ssl/openssl.cnf
Then uncomment the line req_extensions = v3_req
Then, under the [v3_req] section, add a line to define the Subject Alternative Name:
subjectAltName = DNS:vrli-01a.corp.local, IP:192.168.1.41, DNS:vrli-02a.corp.local, IP:192.168.1.42, DNS:vrli-03a.corp.local, IP:192.168.1.43
The IP entries are not mandatory; you can also define this line without IP addresses.
Then save the file with :wq
Now we issue the command to create a new CSR:
openssl req -nodes -new -newkey rsa:2048 -sha256 -keyout privatekey.pem -out csr.pem
After issuing this command, it asks you for some general information for your certificate, but the only thing that is important is the common name, which must be defined as your VIP or network load balancer FQDN (vrli.corp.local).
Now the CSR is ready. Two files have been created during this process:
privatekey.pem and csr.pem
To show what information is included in the CSR we can issue this command:
$ openssl req -in csr.pem -text -noout
To show the public key:
$ openssl req -in csr.pem -noout -pubkey
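
A check to run before sending csr.pem to the CA, as an added example that is not part of the original post: check_csr_names (a hypothetical helper) reads the text printed by openssl req -in csr.pem -noout -text and compares the common name and the DNS entries of the SAN against the names listed above. The sample dump embedded in the script is constructed.

```shell
#!/bin/sh
# Added example: verify CSR names before submission. check_csr_names is a
# hypothetical helper, not part of OpenSSL or vRealize Log Insight.
# Usage: openssl req -in csr.pem -noout -text | check_csr_names CN SAN...
check_csr_names() (
    set -f                      # no globbing when splitting the SAN list
    want_cn=$1; shift
    text=$(cat); rc=0
    # Subject prints as "CN = name" (OpenSSL 1.1+) or "CN=name" (older).
    cn=$(printf '%s\n' "$text" |
         sed -n 's/^ *Subject:.*CN *= *\([^,/]*\).*/\1/p' | head -n 1)
    # The line after the SAN header holds "DNS:a, IP Address:b, DNS:c".
    sans=$(printf '%s\n' "$text" |
           sed -n '/X509v3 Subject Alternative Name/{n;p;}' |
           tr ',' '\n' | sed -n 's/^ *DNS://p')
    if [ "$cn" = "$want_cn" ]; then echo "OK   CN=$cn"
    else echo "FAIL CN is '$cn', expected '$want_cn'"; rc=1; fi
    for name in "$@"; do
        if printf '%s\n' "$sans" | grep -qxF -- "$name"
        then echo "OK   SAN DNS:$name"
        else echo "FAIL SAN DNS:$name missing"; rc=1; fi
    done
    # Flag DNS SANs nobody asked for (typos, leftovers in openssl.cnf).
    for name in $sans; do
        case " $want_cn $* " in
            *" $name "*) ;;
            *) echo "FAIL unexpected SAN DNS:$name"; rc=1 ;;
        esac
    done
    # RFC 6125: clients that find DNS SANs match on them, not on the CN.
    printf '%s\n' "$sans" | grep -qxF -- "$want_cn" ||
        echo "WARN CN $want_cn is not among the DNS SANs"
    exit "$rc"
)

# Constructed, abbreviated sample of `openssl req -noout -text` output.
sample_csr_text() {
    cat <<'EOF'
Certificate Request:
    Data:
        Subject: C = US, O = Example, CN = vrli.corp.local
        Requested Extensions:
            X509v3 Subject Alternative Name: 
                DNS:vrli-01a.corp.local, IP Address:192.168.1.41, DNS:vrli-02a.corp.local, IP Address:192.168.1.42, DNS:vrli-03a.corp.local, IP Address:192.168.1.43
EOF
}

sample_csr_text | check_csr_names vrli.corp.local \
    vrli-01a.corp.local vrli-02a.corp.local vrli-03a.corp.local
```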