How to issue CSR for vRealize Log Insight certificate with 3 nodes in a cluster

In this post I’m going to explain how to create a Certificate Sign Request (CSR) from an external resource for vRealize LogInsight.

According to the VMware instruction for a LogInsight with 3 nodes in the cluster we have a VIP which is belong to the Network Load Balancer we need to create CSR with common name and subject alternative name (SAN)

As follow our 3 nodes should be written in subject Alternative name section (SAN):

  • vrli-01a.corp.local
  • vrli-02a.corp.local
  • vrli-03a.corp.local

And our loadbalancer FQDN which should be written in common name is : vrli.corp.local

To create a CSR for our vRLI we need to log into vRealize loginsight console with root account, then to configure Subject Alternative Name (SAN) we should configure the file /etc/ssl/openssl.cnf

Then uncomment the req_extensions = v3_req as shown below

Then under [v3_req] section add a line to define the Subject Alternative Name

subjectAltName = DNS:vrli-01a.corp.local, IP:192.168.1.41, DNS:vrli-02a.corp.local, IP:192.168.1.42, DNS:vrli-03a.corp.local, IP:192.168.1.43

the IP section is not mandatory you can also define this section without ip address

and then save it with :wq

Now we issue the command for creating a new csr

openssl req -nodes -new -newkey rsa:2048 -sha256 -out csr.pem

After issuing this command, it asks you about some general info in your certificate but the only thing that is important is common name that must be define as your VIP or Netwrol Loadbalancer FQDN (vrli.corp.local)

Now the CSR is ready, two files have been created during these process:

privatekey.pem and csr.pem

To show what information is included in the CSR we can issue this command:

 $ openssl req -in csr.pem -text -noout

To show the public key:

$ openssl req -in csr.pem -noout -pubkey



Leave a Reply

Your email address will not be published. Required fields are marked *

8 + 2 =