Generate a Key Pair and Certificate Signing Request for vRealize Log Insight in Region B
To create a CA-signed certificate for vRealize Log Insight in Region B, generate a certificate signing request (CSR) on the Linux appliance for the master node and use the intermediate certificate authority on the child AD server to sign the certificate.
Procedure
On your computer, create a configuration file for OpenSSL certificate request generation, called vrli-lax.cfg.
Because all nodes in the cluster share the same certificate, the Subject Alternative Name field, subjectAltName, of the uploaded certificate must contain the IP addresses and FQDNs of all nodes and of the load balancer. For common name, use the full domain name of the integrated load balancer.
```
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vrli-cluster-51, DNS:vrli-cluster-51.lax01.rainpole.local, DNS:vrli-mstr-51.lax01.rainpole.local, DNS:vrli-mstr-51, DNS:vrli-wrkr-51.lax01.rainpole.local, DNS:vrli-wrkr-51, DNS:vrli-wrkr-52.lax01.rainpole.local, DNS:vrli-wrkr-52

[ req_distinguished_name ]
countryName = US
stateOrProvinceName = CA
localityName = Palo Alto
organizationName = Rainpole Inc.,
organizationalUnitName = rainpole.local
commonName = vrli-cluster-51.lax01.rainpole.local
```
Log in to the master node of vRealize Log Insight by using a Secure Shell (SSH) client.
- Open an SSH connection to the virtual machine vrli-mstr-51.lax01.rainpole.local.
Log in using the following credentials.
| Setting | Value |
|---|---|
| User name | root |
| Password | vrli_master_root_password |
Create a sub-directory called vrli in the root home directory and navigate to it.
```
mkdir /root/vrli
cd /root/vrli
```
From the /root/vrli folder, generate an RSA private key that is 2048 bits long, and save it as a vrli.key file.
```
openssl genrsa -out vrli.key 2048
```
Copy the vrli-lax.cfg file to the /root/vrli folder on the master node virtual appliance.
You can use scp, FileZilla or WinSCP.
Use the vrli.key private key and the vrli-lax.cfg configuration file to create a CSR and save it as a vrli-lax01.csr file to the /root/vrli folder.
```
openssl req -new -key vrli.key -out vrli-lax01.csr -config vrli-lax.cfg
```
The /root/vrli folder contains the vrli-lax.cfg, vrli.key and vrli-lax01.csr files.
Copy the vrli.key and vrli-lax01.csr files to the C:\manual-certs\vrli.lax01 folder on the Windows host that you use to access your data center.
- Rename vrli.key to vrli-lax01.key.
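Before the CSR goes to the intermediate CA, it is worth confirming on the master node that it verifies, was made from vrli.key, and carries every name that vrli-lax.cfg requests. The script below is an added example, not part of the VMware procedure; the script name check_csr.sh and the function names are hypothetical, and it assumes vrli-lax.cfg has one setting per line.

```shell
#!/bin/sh
# Added example (not VMware's code): sanity-check the CSR before sending it to the CA.

# Read text on stdin, print one SAN DNS name per line ("DNS: name" is tolerated).
dns_names() {
    tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:[[:space:]]*\([^[:space:]]*\).*$/\1/p'
}

# DNS names requested by the subjectAltName line of an OpenSSL request config.
cfg_san_names() {
    sed -n 's/^[[:space:]]*subjectAltName[[:space:]]*=//p' "$1" | dns_names
}

# commonName value from the [ req_distinguished_name ] section of the config.
cfg_common_name() {
    sed -n 's/^[[:space:]]*commonName[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*$/\1/p' "$1"
}

# check_csr CFG KEY CSR
# Returns 0 only if the CSR verifies, was made from KEY, carries every SAN
# name the config asks for, and lists the common name among its SANs.
check_csr() {
    cfg=$1; key=$2; csr=$3; rc=0
    # Match the message text: older OpenSSL releases exit 0 even when -verify fails.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "FAIL: CSR self-signature does not verify"; return 1; }
    [ "$(openssl req -in "$csr" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] ||
        { echo "FAIL: public key in $csr does not match $key"; return 1; }
    csr_sans=$(openssl req -in "$csr" -noout -text | dns_names)
    for name in $(cfg_san_names "$cfg"); do
        # -x and -F force an exact match, so a short name cannot pass as its FQDN.
        printf '%s\n' "$csr_sans" | grep -qxF "$name" ||
            { echo "FAIL: SAN missing from CSR: $name"; rc=1; }
    done
    cn=$(cfg_common_name "$cfg")
    printf '%s\n' "$csr_sans" | grep -qxF "$cn" ||
        { echo "FAIL: common name $cn is not listed as a SAN"; rc=1; }
    return "$rc"
}

# Stand-alone use on the appliance: sh check_csr.sh vrli-lax.cfg vrli.key vrli-lax01.csr
if [ "$#" -eq 3 ]; then
    check_csr "$@"
fi
```

A non-zero exit status means the CSR should be regenerated rather than signed, since a missing SAN only shows up later as a certificate name mismatch on one of the cluster nodes.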