Generate Manually a Key Pair and Certificate Signing Request for vRealize Log Insight in Region A

To create a CA-signed certificate for vRealize Log Insight, generate a certificate signing request (CSR) on the virtual appliance for the master node and use the intermediate certificate authority that is available on the child Active Directory (AD) server to sign the certificate.

Procedure

  1. On your computer, create a configuration file for OpenSSL certificate request generation, called vrli-sfo.cfg.

    Because all nodes in the cluster share the same certificate, the Subject Alternative Name field, subjectAltName, of the uploaded certificate must contain the IP addresses and FQDNs of all nodes and of the load balancer. For the common name, use the FQDN of the integrated load balancer. The following configuration can be used as an example to create the certificate request:

    ```
    [ req ]
    default_bits = 2048
    default_keyfile = rui.key
    distinguished_name = req_distinguished_name
    encrypt_key = no
    prompt = no
    string_mask = nombstr
    req_extensions = v3_req

    [ v3_req ]
    basicConstraints = CA:FALSE
    keyUsage = digitalSignature, keyEncipherment, dataEncipherment
    extendedKeyUsage = serverAuth, clientAuth
    subjectAltName = DNS:vrli-cluster-01, DNS:vrli-cluster-01.sfo01.rainpole.local, DNS:vrli-mstr-01.sfo01.rainpole.local, DNS:vrli-mstr-01, DNS:vrli-wrkr-01.sfo01.rainpole.local, DNS:vrli-wrkr-01, DNS:vrli-wrkr-02.sfo01.rainpole.local, DNS:vrli-wrkr-02

    [ req_distinguished_name ]
    countryName = US
    stateOrProvinceName = CA
    localityName = Palo Alto
    organizationName = Rainpole Inc.
    organizationalUnitName = rainpole.local
    commonName = vrli-cluster-01.sfo01.rainpole.local
    ```

  2. Log in to the master node of vRealize Log Insight by using a Secure Shell (SSH) client.

    1. Open an SSH connection to the virtual machine vrli-mstr-01.sfo01.rainpole.local.
    2. Log in using the following credentials.

      | Setting   | Value                     |
      |-----------|---------------------------|
      | User name | root                      |
      | Password  | vrli_master_root_password |

  3. Create a sub-directory called vrli in the root home directory and navigate to it.

    ```
    mkdir /root/vrli
    cd /root/vrli
    ```

  4. From the /root/vrli folder, generate an RSA private key that is 2048 bits long, and save it as a vrli.key file.

    ```
    openssl genrsa -out vrli.key 2048
    ```

  5. Copy the vrli-sfo.cfg to the /root/vrli folder on the master node virtual appliance.

    You can use SCP, FileZilla, WinSCP or similar.

  6. Use the vrli.key private key and the vrli-sfo.cfg configuration file to create a CSR and save it as a vrli-sfo01.csr file to the /root/vrli folder.

    ```
    openssl req -new -key vrli.key -out vrli-sfo01.csr -config vrli-sfo.cfg
    ```

    The /root/vrli folder contains the vrli-sfo.cfg, vrli.key and vrli-sfo01.csr files.

  7. Copy the vrli.key and vrli-sfo01.csr file to the C:\manual-certs\vrli.sfo01 folder on the Windows host that you use to access your data center.

  8. Rename vrli.key to vrli-sfo01.key.
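The following script is an added example, not part of the VMware procedure: it runs steps 4 and 6 against an inline copy of the vrli-sfo.cfg above and then inspects the resulting CSR to confirm that it carries the load-balancer common name, all eight node and cluster SAN entries, and a 2048-bit key, which is the check worth doing before the request is handed to the CA. It assumes the openssl CLI is on PATH and writes into a temporary directory (WORKDIR) rather than /root/vrli.

```shell
#!/bin/sh
# Added example (not from the VMware page): generate the vRealize Log Insight key and CSR
# from the vrli-sfo.cfg shown above, then verify CN, SANs and key size before sending to CA.
# Assumes the openssl CLI is on PATH; WORKDIR defaults to a fresh temporary directory.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"

write_cfg() {
cat > "$WORKDIR/vrli-sfo.cfg" <<'EOF'
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vrli-cluster-01, DNS:vrli-cluster-01.sfo01.rainpole.local, DNS:vrli-mstr-01.sfo01.rainpole.local, DNS:vrli-mstr-01, DNS:vrli-wrkr-01.sfo01.rainpole.local, DNS:vrli-wrkr-01, DNS:vrli-wrkr-02.sfo01.rainpole.local, DNS:vrli-wrkr-02
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = CA
localityName = Palo Alto
organizationName = Rainpole Inc.
organizationalUnitName = rainpole.local
commonName = vrli-cluster-01.sfo01.rainpole.local
EOF
}

# Steps 4 and 6 of the procedure: 2048-bit RSA key, then a CSR from that key and config.
generate_csr() {
  write_cfg
  openssl genrsa -out "$WORKDIR/vrli.key" 2048 2>/dev/null
  openssl req -new -key "$WORKDIR/vrli.key" -out "$WORKDIR/vrli-sfo01.csr" \
    -config "$WORKDIR/vrli-sfo.cfg"
}

# Returns 0 only if the key is 2048 bits and the CSR has the expected CN and all eight SANs.
verify_csr() {
  openssl rsa -in "$WORKDIR/vrli.key" -noout -text | grep -q "2048 bit" || return 1
  text=$(openssl req -noout -text -in "$WORKDIR/vrli-sfo01.csr")
  echo "$text" | grep -qE 'CN ?= ?vrli-cluster-01\.sfo01\.rainpole\.local' || return 1
  for n in vrli-cluster-01 vrli-mstr-01 vrli-wrkr-01 vrli-wrkr-02; do
    for name in "$n" "$n.sfo01.rainpole.local"; do   # short name and FQDN of each host
      echo "$text" | grep -qE "DNS:${name}(,|\$)" || return 1   # anchor so short != FQDN
    done
  done
}
```

Run `generate_csr && verify_csr && echo "CSR OK"`; a missing SAN or a wrong CN makes verify_csr return non-zero, which is the condition to catch before the CA signs anything.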

What to do next

Obtain a signed certificate from the Microsoft certificate authority. See Generate CA-Signed Certificates for the SDDC Management Components in Region A.

Parent topic: Generate Manually Key Pairs and Certificate Signing Requests for the Management Components in Region A
