How to replace the self-signed certificate of vRealize Network Insight with a custom certificate from your own internal CA.
- OpenSSL installed on Windows (http://gnuwin32.sourceforge.net/packages/openssl.htm)
- ESXi host with SSH enabled and reachable from the Network Insight Platform VM
- FileZilla client
The first thing we need to do is create a CSR with OpenSSL for the vRNI custom certificate. Let’s start with creating the config file. I will name it vrni.cfg and place it in “C:\OpenSSL-Win64\bin”, where OpenSSL is currently installed. The config file looks like this:
[ req ]
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vrni.wesleygeelhoed.local

[ req_distinguished_name ]
countryName = NL
stateOrProvinceName = Zuid-Holland
localityName = Alphen aan den Rijn
organizationName = WesleyGeelhoed
organizationalUnitName = IT
commonName = vrni.wesleygeelhoed.local
*When you want to use multiple Subject Alternative Names, just add more ‘DNS:’ entries to the subjectAltName line, separated by commas, like this: DNS:dns1.local, DNS:dns2.local, DNS:dns3.local and so on…
Open a command prompt and change your working directory to the directory where OpenSSL is installed; in my case this is again “C:\OpenSSL-Win64\bin”. Use the following command to create the key file.
openssl genrsa -out vrni.key 2048
Let’s create the CSR based on this key file and the previously created config file.
openssl req -new -key vrni.key -out vrni.csr -config vrni.cfg
Now we are ready to request the certificate from the PKI. Open the *.csr file with Notepad++ (you can also use WordPad or another text editor instead). Copy the content of the *.csr file and use it to request the certificate. In my case I’m using my own internal Microsoft CA, which has been deployed with the very useful web enrollment service 🙂
Use the default ‘Web Server’ template from the Microsoft CA to request the Certificate.
After the certificate has been issued we need to download it in Base64 encoded form.
We now have both vrni.key and vrni.cer in place. Additionally we need the Root CA certificate and, if it is part of the chain, the intermediate CA certificate. vRealize Network Insight expects two files: a *.key file and a *.crt file. First download the Root CA certificate from your CA; I can again use my Certificate Web Enrollment Service to download the Root CA *.cer file.
Open vrni.cer and rootca.cer in Notepad++, copy the Base64 encoded content of the root CA certificate and paste it into vrni.cer after the content that is already there. In case you have an intermediate CA, first copy the content of the intermediate CA certificate and then the content of the Root CA certificate. In my case it looked like this:
-----BEGIN CERTIFICATE-----
(Machine Cert)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Root CA Cert)
-----END CERTIFICATE-----
Rename the *.cer file to *.crt, and your certificate and key pair are now ready to be imported into vRealize Network Insight.
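The OpenSSL side of the procedure above, from the config file through the checks worth running on vrni.crt and vrni.key before they are uploaded, as an added shell example that is not part of the original post. It goes a little beyond the text: write_config takes any number of hostnames (the first becomes the CN, all of them become DNS: entries in subjectAltName, as the note about multiple Subject Alternative Names describes), and because there is no Microsoft CA to hand, the CSR is signed by a constructed throwaway root CA so the chain checks run offline. The file names vrni.cfg, vrni.key, vrni.csr, vrni.cer and vrni.crt are the post's; rootca.cfg, rootca.key, rootca.cer and the vrni-alias hostname are my assumptions. It needs a POSIX shell with openssl on PATH, so on Windows run it from Git Bash rather than cmd.exe.

```shell
#!/bin/sh
# Added example, not from the original post: key + CSR from the post's config,
# a constructed stand-in CA instead of the Microsoft CA, and the checks to run
# on vrni.crt / vrni.key before uploading them to vRNI.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"
cd "$WORKDIR"

# Write vrni.cfg as in the post (with an explicit [ req ] header). First
# argument becomes the CN; every argument becomes a DNS: SAN entry.
write_config() {
  cn=$1
  san=""
  for h in "$@"; do
    san="${san}${san:+, }DNS:$h"
  done
  cat > vrni.cfg <<EOF
[ req ]
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = $san
[ req_distinguished_name ]
countryName = NL
stateOrProvinceName = Zuid-Holland
localityName = Alphen aan den Rijn
organizationName = WesleyGeelhoed
organizationalUnitName = IT
commonName = $cn
EOF
}

# The two commands from the post: private key, then CSR from key + config.
make_csr() {
  openssl genrsa -out vrni.key 2048 2>/dev/null
  openssl req -new -key vrni.key -out vrni.csr -config vrni.cfg
}

# Check 1: the CSR really carries the SAN for the given host.
csr_has_san() {
  openssl req -noout -text -in vrni.csr | grep -q "DNS:$1"
}

# Constructed stand-in for the CA: a one-day self-signed root signs the CSR
# and keeps its v3_req extensions. In practice vrni.cer comes from the CA's
# web enrollment page, downloaded Base64 encoded.
issue_with_test_ca() {
  cat > rootca.cfg <<EOF
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[ dn ]
commonName = Constructed Test Root CA
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -keyout rootca.key -out rootca.cer \
    -days 1 -config rootca.cfg 2>/dev/null
  openssl x509 -req -in vrni.csr -CA rootca.cer -CAkey rootca.key -CAcreateserial \
    -out vrni.cer -days 1 -extfile vrni.cfg -extensions v3_req 2>/dev/null
}

# The Notepad++ step: machine cert, then intermediate (if any), then root.
build_chain() {
  cat "$@" > vrni.crt
}

# Check 2: the issued cert (first block of vrni.crt) still has the SAN; a CA
# can build the certificate from the subject alone and drop requested names.
cert_has_san() {
  openssl x509 -noout -text -in vrni.crt | grep -q "DNS:$1"
}

# Check 3: vrni.key is the private key for the first certificate in vrni.crt.
key_matches_cert() {
  [ "$(openssl x509 -noout -pubkey -in vrni.crt)" = "$(openssl pkey -pubout -in vrni.key)" ]
}

# Check 4: the machine cert is first in vrni.crt and chains up to the root.
chain_is_ordered() {
  subject=$(openssl x509 -noout -subject -in vrni.crt)
  case "$subject" in *"CN = $1"*|*"CN=$1"*) ;; *) return 1 ;; esac
  openssl verify -CAfile rootca.cer -untrusted vrni.crt vrni.crt >/dev/null 2>&1
}

# Stand-alone run with the post's hostname plus one constructed alias.
HOST=vrni.wesleygeelhoed.local
write_config "$HOST" vrni-alias.wesleygeelhoed.local
make_csr
issue_with_test_ca
build_chain vrni.cer rootca.cer
for check in "csr_has_san $HOST" "cert_has_san $HOST" key_matches_cert "chain_is_ordered $HOST"; do
  if $check; then echo "ok   $check"; else echo "FAIL $check"; fi
done
```

The order check is there because openssl verify on its own would happily accept a file with the root first (the root is in the trust store, after all); what matters to the appliance is that the first certificate in vrni.crt is the one it will serve. Comparing the issued certificate's SAN with what the CSR asked for is the other check that saves a second trip to the CA.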
I used an ESXi host as the SSH server from which the certificate and key file are copied to the vRealize Network Insight Platform VM. FileZilla is the client I used to upload the files to the ESXi host. Start the FileZilla client, connect to the ESXi host with the root account and password on port 22, and upload vrni.crt and vrni.key to the /tmp folder on the ESXi host.
The next thing we need to do is SSH into the vRealize Network Insight Platform VM. By default the credentials you need to use are consoleuser/ark1nc0ns0l3. Once you are logged in, use the following commands to copy the certificate and key file over and apply them to the vRealize Network Insight Platform VM.
(cli) custom-cert remove
Removed all custom certificates
(cli) custom-cert copy --host 192.168.77.221 --user root --port 22 --path /tmp/vrni.crt
Enter root password:
(cli) custom-cert copy --host 192.168.77.221 --user root --port 22 --path /tmp/vrni.key
Enter root password:
(cli) custom-cert apply
Successfully applied new certificate. All active UI sessions have to be restarted.
*--host is the IP of the ESXi host where you uploaded the files to
As a best practice, reboot the vRNI Platform VM and you are all set!
Many thanks to my colleague Viresh Oedayrajsingh Varma who helped me out with the openssl config file.