How to replace the self-signed certificate of vRealize Network Insight with a custom certificate from your own internal CA.
Prerequisites:
- Installed OpenSSL on Windows (http://gnuwin32.sourceforge.net/packages/openssl.htm)
- ESXi host with SSH enabled and reachable from the Network Insight Platform VM
- Filezilla client
First we need to create a CSR with OpenSSL for the vRNI custom certificate. Let's start with the config file. I will name it vrni.cfg and place it in "C:\OpenSSL-Win64\bin", where OpenSSL is currently installed. OpenSSL prompts for each distinguished-name field when the CSR is created: the text after each field name is the prompt label, and the value in parentheses is the example value for this environment. The config file looks like this:
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
countryName = Fill in the country name (NL)
stateOrProvinceName = Fill in the state or province (ZH)
localityName = Fill in your locality (AADR)
organizationName = Fill in the organization name (WGE)
commonName = Fill in the commonName of the certificate (FQDN)
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = vrni.wesleygeelhoed.local
DNS.2 = vrealize-network-insight.wesleygeelhoed.local
*When you want to use more Subject Alternative Names, add more entries to the [alt_names] section (DNS.3 = ..., DNS.4 = ... and so on). The alternative is to drop the @alt_names reference and list the names inline: subjectAltName = DNS:dns1.local, DNS:dns2.local, DNS:dns3.local. Include every name users will type in the browser, because modern browsers match only the Subject Alternative Names and ignore the commonName.
Open a command prompt and change the working directory to the directory where OpenSSL is installed; in my case this is again "C:\OpenSSL-Win64\bin". Use the following command to create the private key file (treat this file as a secret; it is the key vRNI will use):
openssl genrsa -out vrni.key 2048
Let’s create the CSR based on this key file and the previously created config file.
openssl req -new -key vrni.key -out vrni.csr -config vrni.cfg
Now we are ready to request the certificate from the PKI. Open the *.csr file with Notepad++ (WordPad or any text editor works too), copy its content and use it to request the certificate. In my case I'm using my own internal Microsoft CA, which has been deployed with a very useful web enrollment service 🙂
Use the default ‘Web Server’ template from the Microsoft CA to request the Certificate.
After the certificate has been issued, download it in Base64-encoded form (not DER). Before going further, check in the certificate details that the Subject Alternative Names from the CSR are present in the issued certificate; a CA can silently drop them, and then the browser will still show a name mismatch after all this work.
We now have both vrni.key and vrni.cer in place. In addition we need the Root CA certificate and, if there is one in the chain, the intermediate CA certificate. vRealize Network Insight expects two files: the *.key file and a *.crt file that contains the certificate chain. First download the Root CA certificate from your CA; I again used the Certificate Web Enrollment Service to download the Root CA *.cer file.
Open vrni.cer and rootca.cer in Notepad++, copy the Base64-encoded content of the Root CA certificate and paste it into vrni.cer after the content that is already there, so the machine certificate comes first. If you have an intermediate CA, paste the content of the intermediate CA certificate first and then the content of the Root CA certificate, so the order is machine certificate, intermediate, root. Make sure every END CERTIFICATE line is followed by a line break before the next BEGIN CERTIFICATE line; a file where they run together does not parse. In my case it looked like this:
-----BEGIN CERTIFICATE----- (Machine Cert)
47z8bjbi12juqo
W9RsIHIJpza4lbqMoVSCmZSCjYveu0Oxb3AanDBqlGH+rHPB8XnnVfxTlxjwEpOY
S1aKEZ0og+i5deygMnO2hk9SiWVkovY9DHzotZYZ3ighwU0BU/eMeSP/u7sZv1SB
VhV3ZXxa3w==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE----- (Root CA Cert)
(Base64-encoded content of the Root CA certificate, omitted here)
-----END CERTIFICATE-----
Rename the *.cer file to *.crt and your certificate and key pair is now ready to be imported to vRealize Network Insight.
I used an ESXi host as an intermediate SSH server to get the certificate and key file onto the vRealize Network Insight Platform VM, with FileZilla as the client to upload the files to the ESXi host. Start the FileZilla client, connect to the ESXi host with the root account and password on port 22 (SFTP) and upload vrni.crt and vrni.key to the /tmp folder on the ESXi host. Keep in mind that vrni.key is the private key: delete it from /tmp on the ESXi host as soon as the copy to the Platform VM is done.
Next, SSH into the vRealize Network Insight Platform VM. By default the credentials are consoleuser/ark1nc0ns0l3. Once logged in, use the following commands to remove any previous custom certificate, copy the certificate and key file from the ESXi host, and apply them to the Platform VM.
(cli) custom-cert remove
Removed all custom certificates
(cli) custom-cert copy --host 192.168.77.221 --user root --port 22 --path /tmp/vrni.crt
Enter root password:
copying...
successfully copied
(cli) custom-cert copy --host 192.168.77.221 --user root --port 22 --path /tmp/vrni.key
Enter root password:
copying...
successfully copied
(cli) custom-cert apply
Successfully applied new certificate. All active UI sessions have to be restarted.
* --host is the IP of the ESXi host where you uploaded the files to.
As a best practice, reboot the vRNI Platform VM. After the reboot, check the certificate the UI presents on port 443 (in the browser, or with OpenSSL's s_client) and confirm it is issued by your CA and carries the expected Subject Alternative Names. Then you are all set!
Many thanks to my colleague Viresh Oedayrajsingh Varma who helped me out with the openssl config file.
source: vmware.com