NFV Suite

Replacing SSL Certificates in VMware vRealize Network Insight

With NFV in place, I had to manage our vRNI as part of the NFV suite and replace its SSL certificates for integrity in the environment.

Prerequisites:

  • Validate that a recent backup of the vRNI virtual machines [both proxy and platform VMs] is available in the environment.
  • Generate a list of fully qualified domain names and their associated IP addresses.
  • Gather the root passwords of all appliances and the admin account for the vRealize Log Insight login.

Execution:

Execution is categorized into three sections as below.

  1. Generate a Certificate Signing Request and key pair [I used the XCA portable tool for this, and a separate blog page is available for this procedure - Link]
  2. Prepare the CA certificates for applying to vRNI
  3. Apply the custom certificates on the vRNI appliance

Preparing CA Certificates for Applying into vRNI

  • Open vrni_cert.cer, cacerts.cer and the intermediate CA certificate in Notepad and paste them in the order below.
    • vrni_cert.cer -> Certificate for the vRNI machine [machine certificate]
    • Intermediateca.cer -> Exported intermediate CA certificate
    • cacerts.cer -> Root CA certificate [CA certificate of the root authority]
  • Save the file as vrni.crt.
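
The bundle order and the key pairing can be checked offline before anything is uploaded. The script below is an added example, not part of the original post: it assumes a POSIX shell with the OpenSSL command line available and Base64 (PEM) encoded .cer files, and its function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. File names follow the page;
# the function names are hypothetical. Requires the openssl CLI.

# build_bundle LEAF INTERMEDIATE ROOT OUT
# Join the PEM files in the page's order. Drops the CRs a Windows editor
# adds and guarantees a newline between each END and BEGIN marker.
build_bundle() {
    for f in "$1" "$2" "$3"; do
        tr -d '\r' < "$f"
        echo
    done > "$4"
}

# bundle_order_ok BUNDLE
# True when every certificate is issued by the one after it and the last
# certificate is self-signed, i.e. machine -> intermediate -> root.
bundle_order_ok() {
    openssl crl2pkcs7 -nocrl -certfile "$1" 2>/dev/null |
    openssl pkcs7 -print_certs -noout 2>/dev/null |
    awk '
        /^subject=/ { n++; subj[n] = substr($0, 9) }
        /^issuer=/  { iss[n] = substr($0, 8) }
        END {
            if (n < 2) exit 1
            for (i = 1; i < n; i++) if (iss[i] != subj[i + 1]) exit 1
            if (iss[n] != subj[n]) exit 1
        }'
}

# key_matches_cert KEY BUNDLE
# True when KEY is the private key of the first certificate in BUNDLE.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Usage: sh check_vrni_bundle.sh vrni_cert.cer Intermediateca.cer cacerts.cer vrni.key
if [ "$#" -eq 4 ]; then
    build_bundle "$1" "$2" "$3" vrni.crt
    if bundle_order_ok vrni.crt && key_matches_cert "$4" vrni.crt; then
        echo "vrni.crt: chain order and key match OK"
    else
        echo "vrni.crt: wrong certificate order or key mismatch" >&2
        exit 1
    fi
fi
```

vrni.key is a private key, so remove the copies left in /tmp on the ESXi host once the certificate has been applied.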

Applying Custom Certs in vRNI appliance

  • Now, we need to copy all the certs and keys to the vRNI platform node.
  • Unfortunately, platform nodes cannot be accessed via WinSCP and thus we need to use a remote SSH – SCP session for copying the necessary files to the platform Node.
  • We can take a test ESXi host for performing the operation. It will not impact the ESXi host.
  • Start the WinSCP client, connect to the ESXi host with the root account and password on port 22, and upload vrni.crt and vrni.key to the /tmp folder on the ESXi host.
  • SSH into the vRealize Network Insight platform VM. Use the console user account and password.

Commands:

custom-cert remove

custom-cert copy --host <ESXi host name> --user root --port 22 --path /tmp/vrni.crt

custom-cert copy --host <ESXi host name> --user root --port 22 --path /tmp/vrni.key

custom-cert apply

  • Reboot the vRNI platform virtual machine to ensure all the changes take effect.
