In this article we will go through generating and installing an SSL certificate for Nutanix Prism using OpenSSL and a Microsoft Certificate Authority.
Note: Supported key configurations (the CSR below uses the first row):
Key Type   | Size/Curve | Signature Algorithm
RSA        | 2048       | SHA256-with-RSA Encryption
EC DSA 256 | prime256v1 | ecdsa-with-sha256
EC DSA 384 | secp384r1  | ecdsa-with-sha384
Generating CSR & Private Key Using Win32 OpenSSL:
1. Download and install the Shining Light Productions Win32/Win64 OpenSSL package:
http://slproweb.com/products/Win32OpenSSL.html
2. Point OpenSSL at its configuration file from the command line (cmd; adjust the path to your install):
set OPENSSL_CONF=C:\OpenSSL-Win64\bin\openssl.cfg
openssl.cfg example. The subjectAltName must list every hostname and IP address used to reach Prism, because browsers match the server name against the SAN, not the commonName; the keyEncipherment key usage applies to the RSA key chosen here:
[ req ]
default_bits = 2048
default_keyfile = key.pem
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:NTNX-CVM-A-01, DNS:NTNX-c179de64-A-CVM, DNS:NTNX-CVM-A-01.Domain.Local, IP:192.168.100.101
[ req_distinguished_name ]
0.organizationName = NTNX
organizationalUnitName = Prism
commonName = NTNX-CVM-A-01
3. Generate the private key and the CSR from the OpenSSL command line. The key is written to the file named by default_keyfile (key.pem) and, because of encrypt_key = no and -nodes, it is stored unencrypted; it is uploaded to Prism later, so keep it off shared locations and delete working copies afterwards:
openssl req -new -nodes -out prism.csr -config openssl.cfg -sha256
Issuing the certificate using Microsoft CA (Windows Server 2012 R2)
1. Log in to the Microsoft CA web enrollment interface at https://servername/CertSrv/.
2. Click Request a certificate.
3. Click advanced certificate request.
4. Click the Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
5. Open the certificate request file (prism.csr) in Notepad, copy its contents and paste them into the Saved Request box.
6. Select Web Server under Certificate Template (the list only shows templates on which the logged-in account has Enroll permission).
7. Click Submit.
8. Click Base 64 encoded on the Certificate issued screen.
9. Click Download Certificate.
10. Save the certificate as prism.pem under the OpenSSL folder C:\OpenSSL-Win64\bin.
11. Review the certificate details and make sure the signature hash algorithm is SHA-256 and that the subjectAltName entries from the CSR are present. If the CA still signs with SHA-1, switch it to SHA-2 first (see the Microsoft references at the end) and reissue.
12. Navigate back to the home page of the CA server and click Download a CA certificate, certificate chain or CRL.
13. Click the Base 64 option.
14. Click Download CA Certificate chain.
15. Save the certificate chain as ca.p7b.
16. Double-click ca.p7b and expand ca.p7b > Certificates.
17. Right-click the certificate listed and select All Tasks > Export. With a multi-tier CA more than one certificate is listed; export each one and concatenate them into a single ca.pem.
18. Click Next.
19. Select Base-64 encoded X.509 (.CER), then click Next.
20. Save the export as C:\OpenSSL-Win64\bin\ca.pem and click Next.
21. Click Finish.
Uploading the Signed Certificate to Nutanix Prism
1. Log in to Prism.
2. In the gear icon pull-down list of the main menu, select SSL Certificate.
3. Click Replace Certificate.
4. Click Import Key and Certificate, and then click Next.
5. Select the private key type (RSA 2048 bit) and upload the three PEM files: the private key (key.pem), the signed certificate (prism.pem) and the CA certificate chain (ca.pem).
6. Click Import Files.
Note: After uploading the new certificate, the interface gateway restarts. If the certificate and credentials are valid, the interface gateway uses the new certificate immediately. If anything is wrong with the certificate (such as wrong certificate type), the new certificate is discarded.
7. Log in again; the browser now presents the newly issued certificate for the Prism session.
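The whole flow end to end, as an added example that is not part of the original article or of Nutanix's documentation: the CSR generation from step 3 of the first section, a throwaway self-signed CA that stands in for the Microsoft CA web enrollment (there is no offline equivalent of the Web Server template), and the checks behind steps 11 and 20 that are worth scripting before anything is uploaded to Prism. It assumes the openssl CLI (1.1.1 or 3.x) and a POSIX shell; WORK is a hypothetical scratch directory standing in for C:\OpenSSL-Win64\bin. On Windows the openssl invocations are identical, only the heredoc and mktemp need a shell such as Git Bash or WSL.

```shell
#!/bin/sh
# Added example (not from the article or Nutanix): CSR generation, a stand-in CA in
# place of the Microsoft CA, and the pre-upload checks on key.pem / prism.pem / ca.pem.
# Assumes the openssl CLI; WORK is a hypothetical scratch directory.
set -e
WORK="${WORK:-$(mktemp -d)}"

write_openssl_cfg() {
  # Same request config as the article; string_mask=utf8only replaces the obsolete
  # nombstr, and [ ca_ext ] exists only for the stand-in CA below.
  cat > "$WORK/openssl.cfg" <<'EOF'
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = utf8only
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:NTNX-CVM-A-01, DNS:NTNX-c179de64-A-CVM, DNS:NTNX-CVM-A-01.Domain.Local, IP:192.168.100.101

[ req_distinguished_name ]
0.organizationName = NTNX
organizationalUnitName = Prism
commonName = NTNX-CVM-A-01

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

make_key_and_csr() {
  # Step 3 of the article, with the key file named explicitly instead of via default_keyfile.
  openssl req -new -nodes -sha256 -newkey rsa:2048 -config "$WORK/openssl.cfg" \
    -keyout "$WORK/key.pem" -out "$WORK/prism.csr" 2>/dev/null
  # Confirm the SAN made it into the request before it goes to the CA.
  openssl req -in "$WORK/prism.csr" -noout -text | grep -q 'IP Address:192.168.100.101'
}

stand_in_ca_issue() {
  # Stands in for the Microsoft CA "Web Server" template: a self-signed root (ca.pem)
  # signs the CSR with SHA-256, keeping the v3_req extensions (SAN, EKU) of the request.
  openssl req -x509 -new -nodes -sha256 -newkey rsa:2048 -days 365 -config "$WORK/openssl.cfg" \
    -extensions ca_ext -subj "/O=NTNX/CN=Stand-in Issuing CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in "$WORK/prism.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/openssl.cfg" -extensions v3_req -out "$WORK/prism.pem" 2>/dev/null
}

check_before_upload() {
  # The checks behind steps 11 and 20; returns 0 only if every one passes.
  cert_text=$(openssl x509 -in "$WORK/prism.pem" -noout -text)
  # 1. Signature hash is SHA-256 (a SHA-1-signed certificate is what step 11 guards against).
  echo "$cert_text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' || return 1
  # 2. Key type and size match the supported-configuration table (RSA 2048).
  echo "$cert_text" | grep -q 'Public-Key: (2048 bit)' || return 1
  # 3. The CA kept the SANs from the CSR; browsers match names against SAN, not CN.
  echo "$cert_text" | grep -q 'DNS:NTNX-CVM-A-01.Domain.Local' || return 1
  # 4. The private key going into Prism really belongs to this certificate.
  cert_pub=$(openssl x509 -in "$WORK/prism.pem" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$WORK/key.pem" -pubout | openssl sha256)
  [ "$cert_pub" = "$key_pub" ] || return 1
  # 5. prism.pem chains to the exported CA certificate (ca.pem), as Prism will require.
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/prism.pem" >/dev/null 2>&1
}

write_openssl_cfg
make_key_and_csr
stand_in_ca_issue
check_before_upload && echo "key.pem, prism.pem and ca.pem in $WORK are ready to upload to Prism"
```

Against a real Microsoft CA, skip stand_in_ca_issue and drop the prism.pem and ca.pem from steps 10 and 20 into WORK; check_before_upload then runs unchanged, and a failure of check 3 means the CA did not honor the SAN extension in the request, which is worth knowing before the upload rather than after the interface gateway restarts.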
References:
Nutanix: Installing an SSL certificate
OpenSSL: req - certificate request and certificate generating utility, https://openssl.org/docs/manmaster/apps/req.html
Microsoft: Change the CA hash algorithm to SHA-2 (certutil -setreg ca\csp\CNGHashAlgorithm SHA256, followed by a restart of the CA service), https://technet.microsoft.com/en-us/library/dn771627.aspx
Microsoft: Migrating your Certification Authority Hashing Algorithm from SHA1 to SHA2