SSL signed certificate are used to encyrpt communication between client and server. Signed Certificate ensures the server is authenticated. Self-signed certificates are not signed by 3rd Party and therefore cannot be fully trusted. For internal services, you can use internal Certificate Authority (Internal CA).Nutanix uses SSL to secure communication with a cluster and web console allows you to install SSL certificates.
Nutanix provides simplest way to configure SSL signed certificate to encrypt communication between console and server. You need Microsoft CA and openssl. Openssl can be downloaded from here. Installation of Microsoft CA is explained here. As with any step Certificate Signing Request (CSR) is first step.In order to create csr, you need openssl.cfg file. Following is the file I created. I used similar file for VMware Certificates.
[ req ] default_bits = 2048 default_keyfile = rui.pem distinguished_name = req_distinguished_name encrypt_key = no prompt = no string_mask = nombstr req_extensions = v3_req [ v3_req ] basicConstraints = CA:FALSE keyUsage = digitalSignature, keyEncipherment, dataEncipherment extendedKeyUsage = serverAuth, clientAuth subjectAltName = DNS:sssnut, IP:192.168.1.190, DNS:sssnut.shsee.com, DNS:NTNX-f8b67341-A-CVM, IP:192.168.1.170, DNS:NTNX-f8b67341-A-CVM.shsee.com [ req_distinguished_name ] countryName = AE stateOrProvinceName = AbuDhabi localityName = ME12 0.organizationName = SHSEE organizationalUnitName = Nutanix Services commonName = sssnut.shsee.com
Pay special attention to line 14. Do note country codes are two letters only. I was using UAE, but was getting error while creating csr. For UAE, it is AE. Line 2 is the key length. Various key lengths supported by default. Do ensure CA you are configuring has at least 2048 key length. In cfg file I have edited only line 14, 17-22 only. Everything else remains default. After you have downloaded openssl from http://slproweb.com/products/Win32OpenSSL.html, extract as it to C:\ as shown. Take a backup of openssl.cfg.
You can refer my previous post of openssl.cfg file here
Run following command to create csr request. Do note rui.pem file is private key which is unique per request.
Browse to http://CertificateAuthorityFQDN/certsrv/
Upload CSR to Microsoft CA as shown below. Review Slide Share for detail steps
This is all needed.
Finally wish to Thank Marc for promoting my previous post. Believe me or not, post hit highest count so far. Power of social media
— Marc Huppert (@MarcHuppert) April 24, 2016