[NUTANIX] Internal CA Signed Certificate for console Access for Prism

SSL certificates are used to encrypt communication between client and server. A signed certificate ensures the server is authenticated. Self-signed certificates are not signed by a third party and therefore cannot be fully trusted. For internal services, you can use an internal Certificate Authority (internal CA). Nutanix uses SSL to secure communication with a cluster, and the web console allows you to install SSL certificates.

Nutanix provides the simplest way to configure a signed SSL certificate to encrypt communication between console and server. You need Microsoft CA and OpenSSL. OpenSSL can be downloaded from here. Installation of Microsoft CA is explained here. As always, the Certificate Signing Request (CSR) is the first step. In order to create the CSR, you need an openssl.cfg file. Following is the file I created. I used a similar file for VMware certificates.


[ req ]
default_bits = 2048
default_keyfile = rui.pem
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:sssnut, IP:192.168.1.190, DNS:sssnut.shsee.com, DNS:NTNX-f8b67341-A-CVM, IP:192.168.1.170, DNS:NTNX-f8b67341-A-CVM.shsee.com

[ req_distinguished_name ]
countryName = AE
stateOrProvinceName = AbuDhabi
localityName = ME12
0.organizationName = SHSEE
organizationalUnitName = Nutanix Services
commonName = sssnut.shsee.com

Pay special attention to line 14 (subjectAltName). Do note country codes are two letters only. I was using UAE, but was getting an error while creating the CSR. For UAE, it is AE. Line 2 (default_bits) is the key length. Various key lengths are supported by default. Do ensure the CA you are configuring has a key length of at least 2048 bits. In the cfg file I have edited only line 14 and lines 17-22 (the distinguished name fields). Everything else remains default. After you have downloaded OpenSSL from http://slproweb.com/products/Win32OpenSSL.html, extract it to C:\ as shown. Take a backup of openssl.cfg.
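A pre-flight check for the pitfalls described above (a three-letter country code, a key length below 2048, and a commonName that is not repeated in subjectAltName), as an added Python example that is not part of the original post. The function name lint_openssl_cfg and the sample config are constructed for illustration, and the parser assumes the plain key = value layout shown in this post.

```python
import configparser
import ipaddress
import re

# Constructed sample: a cut-down version of the config in this post, with the
# three-letter country code (UAE) and a 1024-bit key to trigger the checks.
SAMPLE_BAD = """
[ req ]
default_bits = 1024
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ v3_req ]
subjectAltName = DNS:sssnut, IP:192.168.1.190, DNS:sssnut.shsee.com

[ req_distinguished_name ]
countryName = UAE
commonName = sssnut.shsee.com
"""

def lint_openssl_cfg(text):
    """Return a list of problems found in an openssl req config (hypothetical helper)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str                      # keep key case (countryName)
    cp.read_string(text)
    # openssl writes "[ req ]"; normalise section names to "req"
    sec = {name.strip(): dict(cp[name]) for name in cp.sections()}
    req = sec.get("req", {})
    problems = []
    if int(req.get("default_bits", "0")) < 2048:
        problems.append("default_bits below 2048")
    dn = sec.get(req.get("distinguished_name", ""), {})
    if not re.fullmatch(r"[A-Z]{2}", dn.get("countryName", "")):
        problems.append("countryName must be a two-letter code")
    ext = sec.get(req.get("req_extensions", ""), {})
    dns_names = set()
    for entry in ext.get("subjectAltName", "").split(","):
        kind, _, value = entry.strip().partition(":")
        if kind == "DNS":
            dns_names.add(value.lower())
        elif kind == "IP":
            try:
                ipaddress.ip_address(value)
            except ValueError:
                problems.append("invalid IP in subjectAltName: " + value)
    cn = dn.get("commonName", "").lower()
    if cn not in dns_names:
        problems.append("commonName missing from subjectAltName DNS entries")
    return problems
```

Running lint_openssl_cfg on the text of your own openssl.cfg before creating the CSR returns an empty list when none of these problems are present.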

You can refer to my previous post on the openssl.cfg file here.

Run the following command to create the CSR. Do note that the rui.pem file is the private key, which is unique per request.

Browse to http://CertificateAuthorityFQDN/certsrv/

Upload the CSR to the Microsoft CA as shown below. Review the SlideShare for detailed steps.

This is all that is needed.

Finally, I wish to thank Marc for promoting my previous post. Believe it or not, that post hit the highest count so far. The power of social media.