Creating vROps Certificates

13th July 2018

Create an OpenSSL config file. In this example, I’ve named it openssl.cfg. Update the variable sections with values specific to the customer. If a Load Balancer (LB) handles UI traffic, use the LB FQDN as the commonName and as the first Subject Alternative Name (SAN) entry. Include all vROps nodes in the SAN. I suggest using Notepad++ for editing.

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:loadbalancer, DNS:loadbalancer.fqdn.com, DNS:masternode, DNS:masternode.fqdn.com, DNS:masterreplica, DNS:masterreplica.fqdn.com, DNS:remotecollector, DNS:remotecollector.fqdn.com

[ req_distinguished_name ]
countryName = GB
stateOrProvinceName = State
localityName = LocalityName
0.organizationName = OrganisationName
organizationalUnitName = OU
commonName = loadbalancer.fqdn.com

Upload the config file to a server with OpenSSL installed, typically a vROps analytics node or a VCSA. Navigate to the location of the config file and run the following command:

openssl req -new -nodes -config openssl.cfg -keyout rui.key -out clustername.csr

Submit the created .csr file to the Certificate Authority (CA) and obtain the certificate in Base64 (.pem) format. The returned certificate should look like this:

It should not look like this:

Also request a copy of the root and (if they exist) one or more intermediate certificates from the customer along with the generated certificate file. You should now (most likely) have four (4) files:
1. Private Key (rui.key)
2. Certificate file generated from submission of CSR to customer CA (.crt)
3. Intermediate certificate file (.ca) – Note: Some customers may have more than one Intermediate certificate, or none at all.
4. Root certificate file (.ca)

Make a copy of the root certificate and rename it something sensible, such as chain.pem.
Cut and paste the text of the private key and of each certificate file into the chain.pem file, leaving the original text from the root certificate at the bottom.

When complete, it should look something like this:

-----BEGIN RSA PRIVATE KEY-----
Contents of Private Key
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Contents of Certificate File
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Contents of Intermediate Certificate File
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Contents of Root Certificate File
-----END CERTIFICATE-----

Now log in to the admin UI on one of the vROps analytics nodes. Click on the gold SSL Certificate icon in the top right-hand corner of the screen.

Click the ‘Install New Certificate’ button on the screen that appears.

Click ‘Browse’ and navigate to your completed certificate.

From vROps 6.2 onwards, additional checks are carried out on the uploaded certificate. If the certificate is valid and passes these validation checks, it should upload successfully to all nodes in the cluster automatically.