SAN Certificate in VIO and How to Create With OpenSSL
Article ID: 321846

Products

VMware Integrated OpenStack

Issue/Introduction

Symptoms:
  • The public endpoints need to be reachable by FQDN instead of IP, with a certificate issued for that name. The installer only accepts an IP address for the public endpoint, and the CSR generation tool does not allow the common name to be changed: it only creates requests for the internal names (e.g. keystone.vio.cluster.local) and the IP address.


Environment

VMware Integrated OpenStack 6.x
VMware Integrated OpenStack 7.x

Resolution

Create a signing request on your OMS server.
  1. Get the existing private key from the deployment:
   osctl get secret certs -o jsonpath='{.data.private_key}'|base64 -d > private.key
  2. Create vio.cnf similar to:
[ req ]
default_bits           = 2048
default_keyfile        = privkey.pem
default_md             = sha256
prompt                 = no
distinguished_name     = req_distinguished_name
req_extensions         = v3_req
x509_extensions        = v3_req
 
[ req_distinguished_name ]
countryName            = US
stateOrProvinceName    = CA
localityName           = Palo Alto
organizationName       = VMware
organizationalUnitName = VIO
commonName             = 192.168.45.101
 
[ v3_req ]
basicConstraints      = CA:FALSE
subjectKeyIdentifier  = hash
subjectAltName        = @alt_names
# keyCertSign is a CA-only usage and must not be requested for a CA:FALSE end-entity
# certificate; most CAs either strip it or reject the request.
keyUsage              = digitalSignature, keyAgreement, keyEncipherment
 
[alt_names]
IP.1 = 192.168.45.101
IP.2 = 10.196.228.115
DNS.1 = keystone-api.openstack.svc.cluster.local
DNS.2 = pubapi.vioad.eng.vmware.com
 
Note: Update commonName in [ req_distinguished_name ] and the entries in [alt_names] with your own IPs and DNS names. The [alt_names] section is required, and DNS.1 must remain keystone-api.openstack.svc.cluster.local.
 
  3. Create the CSR to submit to the public certificate authority or your internal CA:
   openssl req -new -key private.key -out vio.csr -config vio.cnf
  4. After receiving vio.crt signed by the CA, append the root CA certificate to the end of vio.crt and place the file in a new folder (crt/ in the next step).
  5. Import the signed certificate into VIO:
   viocli import certificate -d crt/

Note: If the import is successful the output will be:
2020/02/27 17:09:00 Begin to update certificates.
2020/02/27 17:09:00 Update certificates successful.
  6. Restart the VIO services:
   viocli stop services
   viocli start services
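The whole procedure end to end, with the checks a practitioner would run on the returned certificate before handing it to viocli import, as an added example that is not part of this article and not VMware's own tooling. It writes the article's vio.cnf (with the public FQDN as commonName rather than the IP), creates the CSR from a freshly generated key that stands in for the key pulled out of the certs secret, signs the CSR with a throw-away test CA that stands in for your public or internal CA, builds crt/vio.crt as "leaf certificate + root CA", and then verifies that the CSR carries the SAN list, that the first certificate in the bundle is the leaf and matches the private key, and that the leaf chains to the appended CA and is valid for the public FQDN and IP. pubapi.example.com and the test CA name are placeholders; the IPs are the article's example values. Assumes openssl 1.1.1 or newer on PATH.

```shell
#!/bin/sh
# Added example, not from the KB article: builds the article's vio.cnf, creates the CSR,
# signs it with a throw-away test CA standing in for your public/internal CA, assembles
# crt/vio.crt as "leaf cert + root CA", then runs the checks worth doing before
# `viocli import certificate`. Assumes `openssl` 1.1.1+ on PATH; works in a temp dir.
set -e
WORK="${WORK:-$(mktemp -d)}"
PUBLIC_FQDN="pubapi.example.com"   # placeholder: your public endpoint FQDN
PUBLIC_IP="192.168.45.101"         # the article's example public IP
INTERNAL_IP="10.196.228.115"       # the article's example internal IP

write_config() {
  # Same layout as the article's vio.cnf. keyCertSign is omitted: a CA:FALSE end-entity
  # certificate must not carry it, and public CAs strip it or reject the request.
  cat > "$WORK/vio.cnf" <<EOF
[ req ]
default_bits           = 2048
default_md             = sha256
prompt                 = no
distinguished_name     = req_distinguished_name
req_extensions         = v3_req
x509_extensions        = v3_req

[ req_distinguished_name ]
countryName            = US
stateOrProvinceName    = CA
localityName           = Palo Alto
organizationName       = VMware
organizationalUnitName = VIO
commonName             = $PUBLIC_FQDN

[ v3_req ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
subjectAltName         = @alt_names
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth

[alt_names]
IP.1  = $PUBLIC_IP
IP.2  = $INTERNAL_IP
DNS.1 = keystone-api.openstack.svc.cluster.local
DNS.2 = $PUBLIC_FQDN
EOF
}
make_csr() {
  # Stand-in for the key extracted from the `certs` secret with osctl/kubectl.
  openssl genrsa -out "$WORK/private.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/private.key" -out "$WORK/vio.csr" -config "$WORK/vio.cnf"
}
sign_with_test_ca() {
  # Throw-away root CA; in practice your CA performs this step and hands back vio.crt.
  printf '%s\n' '[ req ]' 'prompt = no' 'distinguished_name = dn' 'x509_extensions = ca_ext' \
    '[ dn ]' 'CN = Test Internal CA' '[ ca_ext ]' 'basicConstraints = critical, CA:TRUE' \
    'keyUsage = critical, keyCertSign, cRLSign' 'subjectKeyIdentifier = hash' > "$WORK/ca.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -days 365 -config "$WORK/ca.cnf" 2>/dev/null
  # -extfile/-extensions re-applies v3_req so the SAN list reaches the certificate; a CA
  # that ignores CSR extensions would otherwise return a cert with no SAN at all.
  openssl x509 -req -in "$WORK/vio.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 365 -extfile "$WORK/vio.cnf" -extensions v3_req -out "$WORK/leaf.crt" 2>/dev/null
  mkdir -p "$WORK/crt"
  cat "$WORK/leaf.crt" "$WORK/ca.crt" > "$WORK/crt/vio.crt"   # step 4: leaf first, root CA appended
}
csr_has_san() {
  # A CSR without the SAN extension yields a certificate without one; VIO's internal
  # name and the public FQDN must both be present.
  text=$(openssl req -in "$WORK/vio.csr" -noout -text)
  echo "$text" | grep -q 'DNS:keystone-api.openstack.svc.cluster.local' &&
    echo "$text" | grep -q "DNS:$PUBLIC_FQDN"
}
leaf_from_bundle() {
  # `openssl x509` reads only the first PEM block, i.e. the cert the endpoint will present.
  openssl x509 -in "$WORK/crt/vio.crt" -out "$WORK/first.crt"
  printf '%s\n' "$WORK/first.crt"
}
bundle_leaf_first() {
  openssl x509 -in "$(leaf_from_bundle)" -noout -subject | grep -q "CN *= *$PUBLIC_FQDN"
}
key_matches_cert() {
  # The public key in the bundle's first cert must equal the one derived from private.key.
  cert_pub=$(openssl x509 -in "$(leaf_from_bundle)" -noout -pubkey)
  key_pub=$(openssl pkey -in "$WORK/private.key" -pubout)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}
chain_and_names_verify() {
  # The chain must build to the appended CA and the cert must be valid for the public name and IP.
  leaf=$(leaf_from_bundle)
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$PUBLIC_FQDN" "$leaf" >/dev/null &&
    openssl verify -CAfile "$WORK/ca.crt" -verify_ip "$PUBLIC_IP" "$leaf" >/dev/null
}
write_config; make_csr; sign_with_test_ca
csr_has_san; bundle_leaf_first; key_matches_cert; chain_and_names_verify
echo "CSR and crt/vio.crt pass all checks (work dir: $WORK)"
```

In the real flow, replace make_csr's generated key with the private.key extracted in step 1, skip sign_with_test_ca and instead drop the vio.crt your CA returned (plus the appended root) into crt/, and point -CAfile at that CA's certificate. A bundle that fails bundle_leaf_first usually means the CA certificate was prepended instead of appended; a failure of key_matches_cert means the CSR was generated with a different key than the one in the certs secret, and the import will break TLS on every endpoint.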


Additional Information

  • Add Certificates to Your Deployment

https://docs.vmware.com/en/VMware-Integrated-OpenStack/6.0/com.vmware.openstack.admin.doc/GUID-558CE36D-E515-4C23-99C5-C29D81CC2AC5.html

  • External DNS to FQDN/Ingress

https://docs.openstack.org/openstack-helm/latest/install/ext-dns-fqdn.html

  • Example of generating self-signed cert
openssl req -x509 -days 3650 -in vio.csr -key private.key -out vio.crt -config vio.cnf -extensions 'v3_req'
 


Impact/Risks:
Back up the current certificate and private key before proceeding:
   kubectl -n openstack get secret certs -o=jsonpath='{.data.vio_certificate}'|base64 -d > ~/old_cert.crt
   kubectl -n openstack get secret certs -o=jsonpath='{.data.private_key}'|base64 -d > ~/old_private.key