SAN Certificate in VIO and How to Create With OpenSSL
Article ID: 321846


VMware Integrated OpenStack


  • There is a need to change at least the public endpoints to an FQDN instead of an IP address and then apply a certificate to them. The installer only accepts an IP address for the public endpoint, and the CSR generation tool does not allow the common name to be changed: it only creates requests for the internal names (e.g. keystone.vio.cluster.local) and the IP address.


VMware Integrated OpenStack 6.x
VMware Integrated OpenStack 7.x


Create a signing request on your OMS server.
  1. Get the existing private key from the deployment:
     osctl get secret certs -o jsonpath='{.data.private_key}' | base64 -d > private.key
  2. Create vio.cnf similar to the following:
[ req ]
default_bits           = 2048
default_keyfile        = privkey.pem
default_md             = sha256
prompt                 = no
distinguished_name     = req_distinguished_name
req_extensions         = v3_req
x509_extensions        = v3_req
[ req_distinguished_name ]
countryName            = US
stateOrProvinceName    = CA
localityName           = Palo Alto
organizationName       = VMware
organizationalUnitName = VIO
commonName             =
[ v3_req ]
basicConstraints      = CA:FALSE
subjectKeyIdentifier  = hash
subjectAltName        = @alt_names
keyUsage              = digitalSignature, keyAgreement, keyCertSign, keyEncipherment
[ alt_names ]
IP.1 =
IP.2 =
DNS.1 = keystone-api.openstack.svc.cluster.local
DNS.2 =
Note: Update commonName under [ req_distinguished_name ] and the entries under [ alt_names ] with your IPs and DNS names. The [ alt_names ] section is required (subjectAltName references it), and DNS.1 must remain keystone-api.openstack.svc.cluster.local.
  3. Create the CSR to submit to a public CA or your internal CA:
     openssl req -new -key private.key -out vio.csr -config vio.cnf
  4. After receiving vio.crt signed by the CA, append the root CA certificate to the end of vio.crt and place the file in a new folder (crt/ in the next step).
  5. Import the signed certificate into VIO:
     viocli import certificate -d crt/
     Note: If the import is successful the output will be:
     2020/02/27 17:09:00 Begin to update certificates.
     2020/02/27 17:09:00 Update certificates successful.
  6. Restart the VIO services:
     viocli stop services
     viocli start services

Additional Information

  • Add Certificates to Your Deployment

  • External DNS to FQDN/Ingress

  • Example of generating self-signed cert
openssl req -x509 -days 3650 -in vio.csr -key private.key -out vio.crt -config vio.cnf -extensions 'v3_req'
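The CSR procedure above and this self-signed variant, as an added example that is not part of the KB: a POSIX shell script that renders vio.cnf from a given FQDN, IP list and extra DNS names, creates the CSR from the private key, and prints the CN and SAN entries so they can be checked before the request goes to a CA. It also self-signs the CSR with the KB's command and confirms that the resulting certificate's public key matches the private key, which is the check to run on any CA-signed vio.crt before importing it. The FQDN openstack.example.com, horizon.example.com and the 10.10.10.x addresses are constructed placeholders, and a fresh RSA key stands in for the one extracted with osctl. The rendered keyUsage differs from the KB's: it omits keyCertSign, which RFC 5280 allows only on CA certificates, and keyAgreement, which applies to DH/ECDH keys rather than an RSA TLS server key.

```shell
#!/bin/sh
# Added example, not part of the VMware KB: render vio.cnf with the public FQDN
# and SAN entries, create the CSR from the deployment's private key, and verify
# what the CSR asks for before sending it to a CA. The FQDN and IPs passed in
# below are constructed placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/private.key"     # in a real run: output of the osctl get secret ... step
CNF="$WORKDIR/vio.cnf"
CSR="$WORKDIR/vio.csr"
CRT="$WORKDIR/vio.crt"

# render_vio_cnf CN "IP IP ..." "DNS DNS ..."
# DNS.1 is always the internal keystone name the KB says must be kept; the public
# FQDN used as commonName is also repeated as a SAN, since clients ignore the CN.
render_vio_cnf() {
  cn="$1"; ips="$2"; extra_dns="$3"
  {
    cat <<EOF
[ req ]
default_bits           = 2048
default_md             = sha256
prompt                 = no
distinguished_name     = req_distinguished_name
req_extensions         = v3_req
x509_extensions        = v3_req
[ req_distinguished_name ]
countryName            = US
stateOrProvinceName    = CA
localityName           = Palo Alto
organizationName       = VMware
organizationalUnitName = VIO
commonName             = $cn
[ v3_req ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
subjectAltName         = @alt_names
# end-entity RSA TLS key: no keyCertSign (CA only) or keyAgreement (DH/ECDH only)
keyUsage               = digitalSignature, keyEncipherment
[ alt_names ]
DNS.1 = keystone-api.openstack.svc.cluster.local
EOF
    i=1; for ip in $ips; do echo "IP.$i = $ip"; i=$((i + 1)); done
    n=2; for d in $cn $extra_dns; do echo "DNS.$n = $d"; n=$((n + 1)); done
  } > "$CNF"
}

# Create the CSR with the existing key (generated here only because this example
# runs outside a VIO deployment).
make_csr() {
  [ -f "$KEY" ] || openssl genrsa -out "$KEY" 2048 2>/dev/null
  openssl req -new -key "$KEY" -out "$CSR" -config "$CNF"
}

# Subject CN of the CSR, e.g. openstack.example.com
csr_cn() {
  openssl req -in "$CSR" -noout -subject -nameopt RFC2253 | sed 's/.*CN=\([^,]*\).*/\1/'
}

# The SAN line of the CSR, e.g. "DNS:keystone-api..., IP Address:10.10.10.5, DNS:..."
csr_sans() {
  openssl req -in "$CSR" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Self-signed variant from the KB's Additional Information (for labs; a CA-signed
# vio.crt replaces this step in production).
self_sign() {
  openssl req -x509 -days 3650 -in "$CSR" -key "$KEY" -out "$CRT" -config "$CNF" -extensions v3_req
}

# Before importing, confirm the signed certificate's public key matches the key
# VIO holds; a mismatch means the CA signed a CSR made from a different key.
cert_matches_key() {
  crt_pub="$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)"
  key_pub="$(openssl pkey -in "$KEY" -pubout | openssl sha256)"
  [ "$crt_pub" = "$key_pub" ]
}

if [ "${1:-}" = "demo" ]; then
  render_vio_cnf openstack.example.com "10.10.10.5 10.10.10.6" "horizon.example.com"
  make_csr
  echo "CSR CN:   $(csr_cn)"
  echo "CSR SANs: $(csr_sans)"
  self_sign && cert_matches_key "$CRT" && echo "vio.crt matches private.key"
fi
```

Run it as `sh vio_csr.sh demo`. The SAN line it prints is exactly what the CA will sign, so compare it against the public endpoint names and IPs before submitting; a CN that is correct but a SAN list that is not still yields browser and client errors, because modern TLS clients match only the SAN.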

The current certificate and private key should be backed up before proceeding:
kubectl -n openstack get secret certs -o=jsonpath='{.data.vio_certificate}'|base64 -d > ~/old_cert.crt
kubectl -n openstack get secret certs -o=jsonpath='{.data.private_key}'|base64 -d > ~/old_private.key