Create a signing request on your OMS server.
- Get the existing private key from the deployment:
    osctl get secret certs -o jsonpath='{.data.private_key}' | base64 -d > private.key
- Create vio.cnf similar to:
    [ req ]
    default_bits = 2048
    default_keyfile = privkey.pem
    default_md = sha256
    prompt = no
    distinguished_name = req_distinguished_name
    req_extensions = v3_req
    x509_extensions = v3_req

    [ req_distinguished_name ]
    countryName = US
    stateOrProvinceName = CA
    localityName = Palo Alto
    organizationName = VMware
    organizationalUnitName = VIO
    commonName = 192.168.45.101

    [ v3_req ]
    basicConstraints = CA:FALSE
    subjectKeyIdentifier = hash
    subjectAltName = @alt_names
    keyUsage = digitalSignature, keyAgreement, keyCertSign, keyEncipherment

    [alt_names]
    IP.1 = 192.168.45.101
    IP.2 = 10.196.228.115
    DNS.1 = keystone-api.openstack.svc.cluster.local
    DNS.2 = pubapi.vioad.eng.vmware.com
Note: Update the commonName in [ req_distinguished_name ] and the entries in [alt_names] with your own IPs and DNS names. The [alt_names] section is required. DNS.1 should remain keystone-api.openstack.svc.cluster.local.
- Create a CSR to submit to the Public Authority or Internal CA:
    openssl req -new -key private.key -out vio.csr -config vio.cnf
- After receiving vio.crt signed by the Public Authority, append the root CA certificate to the end of vio.crt and place the file in a new folder.
- Import the signed certificate into VIO with the command:
    viocli import certificate -d crt/
Note: If the import is successful, the output will be:
    2020/02/27 17:09:00 Begin to update certificates.
    2020/02/27 17:09:00 Update certificates successful.
- Restart VIO services:
    viocli stop services
    viocli start services
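
Checks worth running on vio.csr before submitting it and on vio.crt before the import step, as an added example that is not part of the original article or of VMware's tooling. The function names are hypothetical, the root CA is assumed to be available as a separate file (root.crt here), and make_demo_material only builds constructed throwaway files so the checks can be tried offline.

```shell
#!/usr/bin/env bash
# Added example, not VMware code. Function names are hypothetical.

# True if CSR $1 passes its self-signature check and lists exactly SAN entry $2,
# e.g. "DNS:keystone-api.openstack.svc.cluster.local" or "IP Address:192.168.45.101".
csr_has_san() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    openssl req -in "$1" -noout -text | grep -A1 'Subject Alternative Name' |
        tail -n1 | tr ',' '\n' | sed 's/^ *//' | grep -qxF -- "$2"
}

# True if the first certificate in $1 carries the public key of private key $2.
cert_matches_key() {
    local c k
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# True if bundle $2 holds at least two certificates (leaf first, root CA
# appended) and its leaf verifies against the root CA file $1.
bundle_chains_to() {
    [ "$(grep -c -- '-----BEGIN CERTIFICATE-----' "$2")" -ge 2 ] || return 1
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Builds constructed, throwaway material in directory $1: key, CSR with the
# page's SAN layout, a demo root CA, and the leaf+root bundle vio.crt.
make_demo_material() {
    local d=$1
    printf '%s\n' '[ req ]' 'prompt = no' 'distinguished_name = dn' \
        'req_extensions = v3_req' '[ dn ]' 'commonName = 192.168.45.101' \
        '[ v3_req ]' 'subjectAltName = @alt_names' '[ alt_names ]' \
        'IP.1 = 192.168.45.101' \
        'DNS.1 = keystone-api.openstack.svc.cluster.local' \
        '[ v3_ca ]' 'basicConstraints = critical, CA:TRUE' > "$d/vio.cnf"
    openssl genrsa -out "$d/private.key" 2048 2>/dev/null &&
    openssl req -new -key "$d/private.key" -out "$d/vio.csr" -config "$d/vio.cnf" &&
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/root.crt" \
        -config "$d/vio.cnf" -extensions v3_ca -subj "/CN=Demo Root CA" -days 1 2>/dev/null &&
    openssl x509 -req -in "$d/vio.csr" -CA "$d/root.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/leaf.crt" -days 1 2>/dev/null &&
    cat "$d/leaf.crt" "$d/root.crt" > "$d/vio.crt"
}
```

Against real files, source the script and run for instance csr_has_san vio.csr "DNS:keystone-api.openstack.svc.cluster.local", then cert_matches_key crt/vio.crt private.key and bundle_chains_to root.crt crt/vio.crt before importing.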