Piszki Lab | EN

My case study in the clouds…

SSL Certificates in VMware Log Insight 1.5

| 0 comments

Edit 2014.04.15: Finally, I created a script to generate a proper certificate for (almost) any SSL (VMware) service. It works very well with LogInsight! You can find it here. You do not have to perform the steps described below! :)

 

Today I tried to replace the SSL certificate on a freshly installed instance of VMware Log Insight 1.5. Whatever I did, however, would not generate a key pair + certificate (does not matter whether it was openssl or Microsoft CA), always display the message “Invalid certificate format”:

loginsight2

And it is not a separate case, I have three instances of Log Insight, and each behaves in exactly the same way. I searched the Internet, but I found very little and nothing that would solve my problem. After a few lost hours, I decided to solve this problem, as it has already done , picking the console. At the beginning we prepare ourselves in our CA (in my case Microsoft Server 2008R2 CA) parcel (pfx, or PKCS12) containing the CA certificate, RSA key and server certificate. Copy file in to our machine Log Insight. In the virtual machine console create a user in the group “wheel”, log in using putty and execute a series of commands (as root), starting from stop service loginsight.

loginsight4

We already have a keystore file location and password to him and to the private key. In the next steps we substitute our own key and certificates. Using PKCS12 format has the advantage that it does not need to generate a private key in the keystore, it will be installed from our pfx file. If we carry out the process using openssl, it is best to also prepare the file in PKCS12 format, otherwise awaits us classical path (key generation, request and finally upload the certificate).

loginsight6

Please note, the password for the key in pfx file was different than the keystore, so the last command, change the key password, so that was the same as the keystore file! We change it to the correct alias of the certificate:

loginsight7

At the very end we start loginsight service and look forward to our new, wonderful, certificate:

loginsight8

 

loginsight9

Of course, this method is not officially supported, but it works very well. Long analyzed the logs in a virtual machine, I have not found the cause for which I could not import the certificate and key by the web interface. Exactly the same certificate + key pair, who did not want to import the web, acted after a manual import. The problem probably lies somewhere in the application code and hopefully that will eventually be corrected (also appeared in Log Insight 1.0). I hope I helpedSmile

Was this information is helpful? Tell me, please leave a comment!

Rate this article:
[Total: 0    Average: 0/5]

Author: Piotr Pisz

Computer always, since I got a Commodore 64 at the end of primary school, through his beloved Amiga and Linux infinite number of consoles, until today, fully virtual day. Since 2001, Unix/Linux Systems Administrator, for seven years a faithful companion and protector of Solaris system, until his sad end. In the year 2011 came in the depths of virtualization, then smoothly ascended into the clouds and continues there today. Professionally working as Systems Architect in the Polish Security Printing Works.

Leave a Reply

Required fields are marked *.


.

Enjoyed the post? Support Piszki Lab | EN, click on the AD! :-)

.