In this article we will go through generating and installing an SSL certificate in Nutanix Prism using OpenSSL and a Microsoft Certificate Authority.

Note: Supported key configurations:

Key Type     Size/Curve    Signature Algorithm
RSA          2048          SHA256-with-RSA Encryption
ECDSA 256    prime256v1    ecdsa-with-sha256
ECDSA 384    secp384r1     ecdsa-with-sha384

Generating CSR & Private Key Using Win32 OpenSSL:

1. Download and install the Shining Light Productions Win32 OpenSSL package:

http://slproweb.com/products/Win32OpenSSL.html

2. Set the location of the OpenSSL configuration file from the command line:

set OPENSSL_CONF=C:\OpenSSL-Win64\bin\openssl.cfg

openssl.cfg example:

[ req ]
default_bits = 2048
default_keyfile = key.pem
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:NTNX-CVM-A-01, DNS:NTNX-c179de64-A-CVM, DNS:NTNX-CVM-A-01.Domain.Local, IP:192.168.100.101

[ req_distinguished_name ]
0.organizationName = NTNX
organizationalUnitName = Prism
commonName = NTNX-CVM-A-01

3. Generate the CSR and private key files using the OpenSSL command line:

openssl req -new -nodes -out prism.csr -config openssl.cfg -sha256

The request is written to prism.csr and the private key to key.pem (the default_keyfile value). Because encrypt_key = no and -nodes are used, key.pem is stored unencrypted, so restrict access to it until it has been imported into Prism.

Issuing the certificate using Microsoft CA (Windows Server 2012 R2)

1. Log in to the Microsoft CA web enrollment interface at https://servername/CertSrv/.

2. Click Request a certificate.

3. Click advanced certificate request.

4. Click the Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

5. Open the certificate request file (prism.csr) in Notepad, copy its contents and paste them into the Saved Request box.

6. Select Web Server under Certificate Template.

7. Click Submit.

8. Click Base 64 encoded on the Certificate issued screen.

9. Click Download Certificate.

10. Save the certificate as prism.pem in the OpenSSL folder C:\OpenSSL-Win64\bin.

11. Review the certificate details and confirm that the signature hash algorithm is SHA256. If the CA is still issuing SHA-1 signatures, it must be reconfigured first (see the Microsoft references at the end of this article).

12. Navigate back to the home page of the CA server and click Download a CA certificate, certificate chain or CRL.

13. Click the Base 64 option.

14. Click Download CA Certificate chain.

15. Save the certificate chain as ca.p7b.

16. Double-click the ca.p7b file and navigate to \ca.p7b > Certificates.

17. Right-click the certificate listed and select All Tasks > Export.

18. Click Next.

19. Select Base-64 encoded X.509 (.CER), then click Next.

20. Save the export to C:\OpenSSL-Win64\bin\ca.pem and click Next.

21. Click Finish.
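Before moving on to Prism, it is worth checking the three PEM files (key.pem, prism.pem, ca.pem) against the supported-configuration table at the top of this article, since Prism silently discards a bundle it does not accept. The script below is an added example, not from the original article or from Nutanix; it assumes OpenSSL on a POSIX shell and builds its own throwaway CA and server certificate as constructed test data, so it runs offline:

```shell
#!/bin/sh
# Added example (not from the original article): pre-upload check of the key,
# certificate and CA chain trio before Prism's "Import Key and Certificate" step.
set -u
fail() { echo "FAIL: $1"; rc=1; }
# check_prism_bundle KEY CERT CHAIN -> returns 0 if every check passes, else 1
check_prism_bundle() {
  key=$1; cert=$2; chain=$3; rc=0
  ctext=$(openssl x509 -in "$cert" -noout -text 2>/dev/null || true)
  # 1. The private key must belong to the certificate (same public key).
  kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
  cpub=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null || true)
  [ -n "$kpub" ] && [ "$kpub" = "$cpub" ] || fail "private key does not match certificate"
  # 2. Key type/size must match the supported table: RSA 2048, P-256 or P-384.
  case $(printf '%s\n' "$ctext" | sed -n 's/^ *Public Key Algorithm: //p') in
    rsaEncryption) printf '%s\n' "$ctext" | grep -q 'Public-Key: (2048 bit)' \
      || fail "RSA key is not 2048 bit" ;;
    id-ecPublicKey) printf '%s\n' "$ctext" | grep -Eq 'ASN1 OID: (prime256v1|secp384r1)' \
      || fail "EC curve is not prime256v1/secp384r1" ;;
    *) fail "unsupported public key algorithm" ;;
  esac
  # 3. The CA must have signed with SHA-2 (what step 11 above asks you to confirm).
  sigalg=$(printf '%s\n' "$ctext" | sed -n 's/^ *Signature Algorithm: //p' | head -n 1)
  case $sigalg in
    sha256WithRSAEncryption|ecdsa-with-SHA256|ecdsa-with-SHA384) ;;
    *) fail "signature algorithm '$sigalg' is not SHA-256/384" ;;
  esac
  # 4. The certificate must carry a subjectAltName with at least one DNS entry.
  printf '%s\n' "$ctext" | grep -A1 'Subject Alternative Name' | grep -q 'DNS:' || fail "no DNS SAN"
  # 5. The certificate must chain to the exported ca.pem.
  openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1 || fail "chain does not verify"
  return $rc
}

# make_sample: constructed throwaway CA plus server cert carrying the article's SAN
# values, written to a temp dir whose path is printed (test data, not a real PKI).
make_sample() {
  d=$(mktemp -d)
  printf '[req]\ndistinguished_name=dn\nx509_extensions=v3\n[dn]\n[v3]\nbasicConstraints=critical,CA:TRUE\n[san]\nsubjectAltName=DNS:NTNX-CVM-A-01,DNS:NTNX-CVM-A-01.Domain.Local,IP:192.168.100.101\n' > "$d/ext.cnf"
  openssl req -x509 -config "$d/ext.cnf" -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Constructed Test CA" -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -new -config "$d/ext.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=NTNX/OU=Prism/CN=NTNX-CVM-A-01" -keyout "$d/key.pem" -out "$d/prism.csr" 2>/dev/null
  openssl x509 -req -in "$d/prism.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
    -sha256 -days 1 -extfile "$d/ext.cnf" -extensions san -out "$d/prism.pem" 2>/dev/null
  echo "$d"
}
d=$(make_sample)
check_prism_bundle "$d/key.pem" "$d/prism.pem" "$d/ca.pem" && echo "OK: ready to import into Prism"
```

To check your real files, call check_prism_bundle with key.pem, prism.pem and ca.pem from the OpenSSL folder instead of the constructed sample.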

Uploading the Signed Certificate to Nutanix Prism

1. Log in to Prism.

2. From the gear icon pull-down list in the main menu, select SSL Certificate.

3. Click Replace Certificate.

4. Click Import Key and Certificate, and then click Next.

5. Select the private key type (RSA 2048 bit) and upload the private key (key.pem), the signed certificate (prism.pem) and the CA chain (ca.pem), all in PEM format.

6. Click Import Files.

Note: After the new certificate is uploaded, the interface gateway restarts. If the certificate and credentials are valid, the interface gateway uses the new certificate immediately. If anything is wrong with the certificate (such as a wrong certificate type), the new certificate is discarded.

7. Log in again; the browser now shows that Prism is using the new signed certificate.

References:

Nutanix: Installing an SSL certificate
https://portal.nutanix.com/#/page/docs/details?targetId=Web_Console_Guide-NOS_v4_1:wc_security_ssl_certificate_wc_t.html

OpenSSL: req – certificate request and certificate generating utility
https://openssl.org/docs/manmaster/apps/req.html

Microsoft: Change the CA hash algorithm to SHA-2 (certutil -setreg ca\csp\CNGHashAlgorithm SHA256)
https://technet.microsoft.com/en-us/library/dn771627.aspx

Microsoft: Migrating your Certification Authority Hashing Algorithm from SHA1 to SHA2
http://blogs.technet.com/b/askds/archive/2015/04/01/migrating-your-certification-authority-hashing-algorithm-from-sha1-to-sha2.aspx