
vRealize Orchestrator – SAN certificate replacement (Windows CA)

This guide will walk you through replacing your standalone vRO certificate when you are using SAN names.

Ingredients

1 External vRO node with 2 DNS records.

Fresh vRO 7.4 Server

Set up the config file to generate the .csr

vro-04:/# cd /tmp
vro-04:/tmp # mkdir cert
vro-04:/tmp # cd cert
vro-04:/tmp/cert # touch san.cnf
vro-04:/tmp/cert # vi san.cnf

[req]
distinguished_name = req_distinguished_name
# req_extensions (not x509_extensions, which only applies with -x509) is what embeds the v3_req section, and with it the SAN list, into the CSR
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = US
ST = CO
L = Broomfield
O = Nanner
OU = IT
CN = vro-04.nanner.ninja

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
# list every DNS name the server will be reached by; the CN is not used for hostname matching, so it must appear here too
DNS.1 = vro-04.nanner.ninja
DNS.2 = vro74.nanner.ninja

Now we will use openssl to create the CSR

vro-04:/tmp/cert # openssl req -out sslcert.csr -newkey rsa:2048 -nodes -keyout private.key -config san.cnf
Generating a 2048 bit RSA private key
......................................+++
...............+++
writing new private key to 'private.key'

This command will output the SAN names included in the CSR.
vro-04:/tmp/cert # openssl req -text -noout -verify -in sslcert.csr | grep DNS
verify OK
DNS:vro74.nanner.ninja

Pass the .CSR to your CA

Download the Base64-encoded cert. This will give you a .cer file. In the next step we will use the information in this file to create your .pem file.

Create your .pem file for import into VRO

Now we need to merge the .cer with the private.key.

Open the .cer file you received from your CA in a text editor and copy its contents into a new file.

Then take the private key and paste it above -----BEGIN CERTIFICATE-----
vro-04:/tmp/cert # cat private.key
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCwWximLQqDsgvR

The file should look like this. (I omitted the actual key + cert here)

-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

Now save the file as cert.pem
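The CSR generation and SAN check above, together with the key-and-certificate merge, as one runnable shell example added here (it is not from the original post and not vRO's own tooling). It assumes openssl on PATH; the hostnames vro-04.example.test and vro74.example.test, the Example Org DN, the digitalSignature/keyEncipherment key usage, and the mock_ca_sign stand-in that self-signs the CSR so the example runs without a Windows CA are all assumptions of the example. Beyond the post, it also verifies that the returned certificate actually belongs to private.key before the two are concatenated.

```shell
#!/bin/sh
# Added example, not from the original post: build a SAN CSR, list the SANs it
# carries, and verify that the certificate handed back by the CA belongs to the
# private key before assembling cert.pem. Hostnames and DN values are hypothetical.
set -e

# Write an OpenSSL request config: $1 path, $2 CN, remaining args = DNS SANs.
# req_extensions (not x509_extensions) is what embeds the SAN list into a CSR.
write_san_cnf() {
    cnf="$1"; cn="$2"; shift 2
    cat > "$cnf" <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = US
O = Example Org
CN = $cn

[v3_req]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
EOF
    i=1
    for name in "$@"; do
        printf 'DNS.%d = %s\n' "$i" "$name" >> "$cnf"
        i=$((i + 1))
    done
}

# Generate a fresh RSA key and a CSR from the config: $1 cnf, $2 key out, $3 csr out
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$2" -out "$3" -config "$1" 2>/dev/null
}

# Print the DNS SANs embedded in a CSR, one per line (nothing if the CSR has none)
csr_sans() {
    openssl req -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

# Succeed only if the certificate's public key equals the private key's public key
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Assemble cert.pem in the order the post uses (private key, then certificate),
# refusing to write a file whose two halves do not belong together
build_pem() {
    key_matches_cert "$1" "$2" || { echo "private key does not match certificate" >&2; return 1; }
    cat "$1" "$2" > "$3"
    chmod 600 "$3"
}

# Stand-in for the Windows CA so the example runs offline: self-signs the CSR
# while keeping the v3_req extensions. In practice the CA issues the .cer instead.
mock_ca_sign() {
    openssl x509 -req -in "$1" -signkey "$2" -days 1 -extfile "$3" -extensions v3_req -out "$4" 2>/dev/null
}

# End-to-end run in a scratch directory; prints the SANs and the PEM headers
run_demo() {
    d=$(mktemp -d)
    write_san_cnf "$d/san.cnf" vro-04.example.test vro-04.example.test vro74.example.test
    make_csr "$d/san.cnf" "$d/private.key" "$d/sslcert.csr"
    echo "SANs in CSR:"; csr_sans "$d/sslcert.csr"
    mock_ca_sign "$d/sslcert.csr" "$d/private.key" "$d/san.cnf" "$d/vro-04.cer"
    build_pem "$d/private.key" "$d/vro-04.cer" "$d/cert.pem"
    grep -- '-----' "$d/cert.pem"
}

if [ "${RUN_DEMO:-0}" = 1 ]; then run_demo; fi
```

Run it with RUN_DEMO=1 sh san-csr.sh (the file name is hypothetical). The step worth keeping from this beyond the post's own commands is key_matches_cert: pairing the issued certificate with the wrong private.key is only discovered after the service restart, so comparing the two public keys before the import is cheaper than reading server.log afterwards.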

Import the PEM into vRO

Log in to the vRO control center and browse to the certificates section.

Give the vRO service a couple of minutes to restart.
You can run tail -f /var/log/vmware/vco/app-server/server.log to watch the service come back up.

Now, if you examine the cert presented by vRO, you should see your SAN name.
