Lab:Use OpenSSL to generate the Certificate Signing Request (CSR) for VMware NSX (with multiple SANs)

From Iwan
Jump to: navigation, search

In this lab I am working with the following software and versions:

Software Version Filename
VMware NSX 4.0.0.1 nsx-unified-appliance-4.0.0.1.0.20159694.ova
Windows Server 2019 en_windows_server_2019_updated_feb_2020_x64_dvd_de383770.iso
OpenSSL 1.1.1q Win64OpenSSL_Light-1_1_1q.exe
Visual C++ Redistributable Packages 2017 14.16.27033 VC_redist.x64.exe
  1. Create a “wildcard” CSR that can be used to sign and that can be used for all NSX Manager Nodes including the NSX Manager VIP address.

Untitled.png

⚠️ You can not use the NSX Manager to generate a new CSR that are usable for the signing and replacement of CA signed certificates. The NSX Manager does not provides the private key with the CSR. This private key is required later in this step. For this reason you need to use another tool to generate the CSR. I am using OpenSSL in this article.

The Steps

  • STEP 1: Install OpenSSL and Visual C++ Redistributable Packages
  • STEP 2: Create a the certificate config file
  • STEP 3: Use OpenSSL to generate the .csr and .key file


STEP 1: Install OpenSSL and Visual C++ Redistributable Packages

Visual C++ Redistributable Packages

Agree on the license terms and conditions and click “Install”.

Untitled%201.png

Review the progress.

Untitled%202.png

Click on “

Untitled%203.png

Open SSL

Select “I accept the agreement” and click “Next”.

Untitled%204.png

Click “Next”.

Untitled%205.png

Click “Next”.

Untitled%206.png

Select “The OpenSSL binaries (/bin) directory” and click “Next”.

Untitled%207.png

Click “Install”.

Untitled%208.png

Click “Finish”.

Untitled%209.png

The OpenSSL executable file is stored in this directory:

C:\Program Files\OpenSSL-Win64\bin

STEP 2: Create the certificate config file

I am using the information in the table below of the Pod-120-NSXT-LM (wildcard) as input for the config file.

NSX Manager Node C(ommon N(Name) O(rganization) O(rg) (Unit) C(ountry) ST(ate) L(ocality) (SAN) DNS Names Key Size Algorithm
Pod-120-NSXT-LM-1 pod-120-nsxt-lm-1.sddc.lab NSX Academy Education NL ZH Rotterdam pod-120-nsxt-lm-1.sddc.lab 2048 RSA
Pod-120-NSXT-LM-2 pod-120-nsxt-lm-2.sddc.lab NSX Academy Education NL ZH Rotterdam pod-120-nsxt-lm-2.sddc.lab 2048 RSA
Pod-120-NSXT-LM-3 pod-120-nsxt-lm-3.sddc.lab NSX Academy Education NL ZH Rotterdam pod-120-nsxt-lm-3.sddc.lab 2048 RSA
Pod-120-NSXT-LM pod-120-nsxt-lm.sddc.lab NSX Academy Education NL ZH Rotterdam pod-120-nsxt-lm.sddc.lab 2048 RSA
Pod-120-NSXT-LM (wildcard) pod-120-nsxt-lm.sddc.lab NSX Academy Education NL ZH Rotterdam pod-120-nsxt-lm.sddc.lab

pod-120-nsxt-lm-1.sddc.lab
pod-120-nsxt-lm-2.sddc.lab
pod-120-nsxt-lm-3.sddc.lab
pod-120-nsxt-lm
pod-120-nsxt-lm-1
pod-120-nsxt-lm-2
pod-120-nsxt-lm-3

2048 RSA

Create a new file named nsx.cfg with the following content.

[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:TRUE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:pod-120-nsxt-lm, DNS:pod-120-nsxt-lm.sddc.local, DNS:pod-120-nsxt-lm-1, DNS:pod-120-nsxt-lm-1.sddc.local, DNS:pod-120-nsxt-lm-2, DNS:pod-120-nsxt-lm-2.sddc.local, DNS:pod-120-nsxt-lm-3, DNS:pod-120-nsxt-lm-3.sddc.local
[ req_distinguished_name ]
countryName = NL
stateOrProvinceName = ZH
localityName = Rotterdam
0.organizationName = NSX Academy
organizationalUnitName = Education
commonName = pod-120-nsxt-lm.sddc.local

Save the file in a separate /certs folder (to keep things clean).

Untitled%2010.png

STEP 3: Use OpenSSL to generate the .csr and .key file

Use the following command to generate the .csr and .key file.

C:\Program Files\OpenSSL-Win64\bin>openssl req -out ./certs/nsxcert.csr -newkey rsa:2048 -nodes -keyout ./certs/nsxcert.key -config ./certs/nsx.cfg
Generating a RSA private key
..............+++++
...............+++++
writing new private key to './certs/nsxcert.key'
-----

C:\Program Files\OpenSSL-Win64\bin>

Verify if the .csr and .key file are available.

Untitled%2011.png

The CSR output:
-----BEGIN CERTIFICATE REQUEST-----
MIID4zCCAssCAQAwfTELMAkGA1UEBhMCTkwxCzAJBgNVBAgTAlpIMRIwEAYDVQQH
EwlSb3R0ZXJkYW0xFDASBgNVBAoTC05TWCBBY2FkZW15MRIwEAYDVQQLEwlFZHVj
YXRpb24xIzAhBgNVBAMTGnBvZC0xMjAtbnN4dC1sbS5zZGRjLmxvY2FsMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvDqoVcDu6hxqalmsKRwNETnVcIfp
rll5jo3PvkZH8c6j6yH5QldM0KuCa9N0Bo4M6VJ7hhNi7BQfWdLxLctR7PSS3eLc
3xvmL5Ed2WNtdgXqyLUA1LaIKQBT8X9FQZ3sal9OHJkDLWw7aJvnsuhNGIcykB+L
C9CVd99w+wGqNXSVbk1AFOKekCZuboQ+FmPxjZTH2a/Bct9FzvQRi5M1tA+4g+yu
sVoYe5zn89h2u6qtCVpHpd/0F3BmSIQsciSrtdQJ3+24RNhvETYNhyoXGfWVbObU
16nIIKd/UaNuG3JVKcyDxl7CdcxJHPjNoUU9js5Om7BN1Wqv6G1O+N6OFQIDAQAB
oIIBHzCCARsGCSqGSIb3DQEJDjGCAQwwggEIMAwGA1UdEwQFMAMBAf8wCwYDVR0P
BAQDAgSwMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjCBywYDVR0RBIHD
MIHAgg9wb2QtMTIwLW5zeHQtbG2CGnBvZC0xMjAtbnN4dC1sbS5zZGRjLmxvY2Fs
ghFwb2QtMTIwLW5zeHQtbG0tMYIccG9kLTEyMC1uc3h0LWxtLTEuc2RkYy5sb2Nh
bIIRcG9kLTEyMC1uc3h0LWxtLTKCHHBvZC0xMjAtbnN4dC1sbS0yLnNkZGMubG9j
YWyCEXBvZC0xMjAtbnN4dC1sbS0zghxwb2QtMTIwLW5zeHQtbG0tMy5zZGRjLmxv
Y2FsMA0GCSqGSIb3DQEBCwUAA4IBAQA6fDcPpFJ1ozTMh0F9a7+JCen6s1n9gg3K
KOs9uqCBYYsNmRLmH33dM5GifTL7GRpu5vrjyiA7pFwFU7DjWS/NK+sRZAlb5FTV
wA678mLkhsXj1HW8HxB6+UuQ/2fBehZ7MkYLukFRYxcBuqupZkGrp/n7NnRj9l5p
1f2gUjfyR3Wn2J8Dp/iFDkJ8feUYIHvRKni44B6NPo6nysGXCOeFclBnQ61gja28
yhhEOzsUwXTmsBSByUzHII9VqyhTP2sdZq0nT7sLhcyy47Q2JtvQ2B7dp6M1kHG1
XvJg/OTrdJE9O+8IRQ3qDn9bSrgW6FUPUgJbL4wSO1u7h2uArcud
-----END CERTIFICATE REQUEST-----
The Private Key output:
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC8OqhVwO7qHGpq
WawpHA0ROdVwh+muWXmOjc++RkfxzqPrIflCV0zQq4Jr03QGjgzpUnuGE2LsFB9Z
0vEty1Hs9JLd4tzfG+YvkR3ZY212BerItQDUtogpAFPxf0VBnexqX04cmQMtbDto
m+ey6E0YhzKQH4sL0JV333D7Aao1dJVuTUAU4p6QJm5uhD4WY/GNlMfZr8Fy30XO
9BGLkzW0D7iD7K6xWhh7nOfz2Ha7qq0JWkel3/QXcGZIhCxyJKu11Anf7bhE2G8R
Ng2HKhcZ9ZVs5tTXqcggp39Ro24bclUpzIPGXsJ1zEkc+M2hRT2Ozk6bsE3Vaq/o
bU743o4VAgMBAAECggEAfwn34yi8FzXmfLDZCUXta9rku3Z/uTSaXiRIOdulYwZc
i636VVQmfA/FjpDAlkv5WuBYjj03Xq6WGkHMlWPMf2jyVt9uwwZJbYE77CS3FBka
RSwky2wGqeWWwj9rtsWncoOwbIy5IEcUMZ5H2u/+WLem4K7pYaf9uVINJtwQzNIg
obg7EfuHzfIQAS35kiGUKzwnPCrXBUrriNYkLlfUP7EdRTm6VWecW30cn6jNFeGz
pNhiQwWZQKSJZwPn7jx7iui2hvRjGF3kNRUmnBywBXmFYWnlu9o1TBAmM/FdbzYW
ycbme2XMtq1ndGPyRio+CcPwV5rQy1EWI/8U0/X2AQKBgQD0b3cYbu1qNmB+Zf4l
j4O6S3+xMWEAUnGtKObTpvmU3RgEHQhb+FNxLr0Rl07SX5SeowrAmMu/BkfDLMJB
wxWl/XOstxVOn3nJiAQMxll/D6ZWK/xtOzlPaEzRWXJWevKajEOQIAfLcRU9kdzo
UMwtyaEUPsu08moGBqctohlTsQKBgQDFIm/wrQD0ZmcT/Zu/uGZoK7eLqLZbudwF
KD3IZotx8HLWZY4Q+trvU8PHMX4KC4dknwGnZWBZJVvhgIZVQc7uV3Fw1uvkx6xc
LWsSM5OjL7ZMG71nn8X7w0vNwTwOx7Idyye3rR8IQ01ZmNc9FuTrWqwU1pnRek3u
nCcgcQ2tpQKBgDVFkbQegNmUDkWd3ty6wV+5kpPAij5yuVmev2fDTUOXR+OlnCvH
HBBfuk76JfCNaiuEpxRAeK8iJEOyHogMh0xMx4gNwrQG55j3bsKF+/1IIN1I6tO3
g4790TgTAWs9kmACT7s6b9hzxchMYNO0wDr+ZX+vC+BcsKStkIPOfyyRAoGAIpCW
Ngnvh+rImg22mFgZxJwds6QiTVT6SgEzTAcG3jR9vi/SSBHj/2CdjDiWU+aPl8n1
fUdeLGNLh++EHkDKqqm0X0ef1t5Xz1W7V1apxUwhV5jpjdjK2wj0KqB+Ck1jYqvz
S9ZUAZvjXRlabACupMGiOIkkMUGTlonUpnCMKG0CgYEAknpiKBTjh/agU99qRWI2
BX6ZEQnEdnX0o5Jb/Ceckjx/gC3H179jjhKztMySvc/Li12S6ViwptetLLgJTtQo
HUUV7UzA29zplTJxJUHqM+REk7xQONbUMUX8XjDejfqxR+yvJ1ojIxTx6Rv9qtKF
Fm6TSrqXD76hx7P+WrztcVc=
-----END PRIVATE KEY-----

Continue with >> Lab: Signing the NSX CSR with a Microsoft (root) CA Server