How to generate Signed SSL Certificates for a LogInsight Cluster (this has been done on v3.0, but I know the same process works on at least v2.5)
This will be done using a local Microsoft CA.
Download OpenSSL from here, then run the installer (I normally install all files to a c:\openssl directory). I additionally will use Notepad++ for editing files by default.
Once OpenSSL has been installed, open a cmd prompt as Administrator and run
set OPENSSL_CONF=c:\openssl\bin\openssl.cfg
Then create a folder to store the LogInsight config and key files: c:\openssl\li\
Then create an OpenSSL config file as follows, from which to create a CSR (loginsight.corp.local is the cluster name we will provide, and IPs in the SAN have been provided for all 3 cluster nodes and the cluster IP address). Change the bold values. This setup is based on a 3-node cluster. Save this file as c:\openssl\li\li.cfg
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
# Extensions requested in the CSR
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
# Every SAN entry must be comma-separated: node names, then the node and cluster IPs
subjectAltName = DNS:log-01a.corp.local, DNS:log-01b.corp.local, DNS:log-01c.corp.local, IP:192.168.110.24, IP:192.168.110.25, IP:192.168.110.26, IP:192.168.110.27
# Subject of the certificate; commonName is the cluster name
[ req_distinguished_name ]
countryName = UK
stateOrProvinceName = London
localityName = London
0.organizationName = VMware
organizationalUnitName = corp.local
commonName = loginsight.corp.local
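The two easiest mistakes in li.cfg are a malformed subjectAltName line (a missing comma, or a section header run onto the previous line) and a cluster name that appears only in commonName, which clients that match hostnames against the SAN will not accept. The lint check below is an added example, not part of the original post; the function names and SAMPLE_CFG (a trimmed config built from this page's values) are assumptions.

```python
import ipaddress
import re

# Constructed sample: only the sections the check reads, using this page's values.
SAMPLE_CFG = """
[ req ]
req_extensions = v3_req
[ v3_req ]
subjectAltName = DNS:log-01a.corp.local, DNS:log-01b.corp.local, DNS:log-01c.corp.local, IP:192.168.110.24, IP:192.168.110.25, IP:192.168.110.26, IP:192.168.110.27
[ req_distinguished_name ]
commonName = loginsight.corp.local
"""
HOSTNAME = re.compile(r"(\*\.)?([A-Za-z0-9-]{1,63}\.)*[A-Za-z0-9-]{1,63}")

def parse_cfg(text):
    """Parse a simple OpenSSL-style config into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.fullmatch(r"\[\s*(\w+)\s*\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def check_san(cfg_text):
    """Return a list of problems with the SAN setup; an empty list means it is clean."""
    cfg = parse_cfg(cfg_text)
    ext = cfg.get("req", {}).get("req_extensions", "")
    san = cfg.get(ext, {}).get("subjectAltName")
    if san is None:
        return ["no subjectAltName in section %r" % ext]
    problems, dns_names = [], set()
    for entry in (e.strip() for e in san.split(",")):
        kind, _, value = entry.partition(":")
        if kind == "DNS" and HOSTNAME.fullmatch(value):
            dns_names.add(value.lower())
        elif kind == "IP":
            try:
                ipaddress.ip_address(value)
            except ValueError:
                problems.append("bad IP entry: %r" % entry)
        else:
            problems.append("bad SAN entry: %r" % entry)
    cn = cfg.get("req_distinguished_name", {}).get("commonName", "")
    if cn.lower() not in dns_names:
        problems.append("commonName %r is not a DNS entry in the SAN" % cn)
    return problems
```

Run on the sample, check_san reports that loginsight.corp.local is not a DNS entry in the SAN; adding DNS:loginsight.corp.local to the subjectAltName line clears it.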
With OpenSSL, generate a private key in RSA format
openssl genrsa -out c:\openssl\li\server.key 2048
Create a CSR
openssl req -new -key c:\openssl\li\server.key -out c:\openssl\li\server.csr -config c:\openssl\li\li.cfg
Submit the CSR to the certificate authority
certreq -submit -attrib "CertificateTemplate:WebServer" c:\openssl\li\server.csr c:\openssl\li\server.pem
Now we need to combine this PEM file with our key file to create the PEM to give to LogInsight. Open Notepad++ and create a new file called LogInsight-Upload.pem. Copy all the contents of the server.key file into the new text file and then, directly below, the contents of the server.pem file (I have truncated the content of each key in the image below so your file may be longer).
As always, ENSURE YOU HAVE A SNAPSHOT BEFORE YOU START MAKING CHANGES TO A PROD SYSTEM.
Then log into your master node of the LogInsight Cluster (normally the first one deployed) and upload the PEM file and Save the change.
Then upload the same file to each other node in the cluster.