CUGC Blogs

How to Add a Domain Based SSL Cert to Nutanix PE

By Ray Davis posted 04-19-2022 01:36 PM


One of the things I've needed to do was to replace the *.Nutanix.local self-signed SSL cert on Prism Element. I used many Nutanix articles to do this in the beginning; however, after testing in Chrome and Edge, those browsers didn't like the SSL cert. I would go through one article at a time, getting the certs updated, and the Chromium-based browsers still didn't like it. I spent a good many hours figuring out what I had done incorrectly.


One of the many things in our line of work is security, and a self-signed cert may work in some places, but it's best to replace it with one issued by your internal CA. In my experience, Citrix doesn't really need the CA cert to make the hypervisor connection; because of the Nutanix plugins, things work well regardless. However, why not just do it now and avoid having to do it later down the road? I do it anyway, to make sure things are 100%.


I went to another article and got the same results. I ended up contacting support, and they explained that the cert needed a SAN. As it turns out, I needed to add the names to my SAN file and not rely on the common name the way I was using it. 99.99% of the time, Nutanix articles are spot on, but in my opinion they struggled a bit around this topic. As I worked with the support engineer on the phone, we built a document explaining all this and outlining the steps below. The gentleman asked me to use this document to make a new KB in the portal, which I don't mind; after all, sharing is caring. I had used a wildcard in the common name when generating the key file (server.key) and the CSR. I am still not sure why that would not work, but the SAN route honored it, and I found other articles explaining that Chromium-based browsers need the names in the SAN field of the certificate.

Most of you understand what a SAN is in the certificate realm: it's just the DNS names listed in the cert, so that when the cert is presented for one of those names the browser sees that the name is valid and you won't get an SSL-not-trusted error. Below is a breakdown of how I replaced my self-signed SSL cert with an MS CA cert with a wildcard in the SAN. I have been using Nutanix AHV/Prism/Files for over a year at this point in my career. I have learned a lot about this hypervisor and how things revolve around Nutanix AHV and the whole product line. Things are smooth in my experience, but I still have a lot to learn compared to my 12+ years with VMware. Let's get started below!



1. You will need to create a san.conf file (on the CVM, using vi):

  1. Copy the text of the san.conf from step 3 below
  2. vi san.conf
  3. Type "i" to insert
  4. Paste the text by clicking the right mouse button
  5. Press "esc"
  6. :wq!

2. Check the file with:
    1. cat san.conf

3. san.conf file contents:

    [ req ]
    default_bits       = 2048
    default_keyfile    = server.key
    distinguished_name = req_distinguished_name
    req_extensions     = req_ext

    [ req_distinguished_name ]
    countryName                 = US
    countryName_default         = US
    stateOrProvinceName         = FL
    stateOrProvinceName_default = FL
    localityName                = Jax
    localityName_default        = Jax
    organizationName            = RaysLab
    organizationName_default    = VyStar
    commonName                  = ntxcls.lab.local
    commonName_default          = ntxcls.lab.local
    commonName_max              = 64

    [ req_ext ]
    subjectAltName = @alt_names

    # Chromium-based browsers match the hostname against these names, not the commonName
    [alt_names]
    DNS.0   = pe01.lab.local
    DNS.1   = *.lab.local

4. Run the following commands:
  1. openssl genrsa -out server.key 2048
  2. openssl req -new -nodes -sha256 -config san.conf -key server.key -out server.csr  (-key makes openssl sign the request with the key from 4.1 instead of generating a fresh one)
  3. openssl req -in server.csr -noout -text  (You don't need this command; it is a way to open the CSR and check that the SAN names are present before you submit it.)

5. WinSCP the CSR file to a folder on your laptop.



6. Open your MS CA web enrollment page:
 a. https://myca01.lab.local/certsrv
 b. Paste the CSR you generated in step 4.2.
 c. The certificate template needs to be "Web Server."
 d. Always select "Base 64".
 e. Download the certificate and save the file as prism.pem.
 f. Download the certificate chain (certnew.p7b).




7. Open certnew.p7b, which is the chain.
 a. It will open the certificate in MMC.
 b. Right-click and export it.
 c. Select the "Base-64 encoded X.509" option.
 d. Save the file as ca.pem.
 e. Save.
 f. Next.
 g. Finish.




8. Go to Prism Element and click the gear in the top right.
 a. Select SSL Certificate.
 b. Select Import Key and Certificate.
 c. Private Key = server.key (generated in step 4.1 above).
 d. Public Certificate = prism.pem (downloaded from the MS CA and saved as prism.pem in step 6e).
 e. CA Certificate/Chain = ca.pem (exported from the p7b and saved as ca.pem in step 7d).
 f. Import files.
 g. Prism Element is good with Chromium-based browsers now.
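The SAN requirement the whole article hinges on can be checked before the import in step 8, and the CSR from step 4 can be produced unattended; this is an added example, not code from the original post or from Nutanix. It assumes openssl is on PATH, mirrors the article's san.conf names, and uses a constructed self-signed certificate as a stand-in for the MS CA-issued prism.pem so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): build the CSR unattended the way
# the article's step 4 does, then run two checks before importing into Prism:
# the SAN names Chromium requires are really present, and prism.pem's public
# key matches server.key. Assumes openssl on PATH; a self-signed cert stands
# in (constructed) for the MS CA-issued one so this runs offline.
set -eu
WORK="$(mktemp -d)"

write_san_conf() {            # same shape as the article's file, prompt = no
  cat > "$WORK/san.conf" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
req_extensions     = req_ext
prompt             = no
[ req_distinguished_name ]
C  = US
ST = FL
O  = RaysLab
CN = ntxcls.lab.local
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = pe01.lab.local
DNS.2 = *.lab.local
EOF
}
make_key_and_csr() {          # -key makes req reuse the genrsa key
  openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
  openssl req -new -nodes -sha256 -config "$WORK/san.conf" \
    -key "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
}
issue_stand_in_cert() {       # constructed stand-in for CA-issued prism.pem
  openssl x509 -req -in "$WORK/server.csr" -signkey "$WORK/server.key" \
    -extfile "$WORK/san.conf" -extensions req_ext -days 30 \
    -out "$WORK/prism.pem" 2>/dev/null
}
# Check 1: $1 = req|x509, $2 = file, $3 = DNS name (grep pattern); 0 if listed
has_san() {
  openssl "$1" -in "$2" -noout -text | grep -q "DNS:$3"
}
# Check 2: 0 if the certificate's public key matches the private key
key_matches_cert() {
  [ "$(openssl pkey -in "$WORK/server.key" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$WORK/prism.pem" -noout -pubkey)" ]
}
write_san_conf; make_key_and_csr; issue_stand_in_cert
has_san req  "$WORK/server.csr" pe01.lab.local && echo "CSR SAN ok"
has_san x509 "$WORK/prism.pem" '\*.lab.local' && echo "cert wildcard SAN ok"
key_matches_cert && echo "prism.pem matches server.key"
```

Against the real prism.pem from step 6, run the same has_san and key_matches_cert checks with that file; a missing DNS entry or a key mismatch is exactly what produces the browser error the article describes.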



That concludes this article. Thank you.
#Blog
#Citrix
#Nutanix
#SSL