October 12, 2020

How to Replace the Self-signed Certificate for Nutanix Prism Element and Prism Central

Purpose:

Demonstration on how to replace the self-signed certificate on Nutanix Prism Element and Prism Central.

Introduction:

There are many blogs out there about how to replace the self-signed certificate in Nutanix Prism Element and Prism Central with a domain signed certificate. A lot of the blogs reference the need to create the Certificate Signing Request (CSR) in the command line of OpenSSL on a Linux or Windows machine. There are alternatives to this, the certificate can very easily be created using the Microsoft certificate snap-in and then using OpenSSL to convert the certificate into an acceptable format for Prism Element and Prism Central to use. This is useful as a lot of workloads (Citrix, VMware, etc...) are being migrated to Nutanix for the hyper-converged benefits and this eliminates the certificate warning and improves security posture for the environment.

Configuration Steps:

Launch the Microsoft Certificate Snap-in for the Local Computer.

In this case I going to create a custom request as I want to be able to define the Subject Alternative Name and use the same certificate for Prism Central and Prism Element. At a minimum there at least needs to be one Subject Alternative Name which is the Common Name or popular browsers such as Mozilla Firefox, Google Chrome or Chromium Edge will produce a certificate warning stating the Subject Alternative Name is missing.

Right Click in the Certificate Snap-in, go to All Task -> Advanced Operations -> Create Custom Request.


Click Next

Since we are creating a custom CSR and do not want to be dependent on an Active Directory Enrollment Policy, select Proceed without an Enrollment Policy

On the Template dropdown, select (No Template) Legacy Key -> Click Next

Expand Details -> Click Properties

On the Friendly Name fill in the friendly name of the certificate. In my case prism.domain.lab.

Fill in all of the certificate details such as the Common Name, Organization, Organizational Unit, Locality and State under the Subject name section. Under the Alternative Name section fill in All of the Alternative Names, in my case prism.domain.lab, prism, prismcentral.domain.lab and prismcentral. This allows for both short names and fully qualified domain names to not produce certificate warnings. 

Under the Private Key tab make sure that the Key Size is 2048 bit (always use this) and that Mark private key exportable is checked or after completing the signing the certificate cannot be exported. -> Click Apply

Save the CSR to a location for easy access

Now head over to your Domain CA Web Enrollment portal, typically from a browser go to: https://domaincafqdn/certsrv. Click Request a certificate.
Click advanced certificate request

Click Submit a certificate request by using a base-64 encoded CMS or PKCS #10 file


Open the CSR generated earlier, copy and paste the contents of this into the base-64 encoded certificate request or PKCS #10 or PKCS #7 field. On the Template select the appropriate Web Server Template defined by your Domain CA administrator. In my case Web Server 2048Bit SHA256.

Once the CSR has been submitted and the request has been answered by the domain CA the file should be saved in a place for easy access. In my case the file is named prism.domain.lab.answer.cer

Now back on the machine where the CSR was generated in the Microsoft Certificate Snap-in Right Click -> All Tasks -> Import 

Click Next


Click Browse


Browse to the previous location where the answer file was saved. -> Click Open


Click Next


Make sure the Personal Store is selected -> Click Next


Confirm settings -> Click Finish

Now the certificate needs to be exported as a PFX file which contains the private key. When exporting from Windows the private key is encrypted with a password. This will need to be retained in order to perform the next steps in OpenSSL which will extract the certificate pieces and remove the password on the private key.

We can extract the private key form a PFX to a PEM file with this command:
# openssl pkcs12 -in filename.pfx -nocerts -out key.pem

Exporting the certificate only:
# openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem

Removing the password from the extracted private key:
# openssl rsa -in key.pem -out server.key


Open the .key file and remove the bag attributes and issuer information or Prism Element and Prism Central will not be able to use it. In addition the intermediate and root certificates for the Domain CA need be available and if there is both an intermediate and root they should be copied into a single file and simply named with a .cer format.


Login to either Prism Element or Prism Central


In the settings, go to SSL Certificate -> Click Replace Certificate



Make sure Import Key and Certificate are selected -> Click Next

RSA 2048 should be selected by default. Select the appropriate files. In my example prsim.domain.lab.key for the Private Key, prism.domain.lab.cert.pem for the public certificate and domain1.ca.cer for the CA certificate chain -> Click Import Files

It may take a few moments and the window should reload and now there no longer is a certificate warning on Prism. The certificate installation is the same for both Prism Element and Prism Central.

The certificate can be viewed and it should be the same certificate from before.




1 comment:

  1. Hi, you manual is not complete and skipping some important parts.
    1. My certification auhtority gave me certificate in DER or BASE64 format, which does not iclude pirvate key. To be able to get the private key, you have to import generated certificate as you do, but then you have tu run certutil -repairstore my "SerialNumber" and export the certificate, this time in PFX format with private key and you have to specify password.
    2. Nutanix require to specify CA certifica/chain in PEM format and windows give you crt format. So you have to run one more command to extract ca certificate chanin from PFX openssl pkcs12 -in cert.pfx -nodes -nokeys -cacerts -out cert-ca.pem

    Please try to update your manual so it is usable for others.
    Overall its allright and I was able to use it.

    Thank you

    ReplyDelete