Signing Nutanix Prism certificates with Microsoft ADCS

Changing the Prism Self-signed certificate of your Nutanix cluster is a relatively straight forward process.

In this example I will show you how to generate a certificate request and sign it with Microsoft Active Directory Certificate Services (ADCS).

The following processes were tested on ADCS 2012 R2, AOS (NOS) 4.6.1.1 and Acropolis Hypervisor (AHV) 20160217.2 but should work on most other releases.

 

Nutanix certificates are best served with SHA256. If your CA (2012 R2) issues certificates with a signature algorithm of RSASSA-PSS you will need to change this, as it’s not supported.

In the below example I have used the ADCS WebServer template and have 3 nodes in my cluster (and the VIP). To swap out the self-signed certificate you will need 3 files.

  • The Private Key (clustervip.key generated with openssl)
  • The Public Key (clustervip.cer, the signed certificate generated by the CA)
  • The CA Chain (cachain.txt)

On to the certification process!

 

On the CVM

  1. SSH to one of the Controller Virtual Machines (CVMs) in your cluster.
  2. Type the following openssl command to create your Private Key and Certificate Request file:
    openssl req -out clustervip.req -new -newkey rsa:2048 -nodes -sha256 -subj "/C=AU/ST=ACT/L=Canberra/O=Mik3y net/OU=Home/CN=clustervip.mik3y.net" -keyout clustervip.key
  3. Copy both the clustervip.req and clustervip.key file from the CVM (do this via SFTP or simply ‘cat’ each file and copy the contents).
  4. Place the .req on the file system of your CA and the .key file on your desktop to upload to Prism later.

 

On the Certificate Server

The CA server will need to have the capability of issuing certificates with Subject Alternative Names (SANs).

Security best practises recommend that SAN generation be turned off by default. Allowing users to generate certificates with these additional properties could open your environment up to impersonation attacks!

A SAN certificate will let you specify the Virtual IPs as well as the hostnames and IPs of your nodes in one certificate.

  1. Run a command prompt
  2. Sign the certificate:
    certreq -submit -attrib "CertificateTemplate:WebServer\nSAN:DNS=clustervip.mik3y.net&DNS=host1.mik3y.net&DNS=host2.mik3y.net&DNS=host3.mik3y.net&DNS=192.168.0.100&DNS=192.168.0.101&DNS=192.168.0.102&DNS=192.168.0.103" .\clustervip.req .\clustervip.cer
  3. You may now delete the .req file. Copy the clustervip.cer file to your desktop.

A certificate chain will also be required when importing the keys into Prism. This is as simple as combining the Public Key of each signing server in your hierarchy. You can export these from your local certificate store. Be sure to save them as Base-64 encoded X.509 (.cer).

A typical hierarchy might include:

RootCA -> Subordinate CA -> Issued Certificate

  1. Create a CA Chain file by copying and pasting the public keys into a text file. The text file will look like the code snippet below, with the Subordinate CA at the top and the Root CA at the bottom. For the sake of brevity I’ve removed some lines.
    -----BEGIN CERTIFICATE-----
    MIIFhjCCBG6gAwIBAgIEByeaqTANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJJ
    SL6RE4288kPpjnngLJev7050UblVUfbvG4=
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MgAwIBAgIEByeaqTANBgkqhkiG9w0BAQsByeaqTANBgkqhkiG9w0BAQsFADBaMc
    E4288kPpjnngLJev7AQsByejnngLJev7AQ9n
    -----END CERTIFICATE-----
  2. Save the file to “cachain.txt” on your desktop.
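Before uploading, it is worth confirming that the three files actually belong together: the key matches the certificate, the signature is SHA-256 RSA rather than RSASSA-PSS, the VIP is present as a SAN, and the chain file is ordered Sub CA first. The script below is an added example and not code from the original post; it only needs the openssl CLI, and the demo PKI it builds (Root CA, Sub CA, clustervip certificate) is constructed locally with assumed names.

```shell
#!/bin/sh
# Added example, not code from the original post: pre-flight checks on the three
# files before uploading them to Prism. Only the openssl CLI is needed. The demo
# PKI from make_demo_pki is constructed locally; its names are assumptions.

# check_prism_bundle KEY CER CHAIN VIP_FQDN: returns 0 when the bundle is consistent.
check_prism_bundle() {
  key=$1; cer=$2; chain=$3; vip=$4
  # 1. The private key must belong to the certificate: compare public-key digests.
  k=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
  c=$(openssl x509 -in "$cer" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  [ "$k" = "$c" ] || { echo "key does not match certificate"; return 1; }
  # 2. Prism wants SHA-256 RSA signatures; RSASSA-PSS is not supported.
  openssl x509 -in "$cer" -noout -text | grep -q 'Signature Algorithm: sha256WithRSAEncryption' \
    || { echo "unexpected signature algorithm"; return 1; }
  # 3. The cluster VIP name must be present as a DNS SAN.
  openssl x509 -in "$cer" -noout -text | grep -q "DNS:$vip" \
    || { echo "SAN does not contain $vip"; return 1; }
  # 4. First certificate in the chain file must be the issuer (Sub CA at top, Root at bottom).
  iss=$(openssl x509 -in "$cer" -noout -issuer | sed 's/^issuer=//')
  top=$(openssl x509 -in "$chain" -noout -subject | sed 's/^subject=//')
  [ "$iss" = "$top" ] || { echo "chain is not ordered Sub CA first"; return 1; }
  # 5. The chain must actually validate the certificate.
  openssl verify -CAfile "$chain" "$cer" >/dev/null 2>&1 || { echo "chain does not verify"; return 1; }
  return 0
}

# make_demo_pki DIR: constructed Root CA -> Sub CA -> clustervip certificate, plus cachain.txt.
make_demo_pki() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'subjectAltName=DNS:clustervip.mik3y.net,DNS:host1.mik3y.net,DNS:host2.mik3y.net\n' > "$d/leaf.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Root CA" -keyout "$d/root.key" -out "$d/root.req" 2>/dev/null
  openssl x509 -req -in "$d/root.req" -signkey "$d/root.key" -sha256 -days 2 -extfile "$d/ca.ext" -out "$d/root.cer" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Sub CA" -keyout "$d/sub.key" -out "$d/sub.req" 2>/dev/null
  openssl x509 -req -in "$d/sub.req" -CA "$d/root.cer" -CAkey "$d/root.key" -CAcreateserial -sha256 -days 2 -extfile "$d/ca.ext" -out "$d/sub.cer" 2>/dev/null
  # Same request shape as the post's openssl command, signed by the Sub CA with SANs added.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=clustervip.mik3y.net" -keyout "$d/clustervip.key" -out "$d/clustervip.req" 2>/dev/null
  openssl x509 -req -in "$d/clustervip.req" -CA "$d/sub.cer" -CAkey "$d/sub.key" -CAcreateserial -sha256 -days 2 -extfile "$d/leaf.ext" -out "$d/clustervip.cer" 2>/dev/null
  cat "$d/sub.cer" "$d/root.cer" > "$d/cachain.txt"   # Sub CA at top, Root CA at bottom
}

# Stand-alone run: build the demo PKI in a temp dir and check it.
demo=$(mktemp -d)
make_demo_pki "$demo"
check_prism_bundle "$demo/clustervip.key" "$demo/clustervip.cer" "$demo/cachain.txt" clustervip.mik3y.net && echo "bundle OK"
rm -rf "$demo"
```

Against your real files, run `check_prism_bundle clustervip.key clustervip.cer cachain.txt clustervip.mik3y.net` from the directory holding them; a reversed chain (Root CA on top) still passes `openssl verify` but fails check 4, which is exactly the ordering Prism expects.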

 

Uploading to Prism

Now you have your 3 files (private key, public key and CA chain). Time to load up the Prism Element web interface.

  1. Navigate to the cluster VIP or a CVM IP, e.g. http://192.168.0.100
  2. Login and click the Cog, followed by SSL Certificates.
  3. Choose RSA 2048 and import the 3 files when prompted and apply them.

Alternatively you can upload the files to the CVM via SFTP, or paste them back into your SSH session, and type:
ncli ssl-certificate import certificate-path=/home/nutanix/clustervip.cer cacertificate-path=/home/nutanix/cachain.txt key-path=/home/nutanix/clustervip.key key-type=RSA_2048

Prism will apply the certificates and restart the web service with your new PKI signed certs.

Voila!

 

Rolling Back

If for any reason you cannot log back into the Prism web portal, you can easily change back to a self-signed certificate with the following steps. I discovered this due to an earlier version of NOS containing a bug that butchered the CA Chain file when uploaded.

  1. SSH to one of the Controller Virtual Machines (CVMs) in your cluster.
  2. Type:
    ncli ssl-certificate generate