Whilst setting up our shiny Nutanix cluster earlier in the year, we needed to import a certificate from our Enterprise Certificate Authority. As Nutanix is built on Linux, it isn't as easy as requesting a certificate from your CA.
We found that we needed to use OpenSSL to extract the Private Key from the PFX generated by the server and then upload that separately with the server certificate.
At the time we did this we were running AOS 5, and we have not yet had to regenerate the cert for AOS 6.
Install OpenSSL from slproweb, if you haven’t already got it
Once installed, open Win64 OpenSSL Command Prompt
Run the command to generate a key (serverkey.pem) and the CSR (server.csr):
openssl req -new -newkey 2048 -nodes -sha256 -keyout serverkey.pem -addext "subjectAltName = DNS.1:prism.domain.tld,DNS.2:prism,IP.1:10.1.4.1" -out server.csr
After running the command, you will be prompted to fill out details for the certificate. For example:
Country Name
We now need to convert serverkey.pem into a format that Nutanix Prism can read. To do this, run the following command:
openssl rsa -in serverkey.pem -out nutanix.key
Navigate to the web interface of your certificate server (e.g. https://enterpriseca.domain.local/certsrv/certrqxt.asp).
Open server.csr in your favourite IDE and paste the contents of the file into the Base-64 encoded certificate request (CMC or PKCS #10 or PKCS #7) field.
Change the Certificate Template field to Web Server (or whatever you use for your web server certificates) and then click Submit.
Set the radio button to Base 64 Encoded and then click Download Certificate.
Now that we have our certificates, we can upload them to Nutanix Prism.
In the Private Key field, select the nutanix.key file generated earlier.
In the Public Certificate field, select the certificate file you downloaded from the CA earlier.
In the CA Certificate/Chain field, use the certificate that contains your Root CA/Issuing CA certs. This can be a single file holding both your intermediate (issuing) and root CA certificates.
Once uploaded, click the Import Files button, then close your browser session and reopen it.
Sometimes this step fails with an odd-looking error, along the lines of:
org.bouncycastle.asn1.pkcs.PrivateKeyInfo cannot be cast to org.bouncycastle.openssl.PEMKeyPair
We found that to get around this error, we needed to convert the serverkey.pem using a Linux-based system/server.
You will need to SCP the files over to your Linux host (not the Nutanix cluster):
scp C:\temp\nutanixcerts\serverkey.pem admin@linuxhost:~/serverkey.pem
Once prompted, enter your credentials for the Linux host and then run the following from an SSH session:
openssl rsa -in serverkey.pem -out nutanix.key
After this has run, you can SCP the nutanix.key file back to your Windows host:
scp admin@linuxhost:~/nutanix.key C:\temp\nutanixcerts\nutanix.key
Now upload the nutanix.key file and it should successfully upload.
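As an added example (not from the original post, and not Nutanix or OpenSSL code), here is a small stdlib-only Python tool that tells the two key encodings apart and performs the same unwrapping that the openssl rsa step above does. This is what lies behind the PrivateKeyInfo/PEMKeyPair error: openssl req -keyout writes the key as a PKCS#8 PrivateKeyInfo ("BEGIN PRIVATE KEY"), while the importer expects a PKCS#1 "BEGIN RSA PRIVATE KEY". The sample key material is a constructed stand-in, not a real key.

```python
import base64
import textwrap

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # DER of OID 1.2.840.113549.1.1.1 (rsaEncryption)

def _der_len(n: int) -> bytes:
    # DER length octets: short form below 0x80, else 0x80|count followed by the big-endian length
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body
def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body
def _read_tlv(buf: bytes, pos: int):
    # parse one DER element at pos -> (tag, contents, position after the element)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low bits say how many length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def pem_body_der(pem: str) -> bytes:
    return base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
def _to_pem(label: str, der: bytes) -> str:
    b64 = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

def pem_key_kind(pem: str) -> str:
    # 'PRIVATE KEY' = PKCS#8 PrivateKeyInfo (what openssl req -keyout writes); 'RSA PRIVATE KEY' = PKCS#1
    label = pem.partition("-----BEGIN ")[2].partition("-----")[0]
    return {"PRIVATE KEY": "pkcs8", "RSA PRIVATE KEY": "pkcs1"}.get(label, "unknown")

def ensure_pkcs1(pem: str) -> str:
    # return a PKCS#1 PEM, unwrapping PKCS#8 when needed (the re-encoding 'openssl rsa' performs)
    kind = pem_key_kind(pem)
    if kind == "pkcs1":
        return pem
    if kind != "pkcs8":
        raise ValueError("expected an unencrypted PEM private key")
    _, info, _ = _read_tlv(pem_body_der(pem), 0)  # PrivateKeyInfo ::= SEQUENCE
    _, _, pos = _read_tlv(info, 0)                # version INTEGER
    tag, alg, pos = _read_tlv(info, pos)          # privateKeyAlgorithm AlgorithmIdentifier
    if tag != 0x30 or not alg.startswith(RSA_OID):
        raise ValueError("not an rsaEncryption key, so it cannot become a PEMKeyPair")
    tag, rsa_key, _ = _read_tlv(info, pos)        # privateKey OCTET STRING wrapping the RSAPrivateKey DER
    return _to_pem("RSA PRIVATE KEY", rsa_key)

# Constructed sample, not a real key: a stand-in payload wrapped exactly as PKCS#8 wraps an RSAPrivateKey
SAMPLE_RSA_DER = _tlv(0x30, _tlv(0x02, b"\x00") + _tlv(0x02, b"\x01\x00\x01"))
SAMPLE_PKCS8_PEM = _to_pem("PRIVATE KEY", _tlv(0x30, _tlv(0x02, b"\x00")
                           + _tlv(0x30, RSA_OID + b"\x05\x00") + _tlv(0x04, SAMPLE_RSA_DER)))
```

On OpenSSL 3.x, openssl rsa writes PKCS#8 by default and needs the -traditional option to emit the RSA PRIVATE KEY form, so check the first line of nutanix.key before uploading.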