Andrew Baker


Generating SSL Certificate for Nutanix using Active Directory Certificate Services and OpenSSL

Whilst setting up our shiny Nutanix cluster earlier in the year, we needed to import a certificate from our Enterprise Certificate Authority. As Nutanix is built on Linux, it isn't as simple as requesting a certificate from your CA the way you would on a Windows server: Prism wants the private key and the certificate as separate PEM files.

We found that we needed to use OpenSSL to generate the private key and CSR ourselves, rather than exporting a PFX from a Windows server, and then upload the key separately alongside the server certificate.

At the time we did this we were running AOS 5; we have not yet had to regenerate the certificate for AOS 6.

Generating the CSR, Key and finally the certificate

  1. Install Win64 OpenSSL from slproweb, if you haven't already got it. The -addext option used below needs OpenSSL 1.1.1 or later.

  2. Once installed, open Win64 OpenSSL Command Prompt

  3. Run the command to generate a key (serverkey.pem) and the CSR (server.csr). Note that -addext takes plain DNS: and IP: entries; the numbered DNS.1/IP.1 form only belongs in an [alt_names] section of an OpenSSL config file:

    openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout serverkey.pem -out server.csr -addext "subjectAltName = DNS:prism.domain.tld,DNS:prism,IP:10.1.4.1"
    

    After running the command, you will be prompted to fill out the details for the certificate.

  4. Fill in the prompts, for example:

    • Country Name
    • State
    • Locality Name (or City)
    • Organisation Name
    • Organisational Unit
    • Common Name (the server FQDN, e.g. prism.domain.tld)
    • Email Address
  5. Prism expects the private key in the traditional PKCS#1 PEM encoding (the file starts with -----BEGIN RSA PRIVATE KEY-----), whereas openssl req writes it as PKCS#8 (-----BEGIN PRIVATE KEY-----). Convert it by running:

    openssl rsa -in serverkey.pem -out nutanix.key
    
    Check the first line of nutanix.key afterwards. On OpenSSL 3.x, openssl rsa writes PKCS#8 by default as well, so there you need to add the -traditional option to get the RSA PRIVATE KEY form; without it the import fails with the Bouncy Castle error described at the end of this post.
  6. Navigate to the web enrolment page of your certificate server (e.g. https://enterpriseca.domain.local/certsrv/certrqxt.asp).

  7. Open server.csr in a text editor and paste its contents (including the BEGIN and END lines) into the "Base-64 encoded certificate request (CMC or PKCS #10 or PKCS #7)" field.

  8. Set the Certificate Template field to Web Server (or whichever template you use for your web server certificates) and click Submit.

  9. Select the Base 64 encoded radio button and click Download certificate.

Uploading the certificates to Nutanix Prism

Now we have our certificates, we can upload them to Nutanix Prism.

  1. Navigate to https://prism.domain.local:9440/console/#login and log in with your Nutanix admin credentials.
  2. Once authenticated, navigate to https://prism.domain.local:9440/console/#page/settings/prism_pem_key. This takes you straight to the certificate settings for your cluster.
  3. Click Replace Certificate and select Import Key and Certificate:
    • For Private Key, choose the nutanix.key file generated earlier

    • For Public Certificate, choose the Base-64 certificate you downloaded from the CA

    • For CA Certificate/Chain, choose a PEM file containing your issuing CA and root CA certificates (the Base-64 form of each, one after the other)

      Click Import Files, then close your browser session and reopen it to pick up the new certificate.

Dealing with a possible Bouncy Castle error

Sometimes the import fails with an error that looks like:

org.bouncycastle.asn1.pkcs.PrivateKeyInfo cannot be cast to org.bouncycastle.openssl.PEMKeyPair

This is the Bouncy Castle PEM parser saying the key file is PKCS#8 (-----BEGIN PRIVATE KEY-----) when it expected the traditional PKCS#1 encoding (-----BEGIN RSA PRIVATE KEY-----), so check the first line of nutanix.key; OpenSSL 3.x writes PKCS#8 from openssl rsa unless you pass -traditional. We found that to get around this error, we needed to convert serverkey.pem using a Linux based system/server (most likely because its OpenSSL build writes the traditional form by default):

  1. SCP the key over to your Linux host (not the Nutanix cluster):

    scp C:\temp\nutanixcerts\serverkey.pem [email protected]:~/serverkey.pem
    
  2. When prompted, enter your credentials for the Linux host, then run:

    openssl rsa -in serverkey.pem -out nutanix.key
    
  3. Once that has run, SCP the nutanix.key file back to your Windows host:

    scp [email protected]:~/nutanix.key C:\temp\nutanixcerts\nutanix.key
    

    Confirm the first line of nutanix.key now reads -----BEGIN RSA PRIVATE KEY-----, then upload it; the import should succeed.
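The OpenSSL steps from the walkthrough above, plus the checks that catch the key-encoding problem behind the Bouncy Castle error before anything is uploaded, as an added shell example. This is not code from the original post or from Nutanix; the hostnames, IP address and subject fields are placeholder values, and it uses openssl pkey -traditional for the conversion because that writes PKCS#1 on both OpenSSL 1.1.x and 3.x, where the behaviour of openssl rsa differs.

```shell
#!/bin/sh
# Added example, not code from the original post or from Nutanix: the OpenSSL
# steps of the walkthrough as functions, plus the checks that catch the key
# encoding problem behind the Bouncy Castle error before anything is uploaded.
# The hostnames, IP and subject fields are placeholder values.
set -eu

# Generate a 2048-bit RSA key and a CSR carrying the SANs (step 3).
# -addext needs OpenSSL 1.1.1 or later; DNS:/IP: entries go straight in,
# the DNS.1/IP.1 numbered form is only for an [alt_names] config section.
# Arguments: outdir fqdn shortname ip
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=GB/ST=State/L=City/O=Example Org/OU=IT/CN=$2" \
        -addext "subjectAltName=DNS:$2,DNS:$3,IP:$4" \
        -keyout "$1/serverkey.pem" -out "$1/server.csr" 2>/dev/null
}

# Report which PEM encoding a private key file uses, by its first line:
# pkcs1 (RSA PRIVATE KEY, what Prism's parser wants), pkcs8 (PRIVATE KEY,
# what openssl req writes and what triggers the PEMKeyPair cast error),
# or unknown.
key_form() {
    case "$(head -n 1 "$1")" in
        '-----BEGIN RSA PRIVATE KEY-----') echo pkcs1 ;;
        '-----BEGIN PRIVATE KEY-----')     echo pkcs8 ;;
        *)                                 echo unknown ;;
    esac
}

# Rewrite a key as traditional PKCS#1 PEM (step 5). openssl rsa does this
# on OpenSSL 1.1.x but writes PKCS#8 on 3.x; openssl pkey -traditional
# produces PKCS#1 on both, so it is used here instead. Fails if the
# result is not PKCS#1.
to_pkcs1() {
    openssl pkey -in "$1" -traditional -out "$2"
    [ "$(key_form "$2")" = pkcs1 ]
}

# Print the SANs recorded in a CSR, to confirm they made it in before
# the CSR is submitted to the CA.
csr_sans() {
    openssl req -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Succeed only if the private key and the certificate share a modulus,
# i.e. the certificate the CA issued really belongs to nutanix.key.
key_matches_cert() {
    [ "$(openssl rsa -in "$1" -noout -modulus)" = \
      "$(openssl x509 -in "$2" -noout -modulus)" ]
}

# Usage: sh prism-cert.sh <outdir> prism.domain.tld prism 10.1.4.1
# Submit <outdir>/server.csr to certsrv, save the Base-64 certificate as
# <outdir>/prism.cer, then check it with:
#   key_matches_cert <outdir>/nutanix.key <outdir>/prism.cer
if [ "$#" -eq 4 ]; then
    make_csr "$1" "$2" "$3" "$4"
    to_pkcs1 "$1/serverkey.pem" "$1/nutanix.key"
    echo "nutanix.key encoding: $(key_form "$1/nutanix.key")"
    echo "CSR SANs: $(csr_sans "$1/server.csr")"
fi
```

Run key_matches_cert once the CA has returned the certificate and before the upload: a mismatch means the wrong key file is about to be paired with the certificate, and key_form tells you ahead of time whether Prism's parser will reject the key.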