SSL Certificates for your VMware Integrated OpenStack Dev Lab

I’ve been working with secure OpenStack endpoints since VMware Integrated OpenStack prefers communication over HTTPS. If you don’t have ready access to a trusted Root CA, how are you supposed to sign your development lab’s certificate signing requests (CSR)? Easy! Use your own Root CA.

<<Insert obligatory warning to never, EVER, use the configurations below in production…EVER…Only use signed certificates from trusted CA’s in production!>>

Step 1: Generate your CSR on the VMware Integrated OpenStack management server:


sudo vioconfig cert-req-create

Feel free to either change or accept the default values. After the prompts are complete, text similar to the following example is printed to the screen.

-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----

IMPORTANT: Copy and paste this CSR content, including the BEGIN and END lines, into a file. In my lab, I gave my request file the name vmware-integrated-openstack.csr.

Step 2: On your Mac or Linux desktop, create your own Root CA certificate:


openssl genrsa -out rootCA.key 2048   # Root CA private key, read by the next command
openssl req -x509 -new -nodes -key rootCA.key -days 1024 -out rootCA.pem

Step 3: On your Mac or Linux desktop, sign your CSR from Step 1:


openssl x509 -req -in vmware-integrated-openstack.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out device.crt -days 500

Step 4: Transfer the device.crt file to your VMware Integrated OpenStack management server, and import it (IMPORTANT – Do this step when the system is not in active use as it causes a brief interruption.):


sudo vioconfig cert-update -f /home/viouser/device.crt

Step 5: Import the Root CA (rootCA.pem) certificate to the web browser(s) that you use for the lab environment.

[Figure: Import your root CA certificate to your web browser]

Step 6: Copy rootCA.pem to rootCA.crt and use this new file to install the certificate on any machines that you will use the OpenStack CLI/API from.

Workstation Desktop (Mac):


sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /Users/vmtrooper/Development/openstack-dev/rootCA.crt

Workstation Desktop (Ubuntu):


sudo cp /vagrant/rootCA.pem /usr/local/share/ca-certificates/rootCA.crt
sudo update-ca-certificates

Step 7: Enjoy assorted OpenStack goodness. For example: using one of the Vagrant OpenStack plugins out there (more on that in a future blog post)
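
Because the import in Step 4 interrupts the system, it is worth checking device.crt first. The script below is an added example, not part of the original post: it confirms that the signed certificate chains to rootCA.pem and carries the same public key as the CSR. The function names check_signed_cert and make_lab_files, the subject names, and the throwaway keys it generates are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Pre-import check for Step 4: device.crt must chain to rootCA.pem and must
# carry the same public key as the CSR created on the management server.

# check_signed_cert CSR CERT CA: exit status 0 only if both checks pass
check_signed_cert() {
    csr=$1; cert=$2; ca=$3
    # 1. The certificate must verify against the lab Root CA.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || {
        echo "FAIL: $cert does not verify against $ca" >&2; return 1; }
    # 2. The certificate's public key must be the one in the CSR.
    csr_key=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null) || return 1
    crt_key=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$csr_key" ] && [ "$csr_key" = "$crt_key" ] || {
        echo "FAIL: public key in $cert differs from $csr" >&2; return 1; }
    echo "OK: $cert matches $csr and chains to $ca"
}

# make_lab_files DIR: constructed throwaway inputs that mirror Steps 1-3
# (hypothetical helper; on a real lab the CSR comes from vioconfig).
make_lab_files() {
    d=$1
    openssl genrsa -out "$d/rootCA.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$d/rootCA.key" -days 30 \
        -subj "/CN=Constructed Lab Root CA" -out "$d/rootCA.pem"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/vio.key" \
        -subj "/CN=vio.lab.example" \
        -out "$d/vmware-integrated-openstack.csr" 2>/dev/null
    openssl x509 -req -in "$d/vmware-integrated-openstack.csr" \
        -CA "$d/rootCA.pem" -CAkey "$d/rootCA.key" -CAcreateserial \
        -out "$d/device.crt" -days 30 2>/dev/null
    # A second CSR with a different key, to exercise the mismatch case.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/other.key" \
        -subj "/CN=vio.lab.example" -out "$d/other.csr" 2>/dev/null
}

# Demonstration on constructed files in a temporary directory.
demo_dir=$(mktemp -d)
make_lab_files "$demo_dir"
check_signed_cert "$demo_dir/vmware-integrated-openstack.csr" \
    "$demo_dir/device.crt" "$demo_dir/rootCA.pem"
rm -rf "$demo_dir"
```

On a real lab, call check_signed_cert with the vmware-integrated-openstack.csr, device.crt and rootCA.pem produced in Steps 1 through 3 before running the import.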

A big thank you to Tony Bourke whose blog post helped me get most of the way through this configuration.
