In NSX Advanced Load Balancer, when the shared_ssl_certificates flag in the Controller is set to True, non-admin tenants can share the certificates in the admin tenant.

Default Behavior

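Objects in any tenant can use the system default certificates. These include, for example, System-Default-Cert, System-Default-Cert-EC, System-Default-Portal-Cert, System-Default-Portal-Cert-EC256, System-Default-Root-CA, and System-Default-Secure-Channel-Cert; this set of objects is expected to grow over time. Objects created in a specific tenant (including the admin tenant) can be viewed and used only within that tenant. Certificates are chained automatically, and only to certificates in the same tenant.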

Shared SSL Certificates

In NSX Advanced Load Balancer, shared_ssl_certificates is added to the Controller Properties object. By default, the flag is set to False. When shared_ssl_certificates is set to True, the following behavior applies:

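  • All certificates in the admin tenant can be viewed from non-admin tenants.

  • Certificates in the admin tenant can be used in non-admin objects (that is, virtual services, pools, and so on).

  • Application certificates in non-admin tenants are linked to issuer certificates in the admin tenant.

  • NSX Advanced Load Balancer does not link certificates in the admin tenant to issuer certificates in non-admin tenants. Therefore, if an intermediate certificate is in the admin tenant and the corresponding CA certificate is in a non-admin tenant, these objects are not linked.

  • If any cross-tenant links exist (that is, an intermediate certificate in the admin tenant and an application certificate in a non-admin tenant), NSX Advanced Load Balancer prevents changes to the shared_ssl_certificates flag.

  • For an unlinked application certificate in a non-admin tenant and the corresponding intermediate certificate in the admin tenant, switching the shared_ssl_certificates flag from False to True does not link the intermediate and application certificates. To link them, delete and re-create the application certificate.

  • You can configure this feature using the NSX Advanced Load Balancer REST API or the CLI. The NSX Advanced Load Balancer UI does not currently support it.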

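Note:
  • When certificate sharing is enabled in NSX Advanced Load Balancer versions earlier than 21.1.4, the certificate with the most days until expiry is always selected.

  • When certificate sharing is enabled in NSX Advanced Load Balancer version 21.1.4, the intermediate or CA certificate in the current tenant with the longest time until expiry is always selected. If the current tenant has no intermediate or CA certificate, the corresponding intermediate or CA certificate in the admin tenant is selected (if one exists).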
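
The linking and selection rules above, modelled as an added Python example (not NSX Advanced Load Balancer code and not part of the original page). It assumes an issuer matches when its subject DN equals the certificate's issuer DN, and that the pre-21.1.4 rule considers both the tenant's own and the admin tenant's certificates; `Cert`, `pick_issuer`, `cross_tenant_links` and the objects `t1-intermediate`, `t1-root` and `admin-app` are hypothetical.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

ADMIN = "admin"


@dataclass(frozen=True)
class Cert:
    name: str        # object name, as shown in the CLI output
    tenant: str      # tenant_ref
    subject: str     # subject distinguished_name
    issuer: str      # issuer distinguished_name
    not_after: date


def pick_issuer(cert: Cert, store: List[Cert], shared: bool,
                tenant_first: bool = True) -> Optional[Cert]:
    """Issuer that `cert` links to under the rules described on this page.

    tenant_first=True models the 21.1.4 note, False the note for earlier versions.
    Assumption: an issuer matches when its subject DN equals cert's issuer DN.
    """
    matches = [c for c in store if c is not cert and c.subject == cert.issuer]
    own = [c for c in matches if c.tenant == cert.tenant]
    from_admin = [c for c in matches if c.tenant == ADMIN]
    if not shared or cert.tenant == ADMIN:
        # Flag off: same tenant only. Admin certs never link into other tenants.
        pool = own
    elif tenant_first:
        pool = own or from_admin   # admin is a fallback when the tenant has none
    else:
        pool = own + from_admin    # longest-lived wins regardless of tenant
    return max(pool, key=lambda c: c.not_after, default=None)


def cross_tenant_links(store: List[Cert],
                       tenant_first: bool = True) -> List[Tuple[str, str]]:
    """(certificate, issuer) name pairs that cross tenants with sharing enabled.
    Per the page, any such link prevents changing shared_ssl_certificates."""
    links = []
    for cert in store:
        issuer = pick_issuer(cert, store, shared=True, tenant_first=tenant_first)
        if issuer is not None and issuer.tenant != cert.tenant:
            links.append((cert.name, issuer.name))
    return links


# Constructed sample data modelled on the CLI session on this page.
DN = "C=US, ST=CA, O=Avi, CN="
ADMIN_INT = Cert("admin-intermediate", ADMIN, DN + "Same-Name-Intermediate",
                 DN + "Intermediate", date(2037, 12, 15))
T1_APP = Cert("t1-app", "t1", DN + "App1",
              DN + "Same-Name-Intermediate", date(2037, 12, 15))
# Hypothetical extra objects (not on the page) to exercise the other rules.
T1_INT = Cert("t1-intermediate", "t1", DN + "Same-Name-Intermediate",
              DN + "Intermediate", date(2030, 1, 1))
T1_ROOT = Cert("t1-root", "t1", DN + "T1-Root", DN + "T1-Root", date(2040, 1, 1))
ADMIN_APP = Cert("admin-app", ADMIN, DN + "AdminApp", DN + "T1-Root", date(2030, 1, 1))
PAGE_STORE = [ADMIN_INT, T1_APP]

if __name__ == "__main__":
    print("t1-app issuer:", pick_issuer(T1_APP, PAGE_STORE, shared=True).name)
    print("links blocking a flag change:", cross_tenant_links(PAGE_STORE))
```

Running the same check over an export of a Controller's certificate objects before touching the flag shows which application certificates would have to be deleted and re-created.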

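Usage Guidelines

Because certificates in the admin tenant can be linked to any certificate in the system, the following guidelines apply:

  • Switch the shared_ssl_certificates flag to True and create the shared intermediate or root certificates in the admin tenant before creating application certificates.

  • An application certificate must reside in the tenant that contains the corresponding application.

  • Although adding or updating certificates in the admin tenant is a CPU-intensive operation, the impact is small because these operations are performed rarely.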

CLI Configuration

[admin:10-10-28-16]: > configure controller properties                                                                                                                                           
Updating an existing object. Currently, the object is:
+--------------------------------------------+--------------------+
| Field                                      | Value              |
+--------------------------------------------+--------------------+
| uuid                                       | global             |
| unresponsive_se_reboot                     | 300 sec            |
| crashed_se_reboot                          | 900 sec            |
| se_offline_del                             | 172000 sec         |
| vs_se_create_fail                          | 1500 sec           |
| vs_se_vnic_fail                            | 300 sec            |
| vs_se_bootup_fail                          | 480 sec            |
| se_vnic_cooldown                           | 120 sec            |
| vs_se_vnic_ip_fail                         | 120 sec            |
| fatal_error_lease_time                     | 120 sec            |
| upgrade_lease_time                         | 360 sec            |
| query_host_fail                            | 180 sec            |
| vnic_op_fail_time                          | 180 sec            |
| dns_refresh_period                         | 60 min             |
| se_create_timeout                          | 900 sec            |
| max_dead_se_in_grp                         | 1                  |
| dead_se_detection_timer                    | 360 sec            |
| api_idle_timeout                           | 15 min             |
| allow_unauthenticated_nodes                | False              |
| cluster_ip_gratuitous_arp_period           | 60 min             |
| vs_key_rotate_period                       | 360 min            |
| secure_channel_controller_token_timeout    | 60 min             |
| secure_channel_se_token_timeout            | 60 min             |
| max_seq_vnic_failures                      | 3                  |
| vs_awaiting_se_timeout                     | 60 sec             |
| vs_apic_scaleout_timeout                   | 360 sec            |
| secure_channel_cleanup_timeout             | 60 min             |
| attach_ip_retry_interval                   | 360 sec            |
| attach_ip_retry_limit                      | 4                  |
| persistence_key_rotate_period              | 0 min              |
| allow_unauthenticated_apis                 | False              |
| warmstart_se_reconnect_wait_time           | 480 sec            |
| vs_se_ping_fail                            | 60 sec             |
| se_failover_attempt_interval               | 300 sec            |
| max_pcap_per_tenant                        | 4                  |
| ssl_certificate_expiry_warning_days[1]     | 30 days days       |
| ssl_certificate_expiry_warning_days[2]     | 7 days days        |
| ssl_certificate_expiry_warning_days[3]     | 1 days days        |
| seupgrade_fabric_pool_size                 | 20                 |
| seupgrade_segroup_min_dead_timeout         | 360 sec            |
| allow_ip_forwarding                        | False              |
| appviewx_compat_mode                       | False              |
| upgrade_dns_ttl                            | 5 sec              |
| bm_use_ansible                             | True               |
| vs_se_attach_ip_fail                       | 600 sec            |
| max_seq_attach_ip_failures                 | 3                  |
| cleanup_expired_authtoken_timeout_period   | 60 min             |
| cleanup_sessions_timeout_period            | 60 min             |
| consistency_check_timeout_period           | 60 min             |
| process_locked_useraccounts_timeout_period | 1 min              |
| process_pki_profile_timeout_period         | 1440 min           |
| enable_memory_balancer                     | True               |
| warmstart_vs_resync_wait_time              | 300 sec            |
| api_perf_logging_threshold                 | 10000 milliseconds |
| se_from_marketplace                        | IMAGE              |
| cloud_reconcile                            | True               |
| enable_api_sharding                        | True               |
| vs_scaleout_ready_check_interval           | 60 sec             |
| shared_ssl_certificates                    | False              |
+--------------------------------------------+--------------------+
[admin:10-10-28-16]: controllerproperties> shared_ssl_certificates 
Overwriting the previously entered value for shared_ssl_certificates
[admin:10-10-28-16]: controllerproperties> save
+--------------------------------------------+--------------------+
| Field                                      | Value              |
+--------------------------------------------+--------------------+
| uuid                                       | global             |
| unresponsive_se_reboot                     | 300 sec            |
| crashed_se_reboot                          | 900 sec            |
| se_offline_del                             | 172000 sec         |
| vs_se_create_fail                          | 1500 sec           |
| vs_se_vnic_fail                            | 300 sec            |
| vs_se_bootup_fail                          | 480 sec            |
| se_vnic_cooldown                           | 120 sec            |
| vs_se_vnic_ip_fail                         | 120 sec            |
| fatal_error_lease_time                     | 120 sec            |
| upgrade_lease_time                         | 360 sec            |
| query_host_fail                            | 180 sec            |
| vnic_op_fail_time                          | 180 sec            |
| dns_refresh_period                         | 60 min             |
| se_create_timeout                          | 900 sec            |
| max_dead_se_in_grp                         | 1                  |
| dead_se_detection_timer                    | 360 sec            |
| api_idle_timeout                           | 15 min             |
| allow_unauthenticated_nodes                | False              |
| cluster_ip_gratuitous_arp_period           | 60 min             |
| vs_key_rotate_period                       | 360 min            |
| secure_channel_controller_token_timeout    | 60 min             |
| secure_channel_se_token_timeout            | 60 min             |
| max_seq_vnic_failures                      | 3                  |
| vs_awaiting_se_timeout                     | 60 sec             |
| vs_apic_scaleout_timeout                   | 360 sec            |
| secure_channel_cleanup_timeout             | 60 min             |
| attach_ip_retry_interval                   | 360 sec            |
| attach_ip_retry_limit                      | 4                  |
| persistence_key_rotate_period              | 0 min              |
| allow_unauthenticated_apis                 | False              |
| warmstart_se_reconnect_wait_time           | 480 sec            |
| vs_se_ping_fail                            | 60 sec             |
| se_failover_attempt_interval               | 300 sec            |
| max_pcap_per_tenant                        | 4                  |
| ssl_certificate_expiry_warning_days[1]     | 30 days days       |
| ssl_certificate_expiry_warning_days[2]     | 7 days days        |
| ssl_certificate_expiry_warning_days[3]     | 1 days days        |
| seupgrade_fabric_pool_size                 | 20                 |
| seupgrade_segroup_min_dead_timeout         | 360 sec            |
| allow_ip_forwarding                        | False              |
| appviewx_compat_mode                       | False              |
| upgrade_dns_ttl                            | 5 sec              |
| bm_use_ansible                             | True               |
| vs_se_attach_ip_fail                       | 600 sec            |
| max_seq_attach_ip_failures                 | 3                  |
| cleanup_expired_authtoken_timeout_period   | 60 min             |
| cleanup_sessions_timeout_period            | 60 min             |
| consistency_check_timeout_period           | 60 min             |
| process_locked_useraccounts_timeout_period | 1 min              |
| process_pki_profile_timeout_period         | 1440 min           |
| enable_memory_balancer                     | True               |
| warmstart_vs_resync_wait_time              | 300 sec            |
| api_perf_logging_threshold                 | 10000 milliseconds |
| se_from_marketplace                        | IMAGE              |
| cloud_reconcile                            | True               |
| enable_api_sharding                        | True               |
| vs_scaleout_ready_check_interval           | 60 sec             |
| shared_ssl_certificates                    | True               |
+--------------------------------------------+--------------------+
[admin:10-10-28-16]: > configure sslkeyandcertificate admin-intermediate

[admin:10-10-28-16]: sslkeyandcertificate> certificate
[admin:10-10-28-16]: sslkeyandcertificate:certificate> certificate --
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
END
[admin:10-10-28-16]: sslkeyandcertificate:certificate> save
[admin:10-10-28-16]: sslkeyandcertificate> save
+------------------------+------------------------------------------------------------------------------+
| Field                  | Value                                                                        |
+------------------------+------------------------------------------------------------------------------+
| uuid                   | sslkeyandcertificate-2348ba24-1a56-4e9d-9833-c8c3c1158714                    |
| name                   | admin-intermediate                                                           |
| type                   | SSL_CERTIFICATE_TYPE_CA                                                      |
| certificate            |                                                                              |
|   version              | 2                                                                            |
|   serial_number        | 4098                                                                         |
|   self_signed          | False                                                                        |
|   issuer               |                                                                              |
|     common_name        | Intermediate                                                                 |
|     organization       | Avi                                                                          |
|     state              | CA                                                                           |
|     country            | US                                                                           |
|     distinguished_name | C=US, ST=CA, O=Avi, CN=Intermediate                                          |
|   subject              |                                                                              |
|     common_name        | Same-Name-Intermediate                                                       |
|     organization       | Avi                                                                          |
|     state              | CA                                                                           |
|     country            | US                                                                           |
|     distinguished_name | C=US, ST=CA, O=Avi, CN=Same-Name-Intermediate                                |
|   signature_algorithm  | sha256WithRSAEncryption                                                      |
|   not_before           | 2017-12-20 23:34:35                                                          |
|   not_after            | 2037-12-15 23:34:35                                                          |
|   fingerprint          | SHA1 Fingerprint=CD:96:22:87:B2:58:39:7C:7A:26:4B:3A:18:B2:99:CD:DB:73:B5:79 |
|                        |                                                                              |
|   expiry_status        | SSL_CERTIFICATE_GOOD                                                         |
|   days_until_expire    | 365                                                                          |
| key_params             |                                                                              |
|   algorithm            | SSL_KEY_ALGORITHM_RSA                                                        |
|   rsa_params           |                                                                              |
|     key_size           | SSL_KEY_4096_BITS                                                            |
|     exponent           | 65537                                                                        |
| status                 | SSL_CERTIFICATE_FINISHED                                                     |
| ca_certs[1]            |                                                                              |
|   name                 | Intermediate                                                                 |
| format                 | SSL_PEM                                                                      |
| certificate_base64     | False                                                                        |
| key_base64             | False                                                                        |
| tenant_ref             | admin                                                                        |
+------------------------+------------------------------------------------------------------------------+
[admin:10-10-28-16]: > switchto tenant t1
Switching to tenant t1
[t1:10-10-28-16]: > show sslkeyandcertificate
+------------------------------------+------------------------+------------------------+------+-----------+
| Name                               | Issuer                 | Subject                | Self | Algorithm |
+------------------------------------+------------------------+------------------------+------+-----------+
| System-Default-Cert                | System Default Cert    | System Default Cert    | True | -         |
| System-Default-Cert-EC             | System Default EC Cert | System Default EC Cert | True | -         |
| System-Default-Portal-Cert         | Default Portal Cert    | Default Portal Cert    | True | -         |
| System-Default-Portal-Cert-EC256   | Default Portal EC Cert | Default Portal EC Cert | True | -         |
| System-Default-Root-CA             | ca.local               | ca.local               | True | -         |
| System-Default-Secure-Channel-Cert | ca.local               | node.controller.local  | -    | -         |
| admin-intermediate                 | Intermediate           | Same-Name-Intermediate | -    | -         |
+------------------------------------+------------------------+------------------------+------+-----------+
[t1:10-10-28-16]: > configure sslkeyandcertificate t1-app

[t1:10-10-28-16]: sslkeyandcertificate> key --
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
END
[t1:10-10-28-16]: sslkeyandcertificate> certificate
[t1:10-10-28-16]: sslkeyandcertificate:certificate> certificate --
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
END
[t1:10-10-28-16]: sslkeyandcertificate:certificate> save
[t1:10-10-28-16]: sslkeyandcertificate> save
+------------------------+------------------------------------------------------------------------------+
| Field                  | Value                                                                        |
+------------------------+------------------------------------------------------------------------------+
| uuid                   | sslkeyandcertificate-9ec6948b-f57c-49ac-b9da-28092a3fd72a                    |
| name                   | t1-app                                                                       |
| type                   | SSL_CERTIFICATE_TYPE_VIRTUALSERVICE                                          |
| certificate            |                                                                              |
|   version              | 2                                                                            |
|   serial_number        | 4097                                                                         |
|   self_signed          | False                                                                        |
|   issuer               |                                                                              |
|     common_name        | Same-Name-Intermediate                                                       |
|     organization       | Avi                                                                          |
|     state              | CA                                                                           |
|     country            | US                                                                           |
|     distinguished_name | C=US, ST=CA, O=Avi, CN=Same-Name-Intermediate                                |
|   subject              |                                                                              |
|     common_name        | App1                                                                         |
|     organization       | Avi                                                                          |
|     state              | CA                                                                           |
|     country            | US                                                                           |
|     distinguished_name | C=US, ST=CA, O=Avi, CN=App1                                                  |
|   signature_algorithm  | sha256WithRSAEncryption                                                      |
|   not_before           | 2017-12-20 23:34:56                                                          |
|   not_after            | 2037-12-15 23:34:56                                                          |
|   fingerprint          | SHA1 Fingerprint=18:B1:FD:DC:AF:F0:62:0C:73:E1:56:FC:75:AE:86:93:2E:56:1E:75 |
|                        |                                                                              |
|   expiry_status        | SSL_CERTIFICATE_GOOD                                                         |
|   days_until_expire    | 365                                                                          |
| key_params             |                                                                              |
|   algorithm            | SSL_KEY_ALGORITHM_RSA                                                        |
|   rsa_params           |                                                                              |
|     key_size           | SSL_KEY_2048_BITS                                                            |
|     exponent           | 65537                                                                        |
| status                 | SSL_CERTIFICATE_FINISHED                                                     |
| ca_certs[1]            |                                                                              |
|   name                 | Same-Name-Intermediate                                                       |
|   ca_ref               | admin-intermediate                                                           |
| ca_certs[2]            |                                                                              |
|   name                 | Intermediate                                                                 |
| format                 | SSL_PEM                                                                      |
| certificate_base64     | False                                                                        |
| key_base64             | False                                                                        |
| tenant_ref             | t1                                                                           |
+------------------------+------------------------------------------------------------------------------+
[t1:10-10-28-16]: >