In NSX Advanced Load Balancer, when the shared_ssl_certificates flag in the Controller is set to True, non-admin tenants can share the certificates in the admin tenant.
Default Behavior
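Objects in any tenant can use the system default certificates. These include, for example, System-Default-Cert, System-Default-Cert-EC, System-Default-Portal-Cert, System-Default-Portal-Cert-EC256, System-Default-Root-CA, and System-Default-Secure-Channel-Cert; this set of objects is expected to grow over time. Objects created in a specific tenant (including the admin tenant) can be viewed and used only in that tenant. Certificates are chained automatically, and only to certificates in the same tenant.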
Shared SSL Certificates
In NSX Advanced Load Balancer, shared_ssl_certificates is added to the Controller Properties object. By default, the flag is set to False. When shared_ssl_certificates is set to True, the following behavior applies:
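All certificates in the admin tenant can be viewed from non-admin tenants.
Certificates in the admin tenant can be used in non-admin objects (that is, virtual services, pools, and so on).
Application certificates in non-admin tenants are linked to issuer certificates in the admin tenant.
NSX Advanced Load Balancer does not link certificates in the admin tenant to issuer certificates in non-admin tenants. Therefore, if an intermediate certificate is in the admin tenant and the corresponding CA certificate is in a non-admin tenant, these objects are not linked.
If any cross-tenant link exists (that is, an intermediate certificate in the admin tenant and an application certificate in a non-admin tenant), NSX Advanced Load Balancer does not allow the shared_ssl_certificates flag to be changed.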
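For an unlinked application certificate in a non-admin tenant and the corresponding intermediate certificate in the admin tenant, switching the shared_ssl_certificates flag from False to True does not link the intermediate certificate and the application certificate. To link these certificates, delete and re-create the application certificate. You can configure this feature using the NSX Advanced Load Balancer REST API or CLI. Currently, the NSX Advanced Load Balancer UI does not support this feature.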
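In NSX Advanced Load Balancer versions earlier than 21.1.4, when certificate sharing is enabled, the certificate with the most days until expiry is always selected.
In NSX Advanced Load Balancer version 21.1.4, when certificate sharing is enabled, the intermediate or CA certificate in the current tenant with the longest time until expiry is always selected. If the current tenant has no intermediate or CA certificate, the corresponding intermediate or CA certificate in the admin tenant is selected, if one exists.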
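The linking rules described above, modeled as a small Python function. This is an added example, not VMware's code: the `Cert` class, the `pick_issuer` function, its `prefer_local` switch, and matching issuers by subject name are assumptions made for illustration, and the sample certificates are constructed.

```python
from dataclasses import dataclass
from datetime import date

ADMIN = "admin"


@dataclass(frozen=True)
class Cert:  # hypothetical, simplified stand-in for a certificate object
    name: str
    tenant: str
    subject: str
    issuer: str
    not_after: date


def pick_issuer(cert, store, shared, prefer_local=True):
    """Return the issuer certificate that `cert` would be linked to, or None.

    shared       -- value of the shared_ssl_certificates flag
    prefer_local -- True models 21.1.4 (own tenant first, admin as fallback);
                    False models earlier releases, read here as "longest-lived
                    candidate across own and admin tenant wins"
    Matching issuers by subject name is an assumption of this model.
    """
    if shared and cert.tenant != ADMIN:
        scopes = [[cert.tenant], [ADMIN]] if prefer_local else [[cert.tenant, ADMIN]]
    else:
        # Flag off, or an admin certificate: only the certificate's own tenant
        # is searched, so admin certificates never link to non-admin issuers.
        scopes = [[cert.tenant]]
    for tenants in scopes:
        found = [c for c in store
                 if c.tenant in tenants and c.subject == cert.issuer and c != cert]
        if found:
            return max(found, key=lambda c: c.not_after)
    return None


# Constructed sample data; names follow the CLI session on this page,
# t1-intermediate and admin-app are invented for the example.
admin_int = Cert("admin-intermediate", ADMIN, "Same-Name-Intermediate",
                 "Intermediate", date(2037, 12, 15))
t1_int = Cert("t1-intermediate", "t1", "Same-Name-Intermediate",
              "Intermediate", date(2030, 1, 1))
t1_app = Cert("t1-app", "t1", "App1", "Same-Name-Intermediate", date(2037, 12, 15))
admin_app = Cert("admin-app", ADMIN, "App2", "Same-Name-Intermediate", date(2037, 12, 15))

if __name__ == "__main__":
    for flag in (False, True):
        hit = pick_issuer(t1_app, [admin_int, t1_app], shared=flag)
        print(f"shared_ssl_certificates={flag}: t1-app -> {hit.name if hit else None}")
```

The model evaluates the rule at call time; on the Controller, links are established when the application certificate is created, which is why toggling the flag later does not relink existing certificates.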
Usage Guidelines
Because certificates in the admin tenant can be linked to any certificate in the system, the following guidelines apply:
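Switch the shared_ssl_certificates flag to True and create the shared intermediate or root certificates in the admin tenant before creating application certificates. An application certificate must reside in the tenant that contains the corresponding application.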
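Although adding or updating a certificate in the admin tenant is a CPU-intensive operation, the impact is small because these operations are performed rarely.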
CLI Configuration
[admin:10-10-28-16]: > configure controller properties
Updating an existing object. Currently, the object is:
+--------------------------------------------+--------------------+
| Field                                      | Value              |
+--------------------------------------------+--------------------+
| uuid                                       | global             |
| unresponsive_se_reboot                     | 300 sec            |
| crashed_se_reboot                          | 900 sec            |
| se_offline_del                             | 172000 sec         |
| vs_se_create_fail                          | 1500 sec           |
| vs_se_vnic_fail                            | 300 sec            |
| vs_se_bootup_fail                          | 480 sec            |
| se_vnic_cooldown                           | 120 sec            |
| vs_se_vnic_ip_fail                         | 120 sec            |
| fatal_error_lease_time                     | 120 sec            |
| upgrade_lease_time                         | 360 sec            |
| query_host_fail                            | 180 sec            |
| vnic_op_fail_time                          | 180 sec            |
| dns_refresh_period                         | 60 min             |
| se_create_timeout                          | 900 sec            |
| max_dead_se_in_grp                         | 1                  |
| dead_se_detection_timer                    | 360 sec            |
| api_idle_timeout                           | 15 min             |
| allow_unauthenticated_nodes                | False              |
| cluster_ip_gratuitous_arp_period           | 60 min             |
| vs_key_rotate_period                       | 360 min            |
| secure_channel_controller_token_timeout    | 60 min             |
| secure_channel_se_token_timeout            | 60 min             |
| max_seq_vnic_failures                      | 3                  |
| vs_awaiting_se_timeout                     | 60 sec             |
| vs_apic_scaleout_timeout                   | 360 sec            |
| secure_channel_cleanup_timeout             | 60 min             |
| attach_ip_retry_interval                   | 360 sec            |
| attach_ip_retry_limit                      | 4                  |
| persistence_key_rotate_period              | 0 min              |
| allow_unauthenticated_apis                 | False              |
| warmstart_se_reconnect_wait_time           | 480 sec            |
| vs_se_ping_fail                            | 60 sec             |
| se_failover_attempt_interval               | 300 sec            |
| max_pcap_per_tenant                        | 4                  |
| ssl_certificate_expiry_warning_days[1]     | 30 days days       |
| ssl_certificate_expiry_warning_days[2]     | 7 days days        |
| ssl_certificate_expiry_warning_days[3]     | 1 days days        |
| seupgrade_fabric_pool_size                 | 20                 |
| seupgrade_segroup_min_dead_timeout         | 360 sec            |
| allow_ip_forwarding                        | False              |
| appviewx_compat_mode                       | False              |
| upgrade_dns_ttl                            | 5 sec              |
| bm_use_ansible                             | True               |
| vs_se_attach_ip_fail                       | 600 sec            |
| max_seq_attach_ip_failures                 | 3                  |
| cleanup_expired_authtoken_timeout_period   | 60 min             |
| cleanup_sessions_timeout_period            | 60 min             |
| consistency_check_timeout_period           | 60 min             |
| process_locked_useraccounts_timeout_period | 1 min              |
| process_pki_profile_timeout_period         | 1440 min           |
| enable_memory_balancer                     | True               |
| warmstart_vs_resync_wait_time              | 300 sec            |
| api_perf_logging_threshold                 | 10000 milliseconds |
| se_from_marketplace                        | IMAGE              |
| cloud_reconcile                            | True               |
| enable_api_sharding                        | True               |
| vs_scaleout_ready_check_interval           | 60 sec             |
| shared_ssl_certificates                    | False              |
+--------------------------------------------+--------------------+
[admin:10-10-28-16]: controllerproperties> shared_ssl_certificates
Overwriting the previously entered value for shared_ssl_certificates
[admin:10-10-28-16]: controllerproperties> save
+--------------------------------------------+--------------------+
| Field                                      | Value              |
+--------------------------------------------+--------------------+
| uuid                                       | global             |
| unresponsive_se_reboot                     | 300 sec            |
| crashed_se_reboot                          | 900 sec            |
| se_offline_del                             | 172000 sec         |
| vs_se_create_fail                          | 1500 sec           |
| vs_se_vnic_fail                            | 300 sec            |
| vs_se_bootup_fail                          | 480 sec            |
| se_vnic_cooldown                           | 120 sec            |
| vs_se_vnic_ip_fail                         | 120 sec            |
| fatal_error_lease_time                     | 120 sec            |
| upgrade_lease_time                         | 360 sec            |
| query_host_fail                            | 180 sec            |
| vnic_op_fail_time                          | 180 sec            |
| dns_refresh_period                         | 60 min             |
| se_create_timeout                          | 900 sec            |
| max_dead_se_in_grp                         | 1                  |
| dead_se_detection_timer                    | 360 sec            |
| api_idle_timeout                           | 15 min             |
| allow_unauthenticated_nodes                | False              |
| cluster_ip_gratuitous_arp_period           | 60 min             |
| vs_key_rotate_period                       | 360 min            |
| secure_channel_controller_token_timeout    | 60 min             |
| secure_channel_se_token_timeout            | 60 min             |
| max_seq_vnic_failures                      | 3                  |
| vs_awaiting_se_timeout                     | 60 sec             |
| vs_apic_scaleout_timeout                   | 360 sec            |
| secure_channel_cleanup_timeout             | 60 min             |
| attach_ip_retry_interval                   | 360 sec            |
| attach_ip_retry_limit                      | 4                  |
| persistence_key_rotate_period              | 0 min              |
| allow_unauthenticated_apis                 | False              |
| warmstart_se_reconnect_wait_time           | 480 sec            |
| vs_se_ping_fail                            | 60 sec             |
| se_failover_attempt_interval               | 300 sec            |
| max_pcap_per_tenant                        | 4                  |
| ssl_certificate_expiry_warning_days[1]     | 30 days days       |
| ssl_certificate_expiry_warning_days[2]     | 7 days days        |
| ssl_certificate_expiry_warning_days[3]     | 1 days days        |
| seupgrade_fabric_pool_size                 | 20                 |
| seupgrade_segroup_min_dead_timeout         | 360 sec            |
| allow_ip_forwarding                        | False              |
| appviewx_compat_mode                       | False              |
| upgrade_dns_ttl                            | 5 sec              |
| bm_use_ansible                             | True               |
| vs_se_attach_ip_fail                       | 600 sec            |
| max_seq_attach_ip_failures                 | 3                  |
| cleanup_expired_authtoken_timeout_period   | 60 min             |
| cleanup_sessions_timeout_period            | 60 min             |
| consistency_check_timeout_period           | 60 min             |
| process_locked_useraccounts_timeout_period | 1 min              |
| process_pki_profile_timeout_period         | 1440 min           |
| enable_memory_balancer                     | True               |
| warmstart_vs_resync_wait_time              | 300 sec            |
| api_perf_logging_threshold                 | 10000 milliseconds |
| se_from_marketplace                        | IMAGE              |
| cloud_reconcile                            | True               |
| enable_api_sharding                        | True               |
| vs_scaleout_ready_check_interval           | 60 sec             |
| shared_ssl_certificates                    | True               |
+--------------------------------------------+--------------------+
[admin:10-10-28-16]: > configure sslkeyandcertificate admin-intermediate
[admin:10-10-28-16]: sslkeyandcertificate> certificate
[admin:10-10-28-16]: sslkeyandcertificate:certificate> certificate --
-----BEGIN CERTIFICATE-----
[PEM certificate data omitted]
-----END CERTIFICATE-----
END
[admin:10-10-28-16]: sslkeyandcertificate:certificate> save
[admin:10-10-28-16]: sslkeyandcertificate> save
+------------------------+------------------------------------------------------------------------------+
| Field                  | Value                                                                        |
+------------------------+------------------------------------------------------------------------------+
| uuid                   | sslkeyandcertificate-2348ba24-1a56-4e9d-9833-c8c3c1158714                    |
| name                   | admin-intermediate                                                           |
| type                   | SSL_CERTIFICATE_TYPE_CA                                                      |
| certificate            |                                                                              |
|   version              | 2                                                                            |
|   serial_number        | 4098                                                                         |
|   self_signed          | False                                                                        |
|   issuer               |                                                                              |
|     common_name        | Intermediate                                                                 |
|     organization       | Avi                                                                          |
|     state              | CA                                                                           |
|     country            | US                                                                           |
|     distinguished_name | C=US, ST=CA, O=Avi, CN=Intermediate                                          |
|   subject              |                                                                              |
|     common_name        | Same-Name-Intermediate                                                       |
|     organization       | Avi                                                                          |
|     state              | CA                                                                           |
|     country            | US                                                                           |
|     distinguished_name | C=US, ST=CA, O=Avi, CN=Same-Name-Intermediate                                |
|   signature_algorithm  | sha256WithRSAEncryption                                                      |
|   not_before           | 2017-12-20 23:34:35                                                          |
|   not_after            | 2037-12-15 23:34:35                                                          |
|   fingerprint          | SHA1 Fingerprint=CD:96:22:87:B2:58:39:7C:7A:26:4B:3A:18:B2:99:CD:DB:73:B5:79 |
|                        |                                                                              |
|   expiry_status        | SSL_CERTIFICATE_GOOD                                                         |
|   days_until_expire    | 365                                                                          |
| key_params             |                                                                              |
|   algorithm            | SSL_KEY_ALGORITHM_RSA                                                        |
|   rsa_params           |                                                                              |
|     key_size           | SSL_KEY_4096_BITS                                                            |
|     exponent           | 65537                                                                        |
| status                 | SSL_CERTIFICATE_FINISHED                                                     |
| ca_certs[1]            |                                                                              |
|   name                 | Intermediate                                                                 |
| format                 | SSL_PEM                                                                      |
| certificate_base64     | False                                                                        |
| key_base64             | False                                                                        |
| tenant_ref             | admin                                                                        |
+------------------------+------------------------------------------------------------------------------+
[admin:10-10-28-16]: > switchto tenant t1
Switching to tenant t1
[t1:10-10-28-16]: > show sslkeyandcertificate
+------------------------------------+------------------------+------------------------+------+-----------+
| Name                               | Issuer                 | Subject                | Self | Algorithm |
+------------------------------------+------------------------+------------------------+------+-----------+
| System-Default-Cert                | System Default Cert    | System Default Cert    | True | -         |
| System-Default-Cert-EC             | System Default EC Cert | System Default EC Cert | True | -         |
| System-Default-Portal-Cert         | Default Portal Cert    | Default Portal Cert    | True | -         |
| System-Default-Portal-Cert-EC256   | Default Portal EC Cert | Default Portal EC Cert | True | -         |
| System-Default-Root-CA             | ca.local               | ca.local               | True | -         |
| System-Default-Secure-Channel-Cert | ca.local               | node.controller.local  | -    | -         |
| admin-intermediate                 | Intermediate           | Same-Name-Intermediate | -    | -         |
+------------------------------------+------------------------+------------------------+------+-----------+
[t1:10-10-28-16]: > configure sslkeyandcertificate t1-app
[t1:10-10-28-16]: sslkeyandcertificate> key --
-----BEGIN PRIVATE KEY-----
[PEM private key data omitted]
-----END PRIVATE KEY-----
END
[t1:10-10-28-16]: sslkeyandcertificate> certificate
[t1:10-10-28-16]: sslkeyandcertificate:certificate> certificate --
-----BEGIN CERTIFICATE-----
[PEM certificate data omitted]
-----END CERTIFICATE-----
END
[t1:10-10-28-16]: sslkeyandcertificate:certificate> save
[t1:10-10-28-16]: sslkeyandcertificate> save
+------------------------+------------------------------------------------------------------------------+
| Field                  | Value                                                                        |
+------------------------+------------------------------------------------------------------------------+
| uuid                   | sslkeyandcertificate-9ec6948b-f57c-49ac-b9da-28092a3fd72a                    |
| name                   | t1-app                                                                       |
| type                   | SSL_CERTIFICATE_TYPE_VIRTUALSERVICE                                          |
| certificate            |                                                                              |
|   version              | 2                                                                            |
|   serial_number        | 4097                                                                         |
|   self_signed          | False                                                                        |
|   issuer               |                                                                              |
|     common_name        | Same-Name-Intermediate                                                       |
|     organization       | Avi                                                                          |
|     state              | CA                                                                           |
|     country            | US                                                                           |
|     distinguished_name | C=US, ST=CA, O=Avi, CN=Same-Name-Intermediate                                |
|   subject              |                                                                              |
|     common_name        | App1                                                                         |
|     organization       | Avi                                                                          |
|     state              | CA                                                                           |
|     country            | US                                                                           |
|     distinguished_name | C=US, ST=CA, O=Avi, CN=App1                                                  |
|   signature_algorithm  | sha256WithRSAEncryption                                                      |
|   not_before           | 2017-12-20 23:34:56                                                          |
|   not_after            | 2037-12-15 23:34:56                                                          |
|   fingerprint          | SHA1 Fingerprint=18:B1:FD:DC:AF:F0:62:0C:73:E1:56:FC:75:AE:86:93:2E:56:1E:75 |
|                        |                                                                              |
|   expiry_status        | SSL_CERTIFICATE_GOOD                                                         |
|   days_until_expire    | 365                                                                          |
| key_params             |                                                                              |
|   algorithm            | SSL_KEY_ALGORITHM_RSA                                                        |
|   rsa_params           |                                                                              |
|     key_size           | SSL_KEY_2048_BITS                                                            |
|     exponent           | 65537                                                                        |
| status                 | SSL_CERTIFICATE_FINISHED                                                     |
| ca_certs[1]            |                                                                              |
|   name                 | Same-Name-Intermediate                                                       |
|   ca_ref               | admin-intermediate                                                           |
| ca_certs[2]            |                                                                              |
|   name                 | Intermediate                                                                 |
| format                 | SSL_PEM                                                                      |
| certificate_base64     | False                                                                        |
| key_base64             | False                                                                        |
| tenant_ref             | t1                                                                           |
+------------------------+------------------------------------------------------------------------------+
[t1:10-10-28-16]: >