To obtain a certificate from the CA (Certificate Authority), you must generate a CSR (Certificate Signing Request). Later, you can replace the default, self-signed certificate, which is installed when installing App Volumes Manager, with the CA-signed certificate.

To generate a CSR, you must first create a config (.cfg) file, which is passed as one of the parameters to the openssl command.

Alternatively, you can create a custom self-signed certificate and later use this certificate to replace the default, self-signed certificate. For more information, see Generate a Custom Self-Signed Certificate.

Procedure

  1. Create and name a text file as <config_file_name>.cfg.
  2. Make note of the file location.
    You need this file to generate a CSR.
  3. Open the configuration (<config_file_name>.cfg) file in a text application and add the following settings:
    Note:
    • You can add custom values to these settings. However, ensure that you use only digitalSignature, keyEncipherment, and dataEncipherment for the keyUsage setting, and only serverAuth and clientAuth for the extendedKeyUsage setting.
    • It is mandatory to provide the commonName, but optional to provide emailAddress.
    [ req ]
    default_bits = 
    default_keyfile = 
    distinguished_name = 
    encrypt_key = 
    prompt = 
    string_mask = 
    req_extensions = 
    
    [ v3_req ]
    basicConstraints = 
    keyUsage = digitalSignature, keyEncipherment, dataEncipherment
    extendedKeyUsage = serverAuth, clientAuth
    subjectAltName = 
    
    [ req_distinguished_name ]
    countryName = 
    stateOrProvinceName = 
    localityName = 
    organizationName = 
    emailAddress = 
    commonName = 
    
    For example, here is a sample config_file_name.cfg file:
    [ req ]
    default_bits = 2048
    default_keyfile = svserver.key
    distinguished_name = req_distinguished_name
    encrypt_key = no
    prompt = no
    string_mask = nombstr
    req_extensions = v3_req
    
    [ v3_req ]
    basicConstraints = CA:FALSE
    keyUsage = digitalSignature, keyEncipherment, dataEncipherment
    extendedKeyUsage = serverAuth, clientAuth
    subjectAltName = DNS:appvolumemanager, IP:10.0.0.10, DNS:appvolumemanager.vmware.com
    
    [ req_distinguished_name ]
    countryName = US
    stateOrProvinceName = California
    localityName = Palo Alto
    organizationName = VMware, Inc.
    emailAddress = [email protected]
    commonName = appvolumemanager.vmware.com
    
  4. To generate the CSR, run the following command:
    openssl req -new -newkey rsa:2048 -nodes -out <csr_name>.csr -keyout <key_name>.key -config <config_file_name>.cfg
    The following two files are generated as outputs: <csr_name>.csr and <key_name>.key.
  5. Provide the <csr_name>.csr file to the Certificate Authority and obtain the certificate (.crt) in PEM format (base64).
    If the certificate obtained is in the P7B format, perform the following steps:
    1. Ensure that when you open the certificate, the following sections are visible: Root, Intermediate, and Certificate.
    2. Export each certificate in PEM (base64) format.
    3. Using a text application, create a <certificate_name>.crt file.
    4. Copy the Root, Intermediate, and Certificate sections into the <certificate_name>.crt file.
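
The following is an added example, not part of the original procedure or of App Volumes: a small pre-flight check that reads the .cfg file from step 3 and reports values that break the rules in the Note before you run openssl. The function names, the constructed sample, and the extra subjectAltName check are assumptions made for illustration.

```python
import re

# Values the procedure allows for the two usage settings.
ALLOWED = {"keyUsage": {"digitalSignature", "keyEncipherment", "dataEncipherment"},
           "extendedKeyUsage": {"serverAuth", "clientAuth"}}

def parse_cfg(text):
    """Parse the 'key = value' subset of an OpenSSL config into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        header = re.fullmatch(r"\[\s*(\w+)\s*\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections

def lint_csr_cfg(text):
    """Return a list of problems; an empty list means the file follows the procedure."""
    cfg, problems = parse_cfg(text), []
    req = cfg.get("req", {})
    dn = cfg.get(req.get("distinguished_name", ""), {})
    ext = cfg.get(req.get("req_extensions", ""), {})
    if not dn.get("commonName"):
        problems.append("commonName is mandatory")
    for key, allowed in ALLOWED.items():
        used = {v.strip() for v in ext.get(key, "").split(",")} - {"", "critical"}
        if used - allowed:
            problems.append(f"{key}: unsupported {sorted(used - allowed)}")
    # Added check (not in the procedure): clients match host names against subjectAltName.
    san = {v.replace(" ", "") for v in ext.get("subjectAltName", "").split(",")}
    if dn.get("commonName") and f"DNS:{dn['commonName']}" not in san:
        problems.append("commonName is missing from subjectAltName")
    return problems

# Constructed sample: the usage lines stray from the allowed values.
BAD_CFG = """
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ v3_req ]
keyUsage = digitalSignature, keyCertSign
extendedKeyUsage = serverAuth, codeSigning
subjectAltName = DNS:appvolumemanager, IP:10.0.0.10
[ req_distinguished_name ]
commonName = appvolumemanager.example.com
"""
```

Call `lint_csr_cfg(open("<config_file_name>.cfg").read())` on your own file; for `BAD_CFG` it returns three problems, one per offending line.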

What to do next

Replace the App Volumes Default Self-Signed Certificate