This section explains how NSX Advanced Load Balancer integrates with a trust anchor (an internal PKI or certificate authority) to automate certificate management.

Installing Trust Anchor Signed Certificate

NSX Advanced Load Balancer can automate the process of requesting and installing a certificate signed by a trust anchor. The feature handles both the initial certificate enrollment and the renewal of the certificate when it expires.

To establish this, a Certificate Management Profile object is used. The object is created by navigating to Templates > Security > Certificate Management. It holds the path to a certificate script together with the set of parameters the script needs (CSR, Common Name, and others) to integrate with a certificate management service inside the customer's internal network. The script itself is left opaque by design, so that it can accommodate the different certificate management services of different customers.

As part of the SSL certificate configuration, the NSX Advanced Load Balancer user needs only to select CSR as the certificate type, fill in the necessary certificate fields, and select the certificate management profile to which the certificate is bound. The Controller then uses the CSR and the script to obtain the certificate, and renews the certificate upon expiration. Renewal generates a new public-private key pair and obtains a certificate for the new key from the certificate management service, so each renewal also rotates the private key.

Without this automation, the NSX Advanced Load Balancer user must send the CSR to the external trust anchor and install the signed certificate and key manually.

Note:

This feature supports Python scripts. The automated CSR workflow is also supported with SafeNet HSM.

Configuring Certificate Management Integration

The following are the steps to configure certificate management integration:

  1. Prepare a Python script that defines a certificate_request() function. The function must accept the following inputs:

    • The CSR.

    • The hostname for the Common Name field.

    • A dictionary of the parameters defined in the certificate management profile.

  2. Create a certificate management profile that calls the script.

Preparing the Script

The script must define a function named certificate_request with the signature shown in the example below:

def certificate_request(csr, common_name, args_dict):
    """
    Check if a token exists that can be used:
    If not, authenticate against the service with the provided credentials.
    Invoke the certificate request and get back a valid certificate.
    Inputs:
      @csr : Certificate signing request string. This is a multi-line string output like what
             you get from openssl.
      @common_name: Common name of the subject.
      @args_dict: Dictionary of the key value pairs from the certificate management profile.
    Returns:
      The signed certificate obtained from the certificate management service.
    """
    # The body is site-specific and intentionally left open: it must talk to
    # your own certificate management service and return the certificate.
    raise NotImplementedError("integrate with the certificate management service here")
Note:

The specific parameter values to be passed to the script are specified within the certificate management profile.
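The following complete control script is an added example that fills in the skeleton above; it is not code from this page or from VMware. Everything beyond the certificate_request signature is an assumption made for the example: the enrollment service's /auth and /enroll endpoints, the parameter names ca_url, username, password and profile in args_dict (password being the kind of value you would mark Is Sensitive, profile the kind you might mark Dynamic), and the token cache file. It validates the Controller's inputs before they reach the CA, keeps the password out of error messages, stores the session token with mode 0600, and checks that what comes back is actually a PEM certificate. A constructed in-memory stand-in for the CA, with placeholder CSR and certificate bodies, lets it run offline.

```python
"""Added example of an NSX Advanced Load Balancer certificate-management control script. The Controller
calls certificate_request(csr, common_name, args_dict) and expects the signed certificate back as PEM text.
The /auth and /enroll API, the args_dict parameter names and the token cache are assumptions, not product code."""
import base64
import json
import os
import re
import tempfile
import time
import urllib.request

# Assumed profile parameter names ('password' would be Is Sensitive); the CN goes to the CA verbatim, so only a plain or wildcard hostname is accepted.
REQUIRED_PARAMS = ("ca_url", "username", "password", "profile")
CN_RE = re.compile(r"^(\*\.)?(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")
PEM_CSR = ("-----BEGIN CERTIFICATE REQUEST-----", "-----END CERTIFICATE REQUEST-----")
PEM_CERT = ("-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----")

def _pem_block_ok(text, markers):
    """True if text is a single PEM block with the given markers and a base64 body."""
    lines = [l.strip() for l in (text or "").splitlines() if l.strip()]
    if len(lines) < 3 or lines[0] != markers[0] or lines[-1] != markers[1]:
        return False
    try:
        base64.b64decode("".join(lines[1:-1]), validate=True)
        return True
    except ValueError:  # binascii.Error is a ValueError
        return False

def validate_inputs(csr, common_name, args_dict):
    """Return the list of problems with the Controller-supplied inputs (empty when OK)."""
    problems = ["missing profile parameter: " + p for p in REQUIRED_PARAMS if not args_dict.get(p)]
    if not CN_RE.match(common_name or ""):
        problems.append("common_name is not a valid hostname")
    if not _pem_block_ok(csr, PEM_CSR):
        problems.append("csr is not a PEM certificate request")
    if not str(args_dict.get("ca_url", "")).startswith("https://"):
        problems.append("ca_url must use https; credentials and the CSR travel over it")
    return problems

def _load_token(path):  # cached bearer token, or None if missing, unreadable or within 60 s of expiry
    try:
        with open(path) as fh:
            data = json.load(fh)
        return data["token"] if data["expires_at"] - time.time() > 60 else None
    except (OSError, ValueError, KeyError):
        return None

def _save_token(path, token, expires_at):  # created with mode 0600 so other local users cannot reuse it
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump({"token": token, "expires_at": expires_at}, fh)

def _http_post(url, body, headers):  # default transport: JSON POST with a timeout, TLS verified by urllib
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST",
                                 headers={"Content-Type": "application/json", **headers})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())

def certificate_request(csr, common_name, args_dict, post=_http_post):
    """Entry point invoked by the Controller. Returns the signed certificate as PEM text."""
    problems = validate_inputs(csr, common_name, args_dict)
    if problems:
        raise ValueError("; ".join(problems))  # never echo args_dict: it carries the password
    base = args_dict["ca_url"].rstrip("/")
    cache = args_dict.get("token_cache") or os.path.join(tempfile.gettempdir(), "cert_mgmt_token.json")
    token = _load_token(cache)
    if token is None:  # authenticate only when no usable token is cached
        auth = post(base + "/auth", {"username": args_dict["username"], "password": args_dict["password"]}, {})
        token = auth["token"]
        _save_token(cache, token, time.time() + int(auth.get("expires_in", 300)))
    reply = post(base + "/enroll", {"csr": csr, "common_name": common_name, "profile": args_dict["profile"]},
                 {"Authorization": "Bearer " + token})
    cert = reply.get("certificate", "")
    if not _pem_block_ok(cert, PEM_CERT):  # never hand the Controller something that is not a certificate
        raise RuntimeError("enrollment service did not return a PEM certificate")
    return cert

# Constructed stand-ins so the script runs offline; the CSR and certificate bodies are placeholders, not real objects.
SAMPLE_CSR = "%s\n%s\n%s\n" % (PEM_CSR[0], base64.b64encode(b"constructed placeholder CSR").decode(), PEM_CSR[1])
FAKE_CERT = "%s\n%s\n%s\n" % (PEM_CERT[0], base64.b64encode(b"constructed placeholder cert").decode(), PEM_CERT[1])
EXAMPLE_PARAMS = {"ca_url": "https://ca.example.internal", "username": "avi", "password": "s3cret", "profile": "tls-server", "token_cache": os.path.join(tempfile.mkdtemp(), "token.json")}

class FakeEnrollmentService:  # in-memory imitation of the hypothetical CA API; counts calls so token reuse is visible
    auth_calls = enroll_calls = 0
    def post(self, url, body, headers):
        if url.endswith("/auth"):
            self.auth_calls += 1
            if (body["username"], body["password"]) != ("avi", "s3cret"):
                raise RuntimeError("authentication failed")
            return {"token": "tok-%d" % self.auth_calls, "expires_in": 600}
        if not headers.get("Authorization", "").startswith("Bearer tok-"):  # only other endpoint: /enroll
            raise RuntimeError("missing or invalid token")
        self.enroll_calls += 1
        return {"certificate": FAKE_CERT}

def demo():  # enroll twice against the stand-in; the second call reuses the cached token (one auth, two enrolls)
    svc = FakeEnrollmentService()
    certs = [certificate_request(SAMPLE_CSR, cn, EXAMPLE_PARAMS, post=svc.post) for cn in ("www.example.com", "*.example.com")]
    return certs == [FAKE_CERT, FAKE_CERT], svc.auth_calls, svc.enroll_calls
```

The Controller only imports the module and calls certificate_request() with three arguments; the post keyword exists so the transport can be swapped for the stand-in without network access, which is what demo() does. A real deployment would replace FakeEnrollmentService with nothing and _http_post with whatever the internal PKI expects, keeping the timeout and the default TLS verification; if the service rejects a cached token, delete the cache file and the next call re-authenticates.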

Hiding Sensitive Parameters

For parameters that are sensitive, for instance, passwords, the values can be hidden. Marking a parameter sensitive prevents its value from being displayed in the web interface or passed by the API.

Assigning Dynamic Parameter Values during CSR Creation

The value for a certificate management parameter can be assigned within the profile or within individual CSRs.

  • If the parameter value is assigned within the profile, the value applies to all CSRs generated using the profile.

  • To dynamically assign a parameter’s value, indicate within the certificate management profile that the parameter is dynamic. This leaves the parameter’s value unassigned. The dynamic parameter’s value is assigned when an individual CSR is created using the profile. The parameter value applies only to the created CSR.

Creating the Certificate Management Profile

The following are the steps to create a certificate management profile:

  1. Navigate to Templates > Security > Certificate Management and click CREATE.

  2. Specify the name for the profile.

  3. Select the control script for the certificate management profile from the drop-down menu.

  4. If the profile must pass parameter values to the script, select the Enable Custom Parameters check box and specify the parameter names and values.

    • For parameters that are sensitive (for example, passwords), select the Is Sensitive check box. Marking a parameter sensitive prevents its value from being displayed in the web interface or being passed by the API.

    • For parameters that are to be dynamically assigned during CSR creation, select the Dynamic check box. This leaves the parameter unassigned within the profile.

  5. Click Save.

Using the Certificate Management Profile to generate Signed Certificates

After adding the script and creating the certificate management profile, the profile can be used to easily obtain and install Trust Anchor-signed certificates as follows:

  1. Navigate to Templates > Security > SSL/TLS Certificates and click Create.

  2. Select the Application Certificate option from the Create drop-down menu.

  3. Specify the name and select the CSR option from the Type drop-down menu.

  4. Select the certificate management profile configured in the previous section from the Certificate Management Profile drop-down menu.

  5. Click Save.

The Controller generates a public-private key pair and CSR. It executes the script to request the Trust Anchor-signed certificate from the PKI service, and saves the signed certificate in persistent storage.