By default, vRealize Log Insight installs a self-signed SSL certificate on the virtual appliance.

About this task

The self-signed certificate generates security warnings when you connect to the vRealize Log Insight web user interface. If you do not want to use a self-signed security certificate, you can install a custom SSL certificate. The only feature requiring a custom SSL certificate is Event Forwarding through SSL. If you have a Cluster setup with ILB enabled, see Enable the Integrated Load Balancer for the specific requirements of a custom SSL certificate.

Note:

The vRealize Log Insight Web user interface and the Log Insight Ingestion protocol cfapi use the same certificate for authentication.

Prerequisites

  • Verify that your custom SSL certificate meets the following requirements.

    • The CommonName contains a wildcard or exact match for the Master node or FQDN of the virtual IP address. Optionally, all other IP addresses and FQDNs are listed as subjectAltName.

    • The certificate file contains both a valid private key and a valid certificate chain.

    • The private key is generated by the RSA or the DSA algorithm.

    • The private key is not encrypted by a pass phrase.

    • If the certificate is signed by a chain of other certificates, all other certificates are included in the certificate file that you plan to import.

    • The private key and all the certificates that are included in the certificate file are PEM-encoded. vRealize Log Insight does not support DER-encoded certificates and private keys.

    • The private key and all the certificates that are included in the certificate file are in the PEM format. vRealize Log Insight does not support certificates in the PFX, PKCS12, PKCS7, or other formats.

  • Verify that you concatenate the entire body of each certificate into a single text file in the following order.

    1. The Private Key - your_domain_name.key

    2. The Primary Certificate - your_domain_name.crt

    3. The Intermediate Certificate - DigiCertCA.crt

    4. The Root Certificate - TrustedRoot.crt

  • Verify that you include the beginning and ending tags of each certificate in the following format.

    -----BEGIN RSA PRIVATE KEY----- 
    (Your Private Key: your_domain_name.key) 
    -----END RSA PRIVATE KEY----- 
    -----BEGIN CERTIFICATE----- 
    (Your Primary SSL certificate: your_domain_name.crt) 
    -----END CERTIFICATE----- 
    -----BEGIN CERTIFICATE----- 
    (Your Intermediate certificate: DigiCertCA.crt) 
    -----END CERTIFICATE----- 
    -----BEGIN CERTIFICATE----- 
    (Your Root certificate: TrustedRoot.crt) 
    -----END CERTIFICATE-----
  • Verify that you are logged in to the vRealize Log Insight Web user interface as a user with the Edit Admin permission. The URL format is https://log-insight-host, where log-insight-host is the IP address or host name of the vRealize Log Insight virtual appliance.
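
The file-layout prerequisites above can be checked before upload. The following Python script is an added example, not VMware code: it confirms that a concatenated bundle is PEM only, starts with an unencrypted RSA or DSA private key, and contains only certificates after the key. The names `check_bundle` and `pem` and the sample bundles are constructed for illustration; the script reads PEM labels only and does not verify that the key matches the certificate or that the chain validates.

```python
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----[ \t]*\r?\n(.*?)-----END ([A-Z0-9 ]+)-----", re.DOTALL)

def check_bundle(text):
    """Return a list of layout problems; an empty list means none were found."""
    blocks = [m.groups() for m in PEM_BLOCK.finditer(text)]
    if not blocks:
        return ["no PEM blocks found (DER, PFX, PKCS12 and PKCS7 are not supported)"]
    problems = []
    if PEM_BLOCK.sub("", text).strip():
        problems.append("text found outside the BEGIN/END tags")
    for begin, _, end in blocks:
        if begin != end:
            problems.append(f"BEGIN {begin} is closed by END {end}")
    label, body, _ = blocks[0]
    # Pass-phrase protection shows up as a PKCS#8 label or a Proc-Type header.
    if label == "ENCRYPTED PRIVATE KEY" or re.search(r"^Proc-Type:.*ENCRYPTED", body, re.M):
        problems.append("private key is encrypted by a pass phrase")
    elif label == "PRIVATE KEY":
        problems.append("PKCS#8 key: label does not show the algorithm, confirm RSA or DSA")
    elif label not in ("RSA PRIVATE KEY", "DSA PRIVATE KEY"):
        problems.append(f"first block is {label!r}, expected an RSA or DSA private key")
    # Everything after the key must be a certificate: primary, intermediate, root.
    rest = [b[0] for b in blocks[1:]]
    if not rest:
        problems.append("no certificate follows the private key")
    for pos, lab in enumerate(rest, start=2):
        if lab != "CERTIFICATE":
            problems.append(f"block {pos} is {lab!r}, expected CERTIFICATE")
    return problems

def pem(label, body="Q09OU1RSVUNURUQ="):
    # Constructed placeholder body, not real key or certificate material.
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

GOOD = pem("RSA PRIVATE KEY") + pem("CERTIFICATE") * 3
ENCRYPTED = pem("RSA PRIVATE KEY",
                "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\nQ09OU1RSVUNURUQ="
                ) + pem("CERTIFICATE")
WRONG_ORDER = pem("CERTIFICATE") + pem("RSA PRIVATE KEY")

if __name__ == "__main__":
    for name, sample in [("good", GOOD), ("encrypted", ENCRYPTED), ("order", WRONG_ORDER)]:
        print(name, check_bundle(sample) or "OK")
```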