- \n
- By default, the Aviatrix Controller uses a self-signed certificate. In this case, an option to generate a Certificate Signing Request (CSR) will be available. The CSR requires the Fully Qualified Domain Name (FQDN) of the controller, e.g., avx-controller.mycompany.com. When the CSR is generated, the controller will also generate and store a corresponding private key. The generated CSR is supplied to the Certificate Authority (CA) which will return a signed public certificate. In addition to this certificate, a CA certificate (generally publicly available from the CA) will also be required during the import process.<\/li>\n\n\n\n
- If a public certificate is already installed, you can no longer generate a CSR without first reverting to a self-signed certificate.<\/li>\n\n\n\n
- There is also an option to import an externally generated private key with corresponding public and CA certs. <\/li>\n<\/ul>\n<\/li>\n\n\n\n
- For Aviatrix CoPilot\n
- \n
- The Copilot does not support the generation of CSR\u2019s. Instead, an externally generated private key and corresponding CA-signed public key are required for importation. <\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
The processes above can be challenging for customers, especially when renewing existing certificates. This confusion is compounded by the variety of different certificate types of Certification Authorities, certificate formats and operating system tools.<\/p>\n\n\n\n
This blog intends to create a more standardized process for Aviatrix Customers to follow.<\/p>\n\n\n\n\n\n\n\n
OpenSSL<\/h2>\n\n\n\n
- \n
- To standardize the process of requesting a certificate, we will use a utility called OpenSSL<\/strong><\/a><\/li>\n\n\n\n
- OpenSSL is included in all major Linux distributions as well as all versions of MacOS.<\/li>\n\n\n\n
- For Windows, there is a list of 3rd party maintained binaries on https:\/\/wiki.openssl.org\/index.php\/Binaries<\/a>. For the examples below I\u2019m using Windows 10 with Win32OpenSSL<\/a> installed.<\/li>\n<\/ol>\n\n\n\n
Quick Win32OpenSSL install guide<\/strong><\/h2>\n\n\n\n
When downloading Win32 OpenSSL make sure to choose the binary matching your OS architecture. <\/p>\n\n\n\n
Please note:<\/strong> Do not select the *light* edition as it is missing openssl.cfg file.<\/p>\n\n\n\n
The following examples assume a default installation of OpenSSL in C:\\Program Files\\OpenSSL-Win64<\/strong><\/p>\n\n\n\n
Make sure system environment variables include a new variable name: OPENSSL_CONF<\/strong>
Value with a value of \u201cC:\\Program Files\\OpenSSL-Win64\\bin\\openssl.cfg<\/strong>\u201d<\/p>\n\n\n\n![\"\"](\"https:\/\/cloudlearning365.com\/wp-content\/uploads\/2023\/11\/image-8-1024x933.png\")
<\/figure>\n\n\n\nMake sure system environment variable Path<\/strong> includes C:\\Program Files\\OpenSSL-Win64\\bin<\/strong><\/p>\n\n\n\n
![\"\"](\"https:\/\/cloudlearning365.com\/wp-content\/uploads\/2023\/11\/image-9-1024x693.png\")
<\/figure>\n\n\n\nRestart Windows for the system variables to take effect.<\/p>\n\n\n\n
NOTE: <\/strong>Microsoft Visual C++ 2015-2019 Redistributable must be installed for Win32OpenSSL to work.<\/p>\n\n\n\n
Certificate types<\/strong><\/h2>\n\n\n\n
Both Aviatrix Controller and CoPilot is looking for PEM encoded X.509 certificate<\/em><\/strong><\/p>\n\n\n\n
When a certificate with public key<\/strong> is opened in a text editor, it will look like following:<\/p>\n\n\n\n
-----BEGIN CERTIFICATE-----\n\nMIIGhz...\n\n...\n\n...WlLw==\n\n-----END CERTIFICATE-----<\/code><\/pre>\n\n\n\n<\/p>\n\n\n\n
When a PEM encoded RSA private key<\/em><\/strong> is opened in a text editor, it will look like following:<\/p>\n\n\n\n
-----BEGIN RSA PRIVATE KEY-----\n\nMIIE...\n\n...\n\n...\n\n-----END RSA PRIVATE KEY-----<\/code><\/pre>\n\n\n\nNOTE:<\/strong> Any other encodings (DER, P7B\/PKCS#7 or PFX\/PKCS#12) are not supported but can be converted to PEM format by OpenSSL. Please see https:\/\/aboutssl.org\/convert-certificate-to-pem-crt-to-pem-crt-to-pem-der-to-pem\/<\/a> for instructions.<\/p>\n\n\n\n
Important! The private key cannot<\/u> have a password on it.<\/mark><\/strong><\/p>\n\n\n\n
If the private key has a password, use the following command to create a new key file without a password:<\/p>\n\n\n\n
- \n
- Run this command: openssl rsa -in [original.key] -out [new.key]<\/li>\n\n\n\n
- Enter the passphrase for the original key when asked.<\/li>\n\n\n\n
- The output file [new.key] should now be unencrypted.<\/li>\n<\/ul>\n\n\n\n
The process<\/strong> summarized<\/h2>\n\n\n\n
- \n
- Use OpenSSL to generate a private key.<\/li>\n\n\n\n
- Use OpenSSL to generate a CSR from that private key.<\/li>\n\n\n\n
- Submit CSR to your CA.<\/li>\n\n\n\n
- Your CA will issue a signed server certificate. In addition, a signed intermediate CA certificate should be obtained. <\/li>\n\n\n\n
- Install signed CA certificate, signed server certificate and private key on Controller\/CoPilot<\/li>\n<\/ol>\n\n\n\n
Use OpenSSL to generate a private key<\/strong><\/h3>\n\n\n\n
The following command is used to generate a 4096 bit RSA private key, outputting it to a file named \u201cprivatekey.pem\u201d:<\/p>\n\n\n\n
openssl genpkey -algorithm RSA -out privatekey.pem -pkeyopt rsa_keygen_bits:4096<\/code><\/pre>\n\n\n\n- \n
- openssl<\/strong>: This is the command line tool for the OpenSSL binary.<\/li>\n\n\n\n
- genpkey<\/strong>: This is the OpenSSL command for generating a private key.<\/li>\n\n\n\n
- -algorithm RSA:<\/strong> This switch determines the algorithm to use for the key generation. In this case, RSA is specified.<\/li>\n\n\n\n
- -out privatekey.pem<\/strong>: The -out switch specifies the output filename. Here, the output of the command (the newly generated private key) is saved to a file named privatekey.pem.<\/li>\n\n\n\n
- -pkeyopt rsa_keygen_bits:4096<\/strong>: The -pkeyopt option allows for setting public key parameters. In this example, rsa_keygen_bits:4096 specifies that the RSA key to be generated should have a length of 4096<\/strong> bits.<\/li>\n<\/ul>\n\n\n\n
To verify the consistency of a private key, use following command to check that the mathematical structure of the key is sound:<\/p>\n\n\n\n
openssl rsa -in privateKey.pem -check -noout<\/code><\/pre>\n\n\n\n- \n
- rsa<\/strong>: This OpenSSL command handles RSA keys. Operations include generation, examination, and in some cases, private key decryption.<\/li>\n\n\n\n
- -in privateKey.pem<\/strong>: The -in option specifies the input filename. Here, the private key used for the operation is read from a file named \u2018privateKey.pem\u2019.<\/li>\n\n\n\n
- -check<\/strong>: This option checks the consistency of an RSA private key.<\/li>\n\n\n\n
- -noout<\/strong>: This prevents the key from being printed to the console. As such, only the result of the check will be written to stdout.<\/li>\n<\/ul>\n\n\n\n
Use OpenSSL to generate CSR<\/strong><\/h3>\n\n\n\n
Use the following command to generate a CSR using the private key (privateKey.pem) created earlier. You\u2019ll be prompted to enter the details for the CSR, including your Common Name (domain name), organization name, and more. If you wish to automate this process, you can use -subj flag to provide the CSR information.<\/p>\n\n\n\n
openssl req -new -key privatekey.pem -out request.csr<\/code><\/pre>\n\n\n\n- \n
- req<\/strong>: This OpenSSL command is for handling CSR (PKCS#10 X.509 Certificate Signing Request (CSR) management).<\/li>\n\n\n\n
- -new<\/strong>: This option generates a new CSR.<\/li>\n\n\n\n
- -key privatekey.pem<\/strong>: This specifies the file to read the private key from, in this case \u201cprivatekey.pem\u201d.<\/li>\n\n\n\n
- -out request.csr<\/strong>: This specifies the output filename. Here, the CSR is written to a file named \u201crequest.csr\u201d.<\/li>\n<\/ul>\n\n\n\n
Example of the prompt, it\u2019s critical to enter the server FQDN to match your intended URL to access the servers, e.g., avxctrl.cloudlearning365.com<\/strong> in the following example:<\/p>\n\n\n\n
You are about to be asked to enter information that will be incorporated\n\ninto your certificate request.\n\nWhat you are about to enter is what is called a Distinguished Name or a DN.\n\nThere are quite a few fields but you can leave some blank\n\nFor some fields there will be a default value,\n\nIf you enter '.', the field will be left blank.\n\n-----\n\nCountry Name (2 letter code) [AU]:CA\n\nState or Province Name (full name) [Some-State]:Ontario\n\nLocality Name (eg, city) []:Toronto\n\nOrganization Name (eg, company) [Internet Widgits Pty Ltd]:Aviatrix\n\nOrganizational Unit Name (eg, section) []:IT\n\nCommon Name (e.g. server FQDN or YOUR name) []:avxctrl.cloudlearning365.com\n\nEmail Address []:\n\nPlease enter the following 'extra' attributes\n\nto be sent with your certificate request\n\nA challenge password []:\n\nAn optional company name []:<\/code><\/pre>\n\n\n\nTo validate the CSR file, use the following command:<\/strong><\/p>\n\n\n\n
openssl req -text -noout -verify -in request.csr<\/code><\/pre>\n\n\n\n- \n
- req<\/strong>: This OpenSSL command deals with Certificate Signing Requests (CSRs).<\/li>\n\n\n\n
- -text<\/strong>: Outputs the CSR information in a text-based, human-readable format.<\/li>\n\n\n\n
- -noout<\/strong>: Prevents output of the encoded version of the CSR request.<\/li>\n\n\n\n
- -verify:<\/strong> Checks the signature on the CSR to verify its integrity.<\/li>\n\n\n\n
- -in request.csr<\/strong>: This specifies the filename to read the CSR from. Here, \u2018request.csr\u2019 is the input CSR file.<\/li>\n<\/ul>\n\n\n\n
Submit CSR to your Certificate Authority<\/strong><\/h3>\n\n\n\n
I\u2019ve summited the CSR to ZeroSSL and obtained a ZIP file containing: ca_bundle.crt and certificate.crt.<\/p>\n\n\n\n
Use following command to explore the certificate:<\/p>\n\n\n\n
openssl x509 -in certificate.crt -text -noout | grep -E '(Subject|Issuer):'\n\nIssuer: C = AT, O = ZeroSSL, CN = ZeroSSL RSA Domain Secure Site CA\nSubject: CN = avxctrl.cloudlearning365.com<\/code><\/pre>\n\n\n\nNow use the similar command on ca_bundle.crt to explore the certificate:<\/p>\n\n\n\n
openssl x509 -in ca_bundle.crt -text -noout | grep -E '(Subject|Issuer):'\n\nIssuer: C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority\nSubject: C = AT, O = ZeroSSL, CN = ZeroSSL RSA Domain Secure Site CA<\/code><\/pre>\n\n\n\nNotice how the subject of ca_bundle.crt matches issuer of certificate.crt. This means ca_budle.crt is the intermediate CA that issued the certificate for avxctrl.cloudlearning365.com<\/p>\n\n\n\n
Install Aviatrix Controller Certificate<\/strong><\/h3>\n\n\n\n
Aviatrix Controller -> Settings -> Certificate<\/p>\n\n\n\n
When Aviatrix Controller is using self-signed certificate:<\/p>\n\n\n\n
![\"\"](\"https:\/\/cloudlearning365.com\/wp-content\/uploads\/2023\/11\/image-1024x603.png\")
<\/figure>\n\n\n\nWhen Aviatrix already has a certificate installed, and you are renewing the certificate:<\/p>\n\n\n\n
![\"\"](\"https:\/\/cloudlearning365.com\/wp-content\/uploads\/2023\/11\/image-1-1024x617.png\")
<\/figure>\n\n\n\nCoPilot SSL certificate installation<\/h3>\n\n\n\n
CoPilot -> Settings -> Configuration -> General -> CoPilot Certificates<\/p>\n\n\n\n
![\"\"](\"https:\/\/cloudlearning365.com\/wp-content\/uploads\/2023\/11\/image-2-1024x416.png\")
<\/figure>\n\n\n\nReplace SSL Certificate with the server certificate, and SSL Certificate Key with the private key, then click on Save<\/p>\n\n\n\n
![\"\"](\"https:\/\/cloudlearning365.com\/wp-content\/uploads\/2023\/11\/image-3-1024x527.png\")
<\/figure>\n\n\n\nRestart CoPilot Web Service -> Settings -> Resources -> System health -> Web -> Restart<\/p>\n\n\n\n
![\"\"](\"https:\/\/cloudlearning365.com\/wp-content\/uploads\/2023\/11\/image-4-1024x669.png\")
<\/figure>\n\n\n\nDNS<\/strong><\/h2>\n\n\n\n
Make sure your DNS record is set correctly, e.g.:<\/p>\n\n\n\n
avxctrl.cloudlearning365.com<\/strong> would resolve to Aviatrix Controller IP<\/p>\n\n\n\n
avxcopilot.cloudlearning365.com<\/strong> would resolve to CoPilot IP<\/p>\n\n\n\n
Validation<\/strong><\/h2>\n\n\n\n
In the browser, try to open https:\/\/avxctrl.cloudlearning365.com<\/strong>, e.g. in Chrome, there\u2019s no warning, and then expand on the icon close to the URL, it shows Connection is secure<\/strong><\/p>\n\n\n\n
![\"\"](\"https:\/\/cloudlearning365.com\/wp-content\/uploads\/2023\/11\/image-5.png\")
<\/figure>\n\n\n\nYou can further explore the installed certificate by pressing on Connection is secure<\/strong><\/p>\n\n\n\n
![\"\"](\"https:\/\/cloudlearning365.com\/wp-content\/uploads\/2023\/11\/image-6.png\")
<\/figure>\n\n\n\nThen click on Certificate is valid, validate on Common Name which should match your URL FQDN (Fully Qualified Domain Name), and Expires on<\/strong> should be a future date.<\/p>\n\n\n\n
![\"\"](\"https:\/\/cloudlearning365.com\/wp-content\/uploads\/2023\/11\/image-7-969x1024.png\")
<\/figure>\n","protected":false},"excerpt":{"rendered":"As of writing, on Aviatrix Controller version 7.1.2131 and CoPilot v4.3.1, the current process of installing a certificate: The processes above can be challenging for customers, especially when renewing existing certificates. This confusion is compounded by the variety of different … Continue reading
- -text<\/strong>: Outputs the CSR information in a text-based, human-readable format.<\/li>\n\n\n\n
- -new<\/strong>: This option generates a new CSR.<\/li>\n\n\n\n
- -in privateKey.pem<\/strong>: The -in option specifies the input filename. Here, the private key used for the operation is read from a file named \u2018privateKey.pem\u2019.<\/li>\n\n\n\n
- genpkey<\/strong>: This is the OpenSSL command for generating a private key.<\/li>\n\n\n\n
- openssl<\/strong>: This is the command line tool for the OpenSSL binary.<\/li>\n\n\n\n
- To standardize the process of requesting a certificate, we will use a utility called OpenSSL<\/strong><\/a><\/li>\n\n\n\n
- The Copilot does not support the generation of CSR\u2019s. Instead, an externally generated private key and corresponding CA-signed public key are required for importation. <\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n