
AVI Controller Cluster Custom SSL/TLS Certificate

Since VMware vSphere 7.0 Update 2 it is possible to integrate NSX Advanced Load Balancer (aka AVI) into vSphere with Tanzu. As part of the installation wizard, you need to provide the AVI Controller SSL/TLS certificate to vSphere. In a lab environment this is pretty straightforward, because most of the time you only have one AVI Controller with a self-signed certificate.
But in production environments, you might want to have three controllers (for redundancy, of course) and also use a valid certificate, signed by your own Certificate Authority.
In this post, I want to demonstrate how to create a certificate that can be used for the cluster address but is also valid for each individual controller.

In contrast to the NSX-T Manager cluster, where you need a certificate for each individual manager plus another one for the VIP, the AVI controller cluster uses a single certificate. That is exactly why this one certificate has to cover the VIP and every node.

Create the certificate

There are two different ways to create the Certificate Signing Request (CSR). You can either use the wizard within the AVI controller, or create it yourself with a tool of your choice. I decided to go with the openssl command line tool.

Create the certificate config

I have three AVI Controller Nodes plus the VIP:

  • avi-ctrl.vraccoon.lab – 172.31.48.10
  • avi-ctrl-1.vraccoon.lab – 172.31.48.11
  • avi-ctrl-2.vraccoon.lab – 172.31.48.12
  • avi-ctrl-3.vraccoon.lab – 172.31.48.13

Thus, my openssl config looks like this:

[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[ req_distinguished_name ]
countryName = DE
stateOrProvinceName = Germany
localityName = BER
organizationName = vRaccoon
organizationalUnitName = LAB
commonName = avi-ctrl.vraccoon.lab
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = avi-ctrl.vraccoon.lab
DNS.2 = avi-ctrl-1.vraccoon.lab
DNS.3 = avi-ctrl-2.vraccoon.lab
DNS.4 = avi-ctrl-3.vraccoon.lab

Note that the VIP's FQDN and all three controllers' FQDNs are added as Subject Alternative Names (SANs).
In theory, it would also work if you only enter the VIP as a SAN. But if you then navigate to any of the controllers directly, the certificate would not match that FQDN and the browser would throw a certificate warning. The same applies to connecting by IP address: a DNS entry never matches an IP, so if you also want https://172.31.48.10 and the node addresses to validate, add the IPs as IP entries to the alt_names section as well. This config only covers the hostnames.

Create the certificate signing request and key

Next, I'll create the CSR and the key. -nodes writes the private key unencrypted, so keep its file mode restrictive (the listing below shows it at 0600) and remove it from the workstation once it has been uploaded to the controller:

vraccoon@ubu:~$ openssl req -nodes -newkey rsa:2048 -keyout avi-ctrl.key -config avi-ctrl.cnf -out avi-ctrl.csr
Generating a RSA private key
......................................................................+++++
........................+++++
writing new private key to 'avi-ctrl.key'
-----
vraccoon@ubu:~$ ll
total 24
drwxrwxr-x  2 vraccoon vraccoon 4096 May 29 13:35 ./
drwxr-xr-x 21 vraccoon vraccoon 4096 May 29 13:35 ../
-rw-rw-r--  1 vraccoon vraccoon  472 May 29 13:35 avi-ctrl.cnf
-rw-rw-r--  1 vraccoon vraccoon 1184 May 29 13:36 avi-ctrl.csr
-rw-------  1 vraccoon vraccoon 1704 May 29 13:36 avi-ctrl.key

Create the certificate

Now we can get the CSR signed. I am using Active Directory Certificate Services (AD CS) for that, with the WebServer template (you can see the template name in the 1.3.6.1.4.1.311.20.2 extension of the issued certificate below). How the CSR is submitted depends on your CA; the signed certificate comes back as avi-ctrl.crt.

Let's validate the issued certificate, just to be sure the CA kept the SANs from the request and set the expected key usage and validity period:

vraccoon@ubu:~$ openssl x509 -noout -text -in avi-ctrl.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            5f:00:00:00:2d:ec:0d:27:29:2a:2d:d5:1a:00:00:00:00:00:2d
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC = lab, DC = vraccoon, CN = vraccoon-DC-CA
        Validity
            Not Before: May  8 21:50:34 2021 GMT
            Not After : May  8 21:50:34 2023 GMT
        Subject: C = DE, ST = Germany, L = BER, O = vRaccoon, OU = LAB, CN = avi-ctrl.vraccoon.lab
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:bf:23:dc:1e:f2:0f:bb:ea:bc:40:7d:14:65:e7:
                    3d:e2:d0:2c:be:4f:16:d3:f4:e2:dc:88:a7:bd:b8:
                    69:da:0d:8a:30:9f:a6:ae:ca:89:4d:f5:28:03:80:
                    3b:e3:e6:eb:18:1d:63:e9:1e:c2:fa:b0:59:9d:07:
                    b5:a7:27:31:a9:e8:f8:17:e6:55:03:81:77:ae:58:
                    41:09:91:f8:89:fe:38:0e:f2:23:81:86:06:bd:f3:
                    45:fa:fc:af:8a:d4:55:02:f9:22:96:b8:50:80:f5:
                    4c:bd:78:3d:f1:6a:52:5e:55:6b:2b:04:2f:5b:8a:
                    b1:d5:66:8e:76:81:a5:42:d5:3c:5b:f5:8e:69:a0:
                    c9:e8:df:ee:aa:42:3a:53:58:e6:3a:2e:ea:d5:15:
                    de:2e:87:12:89:93:29:ea:2a:8c:2e:65:ec:31:73:
                    95:67:48:a8:79:db:4f:cd:f2:e7:f8:7f:42:5c:35:
                    23:c7:47:a2:be:6a:0b:a3:5c:e2:f1:d2:31:53:7d:
                    06:20:2f:55:a6:37:f7:ed:43:42:d1:00:89:e4:d8:
                    43:ba:15:82:08:4e:16:97:cf:8e:b1:f3:95:12:e6:
                    57:8b:15:1e:0b:24:53:7a:01:4d:86:e4:b6:10:98:
                    26:e6:fe:0a:1a:f6:ad:82:e2:0c:95:65:1f:6a:4c:
                    2c:ab
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:avi-ctrl.vraccoon.lab, DNS:avi-ctrl-1.vraccoon.lab, DNS:avi-ctrl-2.vraccoon.lab, DNS:avi-ctrl-3.vraccoon.lab
            X509v3 Subject Key Identifier:
                B5:9E:D1:F1:0B:C2:73:0C:84:92:DF:15:3D:32:B3:B0:91:3A:B8:4E
            X509v3 Authority Key Identifier:
                keyid:BC:3B:1B:FE:9D:6D:E0:32:5E:C6:33:ED:5C:CB:87:8A:BB:F7:D1:65

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:ldap:///CN=vraccoon-DC-CA,CN=dc,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=vraccoon,DC=lab?certificateRevocationList?base?objectClass=cRLDistributionPoint

            Authority Information Access:
                CA Issuers - URI:ldap:///CN=vraccoon-DC-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=vraccoon,DC=lab?cACertificate?base?objectClass=certificationAuthority

            1.3.6.1.4.1.311.20.2:
                ...W.e.b.S.e.r.v.e.r
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
    Signature Algorithm: sha256WithRSAEncryption
         51:54:9b:7d:69:dc:a4:e2:0c:5d:d6:9b:fd:31:6e:c9:b2:9d:
         b7:06:77:75:ac:51:e8:eb:bd:3c:a9:af:27:79:e2:fa:a8:3c:
         26:a3:e6:fb:61:37:48:4a:d9:22:3b:93:d4:b9:67:78:e3:2c:
         ce:af:da:6d:43:77:28:8b:b0:ac:18:d7:6e:e8:5a:96:1f:19:
         31:3d:09:8f:56:39:fd:6b:2f:73:71:ee:ad:b6:7c:c0:91:7d:
         f0:96:38:e0:0d:9a:d1:f4:09:ac:32:b8:ab:3e:bc:d3:c8:f4:
         b1:01:cf:6b:e6:5b:51:e4:1a:4a:92:67:21:1a:f4:ab:8a:40:
         2e:73:f7:8c:8e:18:07:9f:8c:56:a5:cc:be:e8:bf:c0:76:1b:
         54:38:1f:47:4c:47:60:9c:9a:de:25:2f:24:5a:a4:54:ef:22:
         c6:c8:b1:11:1f:6a:89:82:bb:a3:fb:68:52:4e:79:70:20:9b:
         70:36:91:66:63:fb:fa:ab:d6:11:0b:af:be:37:95:98:11:eb:
         ef:10:db:92:1e:07:e8:e6:c9:db:66:0c:5d:ff:2a:60:2e:f2:
         12:ef:af:a9:c0:fc:fb:af:4b:f3:2e:b4:0e:1d:8a:08:93:a7:
         a6:e1:96:22:55:2f:cf:3d:d0:74:30:c9:49:94:f5:b1:96:a7:
         31:69:2c:42
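As an added example that is not part of the original post, here is the config, CSR and validation part of the walkthrough as one small POSIX shell script. It writes the same openssl config as above for a list of hostnames, creates key and CSR, confirms that every SAN actually made it into the CSR before it goes to the CA, and, once the signed certificate is back, checks the SANs again, checks that the certificate matches the private key, and verifies the chain. The hostnames are the ones from this post; the helper names (write_san_config, check_sans, key_matches_cert, verify_chain, show_live_cert) and the ca-chain.crt file name are my own and not AVI or openssl conventions. The signing step at the CA is not reproduced, and show_live_cert needs network access to the controller, so it is only meant for after the upload.

```shell
#!/bin/sh
# Added example, not part of the original post: SAN config, key and CSR for an
# AVI controller cluster, plus the checks to run before the CSR goes to the CA
# and after the signed certificate comes back. Signing itself is left to the CA.
set -eu

# Constructed host list mirroring the post: cluster VIP first, then the nodes.
AVI_HOSTS="avi-ctrl.vraccoon.lab avi-ctrl-1.vraccoon.lab avi-ctrl-2.vraccoon.lab avi-ctrl-3.vraccoon.lab"

# write_san_config OUTFILE HOST...  (first HOST becomes the CN, every HOST a DNS SAN)
write_san_config() {
  out=$1; shift
  {
    printf '[ req ]\ndefault_bits = 2048\ndistinguished_name = req_distinguished_name\n'
    printf 'req_extensions = req_ext\nprompt = no\n[ req_distinguished_name ]\n'
    printf 'countryName = DE\nstateOrProvinceName = Germany\nlocalityName = BER\n'
    printf 'organizationName = vRaccoon\norganizationalUnitName = LAB\ncommonName = %s\n' "$1"
    printf '[ req_ext ]\nsubjectAltName = @alt_names\n[ alt_names ]\n'
    i=1
    for h in "$@"; do printf 'DNS.%d = %s\n' "$i" "$h"; i=$((i + 1)); done
  } > "$out"
}

# make_key_and_csr PREFIX CONFIG -> PREFIX.key and PREFIX.csr. The key is written
# unencrypted (-nodes), so the umask in the subshell keeps it at mode 0600.
make_key_and_csr() {
  ( umask 077
    openssl req -nodes -newkey rsa:2048 -keyout "$1.key" -config "$2" -out "$1.csr" 2>/dev/null )
}

# san_list FILE -> DNS SANs of a PEM CSR or certificate, one per line
# (IP Address: entries are deliberately not listed; extend this if you use IP SANs)
san_list() {
  if grep -q 'CERTIFICATE REQUEST' "$1"; then cmd=req; else cmd=x509; fi
  openssl "$cmd" -noout -text -in "$1" \
    | awk '/Subject Alternative Name/ { getline; print; exit }' \
    | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# check_sans FILE HOST... -> 0 only if every HOST is present as a DNS SAN in FILE
check_sans() {
  f=$1; shift
  have=$(san_list "$f"); rc=0
  for h in "$@"; do
    printf '%s\n' "$have" | grep -qx "$h" || { echo "missing SAN in $f: $h" >&2; rc=1; }
  done
  return $rc
}

# key_matches_cert KEY CERT -> 0 if CERT carries exactly KEY's public key
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# verify_chain CABUNDLE CERT -> 0 if CERT validates against the CA chain in CABUNDLE
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# show_live_cert HOST -> subject, validity and SANs of what HOST serves on 443.
# Needs network access; use it after the upload to confirm the controller switched.
show_live_cert() {
  tmp=$(mktemp)
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -out "$tmp"
  openssl x509 -noout -subject -dates -in "$tmp"; san_list "$tmp"; rm -f "$tmp"
}

# Pre-submission run in a scratch directory: a CA normally issues only what the
# request asks for, so a SAN missing from the CSR should fail here, not after signing.
prepare_request() {
  dir=$(mktemp -d)
  write_san_config "$dir/avi-ctrl.cnf" $AVI_HOSTS   # unquoted on purpose: word-split
  make_key_and_csr "$dir/avi-ctrl" "$dir/avi-ctrl.cnf"
  check_sans "$dir/avi-ctrl.csr" $AVI_HOSTS
  echo "$dir"
}

REQ_DIR=$(prepare_request)
echo "CSR ready in $REQ_DIR. After the CA returns avi-ctrl.crt, run:"
echo "  check_sans $REQ_DIR/avi-ctrl.crt $AVI_HOSTS"
echo "  key_matches_cert $REQ_DIR/avi-ctrl.key $REQ_DIR/avi-ctrl.crt"
echo "  verify_chain ca-chain.crt $REQ_DIR/avi-ctrl.crt   # ca-chain.crt: your CA's chain"
```

Running the script only takes you up to the CSR; the three commands it prints at the end are the post-signing checks, with ca-chain.crt standing in for whatever file holds your issuing and root CA certificates. The key/cert match check compares the public keys in PEM form, which catches the classic mistake of uploading a certificate that was issued for a different CSR than the key you are about to paste into the controller.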

Assign the certificate

I've already formed the three controllers into a cluster. After logging in, navigate to:
Administration (1) –> Settings (2) –> Access Settings (3) –> Edit (4)

Remove the selected default certificates under SSL/TLS Certificate.

Click the drop-down arrow –> Create Certificate.

In the New Certificate window, click Import and either upload or paste the certificate and key. You must also assign it a name. The name doesn't need to match the FQDN; it's just for reference.

Click Validate –> Save.
Note – If you click CSR just left of Import, you can create the CSR from within here instead of using the openssl tool; the private key is then generated on the controller and never has to be copied around. If you do so, don't forget to add all SAN entries (the VIP plus every controller).

Under SSL/TLS Certificate, you should now see your certificate selected. If so, click Save.

The certificate will now get applied; this can take 1-2 minutes. Your browser may keep showing the old self-signed certificate for a while, so open a fresh tab or clear the browser cache before you judge the result.

Where to use it in vSphere with Tanzu

Having valid certificates is generally a good idea, and not only if you are using Kubernetes. But if you happen to use your AVI instance for vSphere with Tanzu, you need this certificate at step 5 (Load Balancer) of the Supervisor Cluster wizard, where the wizard asks for the AVI Controller certificate.

By the way, Tanzu Kubernetes Grid has a wizard with very similar requirements.
