How to:

Generate a self-signed certificate on Versa Director(s).

 

* Prerequisite: VD and Analytics should be on the same VOS release

Tested on VOS release 22.1.4

 

Step: 1 > Back up the current certificates and keystores present on the VD (best practice)

cd /var/versa/vnms/data/

sudo tar -cvzf /var/tmp/vd-cert-bkup.tgz certs/        #To create an archive of certs directory

ls -la /var/tmp/                                  #To verify if the archive is created

 

Step: 2 > Remove all files present in the certs directory

cd /var/versa/vnms/data/certs/

ls -la

sudo rm -rf *

ls -la                                          #To verify all files are removed

 

Step: 3 > Generate Certificate

su - versa

versa@vd-lab:~$ cd /opt/versa/vnms/scripts/

versa@vd-lab:.../vnms/scripts$ ./vnms-certgen.sh --cn <Director1 Host Name> --overwrite --storepass versa123 --san <Director1 Host Name>,DNS:<Director2 Host Name>

 

 => Generating certificate for domain: vd-lab

 => Generating ca_config.cnf

 => Generated CA key and CA cert files

 => Generating SSO certificates

 => Generating websockify certificates

 => Generating Kafka certificates

 => Saving storepass and keypass

 

ls -la /var/versa/vnms/data/certs/                   #To verify new cert files are added

 

Step: 4 > Verify Certificate (check Validity, Issuer and SAN)

versa@vd-lab:.../vnms/scripts$ openssl x509 -inform der -in /var/versa/vnms/data/certs/versa_director_client.cer -text

 

Example Certificate:

  Data:

    Version: 3 (0x2)

    Serial Number: 1 (0x1)

  Signature Algorithm: sha256WithRSAEncryption

     Issuer: CN=vd-lab, O=versa-networks, OU=VersaDirector, C=US, ST=California, L=Santa Clara

    Validity

      Not Before: Mar 12 09:12:34 2025 GMT

      Not After : Jun 15 09:12:34 2027 GMT

    Subject: C=US, ST=California, O=versa-networks, OU=VersaDirector, CN=vd-lab

    Subject Public Key Info:

      Public Key Algorithm: rsaEncryption

        Public-Key: (2048 bit)

        Exponent: 65537 (0x10001)

    X509v3 extensions:

      X509v3 Subject Key Identifier:

        45:43:D9:E3:33:1D:59:20:70:E4:0B:19:56:BF:BF:FF:11:F8:02:F6

      X509v3 Basic Constraints:

        CA:FALSE

      X509v3 Subject Alternative Name:

        DNS:vd-lab, DNS:vd2-lab, DNS:vd-lab

  Signature Algorithm: sha256WithRSAEncryption

 

Step: 5 (optional) > Verify Certificate (check Validity, Issuer and SAN) on the secondary Director if the VDs are in HA

This confirms that the certificates are synchronized between both Versa Directors.

versa@vd2-lab:.../vnms/scripts$ openssl x509 -inform der -in /var/versa/vnms/data/certs/versa_director_client.cer -text
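
The checks from Steps 4 and 5 as a script. This is an added example, not part of the original KB or of Versa's tooling. It assumes the certificate path shown above and that the operator passes in the expected Director hostnames; the function names and the 30-day threshold are illustrative.

```shell
#!/bin/sh
# Added example (not Versa tooling): scripted checks for Steps 4 and 5.
# The path is the one used on this page; hostnames are supplied by the operator.
CERT_DEFAULT=/var/versa/vnms/data/certs/versa_director_client.cer

# Print the SAN DNS names of a DER-encoded certificate, one per line.
cert_sans() {
    openssl x509 -inform der -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; print }' |
        tr ',' '\n' | sed -n 's/^ *DNS:\([^ ]*\) *$/\1/p'
}

# Print the SHA-256 fingerprint. The same value on both Directors means the
# HA pair holds the same certificate (Step 5).
cert_fingerprint() {
    openssl x509 -inform der -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# check_cert FILE MIN_DAYS HOST...
# Returns 0 only if the certificate remains valid for MIN_DAYS more days
# and every HOST is present in the SAN list.
check_cert() {
    cert=$1; min_days=$2; shift 2
    rc=0
    if ! openssl x509 -inform der -in "$cert" -noout \
            -checkend $((min_days * 86400)) >/dev/null; then
        echo "FAIL: $cert expires within $min_days days" >&2
        rc=1
    fi
    sans=$(cert_sans "$cert")
    for host in "$@"; do
        if ! printf '%s\n' "$sans" | grep -qxF "$host"; then
            echo "FAIL: $host missing from SAN" >&2
            rc=1
        fi
    done
    return $rc
}

# With hostnames as arguments, check the Director certificate and print its
# fingerprint, e.g.:  sh check-cert.sh vd-lab vd2-lab
if [ "$#" -gt 0 ]; then
    check_cert "$CERT_DEFAULT" 30 "$@" && cert_fingerprint "$CERT_DEFAULT"
fi
```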

 

Step: 6 > Perform a restart on both Directors in HA (*Required)

vsh restart

 

Step: 7 > Certificate Synchronization

The last step is to synchronize certificates between the VD and Analytics.

Follow the Certificate Synchronization steps in this KB > director-certificate-syncing-with-versa-analytics

 

Step: 8 (optional) > Generating Analytics Certificates

If the Analytics self-signed certificate has expired, you can also generate new Analytics certificates.

 

su - versa

cd /opt/versa/var/van-app/

ls -lrth                                            #To list all files

 

sudo tar -cvzf /var/tmp/Analytics-cert-bkup.tgz certificates/  #To create an archive of certificates directory as backup

ls -la /var/tmp/                                     #To verify if the archive is created

 

rm -rf versa-analytics-client.crt                          #To remove the old Analytics certificate

rm -rf versa-analytics-client.cer                        #To remove the old Analytics certificate

 

cd /opt/versa/scripts/van-scripts/

sudo ./van-cert-install.sh                             #To generate analytics certificates

 

Step: 9 > Revoke/Register VD from Analytics GUI

Log in to the Analytics node GUI

Admin > Configuration > Authentication > Versa Directors > Revoke and Register

 

 

Analytics should now be accessible from the VD.

 

#####################################################################

* In case any issue arises after following the steps, please reach out to Versa TAC.