How to:
Generate self-signed certificate on Versa Director(s).
* Prerequisite: VD and Analytics should be on the same VOS release
Tested VOS release 22.1.4
Step: 1 > Take a backup of current certificates and keystores present on VD (Best Practice)
cd /var/versa/vnms/data/
sudo tar -cvzf /var/tmp/vd-cert-bkup.tgz certs/ #To create an archive of certs directory
ls -la /var/tmp/ #To verify if the archive is created
Step: 2 > Remove all files present in certs directory
cd /var/versa/vnms/data/certs/
ls -la
sudo rm -rf *
ls -la #To verify all files are removed
Step: 3 > Generate Certificate
su - versa
versa@vd-lab:~$ cd /opt/versa/vnms/scripts/
versa@vd-lab:.../vnms/scripts$ ./vnms-certgen.sh --cn <Director1 Host Name> --overwrite --storepass versa123 --san <Director1 Host Name>,DNS:<Director2 Host Name>
=> Generating certificate for domain: vd-lab
=> Generating ca_config.cnf
=> Generated CA key and CA cert files
=> Generating SSO certificates
=> Generating websockify certificates
=> Generating Kafka certificates
=> Saving storepass and keypass
ls -la /var/versa/vnms/data/certs/ #To verify new cert files are added
Step: 4 > Verify Certificate (check Validity, Issuer and SAN)
versa@vd-lab:.../vnms/scripts$ openssl x509 -inform der -in /var/versa/vnms/data/certs/versa_director_client.cer -text
Example Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=vd-lab, O=versa-networks, OU=VersaDirector, C=US, ST=California, L=Santa Clara
Validity
Not Before: Mar 12 09:12:34 2025 GMT
Not After : Jun 15 09:12:34 2027 GMT
Subject: C=US, ST=California, O=versa-networks, OU=VersaDirector, CN=vd-lab
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
45:43:D9:E3:33:1D:59:20:70:E4:0B:19:56:BF:BF:FF:11:F8:02:F6
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Alternative Name:
DNS:vd-lab, DNS:vd2-lab, DNS:vd-lab
Signature Algorithm: sha256WithRSAEncryption
Step: 5 (optional) > Verify Certificate (check Validity, Issuer and SAN) on the secondary Director if the VDs are in HA
This confirms that the certificates are in sync between both Versa Directors
versa@vd2-lab:.../vnms/scripts$ openssl x509 -inform der -in /var/versa/vnms/data/certs/versa_director_client.cer -text
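The checks in Steps 4 and 5 can be scripted instead of read by eye from the -text output. The following is an added example, not part of the original KB or Versa's tooling; the helper names check_cert and cert_fp and the 30-day threshold are assumptions, and only standard openssl x509 options are used.

```shell
#!/bin/sh
# Added example: scripted version of the manual checks in Steps 4 and 5.
# check_cert and cert_fp are hypothetical helper names, not Versa tooling.

# check_cert FILE MIN_DAYS HOST...
# Returns 0 only if the DER certificate parses, stays valid for at least
# MIN_DAYS more days, and lists every HOST as a DNS entry in its SAN.
check_cert() {
    cert=$1; min_days=$2; shift 2
    text=$(openssl x509 -inform der -in "$cert" -noout -text 2>/dev/null) || {
        echo "FAIL: cannot parse $cert as a DER certificate"; return 2; }
    rc=0
    # -checkend N exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -inform der -in "$cert" -noout \
            -checkend $((min_days * 86400)) >/dev/null; then
        echo "FAIL: $cert expires within $min_days days"; rc=1
    fi
    # The SAN values are on the line after the extension header in -text output.
    sans=$(printf '%s\n' "$text" |
        awk '/Subject Alternative Name/ { getline; print; exit }' | tr -d ' ')
    for host in "$@"; do
        # Comma delimiters force an exact match, so "vd" does not match "vd-lab".
        case ",$sans," in
            *",DNS:$host,"*) ;;
            *) echo "FAIL: SAN has no DNS:$host entry"; rc=1 ;;
        esac
    done
    # Show the fields Step 4 asks the operator to review.
    printf '%s\n' "$text" | grep -E 'Issuer:|Not (Before|After)' | sed 's/^ *//'
    return $rc
}

# cert_fp FILE
# Prints the SHA-256 fingerprint; run on both Directors in HA and compare.
cert_fp() {
    openssl x509 -inform der -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Usage on a Director (path from this KB; host names and 30 days are examples):
#   check_cert /var/versa/vnms/data/certs/versa_director_client.cer 30 vd-lab vd2-lab
#   cert_fp /var/versa/vnms/data/certs/versa_director_client.cer
```

Identical cert_fp output on both Directors confirms the certificate files are in sync; a non-zero return from check_cert means the certificate should not be put into service as generated.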
Step: 6 > Perform a restart on both Directors in HA (*Required)
vsh restart
Step: 7 > Certificate Synchronization
Last step is to synchronize certificates between VD and Analytics.
Please follow steps for Certificate Synchronization from this KB > director-certificate-syncing-with-versa-analytics
Step: 8 (optional) > Generating Analytics Certificates
If the Analytics self-signed certificate has expired, you can also generate new Analytics certificates
su - versa
cd /opt/versa/var/van-app/
ls -lrth #To list all files
sudo tar -cvzf /var/tmp/Analytics-cert-bkup.tgz certificates/ #To create an archive of certificates directory as backup
ls -la /var/tmp/ #To verify if the archive is created
rm -rf versa-analytics-client.crt #To remove Analytics old certificate
rm -rf versa-analytics-client.cer #To remove Analytics old certificate
cd /opt/versa/scripts/van-scripts/
sudo ./van-cert-install.sh #To generate analytics certificates
Step: 9 > Revoke/Register VD from Analytics GUI
Login to Analytics node GUI
Admin > Configuration > Authentication > Versa Directors > Revoke and Register
Analytics should be accessible from VD now
#####################################################################
* In case any issue arises after following the steps, please reach out to Versa TAC.