How to:


Generate a self-signed certificate on Versa Director(s).


* Prerequisite: VD and Analytics should be on the same VOS release

Tested on VOS release 22.1.4



Step: 1 > Take a backup of current certificates and keystores present on VD (Best Practice)


cd /var/versa/vnms/data/

sudo tar -cvzf /var/tmp/vd-cert-bkup.tgz certs/  # To create an archive of the certs directory

ls -la /var/tmp/  # To verify that the archive was created



Step: 2 > Remove all files present in certs directory


cd /var/versa/vnms/data/certs/

ls -la

sudo rm -rf *

ls -la  # To verify all files are removed



Step: 3 > Generate Certificate


su - versa

versa@vd-lab:~$ cd /opt/versa/vnms/scripts/

versa@vd-lab:.../vnms/scripts$ ./vnms-certgen.sh --cn <Director1 Host Name> --overwrite --storepass versa123 --san <Director1 Host Name>,DNS:<Director2 Host Name>


 => Generating certificate for domain: vd-lab

 => Generating ca_config.cnf

 => Generated CA key and CA cert files

 => Generating SSO certificates

 => Generating websockify certificates

 => Generating Kafka certificates

 => Saving storepass and keypass


ls -la /var/versa/vnms/data/certs/  # To verify new cert files are added



Step: 4 > Verify Certificate (check Validity, Issuer and SAN)


versa@vd-lab:.../vnms/scripts$ openssl x509 -inform der -in /var/versa/vnms/data/certs/versa_director_client.cer -text


Example Certificate:

    Data:

        Version: 3 (0x2)

        Serial Number: 1 (0x1)

    Signature Algorithm: sha256WithRSAEncryption

        Issuer: CN=vd-lab, O=versa-networks, OU=VersaDirector, C=US, ST=California, L=Santa Clara

        Validity

            Not Before: Mar 12 09:12:34 2025 GMT

            Not After : Jun 15 09:12:34 2027 GMT

        Subject: C=US, ST=California, O=versa-networks, OU=VersaDirector, CN=vd-lab

        Subject Public Key Info:

            Public Key Algorithm: rsaEncryption

                Public-Key: (2048 bit)

                Exponent: 65537 (0x10001)

        X509v3 extensions:

            X509v3 Subject Key Identifier:

                45:43:D9:E3:33:1D:59:20:70:E4:0B:19:56:BF:BF:FF:11:F8:02:F6

            X509v3 Basic Constraints:

                CA:FALSE

            X509v3 Subject Alternative Name:

                DNS:vd-lab, DNS:vd2-lab, DNS:vd-lab

    Signature Algorithm: sha256WithRSAEncryption




Step: 5 (optional) > Verify Certificate (check Validity, Issuer and SAN) on the secondary Director if the VDs are in HA


This confirms that the certificates are synchronized between both Versa Directors.

versa@vd2-lab:.../vnms/scripts$ openssl x509 -inform der -in /var/versa/vnms/data/certs/versa_director_client.cer -text
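
The checks from Steps 4 and 5 as a script, added here as an example and not part of the original article or of Versa's tooling: it pulls the issuer CN and SAN entries out of the openssl text output, reports any Director host name missing from the SAN, and prints a SHA-256 fingerprint to compare between the two Directors. The function names are assumptions of this example, and the embedded sample is an excerpt of the example output shown in Step 4.

```shell
#!/bin/sh
# Added example (not Versa tooling): checks on `openssl x509 -text` output.

# Excerpt of the example certificate output shown on this page.
SAMPLE_TEXT='        Issuer: CN=vd-lab, O=versa-networks, OU=VersaDirector, C=US, ST=California, L=Santa Clara
            Not After : Jun 15 09:12:34 2027 GMT
        Subject: C=US, ST=California, O=versa-networks, OU=VersaDirector, CN=vd-lab
            X509v3 Subject Alternative Name:
                DNS:vd-lab, DNS:vd2-lab, DNS:vd-lab'

# Print the CN from the Issuer or Subject line ($1); reads cert text on stdin.
cn_of() {
    sed -n "s/^ *$1:.*CN *= *\([^,]*\).*/\1/p"
}

# Print the unique DNS names in the SAN extension, one per line.
san_names() {
    awk '/X509v3 Subject Alternative Name/ { getline; print; exit }' |
        tr ',' '\n' | sed -n 's/^ *DNS://p' | LC_ALL=C sort -u
}

# Print every expected host name ($@) that the SAN does not list.
missing_sans() {
    names=$(san_names)
    for host in "$@"; do
        printf '%s\n' "$names" | grep -qxF -- "$host" || printf '%s\n' "$host"
    done
}

# Run on a Director, passing both Director host names as arguments.
check_director_cert() {
    cert=/var/versa/vnms/data/certs/versa_director_client.cer
    text=$(openssl x509 -inform der -in "$cert" -noout -text) || return 2
    openssl x509 -inform der -in "$cert" -noout -checkend 0 >/dev/null ||
        { echo "FAIL: certificate has expired"; return 1; }
    echo "Issuer CN: $(printf '%s\n' "$text" | cn_of Issuer)"
    missing=$(printf '%s\n' "$text" | missing_sans "$@")
    [ -z "$missing" ] || { echo "FAIL: SAN is missing: $missing"; return 1; }
    # Compare this line between the two Directors to confirm they hold the same cert.
    openssl x509 -inform der -in "$cert" -noout -fingerprint -sha256
}

# Demonstration on the embedded sample: prints the SAN names it contains.
printf '%s\n' "$SAMPLE_TEXT" | san_names
```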



Step: 6 > Perform a restart on both Directors in HA (*Required)


vsh restart



Step: 7 > Certificate Synchronization


The last step is to synchronize certificates between VD and Analytics.

Follow the Certificate Synchronization steps in this KB > director-certificate-syncing-with-versa-analytics



Step: 8 (optional) > Generating Analytics Certificates


If the Analytics self-signed certificate has expired, you can also generate new Analytics certificates.


su - versa

cd /opt/versa/var/van-app/

ls -lrth  # To list all files


sudo tar -cvzf /var/tmp/Analytics-cert-bkup.tgz certificates/  # To create an archive of the certificates directory as a backup

ls -la /var/tmp/  # To verify that the archive was created


rm -rf versa-analytics-client.crt  # To remove the old Analytics certificate

rm -rf versa-analytics-client.cer  # To remove the old Analytics certificate


cd /opt/versa/scripts/van-scripts/

sudo ./van-cert-install.sh  # To generate Analytics certificates



Step: 9 > Revoke/Register VD from Analytics GUI


Log in to the Analytics node GUI

Admin > Configuration > Authentication > Versa Directors > Revoke and Register




Analytics should now be accessible from VD.




#####################################################################

* In case any issue arises after following the steps, please reach out to Versa TAC.