Generating and Installing SSL certificates on Nutanix Cluster
A Secure Sockets Layer (SSL) certificate enables encrypted communication between a web server and clients through an HTTPS connection. Installing an SSL certificate on your Nutanix cluster allows you to secure communications to the Nutanix web console and Prism Central. An SSL certificate verifies the identity of the web server and encrypts all traffic to prevent eavesdropping and data theft.
By the end of this article, you will know how to install, configure, and manage SSL certificates on a Nutanix cluster for secure web communications.
Checking Certificate Requirements
Nutanix has the following requirements for installing and binding SSL certificates:
- Certificate file format must be X.509 PEM-encoded (Base64 ASCII format).
- The common name (CN) field must match the fully qualified domain name (FQDN) of your Nutanix cluster.
- Key length must be at least 2048 bits for the RSA algorithm.
- Signature algorithm must be SHA256 or above.
- Supported hash algorithms are SHA-256, SHA-384, and SHA-512.
The SSL certificate must include all required intermediate certificates from the issuing CA to complete the certificate chain.
You can check existing certificate files by opening them in a text editor and confirming that they meet these requirements. If you don’t have an SSL certificate yet, you’ll need to generate a Certificate Signing Request (CSR) to obtain one that’s compatible with Nutanix.
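Reading the file in a text editor shows you the PEM armour but not the key length or signature algorithm. As an added example (not part of the original article or of Nutanix’s tooling), the following POSIX shell script checks a PEM certificate against the requirements above with the openssl command-line tool, which it assumes is installed; the function name and the FQDN prism.example.com are placeholders chosen here. It generates a throwaway self-signed certificate only to exercise the checks; point it at your CA-issued file and the real Prism Central FQDN instead.

```sh
#!/bin/sh
# Added example (not from the article or Nutanix): check a PEM certificate
# against the requirements listed above with the openssl command-line tool.
# Assumes openssl is installed; the function name and the FQDN
# prism.example.com are placeholders chosen for this example.
# Usage: check_cert_requirements CERT.pem EXPECTED_FQDN

check_cert_requirements() {
    cert="$1"
    fqdn="$2"
    status=0

    # Requirement: X.509 in PEM (Base64 ASCII) encoding. A DER or PKCS#12
    # file has no "BEGIN CERTIFICATE" armour and is rejected here.
    if ! grep -q 'BEGIN CERTIFICATE' "$cert" 2>/dev/null; then
        echo "FAIL: $cert is not a PEM-encoded certificate"
        return 1
    fi
    text=$(openssl x509 -in "$cert" -noout -text) || {
        echo "FAIL: openssl could not parse $cert"
        return 1
    }

    # Requirement: the Common Name must match the Prism Central FQDN.
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
         | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    if [ "$cn" = "$fqdn" ]; then
        echo "ok  : CN '$cn' matches $fqdn"
    else
        echo "FAIL: CN '$cn' does not match $fqdn"
        status=1
    fi

    # Requirement: RSA key length of at least 2048 bits.
    bits=$(printf '%s\n' "$text" \
           | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    if [ -n "$bits" ] && [ "$bits" -ge 2048 ]; then
        echo "ok  : key length $bits bits"
    else
        echo "FAIL: key length '${bits:-unknown}' is below 2048 bits"
        status=1
    fi

    # Requirement: SHA-256, SHA-384 or SHA-512 signature; SHA-1 or MD5 fails.
    sigalg=$(printf '%s\n' "$text" \
             | sed -n 's/^ *Signature Algorithm: //p' | head -n 1)
    case "$sigalg" in
        *[sS][hH][aA]256*|*[sS][hH][aA]384*|*[sS][hH][aA]512*)
            echo "ok  : signature algorithm $sigalg" ;;
        *)
            echo "FAIL: signature algorithm '$sigalg' is weaker than SHA-256"
            status=1 ;;
    esac
    return "$status"
}

# Stand-alone demo on a constructed self-signed certificate (a real Nutanix
# certificate comes from your CA; this one only exercises the checks).
demo_dir=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=prism.example.com" \
    -keyout "$demo_dir/key.pem" -out "$demo_dir/cert.pem" >/dev/null 2>&1
check_cert_requirements "$demo_dir/cert.pem" prism.example.com
check_cert_requirements "$demo_dir/cert.pem" wrong.example.com \
    || echo "(expected: CN does not match the requested FQDN)"
rm -rf "$demo_dir"
```

The function returns non-zero on any failed requirement, so it can gate a renewal pipeline. It checks only the Common Name that the requirements list; a certificate covering several hostnames also carries a Subject Alternative Name extension, which this script does not inspect.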
A Step-by-Step Guide to Install SSL Certificate on Nutanix Cluster
Generating a Certificate Signing Request (CSR)
The SSL certificate carries the public key of a key pair, so the first step is to generate that key pair on the cluster. Prism Central does this when it creates a CSR: the private key stays on the cluster and the public key goes into the CSR.
Follow these steps to generate a CSR on Nutanix Prism Central:
- Log in to your Nutanix cluster web UI and navigate to the Prism Central UI. Click the gear icon ⚙️ to open the configuration settings.
- Select the “SSL Certificate” option from the left menu.
- Click the “+ Generate CSR” button.
- Enter the following details in the Generate Certificate Signing Request window:
  - Name – a descriptive name for the request
  - Country Name (2 letters)
  - State or Province
  - Locality
  - Organization Name
  - Organization Unit
  - Common Name – the Prism Central FQDN of the cluster
  - Email Address
  - Key Length – 2048 or higher
- Click “Generate” to create the CSR and private key pair.
- Once generated, click “Download” to download the text-encoded CSR file containing the public key.
You now have a CSR file to submit to a Certificate Authority (CA).
Submitting the CSR and Obtaining an SSL Certificate
Now that you’ve generated a CSR, it’s time to submit this to a CA to obtain your signed SSL certificate.
You’ll need to purchase an SSL certificate product, such as a “Unified Communications” certificate with 1 or 2 years of validity, from one of these popular CAs:
- DigiCert
- GlobalSign
- Comodo
- GoDaddy
- Let’s Encrypt (free)
Typically, you upload the text-based CSR during the SSL certificate enrolment process on the CA’s website while placing your order.
As part of validating the domain ownership and company identity, the CA will require you to modify a DNS record or upload an authorization file to your server. Complete these domain validation steps to proceed with obtaining your signed certificate.
Within a few minutes to 2 days, the CA will email you a zip file with your validated SSL certificate. This zipped bundle contains a few certificate files:
- Your primary domain certificate (your signed public key).
- Intermediate certificate 1
- Intermediate certificate 2
- Root certificate of the CA
You need to combine some of these certificate files before importing into Nutanix.
Importing the SSL Certificate to Nutanix
To add the new SSL certificate to your Nutanix cluster, follow these steps:
- Extract and open the SSL certificate zip file your CA provided. It contains several certificates in text (PEM) format.
- Copy the text contents of the root certificate file, the intermediate certificate 1 file, and your primary SSL certificate file into one text file, in that specific order, one below the other. Save this combined text file with a name like “mydomain_combo_cert.pem”.
- Log in to your Nutanix Prism Central and navigate to the SSL Certificate management section. Click the “+ Import Certificate” button.
- Select the combined certificate text file you created and click Open.
- Enter the private key that matches the certificate, i.e. the one generated on the Nutanix cluster together with the CSR.
- Click the blue “Import Certificate” button to install the SSL certificate to your Nutanix cluster.
The certificate and chain should now be successfully imported to your Nutanix environment. But one last step remains — configuring Prism Central to use the SSL certificate for HTTPS traffic.
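Two mistakes surface only after the upload: an incomplete chain and a private key that does not belong to the certificate. Here is an added shell example, not the article’s or Nutanix’s own code, that catches both beforehand: it assembles the combined file in the order given above, verifies the chain with openssl verify, and compares the certificate’s public key with the one derived from the private key. It assumes the openssl command-line tool is installed; the function names and prism.example.com are placeholders, and the three-level test PKI it builds is constructed only so the script runs offline.

```sh
#!/bin/sh
# Added example (not from the article or Nutanix): build the combined PEM
# file in the order the steps above give (root, intermediate, primary) and
# check, before importing, that the primary certificate really chains to
# the root through the intermediate and that the private key belongs to it.
# Assumes the openssl command-line tool is installed; the function names
# and prism.example.com are placeholders chosen for this example.

# Concatenate the three files in the stated order, after checking that each
# holds exactly one PEM certificate block.
build_combined_cert() {
    root="$1"; inter="$2"; primary="$3"; out="$4"
    for f in "$root" "$inter" "$primary"; do
        [ -f "$f" ] || { echo "FAIL: $f not found"; return 1; }
        n=$(grep -c 'BEGIN CERTIFICATE' "$f" || true)
        [ "$n" -eq 1 ] || { echo "FAIL: $f holds $n certificate blocks, expected 1"; return 1; }
    done
    cat "$root" "$inter" "$primary" > "$out"
    echo "wrote $out ($(grep -c 'BEGIN CERTIFICATE' "$out") certificates)"
}

# Walk the chain the way a browser will: root as trust anchor, intermediate
# as untrusted link. Without the intermediate, openssl reports "unable to
# get local issuer certificate", the symptom the troubleshooting advice on
# this page describes.
verify_chain() {
    root="$1"; inter="$2"; primary="$3"
    if [ -n "$inter" ]; then
        openssl verify -CAfile "$root" -untrusted "$inter" "$primary"
    else
        openssl verify -CAfile "$root" "$primary"
    fi
}

# The public key in the certificate must equal the one derived from the
# private key generated with the CSR, or the import will be rejected.
key_matches_cert() {
    key="$1"; cert="$2"
    [ "$(openssl pkey -in "$key" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)" ]
}

# Constructed three-level test PKI so the functions run offline; a real
# deployment uses the files from the issuing CA instead.
make_test_pki() {
    d="$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:prism.example.com\n' > "$d/leaf.ext"
    # Three keys and CSRs: root, intermediate, and the Prism Central leaf.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Test Root" \
        -keyout "$d/root.key" -out "$d/root.csr" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Test Intermediate" \
        -keyout "$d/inter.key" -out "$d/inter.csr" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=prism.example.com" \
        -keyout "$d/primary.key" -out "$d/primary.csr" >/dev/null 2>&1
    # Self-signed root, intermediate signed by root, leaf signed by intermediate.
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 -sha256 \
        -extfile "$d/ca.ext" -out "$d/root.pem" >/dev/null 2>&1
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -days 2 -sha256 -extfile "$d/ca.ext" -out "$d/inter.pem" >/dev/null 2>&1
    openssl x509 -req -in "$d/primary.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" -CAcreateserial \
        -days 1 -sha256 -extfile "$d/leaf.ext" -out "$d/primary.pem" >/dev/null 2>&1
}

# Demo: build the combined file, verify the chain with and without the
# intermediate, and confirm the key matches the primary certificate.
demo_dir=$(mktemp -d)
make_test_pki "$demo_dir"
build_combined_cert "$demo_dir/root.pem" "$demo_dir/inter.pem" "$demo_dir/primary.pem" \
    "$demo_dir/mydomain_combo_cert.pem"
verify_chain "$demo_dir/root.pem" "$demo_dir/inter.pem" "$demo_dir/primary.pem"
verify_chain "$demo_dir/root.pem" "" "$demo_dir/primary.pem" \
    || echo "(expected: chain is incomplete without the intermediate)"
key_matches_cert "$demo_dir/primary.key" "$demo_dir/primary.pem" \
    && echo "private key matches the primary certificate"
rm -rf "$demo_dir"
```

Run verify_chain against the files you received from your CA before you build the combined file; if it fails, the bundle is missing an intermediate and the import will produce exactly the validation errors described later in this article.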
Configuring Prism Central for the SSL Certificate
To configure Nutanix’s management UI to leverage your trusted new SSL certificate:
- Within Prism Central, click on the gear icon ⚙️ > SSL Certificate
- Select your recently imported domain certificate from the list to open the Configure SSL window.
- Enable the option “Apply this certificate to Prism Central?”
- Select whether to redirect or not redirect HTTP traffic to HTTPS in the Connection Security section. Redirect is recommended for security best practices.
- Click the blue Apply button to save the SSL configuration.
Your Nutanix Prism Central web UI will now restart and serve an encrypted HTTPS connection, using the trusted SSL certificate, to every client browser that accesses the interface. API calls to Prism Central also use the certificate you bound.
The first line enables SSL for this virtual host. The next lines specify the paths to the certificate, private key and CA bundle you uploaded earlier.
Testing the SSL Certificate
It’s important to verify that everything works after installing an SSL certificate on Nutanix.
Follow these best practices to test your Nutanix SSL certificate:
- Open a web browser to https://your_prism_central_FQDN and check that there are no certificate errors. Verify that you see the green padlock icon indicating a trusted, secured connection.
- Click the lock and inspect the certificate details like validity dates and common name to match your imported certificate.
- Test logging into Prism Central and accessing other secure pages to ensure no certificate issues.
- Run the openssl s_client command against the Prism HTTPS port (9440) to inspect the certificate and chain the server presents:
openssl s_client -showcerts -connect your_prism_central_fqdn:9440
- Try an API call from Postman and check there are no SSL-related errors.
If certificate validation errors occur, you may need to import missing intermediate certificates or check the certificate chain configuration in the Nutanix UI.
Renewing an SSL Certificate
SSL certificates have an expiration date set by the Certificate Authority, typically valid for 1-2 years. You’ll need to renew and replace the certificate periodically.
The process involves:
- Generating a fresh CSR when your current certificate nears expiration.
- Obtaining an updated certificate from the CA using the new CSR.
- Importing the renewed certificate to Nutanix.
- Binding the new certificate to Prism Central to maintain continuous SSL protection.
Be sure to consult the CA’s documentation for details on renewing certificates they previously issued.
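Renewal only works if you notice the expiry coming. As an added example (not from the article or Nutanix), the following shell function uses openssl x509 -checkend to report how much validity a PEM certificate has left, so the renewal steps above can be started on a schedule rather than after browsers start warning. It assumes the openssl command-line tool is installed; the function name and the thresholds are choices made for this example, and the two self-signed certificates it generates are constructed only for the demonstration.

```sh
#!/bin/sh
# Added example (not from the article or Nutanix): report how close a PEM
# certificate is to expiry with openssl's -checkend, so the renewal steps
# (new CSR, new certificate, import, re-bind) can be scheduled in time.
# Assumes the openssl command-line tool is installed; the function name and
# thresholds are choices made for this example.
# Usage: cert_renewal_status CERT.pem [MIN_DAYS]
# Returns 0 when at least MIN_DAYS (default 30) of validity remain.

cert_renewal_status() {
    cert="$1"
    min_days="${2:-30}"
    not_after=$(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)

    # -checkend N succeeds only if the certificate is still valid N seconds
    # from now, so the smallest threshold that fails bounds the time left.
    remaining="more than 90 days remaining"
    for threshold in 90 60 30 14 7 1; do
        if ! openssl x509 -in "$cert" -noout -checkend $((threshold * 86400)) >/dev/null 2>&1; then
            remaining="less than $threshold day(s) remaining"
        fi
    done
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        remaining="already expired"
    fi
    echo "$cert: $remaining (notAfter=$not_after)"

    # The exit status drives the renewal decision (0 = still comfortable).
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null 2>&1
}

# Demo with two constructed self-signed certificates: one expiring within a
# day, one with a year left. Replace with the certificate exported from
# Prism Central to monitor the real cluster.
demo_dir=$(mktemp -d)
for days in 1 365; do
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -subj "/CN=prism.example.com" \
        -keyout "$demo_dir/key$days.pem" -out "$demo_dir/cert$days.pem" >/dev/null 2>&1
    cert_renewal_status "$demo_dir/cert$days.pem" 30 || echo "  -> start the renewal process now"
done
rm -rf "$demo_dir"
```

Because the function communicates through its exit status, it drops straight into a cron job or monitoring check: a non-zero result is the signal to generate the fresh CSR described above.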
Conclusion on Install SSL Certificate on Nutanix Cluster
Installing a valid SSL certificate on your Nutanix infrastructure allows you to encrypt communications to Prism Central and verify the identity of your web server. This prevents unauthorized access to data through a man-in-the-middle attack and secures browser sessions between users and your private cloud environment. By generating a certificate signing request, obtaining the SSL certificate from a trusted certificate authority, importing it properly into Nutanix, and correctly configuring Prism Central, you can deploy vital SSL protection across your Nutanix cluster. Just remember to renew the Nutanix certificates before they expire to stay secure.
FAQs on Install SSL Certificate on Nutanix Cluster
Here are some commonly asked questions about installing SSL certificates on Nutanix:
What is the difference between a public key, private key, and SSL certificate?
A public key can be shared openly and is used to encrypt data sent to the server. The private key is kept secret on the server and decrypts data that was encrypted with the public key. An SSL certificate contains the public key together with organizational identity details validated by the Certificate Authority that issues it.
What CN name should be used when generating the CSR for Nutanix?
The Common Name (CN) entered in the Nutanix CSR generation form should match the fully qualified domain name (FQDN) used to access Prism Central. This ensures proper mapping between the certificate and your Nutanix domain name.
Can I use an intermediate certificate from another certificate vendor?
No, you cannot mix and match root and intermediate certificates from different Certificate Authorities when combining certificates for Nutanix. You must use the intermediates provided by the CA that issued the primary SSL certificate for your domain.
What is the process to renew Nutanix SSL certificates?
To renew Nutanix certificates that are nearing expiration: generate a new certificate signing request (CSR), submit it to the issuing Certificate Authority (CA) for signing, obtain the updated SSL certificate files from the CA, import the new certificate chain into Nutanix, and bind the renewed certificate to Prism Central so the SSL connection continues without disruption.
How can I validate an SSL certificate is working on my Nutanix cluster?
Check for certificate errors in your browser when accessing Prism Central over HTTPS, inspect the green padlock certificate indicators, use the OpenSSL s_client command to validate certificate details on the command line interface, and attempt API calls that rely on the certificate for validation.
What should I do if Prism Central shows certificate validation problems after importing an SSL certificate?
If you receive certificate errors after importing SSL certificates to Nutanix, check that you combined the certificates properly in the correct order. Likely an intermediate CA certificate is missing in the chain. Re-export the full certificate bundle from the issuing Certificate Authority and re-import it.
Can I use self-signed certificates instead of CA signed ones on Nutanix?
Nutanix requires certificates signed by a Certificate Authority for trust and security. Browsers show privacy errors for self-signed certificates. Use CA-signed certificates, issued from your CSR by CAs such as DigiCert or Comodo, when deploying SSL certificates on Nutanix clusters.