Earlier this week I helped a client who asked me about applying certificates to NSX Managers. After helping out I realized that for years I hated dealing with certificates, and now I'm, like, indifferent to replacing them when needed.

This blog post is for every person who hates certificate management 🙂

Tip #1 – Make sure the certificates are encoded in base 64

It's almost 2025 and systems still seem to be picky as hell when it comes to certificate management. I honestly expected things to get better in this regard more than a decade ago, when I spun up my first servers and realized that you get an insecure icon if you don't apply certificates… well, I was wrong – different certificate formats are still a thing…

Tip #2 – Make sure you have the whole certificate chain

Sometimes when requesting a certificate to be signed, you'll get only the machine certificate. If this happens to you, just take a deep breath and ask for the full certificate chain.
If you're feeling like tinkering, you can get the full chain from any generic web service that was signed by the same CA and Frankenstein a bundle together using the machine certificate you got plus the root and intermediate certificates…
Pros – you're the one doing it.
Cons – you're the one doing it.
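Tips #1 and #2 in code, as an added example that is not from the original post: it normalizes a certificate (binary DER or a PEM bundle) to the base64 PEM form, and checks that a leaf-first chain links issuer to subject all the way up to a self-signed root, which is the quickest way to catch a missing intermediate before uploading. Only the standard library is used, and the sample chain at the bottom is a constructed stand-in, not real certificates; the DER walker is this example's own and reads only the issuer and subject fields.

```python
import base64, re, ssl

_PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length (real certs need this)
        n, pos = ln & 0x7F, pos + (ln & 0x7F)
        ln = int.from_bytes(buf[pos - n:pos], "big")
    return tag, buf[pos:pos + ln], pos + ln

def names(der):
    """Return (issuer, subject) as the raw DER Name bytes of one certificate."""
    tbs = _tlv(_tlv(der)[1])[1]                     # Certificate -> tbsCertificate
    fields, pos = [], 0
    while pos < len(tbs):
        tag, val, pos = _tlv(tbs, pos)
        fields.append((tag, val))
    if fields[0][0] == 0xA0:                        # optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[2][1], fields[4][1]               # serial, sigAlg, issuer, validity, subject

def load_bundle(data):
    """Accept a PEM bundle (one or many certs) or one binary DER cert; return DER certs."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return [base64.b64decode(m.group(1)) for m in _PEM_RE.finditer(data)]
    return [data]

def to_pem(der):
    """Tip #1: re-encode a DER certificate as the base64 PEM form picky appliances expect."""
    return ssl.DER_cert_to_PEM_cert(der)

def chain_problems(certs):
    """Tip #2: a leaf-first chain must link issuer->subject and end in a self-signed root."""
    probs = [f"cert {i} issuer does not match cert {i + 1} subject"
             for i in range(len(certs) - 1)
             if names(certs[i])[0] != names(certs[i + 1])[1]]
    issuer, subject = names(certs[-1])
    if issuer != subject:
        probs.append("last cert is not self-signed: root CA is missing")
    return probs

# Constructed sample input (not real certificates), built with a minimal DER SEQUENCE helper.
def _seq(*parts):                                   # short-form lengths only (< 128 bytes)
    body = b"".join(parts)
    return bytes([0x30, len(body)]) + body
def _fake_cert(issuer, subject):                    # only the tbsCertificate fields names() reads
    return _seq(_seq(b"\x02\x01\x01", _seq(), _seq(issuer), _seq(), _seq(subject)))
SAMPLE_CHAIN = [_fake_cert(b"\x13\x03int", b"\x13\x04leaf"),    # leaf, issued by "int"
                _fake_cert(b"\x13\x04root", b"\x13\x03int"),    # intermediate, issued by "root"
                _fake_cert(b"\x13\x04root", b"\x13\x04root")]   # self-signed root
```

Feed `chain_problems(load_bundle(open("bundle.pem", "rb").read()))` the file you were handed; an empty list means leaf, intermediate and root are all present and in order.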

Tip #3 – If possible, generate the CSR with the built-in request generator in the GUI

Not messing with the private key is nice – just do it the way the software engineers intended you to…

Tip #4 – enter all of the required data in the certificate request

Goes without saying… but it's important to have all the required data or else it won't work as intended…
No need to be a saint – just plug all of the IP addresses, FQDNs and VIPs into the same certificate… the best security practice is to have a single certificate for each service or server, but I enjoy my life way too much to micro-manage every damn certificate; doing just one for all of them is fine…

Tip #5 – use Postman… it's a lot better than doing it through curl

We all know you like the hackerman green terminal lifestyle… but dude… just use the goddamn tool… no one likes a show-off.

Tip #6 – delete cookies, site data and restart your browser after applying certs

For some reason, clearing all site data and restarting Chrome after changes like these helps. Just trust me on this one.

Tip #7 – if things fail more than twice in a row, go get a coffee before trying again.

I remember cases where I almost threw the monitor out the window. Violence is (almost) never the answer, and brute forcing is not going to be faster than understanding what you're doing wrong.
Get a coffee, take a break, watch funny cat videos on YouTube, just don't work while frustrated. It only makes the brain fog worse. When you get back to work, remember – you can do it, I believe in you!
