Sharing Certificates Across Tenants

Overview

Starting with Avi Vantage 18.2.5, certificates from the admin tenant can be shared by non-admin tenants when the shared_ssl_certificates flag is set to True in the Controller.

Default Behavior

System default certificates can be used by objects in any tenant. These include, for example, System-Default-Cert, System-Default-Cert-EC, System-Default-Portal-Cert, System-Default-Portal-Cert-EC256, System-Default-Root-CA, and System-Default-Secure-Channel-Cert, a set of objects that can be expected to expand over time. Objects created in a specific tenant (including the admin tenant) can only be viewed and used in that tenant. Certificates are chained automatically, and only to certificates in the same tenant.

Shared SSL Certificates

With Avi Vantage release 18.2.5, the shared_ssl_certificates flag has been added to the ControllerProperties object. By default, it is set to False. If shared_ssl_certificates is set to True, the following behavior applies:

  • All certificates from the admin tenant are viewable from non-admin tenants.
  • Certificates from the admin tenant can be used by objects in non-admin tenants (for example, virtual services and pools).
  • Application certificates in non-admin tenants will be chained to issuer certificates in the admin tenant.
  • Avi Vantage will not chain certificates from the admin tenant to issuer certificates in non-admin tenants. Consequently, if there is an intermediate certificate in the admin tenant, and the corresponding CA certificate is in the non-admin tenant, these objects will not be linked.
  • If there are any cross-tenant links (for example, an intermediate certificate in the admin tenant and an application certificate in a non-admin tenant), Avi Vantage will prevent changing the shared_ssl_certificates flag.
  • If an unchained application certificate exists in a non-admin tenant and the corresponding intermediate certificate is in the admin tenant, toggling the shared_ssl_certificates flag from False to True does not chain the two certificates. To chain them, delete and recreate the application certificate.
  • You can configure this feature using the Avi REST API or CLI. It is currently not supported in the Avi UI.

Note:

  • When certificate sharing is enabled in NSX Advanced Load Balancer prior to version 21.1.4, the certificate with the most days to expiry is always selected.
  • When certificate sharing is enabled in NSX Advanced Load Balancer version 21.1.4, the Intermediate/CA certificate with the highest expiry in the current tenancy is always selected. If the current tenant has no Intermediate/CA, the corresponding Intermediate/CA from the admin tenant is selected (if any).
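
The chaining rules above can be checked offline against a certificate inventory before the flag is changed. The following Python sketch is an added example, not Avi code: it models the rules as stated on this page, the Cert fields and function names are hypothetical, issuers are matched on distinguished name only (an assumption), and t1-intermediate and t1-root are constructed sample entries.

```python
from dataclasses import dataclass
from datetime import date

ADMIN = "admin"

@dataclass(frozen=True)
class Cert:
    name: str
    tenant: str
    subject: str      # subject distinguished_name
    issuer: str       # issuer distinguished_name
    not_after: date
    is_ca: bool = False

def pick_issuer(cert, inventory, shared, prefer_own_tenant=True):
    """Issuer that `cert` would chain to under the rules on this page, or None.

    prefer_own_tenant=True models 21.1.4 (own tenant first, admin as fallback);
    False models earlier releases (most days to expiry wins).
    Assumption: issuers are matched on distinguished name only.
    """
    if cert.subject == cert.issuer:          # self-signed, nothing to chain
        return None
    matches = [c for c in inventory
               if c.is_ca and c is not cert and c.subject == cert.issuer]
    own = [c for c in matches if c.tenant == cert.tenant]
    # Only non-admin certificates may reach into admin, and only when the flag
    # is True. Admin certificates are never chained to non-admin issuers.
    reach_admin = shared and cert.tenant != ADMIN
    admin = [c for c in matches if c.tenant == ADMIN] if reach_admin else []
    pool = (own or admin) if prefer_own_tenant else (own + admin)
    return max(pool, key=lambda c: c.not_after, default=None)

def cross_tenant_links(inventory, shared, prefer_own_tenant=True):
    """(certificate, issuer) name pairs that span tenants. While any exist,
    the Controller refuses to change shared_ssl_certificates."""
    links = []
    for cert in inventory:
        issuer = pick_issuer(cert, inventory, shared, prefer_own_tenant)
        if issuer is not None and issuer.tenant != cert.tenant:
            links.append((cert.name, issuer.name))
    return links

def recreate_candidates(inventory):
    """Non-admin certificates that are unchained while the flag is False but
    have an issuer in admin. Toggling to True does not chain them; they have
    to be deleted and recreated."""
    return [c.name for c in inventory
            if c.tenant != ADMIN
            and pick_issuer(c, inventory, shared=False) is None
            and pick_issuer(c, inventory, shared=True) is not None]

# Sample inventory. The first two entries mirror the CLI session on this page;
# T1_INT and T1_ROOT are constructed to exercise the selection rules.
DN = "C=US, ST=CA, O=Avi, CN="
ADMIN_INT = Cert("admin-intermediate", ADMIN, DN + "Same-Name-Intermediate",
                 DN + "Intermediate", date(2037, 12, 15), is_ca=True)
T1_APP = Cert("t1-app", "t1", DN + "App1",
              DN + "Same-Name-Intermediate", date(2037, 12, 15))
T1_INT = Cert("t1-intermediate", "t1", DN + "Same-Name-Intermediate",
              DN + "Intermediate", date(2030, 1, 1), is_ca=True)
T1_ROOT = Cert("t1-root", "t1", DN + "Intermediate",
               DN + "Intermediate", date(2040, 1, 1), is_ca=True)

if __name__ == "__main__":
    inv = [ADMIN_INT, T1_INT, T1_APP]
    for own_first in (True, False):
        chosen = pick_issuer(T1_APP, inv, shared=True, prefer_own_tenant=own_first)
        print("own tenant first:", own_first, "->", chosen.name)
    print("links blocking a flag change:", cross_tenant_links(inv, shared=True))
```

Running cross_tenant_links against an exported inventory before a maintenance window shows which application certificates would have to be removed or re-homed before the flag can be toggled.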

Usage Guidelines

The following guidelines apply because certificates in the admin tenant can be chained to any certificate in the system:

  • Toggle the shared_ssl_certificates flag to True and create shared intermediate/root certificates in the admin tenant before creating application certificates.
  • Application certificates should be in the tenant with the corresponding application.
  • Although certificate additions or updates in the admin tenant are CPU-intensive, these should have minimal impact, as they are infrequent operations.

CLI Configuration


[admin:10-10-28-16]: > configure controller properties
Updating an existing object. Currently, the object is:
+--------------------------------------------+--------------------+
| Field                                      | Value              |
+--------------------------------------------+--------------------+
| uuid                                       | global             |
| unresponsive_se_reboot                     | 300 sec            |
| crashed_se_reboot                          | 900 sec            |
| se_offline_del                             | 172000 sec         |
| vs_se_create_fail                          | 1500 sec           |
| vs_se_vnic_fail                            | 300 sec            |
| vs_se_bootup_fail                          | 480 sec            |
| se_vnic_cooldown                           | 120 sec            |
| vs_se_vnic_ip_fail                         | 120 sec            |
| fatal_error_lease_time                     | 120 sec            |
| upgrade_lease_time                         | 360 sec            |
| query_host_fail                            | 180 sec            |
| vnic_op_fail_time                          | 180 sec            |
| dns_refresh_period                         | 60 min             |
| se_create_timeout                          | 900 sec            |
| max_dead_se_in_grp                         | 1                  |
| dead_se_detection_timer                    | 360 sec            |
| api_idle_timeout                           | 15 min             |
| allow_unauthenticated_nodes                | False              |
| cluster_ip_gratuitous_arp_period           | 60 min             |
| vs_key_rotate_period                       | 360 min            |
| secure_channel_controller_token_timeout    | 60 min             |
| secure_channel_se_token_timeout            | 60 min             |
| max_seq_vnic_failures                      | 3                  |
| vs_awaiting_se_timeout                     | 60 sec             |
| vs_apic_scaleout_timeout                   | 360 sec            |
| secure_channel_cleanup_timeout             | 60 min             |
| attach_ip_retry_interval                   | 360 sec            |
| attach_ip_retry_limit                      | 4                  |
| persistence_key_rotate_period              | 0 min              |
| allow_unauthenticated_apis                 | False              |
| warmstart_se_reconnect_wait_time           | 480 sec            |
| vs_se_ping_fail                            | 60 sec             |
| se_failover_attempt_interval               | 300 sec            |
| max_pcap_per_tenant                        | 4                  |
| ssl_certificate_expiry_warning_days[1]     | 30 days days       |
| ssl_certificate_expiry_warning_days[2]     | 7 days days        |
| ssl_certificate_expiry_warning_days[3]     | 1 days days        |
| seupgrade_fabric_pool_size                 | 20                 |
| seupgrade_segroup_min_dead_timeout         | 360 sec            |
| allow_ip_forwarding                        | False              |
| appviewx_compat_mode                       | False              |
| upgrade_dns_ttl                            | 5 sec              |
| bm_use_ansible                             | True               |
| vs_se_attach_ip_fail                       | 600 sec            |
| max_seq_attach_ip_failures                 | 3                  |
| cleanup_expired_authtoken_timeout_period   | 60 min             |
| cleanup_sessions_timeout_period            | 60 min             |
| consistency_check_timeout_period           | 60 min             |
| process_locked_useraccounts_timeout_period | 1 min              |
| process_pki_profile_timeout_period         | 1440 min           |
| enable_memory_balancer                     | True               |
| warmstart_vs_resync_wait_time              | 300 sec            |
| api_perf_logging_threshold                 | 10000 milliseconds |
| se_from_marketplace                        | IMAGE              |
| cloud_reconcile                            | True               |
| enable_api_sharding                        | True               |
| vs_scaleout_ready_check_interval           | 60 sec             |
| shared_ssl_certificates                    | False              |
+--------------------------------------------+--------------------+
[admin:10-10-28-16]: controllerproperties> shared_ssl_certificates 
Overwriting the previously entered value for shared_ssl_certificates
[admin:10-10-28-16]: controllerproperties> save
+--------------------------------------------+--------------------+
| Field                                      | Value              |
+--------------------------------------------+--------------------+
| uuid                                       | global             |
| unresponsive_se_reboot                     | 300 sec            |
| crashed_se_reboot                          | 900 sec            |
| se_offline_del                             | 172000 sec         |
| vs_se_create_fail                          | 1500 sec           |
| vs_se_vnic_fail                            | 300 sec            |
| vs_se_bootup_fail                          | 480 sec            |
| se_vnic_cooldown                           | 120 sec            |
| vs_se_vnic_ip_fail                         | 120 sec            |
| fatal_error_lease_time                     | 120 sec            |
| upgrade_lease_time                         | 360 sec            |
| query_host_fail                            | 180 sec            |
| vnic_op_fail_time                          | 180 sec            |
| dns_refresh_period                         | 60 min             |
| se_create_timeout                          | 900 sec            |
| max_dead_se_in_grp                         | 1                  |
| dead_se_detection_timer                    | 360 sec            |
| api_idle_timeout                           | 15 min             |
| allow_unauthenticated_nodes                | False              |
| cluster_ip_gratuitous_arp_period           | 60 min             |
| vs_key_rotate_period                       | 360 min            |
| secure_channel_controller_token_timeout    | 60 min             |
| secure_channel_se_token_timeout            | 60 min             |
| max_seq_vnic_failures                      | 3                  |
| vs_awaiting_se_timeout                     | 60 sec             |
| vs_apic_scaleout_timeout                   | 360 sec            |
| secure_channel_cleanup_timeout             | 60 min             |
| attach_ip_retry_interval                   | 360 sec            |
| attach_ip_retry_limit                      | 4                  |
| persistence_key_rotate_period              | 0 min              |
| allow_unauthenticated_apis                 | False              |
| warmstart_se_reconnect_wait_time           | 480 sec            |
| vs_se_ping_fail                            | 60 sec             |
| se_failover_attempt_interval               | 300 sec            |
| max_pcap_per_tenant                        | 4                  |
| ssl_certificate_expiry_warning_days[1]     | 30 days days       |
| ssl_certificate_expiry_warning_days[2]     | 7 days days        |
| ssl_certificate_expiry_warning_days[3]     | 1 days days        |
| seupgrade_fabric_pool_size                 | 20                 |
| seupgrade_segroup_min_dead_timeout         | 360 sec            |
| allow_ip_forwarding                        | False              |
| appviewx_compat_mode                       | False              |
| upgrade_dns_ttl                            | 5 sec              |
| bm_use_ansible                             | True               |
| vs_se_attach_ip_fail                       | 600 sec            |
| max_seq_attach_ip_failures                 | 3                  |
| cleanup_expired_authtoken_timeout_period   | 60 min             |
| cleanup_sessions_timeout_period            | 60 min             |
| consistency_check_timeout_period           | 60 min             |
| process_locked_useraccounts_timeout_period | 1 min              |
| process_pki_profile_timeout_period         | 1440 min           |
| enable_memory_balancer                     | True               |
| warmstart_vs_resync_wait_time              | 300 sec            |
| api_perf_logging_threshold                 | 10000 milliseconds |
| se_from_marketplace                        | IMAGE              |
| cloud_reconcile                            | True               |
| enable_api_sharding                        | True               |
| vs_scaleout_ready_check_interval           | 60 sec             |
| shared_ssl_certificates                    | True               |
+--------------------------------------------+--------------------+
[admin:10-10-28-16]: > configure sslkeyandcertificate admin-intermediate

[admin:10-10-28-16]: sslkeyandcertificate> certificate
[admin:10-10-28-16]: sslkeyandcertificate:certificate> certificate --
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
END
[admin:10-10-28-16]: sslkeyandcertificate:certificate> save
[admin:10-10-28-16]: sslkeyandcertificate> save
+------------------------+------------------------------------------------------------------------------+
| Field                  | Value                                                                        |
+------------------------+------------------------------------------------------------------------------+
| uuid                   | sslkeyandcertificate-2348ba24-1a56-4e9d-9833-c8c3c1158714                    |
| name                   | admin-intermediate                                                           |
| type                   | SSL_CERTIFICATE_TYPE_CA                                                      |
| certificate            |                                                                              |
|   version              | 2                                                                            |
|   serial_number        | 4098                                                                         |
|   self_signed          | False                                                                        |
|   issuer               |                                                                              |
|     common_name        | Intermediate                                                                 |
|     organization       | Avi                                                                          |
|     state              | CA                                                                           |
|     country            | US                                                                           |
|     distinguished_name | C=US, ST=CA, O=Avi, CN=Intermediate                                          |
|   subject              |                                                                              |
|     common_name        | Same-Name-Intermediate                                                       |
|     organization       | Avi                                                                          |
|     state              | CA                                                                           |
|     country            | US                                                                           |
|     distinguished_name | C=US, ST=CA, O=Avi, CN=Same-Name-Intermediate                                |
|   signature_algorithm  | sha256WithRSAEncryption                                                      |
|   not_before           | 2017-12-20 23:34:35                                                          |
|   not_after            | 2037-12-15 23:34:35                                                          |
|   fingerprint          | SHA1 Fingerprint=CD:96:22:87:B2:58:39:7C:7A:26:4B:3A:18:B2:99:CD:DB:73:B5:79 |
|                        |                                                                              |
|   expiry_status        | SSL_CERTIFICATE_GOOD                                                         |
|   days_until_expire    | 365                                                                          |
| key_params             |                                                                              |
|   algorithm            | SSL_KEY_ALGORITHM_RSA                                                        |
|   rsa_params           |                                                                              |
|     key_size           | SSL_KEY_4096_BITS                                                            |
|     exponent           | 65537                                                                        |
| status                 | SSL_CERTIFICATE_FINISHED                                                     |
| ca_certs[1]            |                                                                              |
|   name                 | Intermediate                                                                 |
| format                 | SSL_PEM                                                                      |
| certificate_base64     | False                                                                        |
| key_base64             | False                                                                        |
| tenant_ref             | admin                                                                        |
+------------------------+------------------------------------------------------------------------------+
[admin:10-10-28-16]: > switchto tenant t1
Switching to tenant t1
[t1:10-10-28-16]: > show sslkeyandcertificate
+------------------------------------+------------------------+------------------------+------+-----------+
| Name                               | Issuer                 | Subject                | Self | Algorithm |
+------------------------------------+------------------------+------------------------+------+-----------+
| System-Default-Cert                | System Default Cert    | System Default Cert    | True | -         |
| System-Default-Cert-EC             | System Default EC Cert | System Default EC Cert | True | -         |
| System-Default-Portal-Cert         | Default Portal Cert    | Default Portal Cert    | True | -         |
| System-Default-Portal-Cert-EC256   | Default Portal EC Cert | Default Portal EC Cert | True | -         |
| System-Default-Root-CA             | ca.local               | ca.local               | True | -         |
| System-Default-Secure-Channel-Cert | ca.local               | node.controller.local  | -    | -         |
| admin-intermediate                 | Intermediate           | Same-Name-Intermediate | -    | -         |
+------------------------------------+------------------------+------------------------+------+-----------+
[t1:10-10-28-16]: > configure sslkeyandcertificate t1-app

[t1:10-10-28-16]: sslkeyandcertificate> key --
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
END
[t1:10-10-28-16]: sslkeyandcertificate> certificate
[t1:10-10-28-16]: sslkeyandcertificate:certificate> certificate --
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
END
[t1:10-10-28-16]: sslkeyandcertificate:certificate> save
[t1:10-10-28-16]: sslkeyandcertificate> save
+------------------------+------------------------------------------------------------------------------+
| Field                  | Value                                                                        |
+------------------------+------------------------------------------------------------------------------+
| uuid                   | sslkeyandcertificate-9ec6948b-f57c-49ac-b9da-28092a3fd72a                    |
| name                   | t1-app                                                                       |
| type                   | SSL_CERTIFICATE_TYPE_VIRTUALSERVICE                                          |
| certificate            |                                                                              |
|   version              | 2                                                                            |
|   serial_number        | 4097                                                                         |
|   self_signed          | False                                                                        |
|   issuer               |                                                                              |
|     common_name        | Same-Name-Intermediate                                                       |
|     organization       | Avi                                                                          |
|     state              | CA                                                                           |
|     country            | US                                                                           |
|     distinguished_name | C=US, ST=CA, O=Avi, CN=Same-Name-Intermediate                                |
|   subject              |                                                                              |
|     common_name        | App1                                                                         |
|     organization       | Avi                                                                          |
|     state              | CA                                                                           |
|     country            | US                                                                           |
|     distinguished_name | C=US, ST=CA, O=Avi, CN=App1                                                  |
|   signature_algorithm  | sha256WithRSAEncryption                                                      |
|   not_before           | 2017-12-20 23:34:56                                                          |
|   not_after            | 2037-12-15 23:34:56                                                          |
|   fingerprint          | SHA1 Fingerprint=18:B1:FD:DC:AF:F0:62:0C:73:E1:56:FC:75:AE:86:93:2E:56:1E:75 |
|                        |                                                                              |
|   expiry_status        | SSL_CERTIFICATE_GOOD                                                         |
|   days_until_expire    | 365                                                                          |
| key_params             |                                                                              |
|   algorithm            | SSL_KEY_ALGORITHM_RSA                                                        |
|   rsa_params           |                                                                              |
|     key_size           | SSL_KEY_2048_BITS                                                            |
|     exponent           | 65537                                                                        |
| status                 | SSL_CERTIFICATE_FINISHED                                                     |
| ca_certs[1]            |                                                                              |
|   name                 | Same-Name-Intermediate                                                       |
|   ca_ref               | admin-intermediate                                                           |
| ca_certs[2]            |                                                                              |
|   name                 | Intermediate                                                                 |
| format                 | SSL_PEM                                                                      |
| certificate_base64     | False                                                                        |
| key_base64             | False                                                                        |
| tenant_ref             | t1                                                                           |
+------------------------+------------------------------------------------------------------------------+
[t1:10-10-28-16]: >