How to install, renew and replace a custom (CA Signed) certificate on VMware Aria Operations for Networks

Article ID: 324471

Products

VCF Operations for Networks

Issue/Introduction

This article provides steps to install a new custom certificate in VMware Aria Operations for Networks (vRNI).
This procedure can also be used when a certificate is about to expire and needs to be replaced.

You will use the support user to generate the Certificate Signing Request (CSR).
This KB was written for a Simple Deployment.
For a Cluster deployment, apply the steps to Platform node 1, then to Platform nodes 2, 3, 4, and so on, via the CLI.

Environment

  • Aria Operations for Networks 6.13.0
  • Aria Operations for Networks 6.14.0
  • Aria Operations for Networks 6.14.1

Resolution

Prerequisites

  • The certificate can be from a well-known third-party certificate vendor or from an internal Certificate Authority (CA).
  • The certificate requires that the DNS name, the appliance name, and the subject name of the certificate all be the Fully Qualified Domain Name (FQDN) of the appliance.

         Note: A wildcard certificate is an exception to this requirement. However, its Subject Alternative Name (SAN) should still include the Fully Qualified Domain Name of the appliance.

  • The full certificate chain and the private key, both in base64-encoded PEM format.

 

Generating a Certificate Signing Request (CSR):

  1. Generate a key pair by running these commands:

    unalias openssl
    openssl genrsa -out key_filename.key 2048

  2. Use the key to generate a certificate signing request by running this command:

    openssl req -new -key key_filename.key -out certificate_request.csr

  3. Submit the CSR file to your Certificate Authority (CA) to obtain a signed certificate.
  4. From your Certificate Authority, download the certificate and the complete issuing chain (one or more certificates). Download them in Base64 format as PEM, and make sure the full certificate chain is present in customcert.crt.
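As an added example that is not part of the KB article, the POSIX shell functions below carry out steps 1 and 2 and then check, before the CSR goes to the CA, the two things the prerequisites call for: that the appliance FQDN is in the subject and in the Subject Alternative Name (the SAN check is what matters for a wildcard certificate, whose SAN must still list the FQDN), and that the CSR really carries the public half of the generated key. The FQDN, the file names and the use of `openssl req -addext` (OpenSSL 1.1.1 or later) are assumptions.

```shell
#!/bin/sh
# Added example, not part of the KB article. Assumes openssl 1.1.1+ in PATH
# (for "req -addext"); the FQDN and file names used below are placeholders.

# Generate a 2048-bit RSA key and a CSR whose subject CN is $cn and whose SAN
# lists $san_dns (comma-separated DNS names; the appliance FQDN must be one of them)
gen_key_and_csr() {
    cn="$1"; san_dns="$2"; key="$3"; csr="$4"
    openssl genrsa -out "$key" 2048 2>/dev/null
    san=$(printf '%s' "$san_dns" | sed 's/,/,DNS:/g')   # "a,b" -> "a,DNS:b"
    openssl req -new -key "$key" -out "$csr" -subj "/CN=$cn" \
        -addext "subjectAltName=DNS:$san" 2>/dev/null
}

# Returns 0 when the subject CN of the CSR is exactly $cn
# (handles both the "CN = x" and the older "/CN=x" subject print formats)
csr_cn_is() {
    cn="$1"; csr="$2"
    subj=$(openssl req -in "$csr" -noout -subject)
    case "$subj" in
        *"CN = $cn"*|*"CN=$cn"*) return 0 ;;
    esac
    return 1
}

# Returns 0 when the SAN extension of the CSR names the given DNS name
csr_san_has() {
    fqdn="$1"; csr="$2"
    openssl req -in "$csr" -noout -text | grep -qF "DNS:$fqdn"
}

# Returns 0 when the CSR carries the public key that belongs to this private key
csr_matches_key() {
    key="$1"; csr="$2"
    [ "$(openssl pkey -in "$key" -pubout 2>/dev/null)" = \
      "$(openssl req -in "$csr" -noout -pubkey)" ]
}

# Usage: "sh this_script.sh demo" builds a scratch key and CSR and runs the checks
demo() {
    d=$(mktemp -d)
    gen_key_and_csr "vrni.example.com" "vrni.example.com" \
        "$d/key_filename.key" "$d/certificate_request.csr"
    csr_cn_is "vrni.example.com" "$d/certificate_request.csr" && echo "subject CN ok"
    csr_san_has "vrni.example.com" "$d/certificate_request.csr" && echo "SAN ok"
    csr_matches_key "$d/key_filename.key" "$d/certificate_request.csr" && echo "key matches CSR"
}
if [ "${1-}" = demo ]; then demo; fi
```

The checks read the CSR back with `openssl req -text`, which is the same view the CA will have of it; a CSR that fails `csr_san_has` for the appliance FQDN will produce a certificate the appliance rejects even if the CA signs it.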

 

Validating the custom certificate files:

  1. To verify the file signature (format) for correctness, execute the two commands below:

    file customcert.crt
    file customcert_privatekey.key

    Note: replace customcert and customcert_privatekey with the actual .crt and .key file names.

    The following example commands and their output mean the signature is correct:

    # file customcert.crt
    customcert.crt: PEM certificate
    # file customcert_privatekey.key
    customcert_privatekey.key: PEM RSA private key - Correct

    The following example commands and their output mean the signature is incorrect:

    # file custcert.crt
    custcert.crt: ASCII text - Incorrect
    # file custcert_privatekey.key
    custcert_privatekey.key: ASCII text

    Note: For a PFX/P7B key, you may need to run some additional commands to get to the expected format.

  2. When the key file is opened in any text editor, it should contain only content similar to:

    -----BEGIN RSA PRIVATE KEY-----
    <payload>
    -----END RSA PRIVATE KEY-----

    Note: The file may additionally contain a header and footer with a digest in between, because some conversion or export tools also write so-called BAG ATTRIBUTES to the output file. These must be removed from the files above; doing so is safe.
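As an added example that is not part of the KB article, the shell functions below perform the same validation without relying on `file`: they read the PEM type from the BEGIN line, count the blocks in the .crt (a full chain has more than one), strip everything outside the BEGIN/END lines (which is where the Bag Attributes end up), and confirm with OpenSSL that the first certificate in the chain and the private key belong together. The file names are placeholders and `openssl` in PATH is assumed.

```shell
#!/bin/sh
# Added example, not part of the KB article. Assumes openssl in PATH;
# file names are placeholders.

# Print the PEM type on the first BEGIN line, e.g. "CERTIFICATE" or "RSA PRIVATE KEY"
pem_type() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# Count the PEM blocks in a file; a .crt carrying the full chain has 2 or more
pem_block_count() {
    grep -c '^-----BEGIN ' "$1" || true
}

# Returns 0 when the key carries the header the appliance expects (PKCS#1 RSA)
key_is_rsa_pem() {
    [ "$(pem_type "$1")" = "RSA PRIVATE KEY" ]
}

# Write $2 from $1 keeping only the lines between BEGIN and END markers,
# which drops "Bag Attributes", "subject=" lines and similar export residue
strip_bag_attributes() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1" > "$2"
}

# Returns 0 when the first certificate in the chain and the key share a public key
cert_matches_key() {
    crt="$1"; key="$2"
    [ "$(openssl x509 -in "$crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ]
}

# Run every check on a certificate/key pair and report; returns 0 only if all pass
validate_pair() {
    crt="$1"; key="$2"; ok=0
    [ "$(pem_type "$crt")" = "CERTIFICATE" ] || { echo "$crt: not a PEM certificate"; ok=1; }
    [ "$(pem_block_count "$crt")" -ge 2 ] || echo "$crt: only one block, chain may be incomplete"
    key_is_rsa_pem "$key" || { echo "$key: header is '$(pem_type "$key")', expected RSA PRIVATE KEY"; ok=1; }
    cert_matches_key "$crt" "$key" || { echo "$crt and $key do not match"; ok=1; }
    return $ok
}

# Usage: sh this_script.sh customcert.crt customcert_privatekey.key
if [ $# -eq 2 ]; then validate_pair "$1" "$2"; fi
```

A key written by `openssl req -newkey` or by OpenSSL 3 `genrsa` has a `-----BEGIN PRIVATE KEY-----` header (PKCS#8), so `key_is_rsa_pem` fails on it; that is the case the "Failed to find the Key file" section below addresses.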

 

Installing a custom certificate:

To install a new custom certificate, follow the steps below.

  1. Log in to the VMware Aria Operations for Networks command line interface (CLI) via SSH as the user consoleuser.
  2. Remove the existing certificate using the custom-cert remove command:

    custom-cert remove

    You see this message:

    Removed all custom certificates.

  3. Copy the new certificate and key from the host where they are located using the custom-cert copy command:

    custom-cert copy --host <IP_of_SFTP_host> --user <user_of_SFTP_host> --port 22 --path </path/to/file>.crt
    custom-cert copy --host <IP_of_SFTP_host> --user <user_of_SFTP_host> --port 22 --path </path/to/file>.key

    When you are prompted for a password, enter the password of <user_of_SFTP_host>.

    When copying is successful, you see this message:

    copying...
    successfully copied

    Alternatively, you can move the new certificate files (.crt and .key) to the custom_certs folder under the /home/ubuntu/ directory and manually delete the older certificates there as well.

  4. List the available certificates using the custom-cert list command:

    custom-cert list
    file.crt
    file.key

    The output should show the new certificate that needs to be applied.

  5. Apply the new certificate using the custom-cert apply command:

    custom-cert apply

    After the certificate is applied, you see this message:

    Successfully applied new certificate. All active UI sessions have to be restarted.

Note: Certificates with a passphrase-protected key pair are not supported.
 



Additional Information

Error "Failed to find the Key file" while replacing the certificates

  1. The error occurs because vRNI does not recognize a key file with a -----BEGIN PRIVATE KEY----- header. Convert the key to RSA PEM format using OpenSSL:

    openssl rsa -in file.key -out newfile.key

  2. Alternatively, fix the headers in the key file by running the following commands:

    sed -i 's/-----BEGIN PRIVATE KEY-----/-----BEGIN RSA PRIVATE KEY-----/g' vrni_key.key
    sed -i 's/-----END PRIVATE KEY-----/-----END RSA PRIVATE KEY-----/g' vrni_key.key
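As an added example that is not part of the KB article, the shell functions below re-encode the key with OpenSSL and then verify the result: the header must now read RSA PRIVATE KEY and the public key must be unchanged, so the conversion lost nothing. Re-encoding is the safer of the two options above: the sed rewrite changes only the header text, which is fine when the body is already PKCS#1 but leaves a PKCS#8 body unconverted under a misleading header. OpenSSL 3 `genrsa` writes a PKCS#8 key (BEGIN PRIVATE KEY) by default, which is how a key generated with step 1 of the CSR procedure can end up in this state. The file names are placeholders; `openssl pkey -traditional` (OpenSSL 1.1.0 or later) is assumed to be available as a fallback.

```shell
#!/bin/sh
# Added example, not part of the KB article. Assumes openssl 1.1.0+ in PATH
# (for "pkey -traditional"); file names are placeholders.

# First line of the file, i.e. the PEM header
key_header() { head -n 1 "$1"; }

# Re-encode $1 into $2 as a traditional PKCS#1 "RSA PRIVATE KEY" PEM.
# Runs the KB's "openssl rsa" command first; depending on the OpenSSL version
# that may keep the PKCS#8 header, in which case the traditional form is
# requested explicitly with "openssl pkey -traditional".
to_rsa_pem() {
    in="$1"; out="$2"
    openssl rsa -in "$in" -out "$out" 2>/dev/null
    if [ "$(key_header "$out")" != "-----BEGIN RSA PRIVATE KEY-----" ]; then
        openssl pkey -in "$in" -traditional -out "$out" 2>/dev/null
    fi
}

# Returns 0 when both key files hold the same public key
same_public_key() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# Convert and verify in one go; returns 0 only when the header is right and
# the key material is unchanged
convert_and_check() {
    in="$1"; out="$2"
    to_rsa_pem "$in" "$out"
    [ "$(key_header "$out")" = "-----BEGIN RSA PRIVATE KEY-----" ] || { echo "$out: wrong header"; return 1; }
    same_public_key "$in" "$out" || { echo "$out: public key differs from $in"; return 1; }
    echo "$out: RSA PEM, same key as $in"
}

# Usage: sh this_script.sh file.key newfile.key
if [ $# -eq 2 ]; then convert_and_check "$1" "$2"; fi
```

Because the private key is read back and its public half compared, the check also catches a file that merely had its header renamed: OpenSSL either refuses to parse it or yields a different key, and `same_public_key` fails.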