How to install, renew and replace a custom (CA Signed) certificate on VCF Operations for Networks

Article ID: 324471


Updated On:

Products

VCF Operations for Networks

Issue/Introduction

This article provides the steps to install a new custom (CA-signed) certificate on VCF Operations for Networks (formerly vRealize Network Insight, vRNI, and later VMware Aria Operations for Networks, AON).
The same procedure is used to renew or replace an existing custom certificate, for example when the current CA-signed certificate is nearing expiration.

Environment

  • VCF Operations for Networks 6.13.0
  • VCF Operations for Networks 6.14.0
  • VCF Operations for Networks 6.14.1

Resolution

Prerequisites:

  • The certificate can be issued by a well-known third-party certificate vendor or by an internal Certificate Authority (CA).
  • The certificate subject (Common Name) must be the Fully Qualified Domain Name (FQDN) of the appliance, and that FQDN must match the appliance host name and resolve in DNS.

         Note: A wildcard certificate is an acceptable exception. However, its Subject Alternative Name (SAN) should still include the FQDN of the appliance.

  • The full certificate chain (server certificate plus intermediate and root CA certificates) and the private key, both as Base64-encoded PEM files.
  • Passphrase-protected (encrypted) private keys are not supported.

Notes:

  • The Certificate Signing Request (CSR) is generated from the appliance CLI while logged in as the support user.
  • These steps describe a single-node (simple) deployment. For a cluster deployment, apply the steps to platform node 1 first, then to platform nodes 2, 3, 4 and so on from the CLI.

Generating a Certificate Signing Request (CSR):

  1. Generate a private key by running these commands:

    unalias openssl
    openssl genrsa -out key_filename.key 2048

    Note: The key must not be passphrase-protected. With OpenSSL 3.x, genrsa writes the key in PKCS#8 format (header BEGIN PRIVATE KEY) by default, while the appliance expects the traditional RSA (PKCS#1) header BEGIN RSA PRIVATE KEY; see Additional Information for converting the key.

  2. Use the key to generate a certificate signing request by running this command:

    openssl req -new -key key_filename.key -out certificate_request.csr

    Enter the FQDN of the appliance as the Common Name (CN) when prompted, and ask the CA to include the FQDN in the Subject Alternative Name (SAN) as well.

  3. Submit the CSR file to a Certificate Authority (CA) to obtain a signed certificate.
  4. From your Certificate Authority, download the signed certificate and the complete issuing chain (one or more intermediate and root certificates) in Base64 (PEM) format, and make sure the full certificate chain is present.
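The interactive openssl req command above leaves the SAN entirely to the CA, and on OpenSSL 3.x the key comes out in PKCS#8 form. The script below is an added example, not code from this article or from the product: it generates the unencrypted key in the RSA PRIVATE KEY form wherever the installed OpenSSL supports the -traditional option, puts the appliance FQDN (and any further host names) into the SAN of the CSR through a request configuration file, and reads the SANs back so they can be checked before submission. The FQDN, file names and extra host names are arguments chosen by the caller; none of them come from the article.

```shell
#!/bin/sh
# Added example (not from the article or the product): key + CSR with an
# explicit Subject Alternative Name. FQDN, file names and extra SAN entries
# are caller-supplied placeholders.
set -eu

# gen_csr FQDN KEYFILE CSRFILE [EXTRA_HOSTNAME...]
# Writes an unencrypted 2048-bit RSA key to KEYFILE and a CSR to CSRFILE whose
# CN is FQDN and whose SAN lists FQDN plus every EXTRA_HOSTNAME.
gen_csr() {
  fqdn=$1; key=$2; csr=$3; shift 3
  san="DNS:$fqdn"
  for extra in "$@"; do san="$san,DNS:$extra"; done

  # OpenSSL 3.x writes PKCS#8 ("BEGIN PRIVATE KEY") by default; the appliance
  # expects the traditional PKCS#1 header, so ask for it when the option exists.
  if openssl genrsa -help 2>&1 | grep -q -- '-traditional'; then
    openssl genrsa -traditional -out "$key" 2048 2>/dev/null
  else
    openssl genrsa -out "$key" 2048 2>/dev/null   # OpenSSL 1.1.x already writes PKCS#1
  fi
  chmod 600 "$key"

  # Minimal non-interactive request config: CN = FQDN, SAN from $san.
  cfg=$(mktemp)
  cat > "$cfg" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = $fqdn
[ext]
subjectAltName = $san
EOF
  openssl req -new -key "$key" -out "$csr" -config "$cfg"
  rm -f "$cfg"
}

# csr_sans CSRFILE: print the DNS names in the CSR's SAN extension, one per line.
csr_sans() {
  openssl req -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n1 \
    | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# key_header KEYFILE: the PEM header line, to confirm the RSA PRIVATE KEY form.
key_header() { head -n1 "$1"; }

# Stand-alone use: ./gen_csr.sh vrni.example.com vrni.key vrni.csr [more names]
if [ "$#" -ge 3 ]; then
  gen_csr "$@"
  echo "key header: $(key_header "$2")"
  echo "CSR SANs:"; csr_sans "$3"
fi
```

The CSR generated this way can be submitted exactly as in step 3; the SANs printed by csr_sans are what the CA should copy into the issued certificate.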

 

Validating the custom certificate files:

  1. To verify that each file is in the expected PEM format, run the file command against both files:

    file <cert_file>.crt
    file <cert_key>.key

    Replace <cert_file> and <cert_key> with the actual .crt and .key file names.

    The following example output means the files are in the correct format:

    # file customcert.crt
    customcert.crt: PEM certificate
    # file customcert_privatekey.key
    customcert_privatekey.key: PEM RSA private key

    The following example output means the files are not in the expected PEM format (for example, text such as Bag Attributes precedes the PEM header, or the key is not in RSA PRIVATE KEY form):

    # file custcert.crt
    custcert.crt: ASCII text
    # file custcert_privatekey.key
    custcert_privatekey.key: ASCII text

    Note: For a PFX (PKCS#12) or P7B (PKCS#7) bundle, additional openssl commands are needed to extract the certificate chain and the key into separate PEM files.

  2. When the key file is opened in a text editor, it should contain only a single PEM block, similar to:

    -----BEGIN RSA PRIVATE KEY-----
    <payload>
    -----END RSA PRIVATE KEY-----

    The certificate file should likewise contain only BEGIN CERTIFICATE / END CERTIFICATE blocks, one per certificate in the chain, with the server certificate first.

    Note: Some conversion and export tools (openssl pkcs12, for example) write so-called Bag Attributes, together with subject= and issuer= lines, in front of each PEM block. These lines must be removed before the files are copied to the appliance; removing them is safe because they are not part of the certificate or the key.

 

Installing a custom certificate:

To install a new custom certificate, follow the steps below.

  1. Log in to the VCF Operations for Networks command line interface (CLI) via SSH as the user consoleuser.
  2. Remove the existing custom certificate using the custom-cert remove command:

    custom-cert remove

    The following message is displayed:

    Removed all custom certificates.

  3. Copy the new certificate and key from the SFTP host where they are located using the custom-cert copy command:

    custom-cert copy --host <IP_of_SFTP_host> --user <user_of_SFTP_host> --port 22 --path </path/to/file>.crt
    custom-cert copy --host <IP_of_SFTP_host> --user <user_of_SFTP_host> --port 22 --path </path/to/file>.key

    When prompted for a password, enter the password of <user_of_SFTP_host>.

    When copying is successful, the following message is displayed:

    copying...
    successfully copied

    Alternatively, the new certificate files (.crt and .key) can be placed in the custom_certs folder under the /home/ubuntu/ directory and the older certificate files deleted manually.

  4. List the available certificates using the custom-cert list command:

    custom-cert list
    file.crt
    file.key

    The output should show only the new certificate and key that are to be applied.

  5. Apply the new certificate using the custom-cert apply command:

    custom-cert apply

    After the certificate is applied, the following message is displayed:

    Successfully applied new certificate. All active UI sessions have to be restarted.
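The success message confirms that the appliance accepted the files, not that the web UI is now presenting them. The script below is an added example, not code from this article or from the product: it fetches the certificate that the appliance presents on its HTTPS port with openssl s_client (SNI set to the appliance name), compares its SHA-256 fingerprint with the local .crt file that was copied with custom-cert copy, and reports the remaining validity so the renewal date can be tracked. The host name and port are arguments; port 443 is an assumption for the UI port and is not stated in the article.

```shell
#!/bin/sh
# Added example (not from the article or the product): confirm that the
# certificate served by the appliance is the one that was applied, and report
# its remaining validity. HOST, PORT and the local .crt file are arguments.
set -eu

# fingerprint_of_pem FILE: SHA-256 fingerprint of the first certificate in FILE.
fingerprint_of_pem() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# served_cert HOST [PORT]: the leaf certificate HOST presents on PORT (default
# 443, assumed UI port), printed as PEM. SNI is set so virtual hosts answer correctly.
served_cert() {
  openssl s_client -connect "$1:${2-443}" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509
}

# days_left FILE: whole days until the first certificate in FILE expires
# (negative once expired). Uses GNU date, with a BSD date fallback.
days_left() {
  end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
  end_s=$(date -u -d "$end" +%s 2>/dev/null || date -ju -f '%b %e %T %Y %Z' "$end" +%s)
  echo $(( (end_s - $(date -u +%s)) / 86400 ))
}

# check_applied HOST LOCAL_CRT [PORT]: compare fingerprints and report expiry.
check_applied() {
  tmp=$(mktemp)
  served_cert "$1" "${3-443}" > "$tmp"
  want=$(fingerprint_of_pem "$2"); got=$(fingerprint_of_pem "$tmp")
  rm -f "$tmp"
  if [ "$want" = "$got" ]; then
    echo "OK: $1 serves $want, expires in $(days_left "$2") days"
  else
    echo "MISMATCH: expected $want, appliance serves $got"
    return 1
  fi
}

# Stand-alone use: ./check_applied.sh vrni.example.com customcert.crt [443]
if [ "$#" -ge 2 ]; then check_applied "$@"; fi
```

A mismatch immediately after custom-cert apply usually means the browser or the check was pointed at a cached session; re-running the check after the UI sessions are restarted, as the success message requires, is the first thing to try.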

 

Additional Information

While replacing the certificates, the following error is displayed:

 "Failed to find the Key file"

  1. The error occurs because the appliance does not recognize the key file format. It expects the key in traditional RSA (PKCS#1) PEM format, with BEGIN RSA PRIVATE KEY / END RSA PRIVATE KEY headers, whereas many tools write the key in PKCS#8 format with BEGIN PRIVATE KEY / END PRIVATE KEY headers. Convert the key with openssl:

    openssl rsa -in file.key -out newfile.key

    Note: With OpenSSL 3.x this command also writes PKCS#8 by default; add the -traditional option to obtain the RSA PRIVATE KEY form. Check the converted file with the file command, which should report it as a PEM RSA private key.

  2. Alternatively, when the key body is already in PKCS#1 format and only the header and footer lines are wrong, fix the headers in the key file by running the following commands:

    sed -i 's/-----BEGIN PRIVATE KEY-----/-----BEGIN RSA PRIVATE KEY-----/g' vrni_key.key

    sed -i 's/-----END PRIVATE KEY-----/-----END RSA PRIVATE KEY-----/g' vrni_key.key

    Caution: Renaming the headers does not re-encode the key. A PKCS#8 key whose headers have been renamed is still a PKCS#8 structure inside and will not load as an RSA key, so use the openssl conversion in step 1 unless the key body is known to be PKCS#1.