Replacing VMware Cloud Gateway Machine SSL certificate with a Custom Certificate Authority Signed Certificate
Article ID: 326374

Products

VMware Cloud on AWS VMware Cloud on Dell EMC

Issue/Introduction


This article explains how to replace a VMware Cloud Gateway Machine SSL certificate with a Custom Certificate Authority (CA) Signed Certificate.

You can replace the certificate for vCenter Cloud Gateway when the certificate expires or when you want to use a certificate from another certificate provider.

Important: If you have configured Hybrid Linked Mode on the vCenter Cloud Gateway, do not use this procedure to replace the certificate. Use the process in Replace the Certificate for the Cloud Gateway Appliance with Hybrid Linked Mode Enabled instead.


Environment

VMware vSphere+ Cloud Services

Resolution

Generate certificate signing requests (CSRs) for each certificate you want to replace. Provide the CSR to your Certificate Authority. When the Certificate Authority returns the certificate, place it in a location that you can access from the vCenter Cloud Gateway.

 

  1. Connect to vCenter Cloud Gateway using SSH.
  2. If you are using vSphere+, use a CA-signed certificate. If it is not a well-known CA, ensure that the following parameters for the root CA are set as follows:

 

X509v3 extensions:
    X509v3 Basic Constraints: critical
        CA:TRUE
    X509v3 Key Usage: critical
        Digital Signature, Key Encipherment, Certificate Sign, CRL Sign

 

 Note: The Key Encipherment key usage must also be set on the endpoint/Machine SSL certificate.

 

  3. Append the cert.pem file that you generated or received from your CA to the server.pem file by typing cat cert.pem >> server.pem.

Note: Make sure to append the private key as well to this file.

server.pem should contain (in the same order):

 

-----BEGIN CERTIFICATE-----
<CERT>
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
<KEY>
-----END PRIVATE KEY-----
 

  4. Append the CA certificate file that you received from your CA to the rootCA.pem file by typing cat certCA.pem >> rootCA.pem.

Note: If you have intermediate CAs, ensure that rootCA.pem contains the full chain.

  5. Back up the old certificate by typing cp /etc/applmgmt/appliance/server.pem /etc/applmgmt/appliance/server.pem.bk.

  6. Replace the old certificate with the server.pem file that you created in Step 3 by typing mv server.pem /etc/applmgmt/appliance/

  7. Back up the rootCA by typing cp /etc/applmgmt/appliance/rootCA.pem /etc/applmgmt/appliance/rootCA.pem.bk

  8. Replace the old CA certificate with the rootCA.pem file that you created by typing mv rootCA.pem /etc/applmgmt/appliance/

  9. Type systemctl restart gps_envoy.service to restart the envoy service (port 5480).

  10. Type systemctl restart aap_envoy.service to restart the Atlas Agent Platform envoy service (port 5484).

Additional Information

In case of a failure, ensure that the certificate/key pair and the rootCA certificate have no issues:

[ /etc/applmgmt/appliance ]# openssl verify -verbose -CAfile rootCA.pem server.pem


Review the logs to understand the cause of the issue:

/var/log/vmware/messages