Configure a Certificate For Use With Aria Operations Cloud Proxy

Article ID: 342838

Updated On: 01-15-2025

Products

VMware Aria Suite

Issue/Introduction

This article provides instructions for using OpenSSL to configure a certificate for use with the Aria Operations Cloud Proxy for Aria Operations (formerly known as vRealize Operations).

Note: The certificates applied will be used only for inbound traffic from Telegraf agent endpoints.

Environment

VMware Aria Operations 8.x

Resolution

Generate a new Certificate PEM file

  1. Log into the Cloud Proxy as root via SSH or Console.

  2. Create a key file for the certificate with the following command:

    openssl genrsa -out cp.key 2048

  3. Create .cnf file:

    vi cp.cnf

  4. The following is an example of the contents of the cp.cnf file for a single Cloud Proxy:

    [req]
    prompt = no
    distinguished_name = dn
    req_extensions = ext
    default_bits = 2048
    default_md = sha256
    encrypt_key = no

    [dn]
    CN = <Cloud_Proxy_FQDN>

    [ext]
    subjectAltName = @alt_names

    [alt_names]
    DNS.1 = <Cloud_Proxy_FQDN>
    DNS.2 = <Cloud_Proxy_Shortname>
    IP.1 = <Cloud_Proxy_IP_address>


    Note:
    Replace <Cloud_Proxy_FQDN>, <Cloud_Proxy_Shortname> and <Cloud_Proxy_IP_address> with relevant values.
    The CN is required to be listed in the subjectAltName section for web browser compatibility.
    The certificate will be valid for any FQDN/IP that is added to subjectAltName section. Follow your company's security policy for the SAN field, but it is advised to include the IP addresses and DNS short names.

  5. Save and close the file:

    :wq

  6. Create the CSR:

    openssl req -new -config cp.cnf -key cp.key -out cp.csr

  7. Run the following to verify the information in the CSR is correct:

    openssl req -in cp.csr -noout -text

  8. If all information is correct, send the CSR to your Certificate Authority for signing.

  9. Once the Certificate Authority signs your CSR, they will return to you the signed cert based on this CSR and also their own root cert (along with any intermediate certs). Ensure that you download them in Base64 format if given an option.

  10. Transfer the files downloaded from your CA to the Aria Operations Cloud Proxy using an SCP utility.

  11. Log in to the Cloud Proxy as root via SSH.

  12. To combine these files, run the cat command as follows (replace the filenames as necessary, and pay close attention to the order of the files):

    cat signed_cert.crt cp.key root_CA.crt > multi_part.pem

    Note: If your CA also provided you with intermediate certs, the command would look similar to the following instead:

    cat signed_cert.crt cp.key intermediate.crt root_CA.crt > multi_part.pem

Install a New Certificate in VMware Aria Operations Cloud Proxy

  1. Log into the Cloud Proxy as root via SSH or Console.

  2. Run the following command to import the certificate:

    cprc-cli -rc multi_part.pem

    Note: If the imported certificates already exist, a dialog will appear asking whether to overwrite the existing ones.


The cprc-cli -rc command workflow will automatically:

  • Check if the imported certificate has a valid format and contains all necessary components in the chain.

  • Get the certificate and private key from the full chain and create separate .pem files which are needed by httpd config.

  • Back up existing httpd.conf and update httpd.conf SSL configuration with new certificates paths.

  • Restart the httpd-south service.



Additional Information

Disclaimer: Broadcom Support does not assist in creating custom certificates for use in Aria Operations. For additional support in creating a custom certificate for use in Aria Operations, contact Professional Services.

For steps on how to configure a certificate for use with VMware Aria Operations on-premises, see Configure a Certificate For Use With VMware Aria Operations.


Troubleshooting PEM file issues:

  • If issues are encountered applying the new certificate, the Aria Operations Custom Certificate Tool can be utilized to help determine the issue: How to use the VMware Aria Operations Custom Certificate Tool

  • If an invalid certificate has been applied and functionality of Aria Operations has been impacted, you can revert to the default certificate to keep the cluster functional while troubleshooting of the new certificate is ongoing by running the following command on affected Cloud Proxies:

    cprc-cli -rc reset

  • The finished PEM file should look similar to the following example, where the number of CERTIFICATE sections depends on the length of the issuing chain:

    -----BEGIN CERTIFICATE-----
    (Your Primary SSL certificate: your_domain_name.crt)
    -----END CERTIFICATE-----
    -----BEGIN RSA PRIVATE KEY-----
    (Your Private Key: your_domain_name.key)
    -----END RSA PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    (Your Intermediate certificate: DigiCertCA.crt)
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    (Your Root certificate: TrustedRoot.crt)
    -----END CERTIFICATE-----
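
A pre-flight check for the bundle built in step 12 and laid out above, as an added example (not Broadcom's code and not part of cprc-cli): it confirms the block order (signed certificate, private key, CA certificates) and that the private key belongs to the first certificate. The function names and the check_pem.sh file name are assumptions; both the RSA PRIVATE KEY and PRIVATE KEY labels are accepted because OpenSSL 3.x genrsa writes the latter by default.

```shell
#!/bin/sh
# Added example: pre-flight checks on multi_part.pem before running cprc-cli -rc.
# Function names are hypothetical; they are not part of cprc-cli.

# Print the PEM block labels in file order, comma-separated.
pem_labels() {
    awk '/^-----BEGIN .*-----/ {
             l = $0; sub(/^-----BEGIN /, "", l); sub(/-----.*$/, "", l)
             out = out (n++ ? "," : "") l
         }
         END { print out }' "$1"
}

# Return 0 when the blocks follow the order used in this article:
# signed certificate, private key, then one or more CA certificates.
pem_layout_ok() {
    labels=$(pem_labels "$1")
    rest=${labels#CERTIFICATE,}
    [ "$rest" != "$labels" ] ||
        { echo "first block must be the signed certificate" >&2; return 1; }
    case "$rest" in
        "RSA PRIVATE KEY,"*|"PRIVATE KEY,"*) rest=${rest#*,} ;;
        *) echo "second block must be the private key, followed by CA certs" >&2
           return 1 ;;
    esac
    # Whatever follows the key must consist of CERTIFICATE blocks only.
    [ -z "$(printf '%s' "$rest" | sed 's/CERTIFICATE,\{0,1\}//g')" ] ||
        { echo "only CA certificates may follow the key" >&2; return 1; }
}

# Return 0 when the private key in the bundle belongs to the first certificate
# (compares the public key derived from each; needs openssl on PATH).
pem_key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Usage: sh check_pem.sh multi_part.pem
if [ $# -ge 1 ]; then
    pem_layout_ok "$1" && pem_key_matches_cert "$1" && echo "OK: $1"
else
    # Constructed sample with placeholder bodies, key placed first (wrong order).
    demo=$(mktemp)
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'AAAA' '-----END RSA PRIVATE KEY-----' \
        '-----BEGIN CERTIFICATE-----' 'AAAA' '-----END CERTIFICATE-----' > "$demo"
    pem_layout_ok "$demo" || echo "constructed sample rejected"
    rm -f "$demo"
fi
```

The layout check only inspects block labels, so it also catches a bundle whose files were concatenated in the wrong order before any certificate is parsed.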