Configure a Certificate For Use With VMware Aria Operations Cloud Proxy
Article ID: 342838

Products

VMware Aria Suite

Issue/Introduction

This article provides instructions for using OpenSSL to configure a certificate for use with VMware Aria Operations Cloud Proxy for VMware Aria Operations (formerly known as vRealize Operations) or VMware Aria Operations (SaaS) (formerly known as vRealize Operations Cloud).

Environment

VMware Aria Operations 8.12.x
VMware vRealize Operations 8.10.x

Resolution

To configure a certificate PEM file with VMware Aria Operations:
  1. Generate a new Certificate PEM for VMware Aria Operations Cloud Proxy.
  2. Install the Certificate PEM in the VMware Aria Operations Cloud Proxy.
Note: The certificates applied are used only for inbound traffic from endpoints. Custom certificates cannot be applied to individual components of VMware Aria Operations such as Java or Gemfire.


Generate a new Certificate PEM file

  1. Log into the Cloud Proxy as root via SSH or Console.
  2. Run the following command to make the /cert directory, then change to that directory:
mkdir /cert && cd /cert
  3. In the /cert directory, create a new file called vrops.cnf:
vi vrops.cnf
  4. The contents of the file should be as follows for a 3 node cluster:
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
default_bits = 2048
default_md = sha256
encrypt_key = no

[dn]
CN = Primary_Node_FQDN

[ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = Primary_Node_FQDN
DNS.2 = Node_2_FQDN
DNS.3 = Node_3_FQDN
DNS.4 = Primary_Node_Shortname
DNS.5 = Node_2_Shortname
DNS.6 = Node_3_Shortname
IP.1 = Primary_Node_IP
IP.2 = Node_2_IP
IP.3 = Node_3_IP

Notes:
  • The CN must also be listed in the subjectAltName section for web browser compatibility.
  • If using a load balancer, the CN should be the IP/FQDN of the load balancer.
  • The certificate will be valid for every FQDN/IP added to the subjectAltName section. Follow your company's security policy for the SAN field, but it is advised to include the IP addresses or FQDNs of each node in the cluster.
  • For VMware Aria Operations (SaaS), only include the details for each Cloud Proxy.
Example:
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
default_bits = 2048
default_md = sha256
encrypt_key = no

[dn]
CN = Cloud_Proxy_1_FQDN

[ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = Cloud_Proxy_1_FQDN
DNS.2 = Cloud_Proxy_2_FQDN
DNS.3 = Cloud_Proxy_3_FQDN
DNS.4 = Cloud_Proxy_1_Shortname
DNS.5 = Cloud_Proxy_2_Shortname
DNS.6 = Cloud_Proxy_3_Shortname
IP.1 = Cloud_Proxy_1_IP
IP.2 = Cloud_Proxy_2_IP
IP.3 = Cloud_Proxy_3_IP
  5. In the examples above, replace the following placeholders with values from your environment, removing or adding node entries to match your cluster:
  • Primary_Node_FQDN
  • Node_2_FQDN
  • Node_3_FQDN
  • Cloud_Proxy_1_FQDN
  • Cloud_Proxy_2_FQDN
  • Cloud_Proxy_3_FQDN
  • Primary_Node_Shortname
  • Node_2_Shortname
  • Node_3_Shortname
  • Cloud_Proxy_1_Shortname
  • Cloud_Proxy_2_Shortname
  • Cloud_Proxy_3_Shortname
  • Primary_Node_IP
  • Node_2_IP
  • Node_3_IP
  • Cloud_Proxy_1_IP
  • Cloud_Proxy_2_IP
  • Cloud_Proxy_3_IP
  6. Save and close the file:
:wq
  7. Using the vrops.cnf file, run the following command to create the CSR to send to your Certificate Authority:
openssl req -new -subj "/" -config /cert/vrops.cnf -keyout /cert/vrops.key -out /cert/vrops.csr
  8. Run the following to verify the information in the CSR is correct (check that the Subject CN and the X509v3 Subject Alternative Name entries match what you configured in vrops.cnf):
openssl req -in /cert/vrops.csr -noout -text

If all information is correct, send the CSR (vrops.csr) to your Certificate Authority and inform them of the details you have configured in the subjectAltName line of vrops.cnf.

Once the Certificate Authority signs your CSR, they will return to you the signed cert based on this CSR and also their own root cert (along with any intermediate certs). Ensure that you download them in Base64 format if given an option.
  9. To construct the PEM file to upload to VMware Aria Operations, combine these files in the following order:
  • The signed cert returned to you by the CA, based on the CSR you created.
  • The private key you generated earlier (vrops.key in the above example).
  • Intermediate certs returned by the CA (only if applicable).
  • The CA's root cert.
  10. Copy the files downloaded from your CA to the VMware Aria Operations Cloud Proxy's /cert directory using an SCP utility.
  11. Log into the Cloud Proxy as root via SSH or Console (in a Console, press ALT+F1 to reach the login prompt).
  12. To combine these files, run the cat command as follows (replacing the filenames as necessary):
cat /cert/signed_cert.crt /cert/vrops.key /cert/cacerts.crt > /cert/multi_part.pem

Note: If your CA also provided you with intermediate certs, the command would look similar to the following:

cat /cert/signed_cert.crt /cert/vrops.key /cert/intermediate.crt /cert/cacerts.crt > /cert/multi_part.pem

Install a New Certificate in VMware Aria Operations Cloud Proxy

  1. Log into the Cloud Proxy as root via SSH or Console.
  2. Run the following command to import the certificate:
cprc-cli -rc /cert/multi_part.pem

Note: If the imported certificates already exist, a dialog will appear asking whether to overwrite the existing ones.

The cprc-cli -rc command workflow will automatically:
  • Check that the imported certificate has a valid format and contains all necessary components in the chain.
  • Extract the certificate and private key from the full chain and create the separate .pem files needed by the httpd configuration.
  • Back up the existing httpd.conf and update its SSL configuration with the new certificate paths.
  • Restart the httpd-south service.


Additional Information

Disclaimer: VMware Global Support does not assist in creating custom certificates for use in VMware Aria Operations. For additional support in creating a custom certificate for use in VMware Aria Operations, contact VMware Professional Services.

For steps on how to configure a certificate for use with VMware Aria Operations on-premises, see Configure a Certificate For Use With VMware Aria Operations (2046591).


Troubleshooting PEM file issues:

  • If issues are encountered applying the new certificate, the VMware Aria Operations Custom Certificate Tool can be used to help determine the cause: How to use the VMware Aria Operations Custom Certificate Tool (2135521)
  • If an invalid certificate has been applied and functionality of VMware Aria Operations has been impacted, you can revert to the default certificate to keep the cluster functional while troubleshooting of the new certificate is ongoing by running the following command on the affected Cloud Proxies:
cprc-cli -rc reset
Note: Paste each BEGIN/END block of the PEM file into a certificate decoder and verify that the blocks appear in the correct order in the PEM file.

Disclaimer: VMware is not responsible for the reliability of any data, opinions, advice, or statements made on third-party websites. Inclusion of such links does not imply that VMware endorses, recommends, or accepts any responsibility for the content of such sites.

Impact/Risks:
The finished PEM file should look similar to the following example, where the number of CERTIFICATE sections depends on the length of the issuing chain:

-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate: your_domain_name.crt)
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
(Your Private Key: your_domain_name.key)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate: DigiCertCA.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Root certificate: TrustedRoot.crt)
-----END CERTIFICATE-----


Failure to comply with the above format may result in Cloud Proxy collections being affected.
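As an added check for the combine step and the layout above (example code written for this article, not part of the KB or of the cprc-cli tool), the following stdlib-only Python parses an assembled multi_part.pem and reports whether the block order is signed certificate, unencrypted private key, then the intermediate and root certificates. The sample PEM bodies are constructed placeholders, not real certificates or keys.

```python
import base64
import re

BLOCK_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END ([A-Z0-9 ]+)-----", re.S)
KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY"}  # unencrypted key labels OpenSSL writes

def parse_pem_blocks(text):
    """Return [(label, der_bytes)]; raise ValueError on a damaged block."""
    blocks = []
    for begin, body, end in BLOCK_RE.findall(text):
        if begin != end:
            raise ValueError(f"BEGIN {begin} is closed by END {end}")
        try:  # binascii.Error is a ValueError subclass
            blocks.append((begin, base64.b64decode("".join(body.split()), validate=True)))
        except ValueError as exc:
            raise ValueError(f"{begin} block is not valid base64: {exc}") from exc
    return blocks

def check_multipart_pem(text):
    """Return (ok, problems); ok only for: signed CERTIFICATE, one unencrypted key, then CA CERTIFICATEs."""
    try:
        labels = [label for label, _ in parse_pem_blocks(text)]
    except ValueError as exc:
        return False, [str(exc)]
    problems = []
    if not labels or labels[0] != "CERTIFICATE":
        problems.append("first block must be the signed CERTIFICATE")
    if "ENCRYPTED PRIVATE KEY" in labels:
        problems.append("private key is encrypted; the CSR config used encrypt_key = no")
    key_at = [i for i, label in enumerate(labels) if label in KEY_LABELS]
    if len(key_at) != 1:
        problems.append(f"expected exactly one private key block, found {len(key_at)}")
    elif key_at[0] != 1:
        problems.append(f"private key is block {key_at[0] + 1}; it must be block 2")
    if len(labels) < 3 or any(label != "CERTIFICATE" for label in labels[2:]):
        problems.append("blocks after the key must be CERTIFICATEs (intermediates, then root)")
    return not problems, problems

def _pem(label, payload):
    return f"-----BEGIN {label}-----\n{base64.b64encode(payload).decode()}\n-----END {label}-----\n"

# Constructed samples (not real certs or keys): the KB's order, and the key pasted before the signed cert.
GOOD_PEM = (_pem("CERTIFICATE", b"constructed signed cert") + _pem("RSA PRIVATE KEY", b"constructed key")
            + _pem("CERTIFICATE", b"constructed intermediate") + _pem("CERTIFICATE", b"constructed root"))
BAD_PEM = (_pem("RSA PRIVATE KEY", b"constructed key") + _pem("CERTIFICATE", b"constructed signed cert")
           + _pem("CERTIFICATE", b"constructed root"))

if __name__ == "__main__":
    for name, pem in (("good", GOOD_PEM), ("bad", BAD_PEM)):
        print(name, check_multipart_pem(pem))
```

On a Cloud Proxy the same function can be pointed at the real file by reading /cert/multi_part.pem into a string before the import with cprc-cli -rc.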