Using the Custom Certificate Tool in VMware Aria Operations
search cancel

Using the Custom Certificate Tool in VMware Aria Operations


Article ID: 333948


Updated On:


VMware Aria Suite


For customers who do not use the default certificate, VMware Aria Operations supports the uploading and use of custom security certificates. In some cases, users find it difficult to create a custom certificate PEM file that is compatible with VMware Aria Operations. The certificate file format requirements are very specific, and VMware Aria Operations does not provide extensive diagnostics for uploaded custom certificates.


VMware vRealize Operations 8.10.x
VMware vRealize Operations 8.2.x
VMware Aria Operations 8.12.x
VMware vRealize Operations Manager 7.5.x
VMware vRealize Operations Manager 7.0.x
VMware vRealize Operations 8.4.x
VMware vRealize Operations 8.6.x
VMware vRealize Operations 8.0.x
VMware vRealize Operations 8.1.x
VMware vRealize Operations 8.3.x
VMware vRealize Operations 8.5.x
VMware vRealize Operations 8.x


For improved diagnostics or to correct common errors, you can  run the custom certificate tool.  This tool is a Python script that runs on any VMware AriaOperations node.
Note: For version 6.x or 7.x, the script is attached to the article and will need to be downloaded and placed into the /usr/lib/vmware-casa/bin/ folder on the vRealize Operations node you wish to run the script on.  The script is already included in vRealize Operations 8.x and later.

Using the Script
  1. Log into the VMware Aria Operations node as root via SSH or Console, pressing ALT+F1 in a Console to log in.
  2. Run the following command:
$VMWARE_PYTHON_BIN /usr/lib/vmware-casa/bin/ -i custom-certificate-pem-file

Note: Replace custom-certificate-pem-file with the path and name of your custom certificate file.

Example$VMWARE_PYTHON_BIN /usr/lib/vmware-casa/bin/ -i /tmp/custom_cert.pem

The tool supports the following options:
(-i or --infile) filename (repeat)Specify the custom certificate input file.

When used with --fix, multiple input files are supported. See the Examples section below.
(-p or --password) passwordSpecify the password for an encrypted key section, if the input file includes one.
(-d or --describe) or --no_describeDisplay or hide the contents of the input file.

If you omit this setting, the tool displays the contents by default.
-f or --fixAttempt to repair the input file and save the repaired file as a multiple-part PEM. An output filename is required. The --fix option makes the following changes when repairing an input file:
  • Rearranges the certificates into an order supported by the earliest VMware Aria Operations version.
  • Removes any duplicate or extra certificates.
  • Extracts certificates from embedded PKCS7 sections and adds them to the output file.
  • Normalizes line endings.
  • Removes any extra private key sections.
  • Combines multiple input files.
  • Adds "bag attribute" style information to the output file to make it readable to the user.
(-o or --outfile) filenameUsed only with the --fix option, the filename of the repaired, multiple-part PEM.
(-b or --bag_attributes) or --no_bag_attributesUsed with the --fix option to include or exclude descriptive text in the output file.

If you omit this setting, the --fix option includes the text by default.
(-v or --validate) or --no_validateValidate the input file and display a status message, or skip validation. The no_validate option is only useful with the --fix option.

If you omit this setting, the tool validates the input file by default.
--logging_conf filenameFile that contains logging confuration settings. If you omit this option, the default configuration file is logging.conf.

By default, basic output goes to the console, and detailed logging goes to vropsCertificateTool.log. When working with Technical Support, provide copies of your certificates and vropsCertificateTool.log.
--level (DEBUG | INFO | WARN | WARNING | ERROR | CRITICAL | NONE)Specify the message types that you want to appear in the log.

If you omit this setting, the default is INFO.
--openssl pathLocation of the OpenSSL binary, for use with PKCS7 files. Only needed if the OpenSSL binary location is not part of the system path.
-h or --helpDisplay instructions for the tool.




  • Validate a PEM file:
$VMWARE_PYTHON_BIN -i uploaded_cert.pem
  • Assemble a multiple-part PEM file from separate parts:
$VMWARE_PYTHON_BIN -i ca.pem -i cert1.pem -i key.pem --fix --outfile uploaded_cert.pem
  • Repair a multiple-part PEM file:
$VMWARE_PYTHON_BIN --infile broken.pem --fix --outfile fixed.pem
  • Add a missing certificate to a multiple-part PEM file:
$VMWARE_PYTHON_BIN --fix --infile partial.pem --infile ca.pem --outfile uploaded_cert.pem
  • Discover what is in a PEM file:
$VMWARE_PYTHON_BIN --describe --infile uploaded_cert.pem
  • Add readable descriptions (bag attributes) to a PEM file:
$VMWARE_PYTHON_BIN --fix --bag_attributes --infile uploaded_cert.pem --outfile bags.pem

Additional Information

Knowledge Base article 2046591 contains additional information about certificates.

For translated versions of this article, see:


vropsCertificateTool get_app