How to install a custom certificate on VMware Aria Operations for Networks
search cancel

How to install a custom certificate on VMware Aria Operations for Networks


Article ID: 324471


Updated On:


VMware Aria Operations for Networks


This article provides steps to install a new custom certificate in VMware Aria Operations for Networks (formerly VMware vRealize Network Insight).
You will be using the consoleuser account for the steps listed below
This KB was written for a Simple Deployment
For a Cluster deployment apply the steps to Platform node 1, then Platform 2,3,4 etc via CLI


VMware vRealize Network Insight 5.x
VMware vRealize Network Insight 3.x
VMware vRealize Network Insight 4.x
VMware vRealize Network Insight 6.x
VMware Aria Operations for Networks 6.x



  • The certificate can be from a well known third party certificate vendor or from an internal Certificate Authority (CA).

  • Certificate will require that the DNS name, the appliance name, and the subject name of the certificate are the Fully Qualified Domain Name.
    Note: Exceptions to this requirement can be a wildcard certificate. However, the Subject Alternative Name (SAN) should also include the Fully Qualified Domain Name of the appliance.

  • Full certificate chain with private key, both base64 encoded PEM format.

Generating a Certificate Signing Request (CSR)

  1. Generate a key pair by running this command:
unalias openssl
openssl genrsa -out key_filename.key 2048
  1. Use the key to generate a certificate signing request by running this command:
openssl req -new -key key_filename.key -out certificate_request.csr
  1. Submit the CSR file to your Certificate Authority (CA) to obtain a signed certificate.
  2. From your Certificate Authority, download the certificate and the complete issuing chain (one or more certificates). Download them in Base64 format as a PEM, and make sure the full certificate chain is present in customcert.crt

Validating the custom certificate files

  1. To verify file signature for correctness, execute the two below commands on any Linux host:
file customcert.crt
file customcert_privatekey.key
Note: replace customcert and customcert_privatekey with the actual .crt and .key names. 

The below example command and the associated output means the signature is correct:
#file customcert.crt
customcert.crt: PEM certificate
#file customcert_privatekey.key
customcert_privatekey.key: PEM RSA private key - Correct

The below example command and the associated output means the signature is incorrect:
#file custcert.crt
custcert.crt: ASCII text - Incorrect
#file custcert_privatekey.key
custcert_privatekey.key: ASCII text
Note: For PFX/PB7 key, you may need to run some additional commands to get to the expected format.
  1. When the file is opened using any text editor, it should only have content similar to:

In addition, it could contain Header and Footer with some digest in between because some conversion and  or exporting tools also write so called BAG ATTRIBUTES to output file. It is required or safe to remove these from the above files.

Installing a custom certificate

To install a new custom certificate follow the steps below. 
  1. Log in to VMware Aria Operations for Networks command line interface (CLI) via SSH as the user consoleuser.
  2. Remove the existing certificate using custom-cert remove command:

    custom-cert remove

    You see this message:

    Removed all custom certificates
  3. Copy the new certificate from the host where it is located using custom-cert copy command:
    custom-cert copy --host <IP_of_SFTP_host> --user <user_of_SFTP_host> --port 22 --path </path/to/file>.crt
    custom-cert copy --host <IP_of_SFTP_host> --user <user_of_SFTP_host> --port 22 --path </path/to/file>.key
Note: replace <IP_of_SFTP_host>, <user_of_SFTP_host>, and </path/to/file> with the real values. An example this command would be as below:
custom-cert copy --host --user adminxyz --port 22 --path /tmp/file.crt
custom-cert copy --host --user adminxyz --port 22 --path /tmp/file.key

When you are prompted to enter the password, enter <user_of_SFTP_host> password.

When copying is successful, you see this message:

successfully copied
  1. List the available certificates using custom-cert list command:

    custom-cert list

  2. Apply the new certificate using custom-cert apply command:

    custom-cert apply

    After the certificate is applied, you see this message:

    Successfully applied new certificate. All active UI sessions have to be restarted.

Note: Passphrase protected keypair is not supported.


Additional Information