This article explains how to replace a VMware Cloud Gateway Machine SSL certificate with a Custom Certificate Authority (CA) Signed Certificate.
You can replace the certificate for vCenter Cloud Gateway when the certificate expires or when you want to use a certificate from another certificate provider.
Important: If you have configured Hybrid Linked Mode on the vCenter Cloud Gateway, do not use this procedure to replace the certificate. Use the process in Replace the Certificate for the Cloud Gateway Appliance with Hybrid Linked Mode Enabled instead.
Generate certificate signing requests (CSRs) for each certificate you want to replace. Provide the CSR to your Certificate Authority. When the Certificate Authority returns the certificate, place it in a location that you can access from the vCenter Cloud Gateway.
X509v3 extensions:
    X509v3 Basic Constraints: critical
        CA:TRUE
    X509v3 Key Usage: critical
        Digital Signature, Key Encipherment, Certificate Sign, CRL Sign
Note: The 'Key Encipherment' key usage must be set on the endpoint (Machine SSL) certificate.
Note: Make sure to append the private key to this file (server.pem) as well.
server.pem should contain, in this order:
-----BEGIN CERTIFICATE-----
<CERT>
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
<KEY>
-----END PRIVATE KEY-----
In case of a failure, ensure that the certificate/key pair and the RootCA certificate have no issues:
[ /etc/applmgmt/appliance ]# openssl verify -verbose -CAfile rootCA.pem server.pem
Review the logs to understand the cause of the issue:
/var/log/vmware/messages