This article shares the steps performed to replace/configure a custom (CA-signed) SSL certificate for vRealize Operations Manager. The replaced certificate is used only by the web UI component of the solution and secures communication with clients over the user interface.
I have vRealize 6.6.1 build 6163035 in my lab.
Below are the requirements for setting up custom SSL certificates for vRealize Operations Manager.
The requirements along with the certificate replacement link can be found in the vRealize Operations Manager admin console.
There are 2 steps in the procedure:
- Getting the SSL certs created from OpenSSL and the CA.
- Installing the generated pem file.
OpenSSL version Win32OpenSSL_Light-1_1_0g was used.
- Create a folder to place all your Certificate related files.
- Create the config file as below (change the req_distinguished_name and v3_req sections as per your appliance).
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
# IP addresses go in an IP: entry; a DNS: entry is only matched against host names
subjectAltName = DNS:vsom.mylab.local, IP:192.168.1.111, DNS:vsom
[ req_distinguished_name ]
countryName = AE
stateOrProvinceName = DXB
localityName = DUBAI
0.organizationName = mylab.local
organizationalUnitName = IT
openssl req -new -nodes -out C:\Users\hussain\Desktop\vsom\vsom.csr -keyout C:\Users\hussain\Desktop\vsom\vsom-orig.key -config C:\Users\hussain\Desktop\vsom\openssl.cfg
openssl rsa -in C:\Users\hussain\Desktop\vsom\vsom-orig.key -out C:\Users\hussain\Desktop\vsom\vsom.key
- Submit the generated CSR to the CA and download the certificate in Base-64 format.
- Download the root certificate of the CA.
- Generate the .pem file containing the .cer, the root certificate and private key.
type C:\Users\hussain\Desktop\vsom\vsom.cer C:\Users\hussain\Desktop\vsom\vsom.key C:\Users\hussain\Desktop\vsom\root.cer > vsom.pem
- The generated .pem file looks something like this
2) Install the generated pem file using the admin UI.
Although the process is pretty straightforward, I encountered an error due to incorrect time configuration of the vROPS appliance. Once the date and time of the appliance were correctly set, the certificate could be replaced.
error: Certificate is not yet valid
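
The "not yet valid" error means the certificate's notBefore date is later than the clock of the machine validating it. As an added example (not part of the original article), this POSIX shell script checks the certificate, key and root before they are concatenated into vsom.pem, and can run the validity check as of another machine's clock; the function names and the throwaway demo CA are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the article): pre-upload checks for the files that
# go into vsom.pem. File names follow the article; function names are made up.

# check_bundle CERT KEY ROOT [EPOCH]: prints findings, returns 0 only if clean.
# EPOCH is the clock (seconds since 1970) of the machine that will validate
# the certificate, e.g. the appliance; it defaults to this machine's clock.
check_bundle() {
    cert=$1 key=$2 root=$3 when=${4:-$(date +%s)} rc=0

    # 1. The private key must be readable without a passphrase and must be
    #    the one the certificate was issued for (same public key).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: key is unreadable or does not belong to the certificate"
        rc=1
    fi

    # 2. The certificate must chain to the root and be inside its validity
    #    window at time EPOCH ("certificate is not yet valid" shows up here).
    if ! out=$(openssl verify -attime "$when" -CAfile "$root" "$cert" 2>&1); then
        echo "FAIL: $out"
        rc=1
    fi

    # 3. Show what the CA actually issued; a CA may drop SANs from the CSR.
    openssl x509 -in "$cert" -noout -startdate -enddate
    openssl x509 -in "$cert" -noout -text | grep -A1 'Subject Alternative Name' \
        || echo "WARN: certificate has no subjectAltName"
    return $rc
}

# make_demo DIR: constructed test data only, a throwaway root CA and a leaf
# certificate for vsom.mylab.local signed by it.
make_demo() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root" \
        -keyout "$1/root.key" -out "$1/root.cer" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=vsom.mylab.local" \
        -keyout "$1/vsom.key" -out "$1/vsom.csr" 2>/dev/null
    openssl x509 -req -in "$1/vsom.csr" -CA "$1/root.cer" -CAkey "$1/root.key" \
        -CAcreateserial -days 1 -out "$1/vsom.cer" 2>/dev/null
}

# Usage: sh check_bundle.sh vsom.cer vsom.key root.cer [appliance-epoch]
if [ "$#" -ge 3 ]; then check_bundle "$@"; fi
```

Passing the output of `date +%s` from the appliance as the fourth argument shows whether the certificate would be accepted by the appliance's clock rather than the workstation's.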