Replace vRealize Operations Manager SSL certificates.

This article shares the steps performed to replace the default certificate of vRealize Operations Manager with a custom (CA-signed) SSL certificate. The replaced certificate applies only to the web UI component of the solution and secures communication with clients over the user interface.

I have vRealize 6.6.1 build 6163035 in my lab.

Below are the requirements for setting up custom SSL certificates for vRealize Operations Manager.

The requirements along with the certificate replacement link can be found in the vRealize Operations Manager admin console.

https://<vRealizeOperationsManagerIO>/admin

There are 2 steps in the procedure:

  1. Getting the SSL certs created with OpenSSL and the CA.
  2. Installing the generated pem file.

OpenSSL version used: Win32OpenSSL_Light-1_1_0g.

  • Create a folder to place all your Certificate related files.

“C:\Users\hussain\Desktop\vsom”

  • Create the config file as below (change the req_distinguished_name and v3_req sections as per your appliance).

Openssl.cfg file:

 

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
# An IP address belongs in an IP: entry; DNS: entries are for host names.
subjectAltName = DNS:vsom.mylab.local, IP:192.168.1.111, DNS:vsom

[ req_distinguished_name ]
countryName = AE
stateOrProvinceName = DXB
localityName = DUBAI
0.organizationName = mylab.local
organizationalUnitName = IT
commonName = vsom.mylab.local

  • Generate the CSR and the private key:
    openssl req -new -nodes -out C:\Users\hussain\Desktop\vsom\vsom.csr -keyout C:\Users\hussain\Desktop\vsom\vsom-orig.key -config C:\Users\hussain\Desktop\vsom\openssl.cfg
  • Convert the private key to RSA format:
    openssl rsa -in C:\Users\hussain\Desktop\vsom\vsom-orig.key -out C:\Users\hussain\Desktop\vsom\vsom.key
  • Submit the generated csr to the CA and download the certificate in Base-64 format.
  • Download the root certificate of the CA.
  • Generate the .pem file containing the .cer, the root certificate and private key.
    type C:\Users\hussain\Desktop\vsom\vsom.cer C:\Users\hussain\Desktop\vsom\vsom.key C:\Users\hussain\Desktop\vsom\root.cer > vsom.pem
  • The generated .pem file contains, in this order, the server certificate, the private key and the root certificate.

2) Install the generated pem file using the admin UI.

Although the process is pretty straightforward, I encountered an error due to incorrect time configuration of the vROPS appliance. Once the date and time of the appliance were correctly set, the certificate could be replaced.

error: Certificate is not yet valid
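
The bundle can be checked before it is uploaded. The following is an added example, not part of the original post or of VMware's tooling: a POSIX shell function that checks the block order produced by the type command, that the private key belongs to the server certificate, and that the certificate verifies against the root inside its validity window. The function name check_bundle, the optional appliance-clock argument and the use of a POSIX shell with openssl on the PATH (a Linux host, WSL or Git Bash) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post.
# Usage: check_bundle BUNDLE ROOT_CERT [APPLIANCE_EPOCH]
# APPLIANCE_EPOCH (assumption): `date +%s` taken on the appliance, so validity
# is judged against the appliance clock rather than the local one.
check_bundle() {
    bundle=$1 root=$2 epoch=${3:-}

    # The page generates an unencrypted key (-nodes, encrypt_key = no);
    # flag a bundle that does not match that.
    if grep -q 'ENCRYPTED' "$bundle"; then
        echo "FAIL: private key is encrypted" >&2; return 1
    fi

    # 1. Block order must match the `type` command: certificate, key, root.
    #    Input files without a trailing newline glue two markers onto one
    #    line, which shows up here as a missing label.
    order=$(tr -d '\r' < "$bundle" |
        sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' | paste -sd, -)
    case $order in
        "CERTIFICATE,RSA PRIVATE KEY,CERTIFICATE" | \
        "CERTIFICATE,PRIVATE KEY,CERTIFICATE") ;;
        *) echo "FAIL: unexpected block order: $order" >&2; return 1 ;;
    esac

    # 2. The private key must belong to the first (server) certificate:
    #    compare the public key derived from each.
    cert_pub=$(openssl x509 -in "$bundle" -noout -pubkey) || return 1
    key_pub=$(sed -n '/-----BEGIN .*PRIVATE KEY-----/,/-----END .*PRIVATE KEY-----/p' "$bundle" |
        openssl pkey -pubout) || return 1
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: private key does not match certificate" >&2; return 1
    fi

    # 3. Chain and validity window. A notBefore later than the checked time
    #    fails with "certificate is not yet valid", the error shown above.
    if [ -n "$epoch" ]; then
        openssl verify -attime "$epoch" -CAfile "$root" "$bundle" >&2 || return 1
    else
        openssl verify -CAfile "$root" "$bundle" >&2 || return 1
    fi
    echo "OK: $bundle"
}
```
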

Helpful links:

https://kb.vmware.com/s/article/2046591 

https://kb.vmware.com/s/article/2108686 
