Replacing self-signed certificate with custom certificates for Aria products
Do you have difficulties replacing the certificates used by your Aria appliances? For security reasons it is always recommended not to keep the self-signed certificate, since clients have no trusted CA against which to validate it. Often you will receive a request to replace the self-signed certificate with a custom certificate signed by an internal or external CA. The steps below show how to create the certificate signing request and complete the certificate replacement.
Please take note that we will be using Aria Lifecycle Manager in the demo. The same steps apply when creating the custom certificate for other Aria products; the only part that differs is importing the certificate back into the appliance. In other words, Lifecycle Manager and vROps may use different steps for importing the certificate, which you can find online or in the official documentation.
1. Preparing CSR (Certificate signing request)
You can use Notepad to create a .cfg file with the content below. Be sure to change the placeholder values (the DNS names, IP address, organization names and common name) to your own. For subjectAltName you can add more DNS names; just remember to separate each value with a comma.
[ req ]
default_md = sha512
default_bits = 2048
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:false
keyUsage = digitalSignature, keyEncipherment
subjectAltName = DNS:myVM.lab.local, DNS:myVM, IP:10.1.1.6
[ req_distinguished_name ]
countryName = SG
stateOrProvinceName = SG
localityName = SG
0.organizationName = ORG_Name
organizationalUnitName = UNIT_NAME
commonName = myVM.lab.local
Upload the .cfg file to the appliance (for example, with WinSCP). You can create a temp folder in the root directory before you copy the file.
Prepare the command to generate the CSR file using the .cfg file that you uploaded. You may change the RSA key size to 4096 if you want. Change the placeholder file names to your own values.
openssl req -new -nodes -out myVM.csr -newkey rsa:2048 -keyout myVM.key -config myVM.cfg
Execute the command from the appliance's root console. Once the command has run successfully, it will create a .key file and a .csr file.
Copy the key and CSR file back to your workstation.
2. Generate certificate using Microsoft Certificate Authority
Generate the certificate using the CSR. I will be using Microsoft CA in this demo.
Copy the content from the .csr file to the textbox. Select the certificate template and click Submit.
Please take note that the certificate template needs to be created beforehand. Follow this article to create it: https://kb.vmware.com/s/article/2062108
Select Base64 and click "Download Certificate". (We do not need to download the certificate chain.)
Download your root certificate if you do not have one yet. You can export it from any domain-joined machine or AD server. Locate your root certificate and export it, remembering to select Base64. I named the exported root file root.cer.
3. Creating the PEM file
The complicated part starts here. Duplicate the .cer file which you just downloaded and rename the copy to .pem.
Copy the content of the .key file to the top of the .pem file.
Open the root certificate (root.cer) in Notepad. Copy its content and paste it at the bottom of the .pem file. Remember to save the file once you have completed the copying.
Check your end product. It should look similar to the screenshot below: the private key first, then the appliance certificate, then the root certificate. Please take note that your content will be longer than the one in the screenshot; I have purposely reduced it.
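To avoid finding out only at import time that the bundle was assembled wrongly, the following added helper (not part of the original post; function names are hypothetical, and it assumes the openssl CLI is installed) builds the .pem in the order described above and checks that the key matches the certificate and that the certificate chains to root.cer before you upload it:

```shell
#!/bin/sh
# Added helper, not part of the original post: build the PEM bundle in the
# order the post describes (private key, appliance certificate, root CA) and
# sanity-check it before importing it into Locker. Function names are
# hypothetical; assumes the openssl CLI is installed.
set -eu

# build_pem KEY CERT ROOT OUT
# awk 1 re-emits every line with a trailing newline, so a file that lacks one
# cannot glue its footer onto the next header; tr strips CRs from Windows files.
build_pem() {
    awk 1 "$1" "$2" "$3" | tr -d '\r' > "$4"
}

# verify_pem BUNDLE ROOT -> exit status 0 when the bundle is safe to import
verify_pem() {
    pem=$1; root=$2
    leaf=$(mktemp)
    # 1. The private key has to be the first block, as the post instructs.
    head -n 1 "$pem" | grep -q 'PRIVATE KEY' \
        || { echo "verify_pem: private key must be at the top of $pem" >&2; rm -f "$leaf"; return 1; }
    # 2. The first certificate after the key must belong to that key
    #    (compare the SHA-256 of both public keys).
    openssl x509 -in "$pem" -out "$leaf"
    key_pub=$(openssl pkey -in "$pem" -pubout | openssl sha256)
    cert_pub=$(openssl x509 -in "$leaf" -pubkey -noout | openssl sha256)
    [ "$key_pub" = "$cert_pub" ] \
        || { echo "verify_pem: key does not match certificate" >&2; rm -f "$leaf"; return 1; }
    # 3. The appliance certificate must chain to the root CA that was appended.
    openssl verify -CAfile "$root" "$leaf" >/dev/null \
        || { echo "verify_pem: certificate does not chain to $root" >&2; rm -f "$leaf"; return 1; }
    # 4. Print the SANs so the operator can confirm the FQDN/IP the browser will use.
    openssl x509 -in "$leaf" -noout -ext subjectAltName
    rm -f "$leaf"
}

# Usage on the workstation or appliance, with the files produced in steps 1-2:
#   build_pem myVM.key myVM.cer root.cer myVM.pem && verify_pem myVM.pem root.cer
```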
4. Importing the certificate to the appliance (Aria Lifecycle Manager)
Now we are ready to import the certificate back into the appliance. Log in to the Aria Lifecycle Manager portal, click on Locker, then click the Import button.
Give it any name and leave the Pass Phrase empty. Browse to the .pem file; it should automatically load the Private Key and Certificate Chain information. Click Import to proceed.
Verify that the new certificate has been loaded. Click the three dots on the right side and select Replace to use the new certificate. Before you proceed, remember to create a backup or snapshot in case of any unforeseen circumstances.
That's it. We have successfully replaced the certificate for the appliance. You can verify from the browser that the appliance is now using the new certificate; clear your browser cache and reload if it doesn't show the new value. Once again, note that different VMware Aria appliances have different certificate import methods. Aria Lifecycle Manager also allows you to import the new certificate into your vRA via the portal. Be sure to check the method before importing to the Aria appliances, but the same steps apply for generating the CSR and creating your custom certificate.