The VMware Knowledge Base provides support solutions, error messages and troubleshooting guides
Configure vRealize Operations Manager (vApp) for SSL using a chain of certificates (2079782)
When configuring vRealize Operations Manager (formerly known as vCenter Operations Manager) 5.x for secure communication, if you import a certificate that is correctly signed by another certificate, the import succeeds but SSL errors appear.
vRealize Operations Manager does not serve the complete chain of certificates to the browser due to an issue with the way that certificates are configured in vRealize Operations Manager. As a result, the browser does not trust the certificate that vRealize Operations Manager provides.
The issue involves three certificates: a root certificate, an intermediate certificate and a certificate to be used by vRealize Operations Manger (formerly known as vCenter Operations Manager) for SSL communication. In this example, the three certificates are: root.crt, intermediate.crt and vcops.pem. These certificates form a chain of trust where vcops.pem is signed by intermediate.crt which is signed by root.crt.
To fix this problem, perform these steps from a command line window on the UI virtual machine:
- Put the root.crt, intermediate.crt, and vcops.pem in /opt/vmware/etc/lighttpd. Modify file permissions with the commands:
chmod ugo+r /opt/vmware/etc/lighttpd/root.crt
chmod ugo+r /opt/vmware/etc/lighttpd/intermediate.crt
- Edit /usr/lib/vmware-vcops/user/conf/install/vcops-apache.conf near line 144 to appear as:
# Enable SSL for apache, use lighttpd cert (for now)
- Type these commands:
add_pem_to_truststore "/opt/vmware/etc/lighttpd/root.crt" "root"
add_pem_to_truststore "/opt/vmware/etc/lighttpd/intermediate.crt" "intermediate"The final three commands apply to vRealize Operations Manager (formerly known as vCenter Operations Manager) 5.7 or later.
After performing these steps, the browser may still show the certificate as not trusted, but the chain of certificates appears. If the root certificate (for example, root.crt) is already trusted in the browser you use, the browser will show that the certificate is trusted.
Note: All the certificates and the private key that are included in the certificate file must be PEM-encoded.
vRealize Operations Manager does not support DER-encoded certificates and private keys.
Note: All the certificates and the private key that are included in the certificate file must be in the PEM format.
vRealize Operations Manager does not support certificates in the PFX, PKCS12, PKCS7, or other
Request a Product Feature
To request a new product feature or to provide feedback on a VMware product, please visit the Request a Product Feature page.