Configure a certificate for use with vRealize Operations Manager (2046591)

Purpose

This article provides instructions for using OpenSSL to configure an authentication certificate for use with vRealize Operations Manager (formerly known as vCenter Operations Manager).

Resolution


Note: The certificates applied through vRealize Operations Manager Admin UI will be used only for securely connecting and serving the user interfaces to (external) clients.

vCenter Operations Manager 5.x

Configure a certificate for use with vCenter Operations Manager (vApp) 5.x.
  1. Log in to the server where OpenSSL is installed and run this command:

    openssl req -nodes -newkey rsa:2048 -keyout myserver.key -out server.csr

    Note: The myserver.key and server.csr file names can be changed to something more appropriate.

  2. Answer the prompts as appropriate for the vRealize Operations Manager UI virtual machine.
  3. Send the server.csr file to a CA to have a certificate generated.
  4. After you receive a certificate from the CA, run these commands on the same system where the previous openssl command was run:

    openssl pkcs12 -export -in server.crt -inkey myserver.key -out myserver.p12
    openssl pkcs12 -in myserver.p12 -nodes -out myserver.pem


    Notes:

    • Replace server.crt with the name of the certificate file delivered by the CA.
    • The myserver.p12 and myserver.pem filenames can be changed to something more appropriate.
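    • Do not enter a password if prompted for one.
    • The -nodes option writes the private key to myserver.pem unencrypted, so restrict access to that file.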

  5. Use the myserver.pem file on the SSL page in the vRealize Operations Manager admin UI.
  6. After the certificate is loaded, open the admin UI in a new browser to ensure that the CA certificate is being used.

vRealize Operations Manager 6.x

Configure a certificate for use with vRealize Operations Manager 6.x.

  1. In a Web browser, navigate to the vRealize Operations Manager administration interface.

    https://vrops-node-FQDN-or-ip-address/admin

  2. Log in with the admin username and password.
  3. At the upper right, click the yellow SSL Certificate icon.
  4. In the SSL Certificate window, click Install New Certificate.
  5. Click Browse for certificate.
  6. Locate the certificate .pem file, and click Open to load the file in the Certificate Information text box.

    The certificate file must contain a valid private key and a valid certificate chain.

  7. Click Install.

Generate a certificate PEM file for use with vRealize Operations Manager 6.x

This example is from a Linux machine, but similar steps should work on Windows or Mac machines where OpenSSL is installed.

  1. Generate a key pair by running this command:

    openssl genrsa -out key_filename.key 2048

  2. Use the key to generate a certificate signing request by running this command:

    openssl req -new -key key_filename.key -out certificate_request.csr

  3. Submit the CSR file to your Certificate Authority (CA) to obtain a signed certificate.
  4. From your Certificate Authority, download the certificate and the complete issuing chain (one or more certificates). Download them in Base64 format.
  5. Enter the command to create a single PEM file containing all certificates and the private key. In this step, the example certificate is server_cert.cer and the issuing chain is cacerts.cer.

    Note: The order of the sections in the .PEM file is: Cert, Private Key, Intermediate Cert, and then Root Cert.

    cat server_cert.cer key_filename.key cacerts.cer > multi_part.pem

    Note: In Windows, replace cat with type.

The finished PEM file should look similar to the following example, where the number of CERTIFICATE sections depends on the length of the issuing chain:

-----BEGIN CERTIFICATE-----
MIIF1DCCBLygAwIBAgIKFYXYUwAAAAAAGTANBgkqhkiG9w0BAQ0FADBhMRMwEQYK
CZImiZPyLGQBGRYDY29tMRUwEwYKCZImiZPyLGQBGRYFdm13Y3MxGDAWBgoJkiaJ
<snip>
vKStQJNr7z2+pTy92M6FgJz3y+daL+9ddbaMNp9fVXjHBoDLGGaLOvyD+KJ8+xba
aGJfGf9ELXM=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA4l5ffX694riI1RmdRLJwL6sOWa+Wf70HRoLtx21kZzbXbUQN
mQhTRiidJ3Ro2gRbj/btSsI+OMUzotz5VRT/yeyoTC5l2uJEapld45RroUDHQwWJ
<snip>
DAN9hQus3832xMkAuVP/jt76dHDYyviyIYbmxzMalX7LZy1MCQVg4hCH0vLsHtLh
M1rOAsz62Eht/iB61AsVCCiN3gLrX7MKsYdxZcRVruGXSIh33ynA
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDnTCCAoWgAwIBAgIQY+j29InmdYNCs2cK1H4kPzANBgkqhkiG9w0BAQ0FADBh
MRMwEQYKCZImiZPyLGQBGRYDY29tMRUwEwYKCZImiZPyLGQBGRYFdm13Y3MxGDAW
<snip>
ukzUuqX7wEhc+QgJWgl41mWZBZ09gfsA9XuXBL0k17IpVHpEgwwrjQz8X68m4I99
dD5Pflf/nLRJvR9jwXl62yk=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
ABCDnTCCAoWgAwIBAgIQY+j29InmdYNCs2cK1H4kPzANBgkqhkiG9w0BAQ0FADBh
MRMwEQYKCZImiZPyLGQBGRYDY29tMRUwEwYKCZImiZPyLGQBGRYFdm13Y3MxGDAW
<snip>
ukzUuqX7wEhc+QgJWgl41mWZBZ09gfsA9XuXBL0k17IpVHpEgwwrjQz8X68m4I99
dD5Pflf/nLRJvR9jwXl62yk=
-----END CERTIFICATE-----
Note: Alternatively, the finished file might look similar to the following example. Microsoft tools add the Bag Attributes sections, which might cause an error when configuring a certificate in the administration interface:

Unable to find any certificates in the uploaded certificate file. Verify that the certificate is valid and try again.

To correct the error, open the PEM file using a text editor, and delete all Bag Attributes content.
Keep only the content from all -BEGIN- to -END- markers, inclusive.

Bag Attributes
Microsoft Local Key set: <No Values>
localKeyID: 01 00 00 00
Microsoft CSP Name: Microsoft RSA SChannel Cryptographic Provider
friendlyName: le-WebServer-8dea65d4-c331-40f4-aa0b-205c3c323f62
Key Attributes
X509v3 Key Usage: 10
-----BEGIN PRIVATE KEY-----
MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAKHqyfc+qcQK4yxJ
om3PuB8dYZm34Qlt81GAAnBPYe3B4Q/0ba6PV8GtWG2svIpcl/eflwGHgTU3zJxR
<snip>
tz86wySJNeOiUkQm36iXVF8AckPKT9TrbC3Ho7nC8OzL7gEllETa4Zc86Z3wpcGF
BHhEDMHaihyuVgI=
-----END PRIVATE KEY-----
Bag Attributes
localKeyID: 01 00 00 00
1.3.6.1.4.1.311.17.3.92: 00 04 00 00
1.3.6.1.4.1.311.17.3.20: 7F 95 38 07 CB 0C 99 DD 41 23 26 15 8B
E8 D8 4B 0A C8 7D 93
friendlyName: cos-oc-vcops
1.3.6.1.4.1.311.17.3.71: 43 00 4F 00 53 00 2D 00 4F 00 43 00 2D
00 56 00 43 00 4D 00 35 00 37 00 31 00 2E 00 76 00 6D 00 77 00
61 00 72 00 65 00 2E 00 63 00 6F 00 6D 00 00 00
1.3.6.1.4.1.311.17.3.87: 00 00 00 00 00 00 00 00 02 00 00 00 20
00 00 00 02 00 00 00 6C 00 64 00 61 00 70 00 3A 00 00 00 7B 00
41 00 45 00 35 00 44 00 44 00 33 00 44 00 30 00 2D 00 36 00 45
00 37 00 30 00 2D 00 34 00 42 00 44 00 42 00 2D 00 39 00 43 00
34 00 31 00 2D 00 31 00 43 00 34 00 41 00 38 00 44 00 43 00 42
00 30 00 38 00 42 00 46 00 7D 00 00 00 70 00 61 00 2D 00 61 00
64 00 63 00 33 00 2E 00 76 00 6D 00 77 00 61 00 72 00 65 00 2E
00 63 00 6F 00 6D 00 5C 00 56 00 4D 00 77 00 61 00 72 00 65 00
20 00 43 00 41 00 00 00 31 00 32 00 33 00 33 00 30 00 00 00
subject=/CN=cos-oc-vcops.eng.vmware.com
issuer=/DC=com/DC=vmware/CN=VMware CA
-----BEGIN CERTIFICATE-----
MIIFWTCCBEGgAwIBAgIKSJGT5gACAAAwKjANBgkqhkiG9w0BAQUFADBBMRMwEQYK
CZImiZPyLGQBGRYDY29tMRYwFAYKCZImiZPyLGQBGRYGdm13YXJlMRIwEAYDVQQD
<snip>
Mc35YerWU8hQNZTsvhTURyoIL03+yxQijRWKU6BcO0eq8wfeT1i1ihrNEI+MhJYf
ht8tiVNpuhvoxdlEq5o9OFImo+TJFvwT6vV4YAA=
-----END CERTIFICATE-----
Bag Attributes
1.3.6.1.4.1.311.17.3.92: 00 08 00 00
1.3.6.1.4.1.311.17.3.20: 12 08 34 FC 8C DF C8 82 A4 EA 43 66 C6
4F 5B 03 D1 23 78 9A
subject=/DC=com/DC=vmware/CN=VMware CA
issuer=/DC=com/DC=vmware/CN=VMware CA
-----BEGIN CERTIFICATE-----
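
The cleanup and ordering rules above can be checked before the file is uploaded. The following shell script is an added example, not part of the VMware article: it keeps only the BEGIN/END blocks, compares the block order with the order given in the note, and, where openssl is installed, confirms that the private key belongs to the first certificate. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not VMware's code: checks to run on the combined PEM before upload.

# Keep only the BEGIN..END blocks, inclusive. Drops Bag Attributes, subject=/issuer=
# lines and Windows carriage returns.
strip_bag_attributes() {
    tr -d '\r' < "$1" | sed -n '/^-----BEGIN /,/^-----END /p'
}

# Print the block types in file order, comma-separated.
pem_block_order() {
    tr -d '\r' < "$1" | sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' | paste -s -d, -
}

# True when the order matches the note: certificate, private key, then one or
# more issuing-chain certificates.
has_documented_order() {
    pem_block_order "$1" | grep -Eq '^CERTIFICATE,(RSA )?PRIVATE KEY(,CERTIFICATE)+$'
}

# True when the first private key in the file belongs to the first certificate.
# Requires openssl; compares the two public keys as PEM text.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Constructed sample in the Microsoft export layout; the Base64 is placeholder text.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Bag Attributes
    localKeyID: 01 00 00 00
    friendlyName: constructed-example
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQtS0VZ
-----END PRIVATE KEY-----
Bag Attributes
    localKeyID: 01 00 00 00
subject=/CN=vrops.example.test
issuer=/CN=Example Test CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtQ0VSVA==
-----END CERTIFICATE-----
EOF

clean=$(mktemp)
strip_bag_attributes "$sample" > "$clean"
echo "blocks after cleanup: $(pem_block_order "$clean")"
has_documented_order "$clean" || echo "order differs from the note; reassemble as cert, key, chain"
```

On a real file, run key_matches_cert on the cleaned output as well; the temporary files hold the unencrypted private key and should be deleted afterwards.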
