How to change the certs for VAMI on VMware vCAC Appliance

I have been working with several customers, and after changing the certs for things like vRealize Automation using VAMI, they noticed that when they access VAMI at port 5480 (ex: https://vra.vt.com:5480), they still get the self-signed cert instead of the signed cert they have installed. The reason is that the cert you install through VAMI is not used for VAMI itself, but to secure connections to the application; in the vRA/vCAC example, it secures connections to the vRA/vCAC portal that is served on port 443.

[Figure: vRA 62 VAMI invalid security certificate]

For those who want a signed cert for VAMI, you will have to do it through the command line for now. Below are the instructions provided to me by GSS on how to do so for both the vCAC/vRA Identity Appliance as well as the vCAC/vRA appliance. Please note you can use very similar steps for most of the other VMware appliances that use VAMI.

Log on to the VMware Identity Appliance console and execute the following commands:

  1. Copy the rui.pem file (certificate pem file) to the /tmp folder
  2. ls -l /opt/vmware/etc/lighttpd/server.pem and make a note of the server.pem timestamp
  3. cp /opt/vmware/etc/lighttpd/server.pem /opt/vmware/etc/lighttpd/server.pem.bak
  4. cp /tmp/rui.pem /opt/vmware/etc/lighttpd/server.pem
  5. ls -l /opt/vmware/etc/lighttpd/server.pem and verify the server.pem has been updated
  6. service vami-lighttp restart

Log on to the vCAC Appliance console and execute the following commands:

  1. ls -l /opt/vmware/etc/lighttpd/server.pem and make a note of the server.pem timestamp
  2. cp /opt/vmware/etc/lighttpd/server.pem /opt/vmware/etc/lighttpd/server.pem.bck
  3. cp /etc/apache2/server.pem /opt/vmware/etc/lighttpd/server.pem
  4. ls -l /opt/vmware/etc/lighttpd/server.pem and verify the server.pem has been updated
  5. service vami-lighttp restart
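
As an added example (not part of the original post or the GSS instructions): a pre-flight check to run on the PEM before it is copied over /opt/vmware/etc/lighttpd/server.pem in either procedure above. It assumes the file is a combined PEM holding both the private key and the certificate, and that openssl is on the PATH; the function name check_vami_pem is hypothetical.

```bash
#!/bin/bash
# Added example: pre-flight check for a PEM about to become
# /opt/vmware/etc/lighttpd/server.pem (path taken from the steps above).
# Assumption: the file is a combined PEM (private key + certificate).

check_vami_pem() {
    pem="$1"
    [ -r "$pem" ] || { echo "FAIL: cannot read $pem" >&2; return 1; }

    # Both blocks must be present in the one file.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" ||
        { echo "FAIL: no certificate block" >&2; return 1; }
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$pem" ||
        { echo "FAIL: no private key block" >&2; return 1; }

    # The certificate's public key must equal the one derived from the key.
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) ||
        { echo "FAIL: certificate does not parse" >&2; return 1; }
    # -passin pass: stops openssl from prompting if the key is encrypted.
    key_pub=$(openssl pkey -in "$pem" -pubout -passin pass: 2>/dev/null) ||
        { echo "FAIL: private key does not parse (encrypted?)" >&2; return 1; }
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: private key does not match certificate" >&2; return 1; }

    # -checkend 0 exits non-zero if the certificate has already expired.
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "FAIL: certificate has expired" >&2; return 1; }

    # The file holds a private key, so flag world-readable permissions.
    if [ -n "$(find "$pem" -perm -0004 2>/dev/null)" ]; then
        echo "WARN: $pem is world-readable" >&2
    fi

    echo "OK: $(openssl x509 -in "$pem" -noout -subject -enddate | tr '\n' ' ')"
}

# Run against a file when invoked as: ./check_vami_pem.sh /tmp/rui.pem
if [ "$#" -gt 0 ]; then
    check_vami_pem "$1"
fi
```

Run it against /tmp/rui.pem (or /etc/apache2/server.pem) before the cp step; on a non-zero exit, leave the existing server.pem in place.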

Hope this helps!

Generating Certificates for vCAC 6 IaaS Web Server & Manager Service

This post will take you through the steps you will need to generate, request, and apply the certificates for both the vCloud Automation Center 6 IaaS Web Server as well as the Manager Service. Please note this is the third part of a three-post vCAC 6 Certificates tutorial, where the first two posts can be found at:

Note: for vRealize Automation 7, please check out the following blog post before continuing with this one: Replacing Certificates in vRealize Automation 7

Note: This article assumes you are doing the large setup, where you will have to generate two different certs: one for Web and one for Manager Service. If you are running the medium setup, then you will need to include all the names of the Web and Manager Service machines in the same cert, as vRA will only allow you to use one cert for the combined services.

Step 1: Generating the Certificate Requests

To generate the appropriate configuration files:

1. Open a text editor on the system where OpenSSL is installed.

2. Paste the following text into a file, replacing the information in red with that specific to your environment.

Generating Certificates for the identity Appliance/vCAC Appliance

In this post, I will go through how you generate and import the certificates, step by step, for both the Identity and vCAC Appliance. Please note this post is the second part of a three-post tutorial, where you can find the other two posts at:

Note: for vRealize Automation 7, please check out the following blog post: Replacing Certificates in vRealize Automation 7

Step 1: Generate the appropriate configuration files:

  1. Open a text editor on the system where OpenSSL is installed.
  2. Paste the following text into a file, replacing the information in red with that specific to your environment.

This one I used for Identity server:

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vtid01, IP:192.168.2.101, DNS:vtid01.vt.com
[ req_distinguished_name ]
countryName = CA
stateOrProvinceName = ON
localityName = Toronto
0.organizationName = Lab
organizationalUnitName = vCACSSO
commonName = vtid01.vt.com


This one I used for my vCAC Appliance:

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vtvcac01, IP:192.168.2.102, DNS:vtvcac01.vt.com, DNS:vtvcac01a, IP:192.168.2.103, DNS:vtvcac01a.vt.com, DNS:vtvcac01b, IP:192.168.2.104, DNS:vtvcac01b.vt.com  
[ req_distinguished_name ]
countryName = CA
stateOrProvinceName = ON
localityName = Toronto
0.organizationName = Lab
organizationalUnitName = vCACAppliance
commonName = vtvcac01.vt.com


vCloud Automation Center 6 Certificates A to Z

While working on delivering vCAC 6 engagements, I have noticed that getting all the required certificates in place has always required me to jump across different information sources between VMware documentation, blogs, and other consultants' work. For that reason I have decided to put this guide together, which covers the certificates process for a new vCAC 6.x installation from A to Z, to ease the process for myself and others. I start all the way from how to install your own CA and continue all the way until you assign the certificates to each component. Before I start going through the details, I have to give credit where it is due. This document has incorporated information from all of the below sources:

While I have used a lot of material and knowledge that I have gained from the above sources, I have incorporated these steps at different customers, and carried out the full work again in my lab to keep all the screenshots consistent across the full procedure. Hope you will find it useful.

Note: for vRealize Automation 7, please check out the following blog post: Replacing Certificates in vRealize Automation 7

Good to know

This section gives you some important vCloud Automation 6 certificates FAQs and recommendations that you will need to know before getting started.