Step-by-Step: Configuring a Custom Certificate for VMware Aria Operations

📁 Step 1: Generate a Certificate Signing Request (CSR)

  1. Access the Primary Node: Log into the Primary node of your Aria Operations cluster via SSH or console as the root user.
  2. Create a Directory for Certificates:

mkdir /cert && cd /cert

  3. Create the OpenSSL Configuration File: Use a text editor to create aops.cnf:

vi /cert/aops.cnf

For a 3-node cluster, the file should contain:

[req]
prompt = no
distinguished_name = dn
req_extensions = ext
default_bits = 2048
default_md = sha256
encrypt_key = no

[dn]
CN = Primary_Node_FQDN

[ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = Primary_Node_FQDN
DNS.2 = Node_2_FQDN
DNS.3 = Node_3_FQDN
DNS.4 = Primary_Node_Shortname
DNS.5 = Node_2_Shortname
DNS.6 = Node_3_Shortname
IP.1 = Primary_Node_IP
IP.2 = Node_2_IP
IP.3 = Node_3_IP

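Replace placeholders with your actual node details. If using a load balancer, set the CN to its FQDN or IP. Because encrypt_key = no, aops.key is written to disk unencrypted, so keep the /cert directory readable by root only.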

  4. Generate the CSR and Private Key:

openssl req -new -config /cert/aops.cnf -keyout /cert/aops.key -out /cert/aops.csr

  5. Verify the CSR:

openssl req -in /cert/aops.csr -noout -text

  6. Submit the CSR to a Certificate Authority (CA): Send the aops.csr file to your CA for signing. Ensure the CA returns the signed certificate along with any intermediate and root certificates in Base64 format.

📦 Step 2: Assemble the PEM File

  1. Transfer Certificates to the Primary Node: Use an SCP utility to place the following files into the /cert directory on the Primary node:
    • Signed certificate (e.g., signed_cert.crt)
    • Intermediate certificates (e.g., intermediate.crt)
    • Root certificate (e.g., cacerts.crt)
  2. Combine Certificates into a Single PEM File: If you have intermediate certificates:
cat /cert/signed_cert.crt /cert/aops.key /cert/intermediate.crt /cert/cacerts.crt > /cert/multi_part.pem

If no intermediate certificates:

cat /cert/signed_cert.crt /cert/aops.key /cert/cacerts.crt > /cert/multi_part.pem

Ensure the order: signed certificate, private key, intermediate certificates (if any), then root certificate.
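
Before uploading, the bundle can be checked for the block order above and for a private key that actually belongs to the signed certificate. The script below is an added example, not a VMware tool or part of the original procedure; pem_order and check_bundle are hypothetical helper names, and it assumes an unencrypted key as produced by the aops.cnf above.

```shell
#!/bin/sh
# Added example: pre-upload checks for the bundle assembled in Step 2.
# pem_order and check_bundle are hypothetical helper names.
# Usage: check_bundle /cert/multi_part.pem

# Print each PEM block type in file order, one per line. CRLF line endings
# (common in CA-issued files) are stripped first. A file concatenated without
# a trailing newline fuses END/BEGIN markers onto one line, so the fused
# block is not listed and the order check below fails.
pem_order() {
    tr -d '\r' < "$1" | sed -n 's/^-----BEGIN \(.*\)-----$/\1/p'
}

# Return 0 only if the bundle is: signed certificate, unencrypted private
# key, then at least one CA certificate, and the key matches the certificate.
check_bundle() {
    bundle=$1
    pem_order "$bundle" | awk '
        NR == 2 { if ($0 !~ /^(RSA |EC )?PRIVATE KEY$/) bad = 1; next }
        $0 != "CERTIFICATE" { bad = 1 }
        END { exit (bad || NR < 3) }' || {
        echo "bad block order in $bundle (want: cert, key, CA certs)" >&2
        return 1
    }
    # openssl x509 reads the first certificate in the file, i.e. the leaf.
    cert_pub=$(openssl x509 -in "$bundle" -noout -pubkey) || return 1
    # Feed only the private key block to openssl pkey.
    key_pub=$(tr -d '\r' < "$bundle" |
        sed -n '/^-----BEGIN .*PRIVATE KEY-----$/,/^-----END .*PRIVATE KEY-----$/p' |
        openssl pkey -pubout) || return 1
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match the signed certificate" >&2
        return 1
    fi
    echo "bundle OK: order and key/certificate pairing verified"
}
```

A failure here usually means the CA signed a different CSR, the files were concatenated in the wrong order, or one of the input files lacked a trailing newline.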

🛠️ Step 3: Install the Certificate via the Admin UI

  1. Access the Admin UI: Navigate to the VMware Aria Operations Admin UI using a web browser.
  2. If you are on Aria Operations 8.10 or later, click Take Offline under Cluster Status.
    Note: Wait for Cluster Status to show as Offline.
  3. Initiate Certificate Installation: Click on the certificate icon located in the top-right corner and select “INSTALL A NEW CERTIFICATE.”
  4. Upload the PEM File: Browse to /cert/multi_part.pem and upload it.
  5. If you are on Aria Operations 8.10 or later, once the certificate is installed, click Bring Online under Cluster Status.
    Note: Wait for Cluster Status to show as Online.

🧪 Troubleshooting Tips

  • PEM File Issues: If you encounter problems applying the PEM file, consider using the VMware Aria Operations Custom Certificate Tool for diagnostics.
  • Certificate Mismatch Errors: If Aria Suite Lifecycle reports errors like LCMVROPSYSTEM25000, it may indicate a certificate mismatch. Ensure that the Aria Operations certificate aligns with what’s stored in Aria Suite Lifecycle.
  • Expired Certificates: For expired internal certificates preventing the cluster from coming online, refer to Broadcom’s guidance on replacing expired internal certificates.
