To store a trusted CA-signed TLS/SSL server certificate on the Access Point appliance, you must convert the certificate to the correct format and use PowerShell scripts or the Access Point REST API to configure the certificate.

About this task

For production environments, VMware strongly recommends that you replace the default certificate as soon as possible. The default TLS/SSL server certificate that is generated when you deploy an Access Point appliance is not signed by a trusted Certificate Authority.

Important:

Also use this procedure for periodically replacing a certificate that has been signed by a trusted CA before the certificate expires, which might be every two years.

This procedure describes how to use the REST API to replace the certificate. An easier alternative might be to use the PowerShell scripts attached to the blog post "Using PowerShell to Deploy VMware Access Point," available at https://communities.vmware.com/docs/DOC-30835. If you have already deployed the named Access Point appliance, then running the script again will power off the appliance, delete it, and redeploy it with the current settings you specify.

Prerequisites

  • Unless you already have a valid TLS/SSL server certificate and its private key, obtain a new signed certificate from a Certificate Authority. When you generate a certificate signing request (CSR) to obtain a certificate, make sure that a private key is also generated. Do not generate server certificates with a KeyLength value under 1024.

    To generate the CSR, you must know the fully qualified domain name (FQDN) that client devices will use to connect to the Access Point appliance and the organizational unit, organization, city, state, and country to complete the Subject name.

  • Convert the certificate to PEM-format files and convert the .pem files to one-line format. See Convert Certificate Files to One-Line PEM Format.

  • Familiarize yourself with the Access Point REST API. The specification for this API is available at the following URL on the virtual machine where Access Point is installed: https://access-point-appliance.example.com:9443/rest/swagger.yaml.

Procedure

  1. Create a JSON request for submitting the certificate to the Access Point appliance.
    {
      "privateKeyPem": "string",
      "certChainPem": "string"
    }

    In this example, the string values are the JSON one-line PEM values that you created as described in the prerequisites.

  2. Use a REST client, such as curl or Postman, to send the JSON request to the Access Point REST API, which stores the certificate and key on the Access Point appliance.

    The following example uses a curl command. In the example, access-point-appliance.example.com is the fully qualified domain name of the Access Point appliance, and cert.json is the JSON request you created in the previous step.

    curl -k -d @- -u 'admin' -H "Content-Type: application/json" -X PUT https://access-point-appliance.example.com:9443/rest/v1/config/certs/ssl < ~/cert.json
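    As an added example that is not part of the VMware documentation, the following Python script builds the JSON request of step 1 from ordinary multi-line PEM files (producing the one-line PEM form the appliance expects), rejects a chain file that accidentally contains the private key or an encrypted key, and submits the request as in step 2. The hostname, the admin password and the placeholder PEM bodies are assumptions; skipping TLS verification mirrors the -k in the curl command and is only needed while the appliance still presents its self-signed default certificate.

```python
import base64
import json
import re
import ssl
import urllib.request

# One PEM block: BEGIN line, base64 rows, matching END line (all LF-terminated).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n[A-Za-z0-9+/=\n]+-----END \1-----\n")

def normalize_pem(text):
    """Drop CRs, surrounding whitespace and blank lines so that each PEM row
    is exactly one LF-terminated line."""
    lines = [ln.strip() for ln in text.replace("\r", "").split("\n")]
    return "".join(ln + "\n" for ln in lines if ln)

def build_cert_request(key_pem, chain_pem):
    """Return the JSON body for PUT /rest/v1/config/certs/ssl. json.dumps writes
    every line break as the two characters backslash-n, which is the one-line
    PEM format required by the request."""
    key, chain = normalize_pem(key_pem), normalize_pem(chain_pem)
    key_blocks = [m.group(1) for m in PEM_BLOCK.finditer(key)]
    chain_blocks = [m.group(1) for m in PEM_BLOCK.finditer(chain)]
    # The request carries no passphrase field, so the key must be a single
    # unencrypted PRIVATE KEY block (assumption derived from the request schema).
    if len(key_blocks) != 1 or not key_blocks[0].endswith("PRIVATE KEY") \
            or "ENCRYPTED" in key_blocks[0]:
        raise ValueError("privateKeyPem must hold one unencrypted key, got %r" % key_blocks)
    # Catch the common mistake of pasting the key into the chain file.
    if not chain_blocks or any(b != "CERTIFICATE" for b in chain_blocks):
        raise ValueError("certChainPem must hold only CERTIFICATE blocks, got %r" % chain_blocks)
    return json.dumps({"privateKeyPem": key, "certChainPem": chain})

def upload_cert(host, admin_password, body, verify_tls=False):
    """PUT the JSON body to the appliance with HTTP basic auth as user admin."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # equivalent of curl -k for the self-signed default cert
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    token = base64.b64encode(("admin:" + admin_password).encode()).decode()
    req = urllib.request.Request(
        "https://%s:9443/rest/v1/config/certs/ssl" % host, data=body.encode(), method="PUT",
        headers={"Content-Type": "application/json", "Authorization": "Basic " + token})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status, resp.read().decode()

# Constructed sample input: placeholder base64 bodies, not real key material.
SAMPLE_KEY = "-----BEGIN RSA PRIVATE KEY-----\r\nMIIEplaceholderKey==\r\n-----END RSA PRIVATE KEY-----\r\n"
SAMPLE_CHAIN = ("-----BEGIN CERTIFICATE-----\nMIIDleaf\n-----END CERTIFICATE-----\n\n"
                "-----BEGIN CERTIFICATE-----\nMIIDintermediate\n-----END CERTIFICATE-----\n")
```

Call upload_cert("access-point-appliance.example.com", password, build_cert_request(open("key.pem").read(), open("chain.pem").read())) to perform the replacement; the leaf certificate must be the first block in the chain file.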

What to do next

If the CA that signed the certificate is not well known, configure clients to trust the root and intermediate certificates.