To store a trusted CA-signed TLS/SSL server certificate on the Unified Access Gateway appliance, you must convert the certificate to the correct format and use the admin UI or the PowerShell scripts to configure the certificate.

About this task

For production environments, VMware strongly recommends that you replace the default certificate as soon as possible. The default TLS/SSL server certificate that is generated when you deploy a Unified Access Gateway appliance is not signed by a trusted Certificate Authority.


Also use this procedure to periodically replace a certificate signed by a trusted CA before that certificate expires, which might be every two years.

This procedure describes how to use the REST API to replace the certificate.


Prerequisites

  • Unless you already have a valid TLS/SSL server certificate and its private key, obtain a new signed certificate from a Certificate Authority. When you generate a certificate signing request (CSR) to obtain a certificate, make sure that a private key is also generated. Do not generate certificates for servers using a KeyLength value under 1024.

    To generate the CSR, you must know the fully qualified domain name (FQDN) that client devices will use to connect to the Unified Access Gateway appliance and the organizational unit, organization, city, state, and country to complete the Subject name.

  • Convert the certificate to PEM-format files and convert the .pem files to one-line format. See Convert Certificate Files to One-Line PEM Format.
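
The one-line conversion named in the last prerequisite can be scripted. The following Python is an added example, not VMware's code. It assumes "one-line format" means every line break is replaced by the two-character sequence `\n`, and that text outside the BEGIN/END blocks is unwanted. The function names are hypothetical and the sample data is constructed placeholder bytes.

```python
import base64
import re

# One PEM block; the END label must repeat the BEGIN label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*\n(.*?)\n-----END \1-----", re.S)

def pem_blocks(text):
    """Return [(label, base64_body)] for each PEM block, in file order."""
    text = text.replace("\r\n", "\n").replace("\r", "\n")
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        b64 = "".join(body.split())
        base64.b64decode(b64, validate=True)  # ValueError on a damaged body
        blocks.append((label, b64))
    if not blocks:
        raise ValueError("no PEM block found; is the input DER or PKCS#12?")
    return blocks

def to_one_line(text, expect):
    """One-line PEM for a 'chain' or 'key' file, rejecting swapped files."""
    blocks = pem_blocks(text)
    labels = [label for label, _ in blocks]
    if expect == "chain" and set(labels) != {"CERTIFICATE"}:
        raise ValueError(f"chain file must hold only certificates: {labels}")
    if expect == "key" and not (
            len(labels) == 1 and labels[0].endswith("PRIVATE KEY")):
        raise ValueError(f"key file must hold one private key: {labels}")
    lines = []
    for label, b64 in blocks:
        lines.append(f"-----BEGIN {label}-----")
        lines += [b64[i:i + 64] for i in range(0, len(b64), 64)]
        lines.append(f"-----END {label}-----")
    # Text outside the blocks (for example "Bag Attributes") is dropped.
    return "".join(line + "\\n" for line in lines)

def _fake_pem(label, payload):
    """Constructed block: placeholder bytes, not a real certificate or key."""
    body = base64.encodebytes(payload).decode()
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"

# Constructed input: CRLF line endings plus leading non-PEM text.
SAMPLE_CHAIN = ("Bag Attributes\r\n    friendlyName: constructed\r\n"
                + _fake_pem("CERTIFICATE", b"constructed leaf " * 5)
                .replace("\n", "\r\n")
                + _fake_pem("CERTIFICATE", b"constructed intermediate " * 4))
SAMPLE_KEY = _fake_pem("PRIVATE KEY", b"constructed key bytes " * 4)
```

Passing the key file as `"chain"`, or the chain file as `"key"`, raises `ValueError`, so a swapped upload is caught before the files leave the workstation.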


Procedure

  1. In the admin UI Configure Manually section, click Select.
  2. Under Advanced Settings > TLS Server Certificate Settings, click the gearbox icon.
  3. Click Select for the Private Key and browse to the private key file. Click Open to upload the file.
  4. Click Select for the Certificate Chain and browse to the certificate file. Click Open to upload the file.
  5. Click Save.

    If the certificate is accepted, a success message is displayed.

What to do next

If the CA that signed the certificate is not well known, configure clients to trust the root and intermediate certificates.