To use the Unified Access Gateway REST API to configure certificate settings, or to use the PowerShell scripts, you must convert the certificate into PEM-format files for the certificate chain and the private key, and you must then convert the .pem files to a one-line format that includes embedded newline characters.
When configuring Unified Access Gateway, there are three possible types of certificates you might need to convert.
- You should always install and configure a TLS/SSL server certificate for the Unified Access Gateway appliance.
- If you plan to use smart card authentication, you must install and configure the trusted CA issuer certificate for the certificate that will be put on the smart card.
- If you plan to use smart card authentication, VMware recommends that you install and configure a root certificate for the signing CA for the SAML server certificate that is installed on the Unified Access Gateway appliance.
For all of these types of certificates, you perform the same procedure to convert the certificate into a PEM-format file that contains the certificate chain. For TLS/SSL server certificates and root certificates, you also convert each file to a PEM file that contains the private key. You must then convert each .pem file to a one-line format that can be passed in a JSON string to the Unified Access Gateway REST API.
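The conversion described above, as an added example (not VMware's own procedure or script): it extracts the chain and the key from a PKCS#12 file with openssl and prints a PEM file in the one-line form with embedded `\n` sequences. The file names, the `P12_PASS` environment variable, and the sample PEM text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. File names and P12_PASS are assumptions, not UAG settings.

# Certificate chain only (no keys). The PKCS#12 password is read from the
# environment so that it does not appear in the process list.
p12_to_chain_pem() {   # usage: p12_to_chain_pem in.p12 chain.pem
    openssl pkcs12 -in "$1" -nokeys -passin env:P12_PASS -out "$2"
}

# Private key only. -nodes writes the key unencrypted (OpenSSL 3 also accepts
# -noenc), so umask 077 restricts the new file to the current user.
p12_to_key_pem() {     # usage: p12_to_key_pem in.p12 key.pem
    ( umask 077 && openssl pkcs12 -in "$1" -nocerts -nodes \
        -passin env:P12_PASS -out "$2" )
}

# Print a PEM file as a single line with a literal "\n" after each original
# line. Only text between BEGIN/END markers is kept, which drops the
# "Bag Attributes" text that openssl pkcs12 writes, and CRs are stripped.
pem_to_one_line() {    # usage: pem_to_one_line file.pem
    awk '
        { sub(/\r$/, "") }
        /^-----BEGIN [A-Z0-9 ]+-----$/ { inside = 1 }
        inside { printf "%s\\n", $0 }
        /^-----END [A-Z0-9 ]+-----$/   { inside = 0 }
    ' "$1"
}

# Constructed sample input (not a real certificate): two PEM blocks with
# CRLF line endings, bag attributes and a blank line between them.
sample_pem() {
    printf '%s\r\n' \
        'Bag Attributes' \
        '    friendlyName: constructed-leaf' \
        '-----BEGIN CERTIFICATE-----' \
        'Q09OU1RSVUNURUQtTEVBRg==' \
        '-----END CERTIFICATE-----' \
        '' \
        'Bag Attributes: <No Attributes>' \
        '-----BEGIN CERTIFICATE-----' \
        'Q09OU1RSVUNURUQtQ0E=' \
        '-----END CERTIFICATE-----'
}
```

The output of `pem_to_one_line` can be placed directly inside a JSON string value, because `\n` is the JSON escape for a newline. Delete the unencrypted key file once the appliance has been configured.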
Prerequisites
- Verify that you have the certificate file. The file can be in PKCS#12 (.p12 or .pfx) format or in Java JKS or JCEKS format.
- Familiarize yourself with the openssl command-line tool that you will use to convert the certificate. To see the cipher list format, you can search for "openssl cipher string" in a web browser.
- If the certificate is in Java JKS or JCEKS format, familiarize yourself with the Java keytool command-line tool, which you use to first convert the certificate to .p12 or .pfx format before converting it to .pem files.
Procedure
Results
You can now configure certificates for Unified Access Gateway by using these .pem files with the PowerShell scripts attached to the blog post "Using PowerShell to Deploy VMware Unified Access Gateway," available at https://communities.vmware.com/docs/DOC-30835. Alternatively, you can create and use a JSON request to configure the certificate.
What to do next
You can update the default self-signed certificate with a CA-signed certificate. See Update TLS Server Signed Certificates. For smart card certificates, see Configuring Certificate or Smart Card Authentication on the Unified Access Gateway Appliance.