Use this command to generate a new private key and a Certificate Signing Request (CSR) within Unified Access Gateway. You can use this CSR to get a CA signed certificate and configure the certificate and private key for admin and/or internet facing TLS interfaces.


  1. Log in to Unified Access Gateway console as root or sudo privileged user.
  2. Open the default configuration file. Alternatively, you can specify a different file location.
    vi /opt/vmware/certutil/uagcertutil.conf
    vi /opt/vmware/certutil/example1.conf
    Note: A backup configuration file is available at /opt/vmware/certutil/uagcertutil.example.conf.
  3. Update the file to specify the configurations to be used by Unified Access Gateway certificate utility. For example, you can specify the size of the key, signature algorithm to be used for signing the CSR, private key filename, and so on.
  4. Run the following command to generate a private key and a CSR.
    Default configuration file
    uagcertutil --newcsr
    Different configuration file
    uagcertutil --newcsr --config /opt/vmware/certutil/example1.conf
    A new private key is generated in the default path and a CSR is successfully generated in the file path specified in the config file.
  5. Copy the generated CSR to external CA and get a signed certificate chain.
  6. Copy the signed certificate back to Unified Access Gateway. Update the configuration file with the new CA signed certificate path. Ensure that you are pointing to the same private key file name generated in step 4.
  7. Update the target (with admin and/or esmanager) in the config file and run the following command to configure the admin and/or esmanager TLS servers with the generated certificate.
    uagcertutil --bind


The new TLS certificate is successfully updated for admin and/or internet interface.