TLS/SSL is required for client connections to Unified Access Gateway appliances. Client-facing Unified Access Gateway appliances and intermediate servers that terminate TLS/SSL connections require TLS/SSL server certificates.

TLS/SSL server certificates are signed by a Certificate Authority (CA). A CA is a trusted entity that guarantees the identity of the certificate and its creator. When a certificate is signed by a trusted CA, users no longer receive messages asking them to verify the certificate, and thin client devices can connect without requiring additional configuration.

A default TLS/SSL server certificate is generated when you deploy a Unified Access Gateway appliance. For production environments, VMware recommends that you replace the default certificate as soon as possible. The default certificate is not signed by a trusted CA. Use the default certificate only in a non-production environment.

VMware recommends to use an RSA key based certificate for TLS server. Certificate and the private key can be provided as PKCS12/PFX keystore or as a separate private key and certificate chain files in PEM format.

To convert a PKCS12/PFX to certificate chain file in PEM format, run the following openssl command:
openssl pkcs12 -in mycaservercert.pfx -nokeys -out mycaservercert.pem
To convert a PKCS12/PFX to private key file in PEM format, run the following openssl command:
openssl pkcs12 -in mycaservercert.pfx -nodes -nocerts -out mycaservercertkey.pem
When providing the certificate and key in PEM format, the private key must be in PKCS1 format. To convert the private key from PKCS8 to PKCS1 (from BEGIN PRIVATE KEY format to BEGIN RSA PRIVATE KEY format), run the following openssl command:
openssl rsa -in mycaservercertkey.pem -check -out mycaservercertkeyrsa.pem