You can replace your signed certificates when they expire or substitute the default certificates with CA-signed certificates.

For production environments, VMware strongly recommends that you replace the default certificate as soon as possible. The default TLS/SSL server certificate that is generated when you deploy a Unified Access Gateway appliance is not signed by a trusted Certificate Authority.

Note the following considerations when you upload a certificate:

  • You can replace the default certificate with a CA-signed PEM certificate for both the administrator and the user.

  • When you upload a CA-signed certificate on the admin interface, the SSL connector on the admin interface is updated and restarted to ensure the uploaded certificate takes effect. If the connector fails to restart with the uploaded CA-signed certificate, a self-signed certificate is generated and applied on the admin interface, and the user is notified that the previous attempt to upload a certificate was unsuccessful.

Prerequisites

Procedure

  1. In the administration console, click Select.
  2. In the Advanced Settings section, click the SSL Server Certificate Settings gearbox icon.
  3. Select either Admin Interface or Internet Interface to apply the certificate to that interface. You can also select both to apply the certificate to both interfaces.
  4. Select a Certificate Type of PEM or PFX.
  5. If the Certificate Type is PEM:
    1. In the Private Key row, click Select and browse to the private key file.
    2. Click Open to upload the file.
    3. In the Certificate Chain row, click Select and browse to the certificate chain file.
    4. Click Open to upload the file.
  6. If the Certificate Type is PFX:
    1. In the Upload PFX row, click Select and browse to the PFX file.
    2. Click Open to upload the file.
    3. Enter the password of the PFX certificate.
    4. Enter an alias for the PFX certificate.

      You can use the alias to tell certificates apart when multiple certificates are present.

  7. Click Save.
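
Before uploading a PEM key and chain (step 5), you can check locally that the private key belongs to the server certificate, that the chain file is consistently ordered, and that the certificate is not about to expire. The script below is an added example, not VMware tooling: it assumes the OpenSSL command-line tool is installed and that the chain file lists the server certificate first, followed by each issuer; the function names and file names are illustrative.

```shell
#!/bin/sh
# Added example: pre-upload sanity checks for a PEM private key and chain file.
# The file names are the operator's own; nothing here contacts the appliance.

# Succeeds when the private key belongs to the first certificate in the chain file.
key_matches_leaf() {
    # "-passin pass:" makes a passphrase-protected key fail instead of prompting.
    key_pub=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 2
    leaf_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$leaf_pub" ]
}

# Succeeds when every certificate's issuer is the subject of the one after it.
# This is name chaining only; signatures are not verified here.
chain_is_ordered() {
    dir=$(mktemp -d) || return 2
    awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ {n++}
        n {print > (d "/" n ".pem")}' "$1"
    i=1; rc=0
    [ -f "$dir/1.pem" ] || rc=2          # no certificate found at all
    while [ -f "$dir/$((i + 1)).pem" ]; do
        issuer=$(openssl x509 -in "$dir/$i.pem" -noout -issuer -nameopt RFC2253) || rc=2
        subject=$(openssl x509 -in "$dir/$((i + 1)).pem" -noout -subject -nameopt RFC2253) || rc=2
        [ "${issuer#issuer=}" = "${subject#subject=}" ] || rc=1
        i=$((i + 1))
    done
    rm -rf "$dir"
    return "$rc"
}

# Succeeds when the first certificate stays valid for at least $2 more seconds.
leaf_not_expiring() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# Usage: sh precheck.sh server.key chain.pem
if [ "$#" -eq 2 ]; then
    key_matches_leaf "$1" "$2" || { echo "key does not match first certificate"; exit 1; }
    chain_is_ordered "$2" || { echo "chain is not in leaf-to-root order"; exit 1; }
    leaf_not_expiring "$2" 2592000 || { echo "leaf expires within 30 days"; exit 1; }
    echo "key and chain look consistent"
fi
```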

Results

A confirmation message is displayed when the certificate is updated successfully.

What to do next

  • If you updated the certificate with a CA-signed certificate and the CA that signed the certificate is not well known, configure clients to trust the root and intermediate certificates.

  • If you uploaded a CA-signed certificate for the Admin Interface, close the browser and reopen the Admin UI in a new browser window.

  • If a CA-signed certificate is in effect on the admin interface and you upload a self-signed certificate, the Admin UI may not behave as expected. Clear the browser cache and open the Admin UI in a new window.