By default, VMware Cloud Gateway uses the self-signed certificate that is generated during installation. You can replace it when it expires or when you want to use a certificate issued by a different certificate authority (CA).

Procedure

  1. Connect to VMware Cloud Gateway using SSH.
  2. To obtain a CA-signed certificate, perform the following steps:
    1. Generate a private key and a Certificate Signing Request (CSR) by typing the following command at the command line. The private key is written to server.key and must stay on the gateway; only server.csr is sent to the CA:
      openssl req -new -newkey rsa:4096 -nodes -out server.csr -keyout server.key
    2. Provide the CSR to your CA according to their request process.
    3. When you receive the certificate from your CA, place it in a location you can access from the VMware Cloud Gateway.
    4. If the CA is not a well-known (publicly trusted) CA, ensure that the root CA certificate carries the following extensions:
       X509v3 extensions:
                  X509v3 Basic Constraints: critical
                      CA:TRUE
                  X509v3 Key Usage: critical
                      Digital Signature, Key Encipherment, Certificate Sign, CRL Sign
      Note: Set Key Encipherment on the endpoint/machine SSL certificate.
    5. You should now have the following files (server.key is the private key generated in step 2.1; the other two come from the CA):
      • server.key: VMware Cloud Gateway private key. Keep it on the gateway, readable by root only.
      • server.crt: CA-signed VMware Cloud Gateway leaf certificate. If server.crt also contains intermediate CA certificates, move them to a separate file, intermediateCA.pem.
      • rootCA.pem: the root CA certificate of the chain.
  3. Generate the server.pem file, which contains the leaf certificate (server.crt), all intermediate CA certificates (if any), and the private key (server.key), in that order, by typing the following command:
    If there are intermediate CAs, type: cat server.crt intermediateCA.pem server.key > server.pem
    If there are no intermediate CAs, type: cat server.crt server.key > server.pem
    The server.pem must contain the PEM blocks in the following order (leaf certificate first, then any intermediate CA certificates, then the private key last):
    -----BEGIN CERTIFICATE-----
    <LEAF CERT>
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    <INTERMEDIATE CA CERT, if any>
    -----END CERTIFICATE-----
    -----BEGIN PRIVATE KEY-----
    <KEY>
    -----END PRIVATE KEY-----
  4. Back up the existing server.key, server.pem, server.crt, and rootCA.pem in the /etc/applmgmt/appliance directory by typing the following commands:
    cp -p /etc/applmgmt/appliance/server.key /etc/applmgmt/appliance/server.key.bak
    cp -p /etc/applmgmt/appliance/server.pem /etc/applmgmt/appliance/server.pem.bak
    cp -p /etc/applmgmt/appliance/server.crt /etc/applmgmt/appliance/server.crt.bak
    cp -p /etc/applmgmt/appliance/rootCA.pem /etc/applmgmt/appliance/rootCA.pem.bak
  5. Replace server.key, server.pem, server.crt, and rootCA.pem with the new files by typing the following command:
    cp -p server.key server.pem server.crt rootCA.pem /etc/applmgmt/appliance/
  6. Restart the following services:
    systemctl restart gps_envoy.service
    systemctl restart aap_envoy.service
    systemctl restart rsyslog.service
  7. Restart the aca_watchdog service to restart all the VAP agents that are running.
    systemctl restart aca_watchdog.service
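The whole procedure as one script, added here as an example; it is not VMware's own tooling. It takes the file names, directory and service names from the steps above and adds the checks a practitioner wants before overwriting a working certificate: that server.pem has the right block order, that server.key actually belongs to server.crt, and that server.crt chains to rootCA.pem (through intermediateCA.pem when that file is present). Nothing is copied into the appliance directory unless all three checks pass. The function names, the TARGET_DIR override (for a dry run against a scratch directory), the non-interactive subject and the subjectAltName added to the CSR are my own additions and assumptions, not part of the documented procedure; openssl 1.1.1 or later is assumed for the -addext option.

```shell
#!/bin/sh
# Added example (not VMware's own tooling): assemble, verify and install a
# replacement certificate for VMware Cloud Gateway following the procedure
# above. Paths, file names and service names come from the procedure; the
# function names and the TARGET_DIR override are assumptions. Needs openssl.
set -eu

TARGET_DIR="${TARGET_DIR:-/etc/applmgmt/appliance}"

# Step 2.1 with a non-interactive subject and a SAN for the gateway FQDN
# (TLS clients match the SAN, not the CN). -addext needs OpenSSL 1.1.1+.
make_csr() {
    fqdn="$1"; key="$2"; csr="$3"
    openssl req -new -newkey rsa:4096 -nodes -sha256 \
        -subj "/CN=$fqdn" -addext "subjectAltName=DNS:$fqdn" \
        -keyout "$key" -out "$csr" 2>/dev/null
    chmod 600 "$key"
}

# Step 3: leaf, then intermediates (if a non-empty file is given), then key.
build_server_pem() {
    crt="$1"; key="$2"; out="$3"; inter="${4:-}"
    if [ -n "$inter" ] && [ -s "$inter" ]; then
        cat "$crt" "$inter" "$key" > "$out"
    else
        cat "$crt" "$key" > "$out"
    fi
    chmod 600 "$out"
}

# server.pem must start with a certificate block and end with the key block.
pem_layout_ok() {
    first=$(grep '^-----BEGIN' "$1" | head -n 1)
    last=$(grep '^-----BEGIN' "$1" | tail -n 1)
    [ "$first" = "-----BEGIN CERTIFICATE-----" ] || return 1
    case "$last" in *"PRIVATE KEY-----") return 0 ;; esac
    return 1
}

# The private key must belong to the leaf certificate: derive the public key
# from each and compare. A mismatch here means the proxy will not come up.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# The leaf must chain to rootCA.pem, through intermediateCA.pem if present.
chain_verifies() {
    crt="$1"; root="$2"; inter="${3:-}"
    if [ -n "$inter" ] && [ -s "$inter" ]; then
        openssl verify -CAfile "$root" -untrusted "$inter" "$crt" >/dev/null 2>&1
    else
        openssl verify -CAfile "$root" "$crt" >/dev/null 2>&1
    fi
}

# Steps 4 and 5: back up what is there (cp -p keeps owner and mode), copy the
# new files in, and keep the key material unreadable to other users.
install_cert_files() {
    src="$1"; dst="$2"
    for f in server.key server.pem server.crt rootCA.pem; do
        if [ -f "$dst/$f" ]; then cp -p "$dst/$f" "$dst/$f.bak"; fi
        cp -p "$src/$f" "$dst/"
    done
    chmod 600 "$dst/server.key" "$dst/server.pem"
}

# Steps 6 and 7.
restart_services() {
    for s in gps_envoy aap_envoy rsyslog aca_watchdog; do
        systemctl restart "$s.service"
    done
}

# Whole procedure for a directory holding server.key, server.crt, rootCA.pem
# and optionally intermediateCA.pem. Nothing is copied unless every check
# passes, so a bad bundle never replaces a working one.
install_replacement() {
    src="$1"; inter=""
    if [ -s "$src/intermediateCA.pem" ]; then inter="$src/intermediateCA.pem"; fi
    build_server_pem "$src/server.crt" "$src/server.key" "$src/server.pem" "$inter"
    pem_layout_ok "$src/server.pem" \
        || { echo "server.pem layout is wrong" >&2; return 1; }
    key_matches_cert "$src/server.crt" "$src/server.key" \
        || { echo "server.key does not match server.crt" >&2; return 1; }
    chain_verifies "$src/server.crt" "$src/rootCA.pem" "$inter" \
        || { echo "server.crt does not chain to rootCA.pem" >&2; return 1; }
    install_cert_files "$src" "$TARGET_DIR"
}

# Usage on the gateway, as root: sh replace-cert.sh install /root/newcert
case "${1:-}" in
    install) install_replacement "$2" && restart_services ;;
esac
```

Run it on the gateway as root with the directory that holds the four files; set TARGET_DIR to a scratch directory first to rehearse the copy without touching /etc/applmgmt/appliance (the services are only restarted by the install entry point, so a dry run leaves them alone). make_csr is for step 2.1; the rest only runs once the CA has returned server.crt.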