You can use a server certificate issued by your own organization instead of the certificate that the TCA Airgap Appliance generates automatically. This section describes how to update the TCA Airgap Appliance with a user-provided certificate. The server certificate can be a trusted certificate issued by a public CA, or an untrusted certificate signed by a private CA.

Prerequisites

  • Prepare the server certificate with the TCA Airgap Appliance FQDN set as the common name and also present in the SAN extension.

  • Provide the full chain of the server certificate, including the content of all intermediate CA certificates, if any, and the content of the Root CA certificate.

  • It is recommended that the Root CA certificate be generated with a long expiration time, to avoid having to update it in the TCA system frequently.

Procedure

  1. Log in to the TCA Airgap appliance over SSH with the admin account, then switch to root with su to use the agctl command.
  2. Upload the server certificate chain to the TCA Airgap appliance.
    1. Compose the server certificate file containing the full chain described in the prerequisites, for example, named and saved as /usr/local/airgap/mycerts/server.crt.

    2. Upload the server certificate key file, for example, named and saved as /usr/local/airgap/mycerts/server.key.

    3. Upload the Root CA certificate file, for example, named and saved as /usr/local/airgap/mycerts/root.crt. This step is optional if the Root CA is public and known.

  3. Edit /usr/local/airgap/scripts/vars/user-inputs.yml using the following command:
    vi /usr/local/airgap/scripts/vars/user-inputs.yml

    Update the following settings as needed. For more information on the parameter details, see Agctl CLI Command Reference.

    Set the auto_generate parameter to false, and configure the following parameters:

    server_cert_path

    Absolute path of the server certificate file. The certificate can be self-signed, signed by a private CA, or signed by a public CA.

    The file must contain the full chain of CA certificates.

    server_cert_key_path

    Absolute path of the server certificate key file.

    ca_cert_path

    Absolute path of the trusted root CA certificate or of the self-signed certificate. It is required only when the provided server certificate cannot be verified against known root CAs; otherwise set it to "".

    For example:

    auto_generate: False
    server_cert_path: /usr/local/airgap/mycerts/server.crt
    server_cert_key_path: /usr/local/airgap/mycerts/server.key
    ca_cert_path: /usr/local/airgap/mycerts/root.crt
  4. Save the file and run the agctl deploy command to apply the settings.
  5. Verify the certificate by using the following command:
    curl https://<TCA Airgap Appliance FQDN> -v

    The output is expected to contain SSL certificate verify ok and HTTP/1.1 200 OK, and the server certificate details in the output should match the provided certificate.

    You can then add the Airgap Repository to VMware Telco Cloud Automation as described in Add an Air Gap Repository.

    If the Airgap Appliance is already added to VMware Telco Cloud Automation and the Root CA certificate has changed, or the new certificate is self-signed, update it as described in Importing new Airgap Appliance CA certificate to the TCA system.