Using the VMCA to sign vRealize Log Insight 3.x

April 10, 2016

To give some payoff for having just gone through the process of turning your VMCA into a subordinate of your PKI, we're going to use the VMCA to sign the certificate used by Log Insight 3.x, reducing the certificate replacement process to a few lines. The requirements come from the vRealize Log Insight Tech Pubs documentation, and we'll make sure we conform to them. It should be noted that vLI has near-identical requirements to vROps - I wonder what that means?


Note: I want to preface the following workflow as Not Supported by VMware at the moment; it should only be performed in a lab setting.




Connect (over SSH) to the PSC you configured as your subordinate in my previous article and run through the following.


Make a new directory to store all our files in:


mkdir /vli


Copy the template certool.cfg that ships with the VMCA into the /vli directory:


cp /usr/lib/vmware-vmca/share/config/certool.cfg /vli/certool.cfg


Edit the template certool.cfg, filling in the appropriate fields. The Name and Hostname values should be the FQDN that clients use to reach vLI, otherwise browsers will report a name mismatch even though the chain is trusted.


vi /vli/certool.cfg



Next, using certool (see VMware's Command Reference for an explanation of all of the CLI commands), we'll generate the key pair, have the VMCA issue the certificate, convert the private key into traditional RSA format, and then wrap it all into an importable PEM file.


Generate the key pair via the following certool command:


/usr/lib/vmware-vmca/bin/certool --genkey --privkey=/vli/vli.key --pubkey=/vli/


Generate the certificate via the following certool command: 


/usr/lib/vmware-vmca/bin/certool --gencert --cert=/vli/vli.cer --privkey=/vli/vli.key --config=/vli/certool.cfg


Convert the private key into an RSA private key via the following OpenSSL command. Note that the output is unencrypted, which is what vLI needs, so treat the file accordingly:


openssl rsa -in /vli/vli.key -out /vli/vli_rsa.key


Concatenate the files into a single *.pem file for uploading to vLI using the following. The RSA key goes first, followed by the certificate. Use a single `>` rather than `>>` so that re-running the step does not leave two copies of the key and certificate in the file. Since your VMCA is a subordinate, append the VMCA's own certificate (and your enterprise root, if clients do not already have it) after the leaf so that clients can build the full chain.


cat /vli/vli_rsa.key /vli/vli.cer > /vli/vli_final.pem


The resulting file should contain one RSA PRIVATE KEY block first, followed by the CERTIFICATE block(s).
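As an added example that is not part of the original post, the following shell functions assemble the PEM and check it before it leaves the PSC: that the private key actually matches the certificate the VMCA issued (same RSA modulus), that the certificate carries the vLI hostname, and that the finished file has one key block first followed by at least one certificate. It only needs openssl; the key and certificate paths and the hostname vli.lab.local are assumptions standing in for the ones in your certool.cfg.

```shell
#!/bin/sh
# Added example, not part of the original post: assemble and sanity-check the
# PEM that Log Insight expects, using only openssl. The input key and
# certificate are assumed to come from the certool steps above; all paths
# and the hostname are assumptions.

# Convert the key certool wrote (PKCS#8) into an unencrypted RSA key.
# On OpenSSL 3 the output header is "BEGIN PRIVATE KEY" unless -traditional
# is given; either form is unencrypted, which is what matters for the upload.
to_rsa_key() {
    openssl rsa -in "$1" -out "$2" 2>/dev/null
}

# Succeed only if the key and the certificate share the same RSA modulus,
# i.e. the certificate really was issued for this key.
key_matches_cert() {
    kmod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    cmod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ]
}

# Succeed if the certificate names the host vLI is reached by, either as a
# DNS SAN or as the subject CN (the CN is what certool.cfg's Name sets).
cert_has_name() {
    openssl x509 -noout -text -in "$2" 2>/dev/null \
        | grep -q -e "DNS:$1" -e "CN=$1" -e "CN = $1"
}

# Write key, then leaf, then any issuer certificates, to a fresh file.
# Using > rather than >> means re-running does not leave two copies in the PEM.
# usage: build_vli_pem KEY CERT OUT [ISSUER_CERT ...]
build_vli_pem() {
    key=$1; cert=$2; out=$3; shift 3
    key_matches_cert "$key" "$cert" || {
        echo "refusing to build: key does not match certificate" >&2
        return 1
    }
    cat "$key" "$cert" "$@" > "$out" || return 1
    chmod 600 "$out"          # the file holds an unencrypted private key
}

# Succeed if the PEM has exactly one private key block, placed first,
# followed by at least one certificate block.
pem_layout_ok() {
    first=$(grep '^-----BEGIN' "$1" | head -n 1)
    case "$first" in
        *"PRIVATE KEY-----") ;;
        *) return 1 ;;
    esac
    nkeys=$(grep -c -e '^-----BEGIN RSA PRIVATE KEY-----' \
                    -e '^-----BEGIN PRIVATE KEY-----' "$1")
    ncerts=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1")
    [ "$nkeys" -eq 1 ] && [ "$ncerts" -ge 1 ]
}

# When run as a script: sh build_vli_pem.sh HOSTNAME KEY CERT OUT [ISSUER ...]
# e.g. sh build_vli_pem.sh vli.lab.local /vli/vli.key /vli/vli.cer /vli/vli_final.pem
if [ "$#" -ge 4 ]; then
    host=$1; key=$2; cert=$3; out=$4; shift 4
    to_rsa_key "$key" "$out.rsa.key" \
        && cert_has_name "$host" "$cert" \
        && build_vli_pem "$out.rsa.key" "$cert" "$out" "$@" \
        && pem_layout_ok "$out" \
        && echo "wrote $out"
fi
```

The modulus comparison is the check that catches the most common mistake in this workflow, pairing a freshly generated certificate with a stale key from an earlier attempt; vLI would accept the upload only to fail its TLS handshake afterwards. Once the file is uploaded, delete the PEM and the RSA key from the PSC, since both hold the key in the clear.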


Download the vli_final.pem file from the PSC using your favorite SCP client (it contains the unencrypted private key, so remove it from the PSC once the upload is done), and then head over to the vRealize Log Insight server.


Log into your vRealize Log Insight server with an administrative user, head to Administration via the burger menu, then the SSL section in the left-hand menu. In the middle pane, select Choose and then find your freshly created vli_final.pem file.



Once loaded, click Save, and then wait while the certificate is updated with vLI. From there, restart vLI.



After vLI is up and running again, log in and validate that your certificate was imported successfully: the browser should show the new certificate issued by your VMCA, with no name or chain warnings. Then revel in a job well done.





Closing Ramblings-and-Remarks: I want this to give everyone an idea of how simplified certificate management will become when all of VMware's products become fully integrated with the Platform Services Controller's vDomain and all of its feature sets. This is just one facet (more simplified certificate management) of how deeper PSC integration would improve a vAdministrator's day-to-day working life.


© 2018 by vmBlair