Using the VMCA to sign vRealize Log Insight 3.x

To add some catharsis behind why you just went the process of turned your VMCA into a subordinate of your PKI, we're going to use the VMCA to sign the certificate used by Log Insight 3.0, greatly simplifying the certificate replacement process in just a few lines. Here are the requirements from the vRealize Log Insight Tech Pubs documentation which we'll ensure we conform to. It should be noted that vLI has near-identical requirements to vROPs - I wonder what that means?

Note: I want to preface the following workflow as Not Supported by VMware at the moment, and should only be performed in a lab setting.


Connect to the PSC you configured as your subordinate in my previous article and run through the following.

Make a new directory to store all our files in:

mkdir /vli

Copy the template certool.cfg that VMCA stores out of the box into the /vli directory

cp /usr/lib/vmware-vmca/share/config/certool.cfg /vli/certool.cfg

Edit the template certool file, filling in the appropriate fields

vi /vli/certool.cfg

Next, using the certool (see VMware's Command Reference for an explanation of all of the CLI commands), we'll go through and generate the public key, private key, certificate, convert the supplied key into RSA, and then wrap that all into an importable PEM file.

Generate the key pairs via the following certool command:

/usr/lib/vmware-vmca/bin/certool --genkey --privkey=/vli/vli.key --pubkey=/vli/

Generate the certificate via the following certool command:

/usr/lib/vmware-vmca/bin/certool --gencert --cert=/vli/vli.cer --privkey=/vli/vli.key --config=/vli/certool.cfg

Convert the private key into a RSA private key via the follow OpenSSL command:

openssl rsa -in /vli/vli.key -out /vli/vli_rsa.key

Concatenate the files into a single *.pem file for uploading to vLI using the following. This will append the RSA key on top of the certificate, outputting the final *.pem file.

cat /vli/vli_rsa.key /vli/vli.cer >> /vli/vli_final.pem

This should look like the following:

Download the vli_final.pem file from the PSC using your favorite SCP client, and then head over to the vRealize Log Insight server.

Log into your vRealize Log Insight server with an administrative user, head to Administration via the burger menu (), then the SSL section in the left-hand menu. In the middle pane, select Choose and then find your freshly created vli_final.pem file.

Once loaded, click Save, and then wait while the certificate is updated with vLI. From there, restart vLI.

After vLI is up and running again, log in and validate that your certificate was imported successfully. Then revel in a job well done.


Closing Ramblings-and-Remarks: I want this to give everyone an idea of how simplified certificate management well become when all of VMware's products become fully integrated with the Platform Services Controller's vDomain and all of its feature sets. This is just one facet (more simplified certificate management) of how deeper PSC integration would improve a vAdministrator's day to day working life.

  • Grey Google+ Icon
  • Grey Twitter Icon
  • Grey LinkedIn Icon