Using the VMCA to sign vRealize Operations Manager 6.2.x

The next article to add some additional merit behind why we you just went through and turned your VMCA into a subordinate of your PKI, we're going to use the VMCA to sign the certificate used by vRealize Operation Manager (vROps) 6.2.1a, greatly simplifying the certificate replacement process in just a few lines. Due to security limitations on certool, this workflow will only allow for a single-node vROps instance as VMware does not yet allow for the VMCA to provision certificates with multiple DNS entries. Hopefully this will be fixed in a later version!

Note: I want to preface the following workflow as Not Supported by VMware at the moment, and should only be performed in a lab setting.

Lets start off by accessing the PSC via SSH, and making a directory to store all our vROps related materials in. For the sake of this article, we'll just make a /vrops at the root of the system.

mkdir /vrops

We'll then copy over the template certool.cfg file to the /vrops directory:

cp /usr/lib/vmware-vmca/share/config/certool.cfg /vrops/certool.cfg

Using VI or any other text editor, edit the raw template to match the proper Host OS information of the vRealize Operations Manager system. If you followed my previous article for vRealize Log Insight, you can just copy the certool.cfg you edited as you will only need to change the Name, IPAddress and Hostname fields to reflect your vROps system.

vi /vrops/certool.cfg

Once completed, using the certool (see VMware's Command Reference for an explanation of all of the CLI commands), we'll go through and generate the public key, private key, certificate, convert the supplied key into RSA, and then wrap that all into an importable PEM file.

Generate the key pairs via the following certool command:

/usr/lib/vmware-vmca/bin/certool --genkey --privkey=/vrops/vrops.key --pubkey=/vrops/vrops.pub

Generate the certificate via the following certool command:

/usr/lib/vmware-vmca/bin/certool --gencert --cert=/vrops/vrops.cer --privkey=/vrops/vrops.key --config=/vrops/certool.cfg

Convert the private key into a RSA private key via the follow OpenSSL command:

openssl rsa -in /vrops/vrops.key -out /vrops/vrops_rsa.key


Concatenate the files into a single *.pem file for uploading to vROps using the following. This will append the RSA key on top of the certificate, outputting the final *.pem file.


cat /vrops/vrops_rsa.key /vrops/vrops.cer >> /vrops/vrops_final.pem

This should look like the following:


Download the vrops_final.pem file from the PSC using your favorite SCP client, and then head over to the vRealize Operations Manager server.


Log into your vRealize Operation Manager server with an administrative user. In the upper right-hand corner, click on the SSL Certificate button in between your user and the Refresh button. In the SSL Certificate windows, click on Install New Certificate.


In the Install New Certificate window, click on Browse and locate your vrops_final.pem we created earlier and click Open.

Once loaded and all of the pre-flight checks passed, you'll be ready to click Install. Once clicked, wait while the certificate is updated with vROps.

After vROps is up and running again, log in and validate that your certificate was imported successfully. Then revel in a job well done.

  • Grey Google+ Icon
  • Grey Twitter Icon
  • Grey LinkedIn Icon