Skip to content

How to Install Microsoft CA Signed Certificate In vRealize Operations Manager

SSL Certificates are small data files that digitally bind a cryptographic key to an organization’s details. An organization needs to install the SSL Certificate onto its web server to initiate a secure session with browsers. Once a secure connection is established, all web traffic between the web server and the web browser will be secure.

By default, all vRealize Operations Manager Appliance has a Self-Signed certificate and it is not recommended to keep same certificate in your Production Infrastructure. In this blog I will explain how to Create, Sign and Replace the certificate of an vRealize Operations Manager with you Organization Certificate Authority Server.


  • To Start with we need a Microsoft Certificate Server and The Certificate Template which supports vCSA, This link will help to Install and Configure a MSCA server and to create a certificate Template.
  • Download and Install OpenSSL on any Windows machine, OpenSSL to be able to create custom certificates for vSphere environments.
  • First, to manage certificates in the vRealize Operations Manager, you must go admin URL

Generating Certificate Request

To configure OpenSSL, follow these steps:

Take a backup of the openssl.cfg file. By default, this file is located at the c:\OpenSSL-Win32\bin directory and delete the contents of the file and replace with below content. Replace the FQDN and IP with the details of the server that you are configuring.

Save and close the file.

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vxpertvrops01, IP:,

[ req_distinguished_name ]
countryName = AE
stateOrProvinceName = Dubai
localityName = Al Nahdha
0.organizationName = Vxpert
organizationalUnitName = vCenterInventoryService
commonName =
  • If you are using an alias to access vRealize Log Insight, you must add the alias name;
  • If you are planning to use the same certificate in all vRealize Log Insight nodes, you must add all hostnames and IP addresses;

Open a command prompt and navigate to the OpenSSL directory as previously configured in the Configuring OpenSSL article. By default, this is C:\OpenSSL-Win32\bin. Run the below command

openssl.exe req -new -nodes -out rui.csr -keyout rui-orig.key -config openssl.cfg

There are no prompts because all information was provided in the openssl.cfg file as configured before and this creates the certificate request rui.csr and rui.orig.key files in same directory.

Convert the Key to be in RSA format by running these command

openssl.exe rsa -in rui-orig.key -out rui.key

Sign the Certificate with CA

After the certificate request is created, the certificate must be given to the certificate authority for generation of the actual certificate. The authority presents a certificate back, as well as a copy of their root certificate, if necessary. For the certificate chain to be trusted, the root certificate must be installed on the server.

Log in to the Microsoft CA certificate authority web interface. By default, it is https://servername/CertSrv/ 

Click Request a certificate

Click Advanced certificate request

Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file

Open the certificate request(rui.csr) using a text editor, Copy the content from —–BEGIN CERTIFICATE REQUEST—– to —–END CERTIFICATE REQUEST—– into the Saved Request box. Please, be sure to select “Web Server” in the “Certificate Template”. Click Submit.

Click Yes to confirm

Once you administrator approves the request you can download the Base 64 encoded certificate chain on the Certificate issued screen, this will have new certificate as well as all ll the certificate of the issuing authority chain 

Save the certificate as vxpertvrops.p7b filename, Open the certificate and check the parameters you have provided is correct or on not.

Installing Certificate on vRealize Operations Manager

vRealize Operations Manager only accept PEM certificates, so we must create my vxpertvrops.pem file. Before we can use the certificate it first needs to be processed and manipulated.  This involves changing the format of the file from “p7b” to “PEM”.  We use openssl to do this as follows.

openssl.exe pkcs7 -print_certs -in vxpertvrops.p7b -out vxpertvrops.pem

Now combine the vxpertvrops.pem and rui.key. Open both files in notepad copy paste the contents from rui.key to the end of vxpertvrops.pem and Save

Please, login to vRealize Operations Manager admin URL(https://FQDN/admin) and the upper right, click the yellow certificate icon

In the certificate window, click Install New Certificate

Click Browse for new certificate and select the new vxpertvrops.pem file

Click Install

Opening a new browser session to Log Insight should now allow you to verify that the CA issued certificate is in operation.

Thanks, 😊

If you have any comments, please drop me a line

Published inVirtualizationVMwareVMware Aria Suite

Be First to Comment