Manage VMware Cloud Provider Lifecycle Manager Certificates

Configure VMware Cloud Provider Lifecycle Manager API and UI certificates.

VMware Cloud Provider Lifecycle Manager API Certificate Management

After you deploy the VMware Cloud Provider Lifecycle Manager appliance, VMware Cloud Provider Lifecycle Manager generates self-signed certificates for the API and the internally used vault.

You can configure VMware Cloud Provider Lifecycle Manager to either use the self-signed certificate or your own custom certificate by providing a PKCS12 keystore containing the certificate.

VMware Cloud Provider Lifecycle Manager stores the properties for the alias, keystore name, type and password in the /opt/vmware/cplcm/config/application.properties file. To change these settings, you must update the application.properties file.

You can set the keystore password for the custom certificate by configuring the CPLCM_KEYSTORE_PW environment variable in /etc/environment. Alternatively, you can set the server.ssl.key-store-password property in the application.properties file.

VMware Cloud Provider Lifecycle Manager UI Certificate Management

After you deploy the VMware Cloud Provider Lifecycle Manager appliance, VMware Cloud Provider Lifecycle Manager generates a self-signed certificate for the UI.

You can configure VMware Cloud Provider Lifecycle Manager to either use the self-signed certificate or your own custom certificate by providing the custom certificate and key files in PEM format.

VMware Cloud Provider Lifecycle Manager stores the files with the certificate and key under the /opt/vmware/cplcm/security/certs/ directory. To change the certificate, you must replace the vcplcm-gui.pem and vcplcm-gui.key files, and restart the nginx service.

Configure custom certificate on VMware Cloud Provider Lifecycle Manager

You can configure VMware Cloud Provider Lifecycle Manager to use a custom certificate.

To configure a custom certificate on VMware Cloud Provider Lifecycle Manager, you must provide a PKCS12 keystore containing the certificate.

Procedure

  1. Generate the custom certificate and create the keystore.

CPLCM_CERT_DIR=/opt/vmware/cplcm/security/certs

mkdir -p "$CPLCM_CERT_DIR"

key_alias=vcplcm

keystore_password=$CPLCM_KEYSTORE_PW

# openssl req expects the -subj components to be separated by "/"
subj="/CN=VCPLCM/O=VMware, Inc/C=US"

# -nodes writes tmpKey.pem unencrypted; it is removed in the next step
openssl req -x509 -newkey rsa:4096 -subj "$subj" -keyout "$CPLCM_CERT_DIR/tmpKey.pem" -out "$CPLCM_CERT_DIR/tmpCert.pem" -days 365 -nodes

openssl pkcs12 -export -out "$CPLCM_CERT_DIR/vcplcm.p12" -name "$key_alias" -passout "pass:$keystore_password" -inkey "$CPLCM_CERT_DIR/tmpKey.pem" -in "$CPLCM_CERT_DIR/tmpCert.pem"

  2. After importing the keystore, remove the temporary key and certificate.

rm "$CPLCM_CERT_DIR/tmpKey.pem"

rm "$CPLCM_CERT_DIR/tmpCert.pem"
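The following is an added example, not VMware's own script: it wraps the procedure above so that the unencrypted temporary key lives only in a private scratch directory, passes the keystore password to openssl through `env:` instead of the command line, and then verifies the finished keystore. The function names `build_keystore` and `verify_keystore` and the optional key-size argument are hypothetical.

```shell
# Added example (not VMware's script); function names are hypothetical.
# The keystore password is read from CPLCM_KEYSTORE_PW, as on the page.

# build_keystore <cert_dir> <key_alias> [rsa_bits]
build_keystore() (
    cert_dir=$1 key_alias=$2 bits=${3:-4096}
    : "${CPLCM_KEYSTORE_PW:?set CPLCM_KEYSTORE_PW first}"
    export CPLCM_KEYSTORE_PW        # lets openssl read it via env:, not argv
    umask 077                       # key material readable by the owner only
    work=$(mktemp -d) || exit 1     # unencrypted key never lands in cert_dir
    rc=0
    openssl req -x509 -newkey "rsa:$bits" -subj "/CN=VCPLCM/O=VMware, Inc/C=US" \
        -keyout "$work/key.pem" -out "$work/cert.pem" -days 365 -nodes 2>/dev/null &&
    openssl pkcs12 -export -out "$work/vcplcm.p12" -name "$key_alias" \
        -passout env:CPLCM_KEYSTORE_PW -inkey "$work/key.pem" -in "$work/cert.pem" &&
    mkdir -p "$cert_dir" && mv "$work/vcplcm.p12" "$cert_dir/vcplcm.p12" || rc=$?
    rm -rf "$work"                  # removes the temporary key and certificate
    exit "$rc"
)

# verify_keystore <p12_file> <key_alias>
# Exit codes: 1 cannot open, 2 alias missing, 3 expiring soon, 4 key mismatch
verify_keystore() (
    p12=$1 key_alias=$2
    export CPLCM_KEYSTORE_PW
    certs=$(openssl pkcs12 -in "$p12" -passin env:CPLCM_KEYSTORE_PW -nokeys 2>/dev/null) ||
        { echo "cannot open keystore (wrong password?)" >&2; exit 1; }
    # The alias is stored as the friendlyName bag attribute.
    printf '%s\n' "$certs" | grep -qx "[[:space:]]*friendlyName: $key_alias[[:space:]]*" ||
        { echo "alias $key_alias not found" >&2; exit 2; }
    # Fail if the certificate expires within 30 days (2592000 seconds).
    printf '%s\n' "$certs" | openssl x509 -noout -checkend 2592000 >/dev/null ||
        { echo "certificate expires within 30 days" >&2; exit 3; }
    # The public key in the certificate must match the stored private key.
    cert_pub=$(printf '%s\n' "$certs" | openssl x509 -noout -pubkey)
    key_pub=$(openssl pkcs12 -in "$p12" -passin env:CPLCM_KEYSTORE_PW -nocerts -nodes \
        2>/dev/null | openssl pkey -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
        { echo "private key does not match certificate" >&2; exit 4; }
)
```

Call `build_keystore /opt/vmware/cplcm/security/certs vcplcm` and then `verify_keystore /opt/vmware/cplcm/security/certs/vcplcm.p12 vcplcm` before updating application.properties. The keystore is created owner-only, so adjust its ownership if the service runs under a different account.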