Replace SSL certificates on VMware vRealize Log Insight (vRLI) and vRealize Operations (vROps)


After the initial install of a couple of the vRealize products, Log Insight and Operations, I wanted to remove the annoying warning about the default self-signed certificates not being trusted. I am running a Windows PKI, so will use this to issue replacement certificates. Both Log Insight and Operations follow the same process for generating a certificate; only applying the certificate is slightly different.

The Solution

I started working with this guide from VMware to replace the certificates on Log Insight, but it did not cover all aspects, such as including the certificate chain, which is partly why I am writing my own guide.

Step 1 – Create a config file to feed into OpenSSL for CSR creation

Create a new file with the name ConfigName.cfg with the following contents

Make sure you update the highlighted items below to reflect your organisation and server details

Step 2 – Install OpenSSL

Head over to and grab a copy of Win OpenSSL suitable to your operating system.


Run through the install wizard and head on to Step 3.

Step 3 – Create a Certificate Signing Request and an RSA key

To make things easier, copy the ConfigName.cfg file you created earlier into the BIN folder. Fire up a command prompt window and navigate to the OpenSSL Install Directory/Bin. Run the following command to generate a new RSA key.


Then run the following to create the Certificate Signing Request.


You will end up with 2 new files in the directory


Step 4 – Submit CSR to Microsoft Certificate Authority

Open the config.csr file in your favorite text editor and copy the contents.


Now head over to your internal CA at http://internalCA/certsrv and select Request a Certificate


Then choose Advanced Certificate Request


Paste the CSR into the request box and choose the appropriate Certificate Template. For more information on creating a certificate template for vSphere 6, take a look here


Once you have clicked submit, download the certificate in Base 64 encoded format and save it to the BIN folder in the OpenSSL directory you used earlier.


Step 5 – Download the Certificate Authority certificate chain.

I include the chain in the certificate before importing it to Log Insight or Operations. First, we need to download the certificate chain though. Return to the home page of the certificate server and choose to Download a CA certificate, certificate chain or CRL.


Then download the CA certificate.


Save the file in the BIN directory for OpenSSL and rename it to root.cer

You should now have something that looks like this in the directory.


Step 6 – Create a PEM certificate for use with the vRealize products.

The vRealize products accept a new certificate in the PEM format. Creating one is pretty simple: all we need to do is combine the KEY, the issued certificate, and the root certificate.

Open the configname.key file in a text editor. Do the same with configname.cer and root.cer.

Create a new file so the contents are arranged as below. Save it as configname.pem
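A scripted version of Step 6, as an added example that is not part of the original post: it checks that each input holds exactly one Base 64 (PEM) block of the expected type, then joins them in the order key, issued certificate, root certificate. The accepted key labels, the function names and the constructed sample inputs are assumptions made for this example.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)
KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY"}  # assumed: unencrypted key


def read_single_block(text, allowed, what):
    """Return (label, der) for the single PEM block expected in text."""
    blocks = PEM_RE.findall(text)
    if len(blocks) != 1:  # a DER (binary) download contains no PEM block
        raise ValueError(f"{what}: expected 1 PEM block, found {len(blocks)}")
    label, body = blocks[0]
    if label not in allowed:
        raise ValueError(f"{what}: unexpected block type {label!r}")
    der = base64.b64decode("".join(body.split()), validate=True)
    if not der.startswith(b"\x30"):  # keys and certs are DER SEQUENCEs
        raise ValueError(f"{what}: body is not a DER structure")
    return label, der


def to_pem(label, der):
    # Re-emit with LF line endings and 64-character base64 rows.
    b64 = base64.b64encode(der).decode("ascii")
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *rows,
                      f"-----END {label}-----"]) + "\n"


def build_bundle(key_text, cert_text, root_text):
    """Order from Step 6: private key, issued certificate, root certificate."""
    key = read_single_block(key_text, KEY_LABELS, "private key")
    cert = read_single_block(cert_text, {"CERTIFICATE"}, "issued certificate")
    root = read_single_block(root_text, {"CERTIFICATE"}, "root certificate")
    if cert[1] == root[1]:
        raise ValueError("issued and root certificate are the same file")
    return "".join(to_pem(*part) for part in (key, cert, root))


def sample(label, payload, eol="\n"):
    """Constructed test input: a tiny DER SEQUENCE, not a real key or cert."""
    b64 = base64.b64encode(b"\x30" + bytes([len(payload)]) + payload).decode()
    return f"-----BEGIN {label}-----{eol}{b64}{eol}-----END {label}-----{eol}"


if __name__ == "__main__":
    print(build_bundle(sample("RSA PRIVATE KEY", b"key"),
                       sample("CERTIFICATE", b"leaf", eol="\r\n"),
                       sample("CERTIFICATE", b"root")), end="")
```

To use it on real files, pass the text of configname.key, configname.cer and root.cer to build_bundle and save the result as configname.pem. It does not check that the key and the issued certificate belong together.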


Step 7 – Import the certificate

For vRealize Operations, browse to https://applianceurl/admin and log in.

Click the SSL Certificate option.


Then click to install new certificate.


Select the PEM certificate and click install.


Reload the page and the certificate should now show as valid.


To do this for vRealize Log Insight, browse to https://applianceurl, log in, and browse to the following location.



Click choose and browse to the PEM file generated for the Log Insight server.


Refresh the page and you should be done!


Hopefully, you found this post useful.


