vRealize Network Insight – Replace self-signed certificate

How to replace the self-signed certificate of vRealize Network Insight with a custom certificate issued by your own internal CA.


The first thing we need to do is create a CSR with OpenSSL for the vRNI custom certificate. Let’s start by creating the config file. I will name it vrni.cfg and place it in “C:\OpenSSL-Win64\bin”, where OpenSSL is currently installed. The config file looks like this:

[ req ]
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vrni.wesleygeelhoed.local

[ req_distinguished_name ]
countryName = NL
stateOrProvinceName = Zuid-Holland
localityName = Alphen aan den Rijn
organizationName = WesleyGeelhoed
organizationalUnitName = IT
commonName = vrni.wesleygeelhoed.local

*When you want to use multiple Subject Alternative Names, just add more ‘DNS:’ entries to the subjectAltName line, like this: DNS:dns1.local, DNS:dns2.local, DNS:dns3.local and so on…

Open a command prompt and change your working directory to the directory where OpenSSL is installed. In my case this is again “C:\OpenSSL-Win64\bin”. Use the following command to create the private key file.

openssl genrsa -out vrni.key 2048

Let’s create the CSR based on this key file and the previously created config file.

openssl req -new -key vrni.key -out vrni.csr -config vrni.cfg

Now we are ready to request the certificate from the PKI. Open the *.csr file with Notepad++ (you can also use WordPad or any other text editor). Copy the content of the *.csr file and use it to request the certificate. In my case I’m using my own internal Microsoft CA, which has been deployed with a very useful web enrollment service 🙂
Use the default ‘Web Server’ template from the Microsoft CA to request the certificate.

After the certificate has been issued, download it in Base64-encoded form.

We now have both vrni.key and vrni.cer in place. Additionally we need the Root CA certificate and, if it is part of the chain, the intermediate CA certificate. For vRealize Network Insight we need two files: the *.key file and a *.crt file. First download the Root CA certificate from your CA. I can again use my Certificate Web Enrollment Service to download the Root CA *.cer file.

Open vrni.cer and rootca.cer in Notepad++ and copy the Base64-encoded content of the Root CA certificate into vrni.cer, after the content that is already there. In case you have an intermediate CA, first copy the content of the intermediate CA certificate and then the content of the Root CA certificate. In my case it looked like this:

-----BEGIN CERTIFICATE----- (Machine Cert)

Rename the *.cer file to *.crt, and your certificate and key pair are now ready to be imported into vRealize Network Insight.
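The CSR step at the top of the post and the chain-file step just above, as one added shell example (these are not the post’s own commands, which are typed into a Windows command prompt): it writes the same vrni.cfg, generates the key and CSR, checks that the CSR really carries the SAN and the serverAuth EKU, and then, because the post’s Microsoft CA cannot be reproduced offline, stands up a throwaway root plus intermediate CA to issue the server certificate. It finishes by concatenating vrni.crt in the order the post gives (machine cert, intermediate, root) and verifying the result with openssl. All it needs is a POSIX shell and an openssl binary; the demo CA names, the optional extra SANs and the helper file names are constructed for this example.

```shell
#!/bin/sh
# Added example, not the post's own commands. The "Demo Root CA" and
# "Demo Intermediate CA" below are throwaway stand-ins for the internal
# Microsoft CA of the post; every file name other than vrni.* is made up here.
set -eu

# Write the request config; $1 is the FQDN (commonName), extra args are more SANs.
write_req_config() {
  fqdn=$1; shift
  sans="DNS:$fqdn"
  for extra in "$@"; do sans="$sans, DNS:$extra"; done
  cat > vrni.cfg <<EOF
[ req ]
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = $sans
[ req_distinguished_name ]
countryName = NL
stateOrProvinceName = Zuid-Holland
localityName = Alphen aan den Rijn
organizationName = WesleyGeelhoed
organizationalUnitName = IT
commonName = $fqdn
EOF
}

# Minimal config for the demo CA certificates; $1 is the CA name, $2 the file.
write_ca_config() {
  cat > "$2" <<EOF
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[ dn ]
commonName = $1
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
}

# Private key under a restrictive umask (never world-readable), then the CSR.
make_key_and_csr() {
  (umask 077; openssl genrsa -out vrni.key 2048 2>/dev/null)
  openssl req -new -key vrni.key -out vrni.csr -config vrni.cfg
}

# Returns 0 when the CSR carries the given DNS SAN and the serverAuth EKU.
csr_has_san() {
  openssl req -in vrni.csr -noout -text > csr.txt
  grep -q "DNS:$1" csr.txt && grep -q 'TLS Web Server Authentication' csr.txt
}

# Demo root (self-signed) and intermediate (signed by the root).
make_demo_ca() {
  write_ca_config 'Demo Root CA' root.cfg
  write_ca_config 'Demo Intermediate CA' inter.cfg
  (umask 077
   openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out rootca.cer \
     -days 30 -config root.cfg 2>/dev/null
   openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
     -config inter.cfg 2>/dev/null)
  openssl x509 -req -in inter.csr -CA rootca.cer -CAkey root.key -CAcreateserial \
    -out intermediate.cer -days 30 -extfile inter.cfg -extensions ca_ext 2>/dev/null
}

# Issue the server cert, copying the v3_req extensions (SAN, EKU) into it,
# which is what the CA's 'Web Server' template does on the Microsoft side.
issue_server_cert() {
  openssl x509 -req -in vrni.csr -CA intermediate.cer -CAkey inter.key -CAcreateserial \
    -out vrni.cer -days 30 -extfile vrni.cfg -extensions v3_req 2>/dev/null
}

# vrni.crt in the post's order: machine cert, intermediate, root.
build_chain() { cat vrni.cer intermediate.cer rootca.cer > vrni.crt; }

# Returns 0 when the chain validates against the root, the machine cert is the
# first block in vrni.crt, and vrni.key matches the certificate's public key.
verify_chain() {
  openssl verify -CAfile rootca.cer -untrusted intermediate.cer vrni.cer >/dev/null &&
  [ "$(openssl x509 -in vrni.crt -noout -subject)" = "$(openssl x509 -in vrni.cer -noout -subject)" ] &&
  [ "$(openssl x509 -in vrni.cer -noout -pubkey)" = "$(openssl pkey -in vrni.key -pubout)" ]
}

# Whole flow inside directory $1; $2 is the FQDN, further args are extra SANs.
run_demo() {
  dir=$1; fqdn=$2; shift 2
  (cd "$dir" && write_req_config "$fqdn" "$@" && make_key_and_csr &&
   csr_has_san "$fqdn" && make_demo_ca && issue_server_cert &&
   build_chain && verify_chain)
}
```

Run it as `run_demo /some/empty/dir vrni.wesleygeelhoed.local` with any extra SANs as further arguments; it returns 0 only when every check passes. The two checks in verify_chain catch the mistakes that most often break a custom-cert import: a chain file with the root or intermediate pasted before the machine certificate, and a key that does not belong to the certificate. The key is created under umask 077; when you later stage vrni.key in /tmp on an ESXi host as the post does, delete it there as soon as custom-cert copy has succeeded, since /tmp is a shared, world-readable staging location.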

I used an ESXi host as the SSH server to copy the certificate and key file to the vRealize Network Insight platform VM. FileZilla is the client I used to upload the files to the ESXi host. Start the FileZilla client, connect to the ESXi host with the root account and password on port 22, and upload vrni.crt and vrni.key to the /tmp folder on the ESXi host.

Next we need to SSH into the vRealize Network Insight Platform VM. By default the credentials you need to use are consoleuser/ark1nc0ns0l3. Once logged in, use the following commands to copy the certificate and key file to the platform VM and apply them.

(cli) custom-cert remove
Removed all custom certificates
(cli) custom-cert copy --host --user root --port 22 --path /tmp/vrni.crt
Enter root password:
successfully copied
(cli) custom-cert copy --host --user root --port 22 --path /tmp/vrni.key
Enter root password:
successfully copied
(cli) custom-cert apply
Successfully applied new certificate. All active UI sessions have to be restarted.

*--host is the IP of the ESXi host where you uploaded the files to

As a best practice, reboot the vRNI Platform VM and you are all set!

Many thanks to my colleague Viresh Oedayrajsingh Varma who helped me out with the openssl config file.

source: vmware.com
