VMware Horizon Community
Weshale1879
Contributor

UAG 3.6 (Convert Self-Signed Cert to Pem-Format)

We have two UAGs in our production-like environment for testing user authentication internally for now. We have self-signed certs and, since it is a Linux appliance, we understand that we can convert the self-signed certs to a CA PEM format. We have never gone through converting a cert from a Linux appliance and would like to know if anyone has done this before and could provide detailed steps on how to accomplish this. We've looked at openssl, but there doesn't seem to be an easily explainable, detailed process on how to do this. Any assistance would be appreciated.

Thank You

4 Replies
sjesse
Leadership

You don't convert the certificates; you create new ones and replace them. openssl is a way to do it: you need to create a private key first and then create a CSR. A CA then signs the CSR and sends you a certificate. Here is a general guide:

Manually Generate a Certificate Signing Request (CSR) Using OpenSSL - SSL.com

Weshale1879
Contributor

sjesse,

Thank you for replying. Since this is the first time that we've needed to request a cert for a Linux appliance, we couldn't find a method for requesting the CA cert similar to the one there is for requesting a cert from a Windows server. What is the process for creating the PEM for the UAG appliance to request the cert? Also, the UAG documentation states that you can update the self-signed certs by converting the cert to a PEM format and then requesting the CA cert.

Thanks,

Wes

sjesse
Leadership

I assume you're referring to this:

Convert Certificate Files to One-Line PEM Format

This is referring to converting from a cert type that has the private key built in to one that doesn't. You can't convert self-signed certificates to ones that are CA signed; that's not how it works, a certificate authority is a globally trusted. Your self-signed certificate is signed by VMware and created by VMware. The UAG PowerShell commands require a certain type of certificate and this is instructing how to convert these. Going through the commands:

openssl pkcs12 -in mycaservercert.pfx -nokeys -out mycaservercert.pem

This takes the certificate out of the pkcs12 bundle in PEM format.

openssl pkcs12 -in mycaservercert.pfx -nodes -nocerts -out mycaservercertkey.pem

This takes the private key out of the pkcs12 bundle in PEM format.

openssl rsa -in mycaservercertkey.pem -check -out mycaservercertkeyrsa.pem

This checks that the key works with the certificate.

Honestly, the UAG documentation is lacking in this; it assumes you understand the process. I suggest opening a support case, as they can walk you through the procedure.

A key part from the documentation is:

Replace the Default TLS/SSL Server Certificate for Unified Access Gateway

Prerequisites

  • Unless you already have a valid TLS/SSL server certificate and its private key, obtain a new signed certificate from a Certificate Authority. When you generate a certificate signing request (CSR) to obtain a certificate, make sure that a private key is generated also. Do not generate certificates for servers using a KeyLength value under 1024. To generate the CSR, you must know the fully qualified domain name (FQDN) that client devices will use to connect to the Unified Access Gateway appliance and the organizational unit, organization, city, state, and country to complete the Subject name.
  • Convert the certificate to PEM-format files and convert the .pem files to one-line format. See Convert Certificate Files to One-Line PEM Format.

It's the first bullet point.

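The process sjesse lays out in this thread (private key and CSR first, a CA signs the CSR, then the documented pkcs12 extraction and key check), run end to end as an added example; this is not code from the thread or from VMware. It assumes a FQDN of uag.example.com, a throwaway "Demo CA" standing in for the real CA, a constructed PFX password, and my reading of "one-line PEM format" as line breaks replaced by a literal backslash-n.

```shell
#!/bin/sh
# Added example, not from the thread or VMware's docs. A throwaway CA created
# here stands in for the real CA that signs the CSR; FQDN is an assumed value.
set -eu
WORK="${WORK:-$(mktemp -d)}"
FQDN="${FQDN:-uag.example.com}"
PASS="pass:changeit"   # constructed PFX password for the demo bundle

# 1. Key and CSR for the appliance: 2048 bits (the docs require at least 1024)
#    and a SAN carrying the FQDN that clients will connect to.
make_csr() {
  openssl genrsa -out "$WORK/uag.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/uag.key" -subj "/CN=$FQDN/O=Example Org/OU=IT" \
    -addext "subjectAltName=DNS:$FQDN" -out "$WORK/uag.csr"
}

# 2. Stand-in for "the CA signs the CSR": in practice uag.csr goes to your CA
#    and the signed certificate (plus chain) comes back; uag.key never leaves.
sign_with_demo_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.pem" -subj "/CN=Demo CA" -days 1 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$FQDN" > "$WORK/san.ext"
  openssl x509 -req -in "$WORK/uag.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/san.ext" -out "$WORK/uag.crt" 2>/dev/null
}

# 3. CAs often hand back a PFX; build one so the documented extraction applies.
bundle_pfx() {
  openssl pkcs12 -export -inkey "$WORK/uag.key" -in "$WORK/uag.crt" \
    -certfile "$WORK/ca.pem" -passout "$PASS" -out "$WORK/uag.pfx"
}

# 4. The thread's two extraction commands, then the check that matters: "rsa
#    -check" only validates the key itself, so compare public keys to prove the
#    key belongs to this certificate before uploading either file to the UAG.
extract_and_check() {
  openssl pkcs12 -in "$WORK/uag.pfx" -nokeys -passin "$PASS" -out "$WORK/cert.pem"
  openssl pkcs12 -in "$WORK/uag.pfx" -nodes -nocerts -passin "$PASS" -out "$WORK/key.pem"
  openssl rsa -in "$WORK/key.pem" -check -noout >/dev/null
  c=$(openssl x509 -in "$WORK/cert.pem" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$WORK/key.pem" -pubout | openssl sha256)
  [ "$c" = "$k" ]
}

# 5. One-line PEM as I read the doc title quoted above: each line break becomes
#    the two characters backslash-n, so the whole file sits on a single line.
one_line_pem() { awk 'NF {sub(/\r/, ""); printf "%s\\n", $0}' "$1"; }
run_all() { make_csr && sign_with_demo_ca && bundle_pfx && extract_and_check; }
run_all && echo "key matches certificate; files in $WORK"
```

Step 4 is the one to keep even if your CA gives you PEM files directly: a key/certificate mismatch is the usual reason the UAG admin interface falls back to its self-signed certificate after an upload.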
Weshale1879
Contributor

Yes, that is what I was looking at in the document, and you are correct, the document is a bit lacking for someone not familiar with this process. What I was specifically referring to in the documentation was the section that states that you can update the default self-signed certificate with a CA-signed certificate. See Update SSL Server Signed Certificates. When I click on See Update SSL Server Signed Certs, the instructions are below. I think my best option, as you suggested, is to contact support and have them walk me through this process. Thanks again for responding and assisting.

You can update the default self-signed certificate with a CA-signed certificate. See Update SSL Server Signed Certificates. For smart card certificates, see Configuring Certificate or Smart Card Authentication on the Unified Access Gateway Appliance.

Update SSL Server Signed Certificates

You can replace your signed certificates when they expire or substitute the default certificates with CA-signed certificates.

For production environments, VMware strongly recommends that you replace the default certificate as soon as possible. The default TLS/SSL server certificate that is generated when you deploy a Unified Access Gateway appliance is not signed by a trusted Certificate Authority.

Note the following considerations when you upload a certificate:

  • You can replace the default certificate with a CA-signed PEM certificate for both the administrator and the user.
  • When you upload a CA-signed certificate on the admin interface, the SSL connector on the admin interface is updated and restarted to ensure the uploaded certificate takes effect. If the connector fails to restart with the uploaded CA-signed certificate, a self-signed certificate is generated and applied on the admin interface and the user is notified that the previous attempt to upload a certificate was unsuccessful.

Prerequisites

  • New signed certificate and private key saved to a computer that you can access.
  • Convert the certificate to PEM-format files and convert the .pem to one-line format. See Convert Certificate Files to One-Line PEM Format.

Procedure

1. In the administration console, click Select.
2. In the Advanced Settings section, click the SSL Server Certificate Settings gearbox icon.
3. Select either Admin Interface or Internet Interface to apply the certificate to either of the interfaces. You can also select both to apply the certificate to both the interfaces.
4. Select a Certificate Type of PEM or PFX.
5. If the Certificate Type is PEM:
   a. In the Private Key row, click Select and browse to the private key file.
   b. Click Open to upload the file.
   c. In the Certificate Chain row, click Select and browse to the certificate chain file.
   d. Click Open to upload the file.
6. If the Certificate Type is PFX:
   a. In the Upload PFX row, click Select and browse to the pfx file.
   b. Click Open to upload the file.
   c. Enter the password of the PFX certificate.
   d. Enter an alias for the PFX certificate. You can use the alias to distinguish when multiple certificates are present.
7. Click Save.

Regards,

Wes
