vRealize Log Insight – cert issues getting to 8.12

So this problem started back a few weeks ago.
vRLI (vRealize Log Insight) had a certificate issue that was about to come to light, highlighted in VMware KB91441: internal certificates will expire on April 30, 2023. This KB solves the problem, but doesn’t tell you how to restore your CA-signed certificate back to vRLI….so I started digging.

So I planned on upgrading as soon as was possible from 8.10 to 8.12 (when 8.12 was released).

So VMware Aria Operations for Logs (the new name for vRealize Log Insight) gets released. I try to upgrade to it, and it fails.
Fun….Never had an issue upgrading vRLI, so I revert to snapshot, and try again.

Discovered that my “root” user password expired.
Addressed that.
Discovered I needed to upgrade to 8.10.2 in order to upgrade to 8.12.
Upgrade to 8.10.2 no problem.
Still had issues with the upgrade to 8.12.

Now, the issue was because I had used a certificate from my Windows CA for my vRealize lab deployment.
The KB linked above stated to remove the certificate (revert back to self-signed) then upgrade….made no mention of reapplying the cert.
I tried that, and found out it worked.
So I reverted back to snapshot to figure it out.

Tried to upgrade again from 8.10.2 to 8.12, and it failed again (because I did not revert back to self signed).
Led me to believe it was a certificate issue, which I had to figure out.
I had 3 weeks, should be no problem….
Well, found my answer with just 2 days to go before April 30, 2023….

Rudi Martinsen had helped me out (unknowingly) via his blog post on April 27 about upgrading to vRLI 8.12.
A follow on blog post the following day from Rudi covered the Certificate portion!
Between the two posts, I was able to greatly simplify the vRLI 8.10.2 to VMware Aria Operations for Logs 8.12 upgrade.

I had to create the steps below, to cover the Certificate Authority, Certificate Template Management, creating the CSR, getting a CER, and creating the PEM.
I used the same CFG file as before (for creating Loginsight.cer) to call OpenSSL….I am assuming you know how to use OpenSSL (at least a bit), and that you already have your RootCA certificate file (root64.cer as the example below).

Log into the CA Windows system.
Open the Certificate Authority (Start –> Windows Administrative Tools –> Certificate Authority).
Right click on Certificate Templates –> Manage
Now…in the Certificate Template Management Console….
Find Web Server –> Right Click –> Duplicate Template
Select the General Tab
Change the name to Web Server AND ClientAuth
Select Extensions
Click Edit
Click Add
Select Client Authentication, click OK
Click OK
Click OK
Close the Certificate Template Management Console.

Back in the Certificate Authority console…
Right Click “Certificate Templates”, –> New –> Certificate Template to issue
Choose Web Server AND ClientAuth
Click OK

Now ready to issue updated certs with the new requirements!!!

Run the commands to create new KEY and CSR
openssl req -new -nodes -out c:\certs\loginsight.csr -newkey rsa:2048 -keyout c:\certs\loginsight.key -config c:\certs\loginsight.cfg

Now go get certificates from the CA.
Be sure to use the new template, Web Server AND ClientAuth.
That downloaded newcert.cer, which I renamed to loginsight.cer

Now create the PEM files
Run these from CMD.EXE as PowerShell 7 keeps throwing errors!
type c:\certs\loginsight.key c:\certs\loginsight.cer c:\certs\root64.cer > c:\certs\loginsight.pem
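
Before applying the PEM, it is worth confirming that the issued certificate really carries Client Authentication alongside Server Authentication, that the key matches the certificate, and that the blocks sit in key, certificate, root order. The script below is an added example, not from the original post or from VMware; it assumes a POSIX shell with openssl on the PATH (for example Git Bash on the workstation holding c:\certs), and first_cert, check_pem and make_demo are hypothetical helper names, with make_demo only building throwaway test data.

```shell
#!/bin/sh
# Print the first CERTIFICATE block of a PEM file (the leaf in key,cert,root order).
first_cert() {
    awk '/-----BEGIN CERTIFICATE-----/{f=1} f{print} /-----END CERTIFICATE-----/{if(f)exit}' "$1"
}

# check_pem BUNDLE ROOT: returns 0 if the bundle passes all four checks, 1 otherwise.
check_pem() {
    bundle=$1 root=$2 rc=0
    tmp=$(mktemp) || return 1
    # 1. Order: the private key must be the first PEM block in the bundle.
    grep -m1 -e '-----BEGIN' "$bundle" | grep -q 'PRIVATE KEY' ||
        { echo "FAIL: private key is not the first block"; rc=1; }
    first_cert "$bundle" > "$tmp"
    # 2. EKU: the leaf must list both server and client authentication.
    text=$(openssl x509 -in "$tmp" -noout -text 2>/dev/null) ||
        { echo "FAIL: no readable certificate in bundle"; rc=1; }
    for usage in 'TLS Web Server Authentication' 'TLS Web Client Authentication'; do
        echo "$text" | grep -q "$usage" || { echo "FAIL: EKU lacks $usage"; rc=1; }
    done
    # 3. The private key in the bundle must belong to the leaf certificate.
    pub=$(openssl pkey -in "$bundle" -pubout 2>/dev/null) &&
        [ "$pub" = "$(openssl x509 -in "$tmp" -noout -pubkey 2>/dev/null)" ] ||
        { echo "FAIL: key does not match certificate"; rc=1; }
    # 4. The leaf must chain to the root CA file (root64.cer in the post).
    openssl verify -CAfile "$root" "$tmp" >/dev/null 2>&1 ||
        { echo "FAIL: leaf does not verify against $root"; rc=1; }
    rm -f "$tmp"
    return $rc
}

# make_demo DIR EKU: constructed test data only. Builds a throwaway root CA and a
# leaf with the given extendedKeyUsage, bundled in the post's key,cert,root order.
make_demo() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Demo Root' \
        -keyout "$d/root.key" -out "$d/root64.cer" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=loginsight.example' \
        -keyout "$d/loginsight.key" -out "$d/loginsight.csr" 2>/dev/null
    printf 'extendedKeyUsage=%s\n' "$2" > "$d/ext.cnf"
    openssl x509 -req -in "$d/loginsight.csr" -CA "$d/root64.cer" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -extfile "$d/ext.cnf" -out "$d/loginsight.cer" 2>/dev/null
    cat "$d/loginsight.key" "$d/loginsight.cer" "$d/root64.cer" > "$d/loginsight.pem"
}
```

Against the real files, the call is check_pem loginsight.pem root64.cer from inside the certs folder; any FAIL line means the bundle should be rebuilt before it is applied.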

Now apply the SSL to Log Insight 8.10.2.
THEN you can upgrade, with your CA’s certificate in place, to VMware Aria Operations for Logs.

I was 3 months away from needing to update all the lab certificates anyway, so I tested this workflow, making new certificates with ClientAuth, and applied this to all of the following:
vRLCM – now VMware Aria Lifecycle Manager
vIDM – VMware Identity Manager (deployed via vRLCM)
vROPs – now VMware Aria Operations (deployed via vRLCM)
vRLI – now VMware Aria Operations for Logs (deployed via vRLCM)