Replace your Workspace ONE Access certificate by using VMware Aria Suite Lifecycle

Use this procedure to replace the VMware Identity Manager certificate or the globalenvironment setting in your VMware Aria Suite Lifecycle environment.
The VMware Identity Manager and Workspace ONE Access terms are used interchangeably in VMware Aria Suite Lifecycle product documentation.
For related information about replacing certificates for VMware Aria Suite Lifecycle, see Replace certificate for VMware Aria Suite Lifecycle products.
To replace a certificate on a clustered deployment, you must manually replace the certificate on the load balancer. If you encounter an error while replacing the certificate and you are running Workspace ONE Access version 3.3.7, see https://kb.vmware.com/s/article/94095.

Generate a self-signed certificate

Use the Locker service to generate a Certificate Signing Request (CSR) and create a .pem file. With information from the .pem file, you import the certificate into the VMware Aria Suite Lifecycle locker.
  1. From the My Services dashboard, click Locker.
  2. Click Generate CSR and enter the name globalenvironment.
  3. Enter customer-specific values for all required fields on the Generate CSR form and click Generate to generate the .pem file.
    To replace your certificate in a clustered environment, enter multiple domain names and IP addresses, separated by commas.
    A .pem file contains a certificate signing request and a private key, as in the example below with certificate and key details removed.
    -----BEGIN CERTIFICATE REQUEST-----
    ...
    -----END CERTIFICATE REQUEST-----
    -----BEGIN PRIVATE KEY-----
    ...
    -----END PRIVATE KEY-----
  4. Submit the .pem file to a signing authority to request that it be signed. If you do not have a configured signing authority, perform the following steps.
    In this example, the signing authority is the Microsoft Active Directory Certificate Service and it is configured for http://localhost/certsrv/.
    1. Click Request a Certificate > Advanced Certificate Request.
    2. For this example, click Request a certificate.
    3. Click Advanced certificate request.
    4. Click the Submit a certificate request using base64 encoded … option.
    5. Paste the certificate .pem file content from your certificate request and click Submit.
  5. After the .pem is submitted, you are prompted to download a certificate. Select the Base64 encoded certificate format and select both the Download certificate and the Download certificate chain options.
    This action downloads certnew.cer for the certificate and certnew.p7b for the certificate chain. In this example, they are downloaded to a user downloads folder of C:\USERS\ARUN\DOWNLOADS. Examples of both are provided below:
    • certnew.cer - certificate
      Reference: certnew.cer
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
    • certnew.p7b - certificate chain
      Reference: certnew.p7b
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
  6. The root certificate is needed. In this example, an existing server certificate named cap-AD-CA exists and an existing root certificate of vidm.cap.org exists, and both were issued by a signing authority of cap-AD-CA.
  7. Split this into the globalenvironment certificate and the root certificate by using the Copy To File function. The certificates involved are certnew.cert, globalenvironmentcert.cert, rootcert.cert and the certnew.p7b certificate chain.
  8. Import the globalenvironment certificate into the VMware Aria Suite Lifecycle Locker service:
    1. Click Locker from the VMware Aria Suite Lifecycle My Services page.
    2. Click Certificates > Import.
    3. The Import Certificate page appears. In the Name field, enter globalenvironment.
  9. Using the extracted globalenvironment and root certificate as source, open Notepad++ or any other text editor and create a certificate chain with two certificate sections: the server certificate content at the top followed by the root certificate content. The example below shows the two sections with details removed.
    -----BEGIN CERTIFICATE-----
    ... ###server certificate content### ...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ... ###root certificate content### ...
    -----END CERTIFICATE-----
    • Copy and paste the private key content from the .pem file created by the generated CSR into the Private Key section of the Import Certificate form.
    • Copy and paste the content with the two certificate sections into the Certificate Chain section of the Import Certificate form.
  10. Verify the certificate chain by using a verification tool such as https://tools.keycdn.com/ssl.
  11. Click Import to import the new globalenvironment certificate into VMware Aria Suite Lifecycle.
    When the import is successful, the Certificate successfully added. statement appears.
  12. You can display details about the successfully imported new certificate.
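
The checks behind steps 9 and 10 (two sections in the right order, a chain that verifies, and a private key that belongs to the server certificate) can be run locally with OpenSSL before the content is pasted into the Import Certificate form. This is an added example, not part of the VMware procedure; the check_bundle and make_sample helpers, the file names, and the throwaway sample certificates are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not VMware code): local check of the "Certificate Chain" and
# "Private Key" inputs from steps 9-10. Helper and file names are assumptions.

# check_bundle CHAIN KEY: prints OK, or the first failed check (exit status 1).
check_bundle() (
  d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
  # Step 9 expects exactly two sections: server certificate, then root.
  n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true)
  [ "$n" -eq 2 ] || { echo "FAIL: expected 2 certificates, found $n"; exit 1; }
  awk -v d="$d" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/c" n ".pem")}' "$1"
  name() { openssl x509 -in "$1" -noout "-$2" | sed 's/^[a-z]*= *//'; }
  # Order: the second section must be self-signed and must have issued the first.
  [ "$(name "$d/c2.pem" subject)" = "$(name "$d/c2.pem" issuer)" ] ||
    { echo "FAIL: second certificate is not a self-signed root"; exit 1; }
  [ "$(name "$d/c1.pem" issuer)" = "$(name "$d/c2.pem" subject)" ] ||
    { echo "FAIL: first certificate was not issued by the second"; exit 1; }
  # Signature check of the server certificate against the root.
  openssl verify -CAfile "$d/c2.pem" "$d/c1.pem" >/dev/null 2>&1 ||
    { echo "FAIL: chain does not verify"; exit 1; }
  # The private key must belong to the server certificate.
  [ "$(openssl x509 -in "$d/c1.pem" -noout -pubkey)" = \
    "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ] ||
    { echo "FAIL: private key does not match the server certificate"; exit 1; }
  echo "OK"
)

# make_sample DIR: constructed throwaway root and server certificate (sample data).
make_sample() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Root CA" \
    -keyout "$1/root.key" -out "$1/rootcert.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=vidm.example.test" \
    -keyout "$1/ge.key" -out "$1/ge.csr" 2>/dev/null
  openssl x509 -req -in "$1/ge.csr" -CA "$1/rootcert.pem" -CAkey "$1/root.key" \
    -CAcreateserial -days 1 -out "$1/globalenvironmentcert.pem" 2>/dev/null
  # Step 9 order: server certificate content first, root certificate content second.
  cat "$1/globalenvironmentcert.pem" "$1/rootcert.pem" > "$1/chain.pem"
}

work=$(mktemp -d); make_sample "$work"
check_bundle "$work/chain.pem" "$work/ge.key"   # run against the constructed sample
rm -rf "$work"
```

To check real files, call check_bundle with the two-section chain file and the private key file; both are read locally and the private key is not sent to any external service.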

Create a snapshot of the environment

Before replacing your existing globalenvironment certificate with the new certificate, take a snapshot in the Lifecycle Operations service.
  1. From the VMware Aria Suite Lifecycle dashboard, click Lifecycle Operations.
  2. Click Environments and then click View Details on the globalenvironment tile.
  3. Click the three-dot ellipsis (...) following the Change Admin Password option and select Snapshot > Create Snapshot from the drop-down menu.
  4. For this example, enter Snapshot Before Cert Replacement in the Snapshot Prefix and Description fields.
  5. Switch the Shutdown before taking snapshot option to the on position and click Next.
  6. When prompted, click Run Precheck.
  7. When the precheck result is returned, click Finish.
  8. After you click Finish, the Request Details page automatically appears and displays the progression of each stage of the pre-check process.
  9. When the snapshot request is complete, you can proceed to make the certificate replacement request.

Create the certificate replacement request

After you create the snapshot, you're ready to initiate the certificate replacement request and replace the existing standalone globalenvironment certificate with the new self-signed certificate.
  1. On the VMware Aria Suite Lifecycle My Services page, click Lifecycle Operations and then click Environments.
  2. Click View Details on the globalenvironment tile.
  3. Click the three dot icon (...) in the VMware Identity Manager row and click Replace Certificate from the drop-down menu.
    The Current Certificate details page appears. If you've never replaced the certificate, then this is the default certificate that was used during installation of the product.
  4. On the resultant Current Certificate details page, click Next.
    The Select Certificate page appears.
  5. On the Select Certificate page, select globalenvironment from the drop-down menu.
    The Select Certificate details page appears.
  6. On the resultant Select Certificate details page, click Next.
    The Retrust Product Certificate page appears.
  7. On the Retrust Product Certificate page, select all the products to be impacted by the retrust certificate action and then click Next.
    The Opt-in for Snapshot page appears.
  8. Click the Opt-in for Snapshot check box to enable the option and then click Next.
    The Precheck page appears.
  9. On the Precheck page, click Run Precheck.
  10. If you are prompted to consent to a validation request, click Re-run Precheck.
    Review the pre-check results and take any further actions that are needed as prompted on-screen.
  11. When all pre-check validations are complete, click Finish to submit the request.
  12. You can monitor the request details status by selecting Requests in the Lifecycle Operations left pane menu. The stages of the replace certificate action are detailed below.
    Stage-1 Gracefully Shut Down VMware Identity Manager
      • Start
      • Validate VMware Identity Manager Certificate
      • Start graceful shutdown of VMware Identity Manager
      • Prepare graceful shutdown of VMware Identity Manager nodes
      • Check power states of VMware Identity Manager nodes
      • Validate SSH credentials of VMware Identity Manager nodes
      • Update VMware Identity Manager node types
      • Extract vMoid of VMware Identity Manager nodes
      • Verify Identity Manager Appliance Health Check
      • Verify Identity Manager Postgres Health Check
      • Validate VMware Identity Manager node types
      • VMware Identity Manager stop horizon service
      • VMware Identity Manager stop Elasticsearch / Opensearch service
      • VMware Identity Manager stop pgpool service
      • VMware Identity Manager stop postgres service
      • Shutdown VMware Identity Manager nodes
      • Final
    Stage-2 Create Node Snapshot
      • Start
      • Get vMoid using Virtual Machine
      • Virtual Machine Snapshot using vMoid
      • Final
    Stage-3 Power on VMware Identity Manager Node(s)
      • Start
      • Validate VMware Identity Manager Certificate
      • Start Power On of VMware Identity Manager nodes
      • Prepare required inputs to power on VMware Identity Manager Node(s)
      • Extract vMoid
      • Power On VMware Identity Manager Node
      • Check Hostname/IP status of VMware Identity Manager
      • Get node endpoint of VMware Identity Manager
      • Final
    Stage-4 Remediate VMware Identity Manager
      • Start
      • Start remediation of VMware Identity Manager
      • Prepare required inputs to remediate VMware Identity Manager
      • Validate ssh credentials of VMware Identity Manager
      • VMware Identity Manager start pgpool service
      • Update VMware Identity Manager node types
      • Check primary node status of VMware Identity Manager
      • VMware Identity Manager Appliance Health Check
      • Update VMware Identity Manager node details with VMware Aria Suite Lifecycle's inventory
      • Final
    Stage-5 Product Health Check
      • Start
      • Product Health Check prepare
      • vIDM health pre-Check
      • Final
    Stage-6 Update Certificate on VMware Identity Manager
      • Start
      • Validate VMware Identity Manager Certificate
      • Start update of Certificate on VMware Identity Manager nodes
      • Update Certificate on VMware Identity Manager nodes
      • Final
    Stage-7 Trust vIDM Certificate in LCM
      • Start
      • Add vIDM certificate to VMware Aria Suite Lifecycle trust store
      • Final
    Stage-8 Revert to Node Snapshot
      • Start
      • Get vMoid
      • Final
    Stage-9 Power On VMware Identity Manager Nodes
      • Start
      • Validate VMware Identity Manager Certificate
      • Final
    Stage-10 Remediate VMware Identity Manager Nodes
      • Start
      • Start remediation of VMware Identity Manager
      • Prepare required inputs to remediate VMware Identity Manager
      • Validate ssh credentials of VMware Identity Manager
      • VMware Identity Manager start pgpool service
      • Update VMware Identity Manager node types
      • Check primary node status of VMware Identity Manager
      • VMware Identity Manager Appliance Health Check
      • Update VMware Identity Manager node details with VMware Aria Suite Lifecycle's inventory
      • Final
    Stage-11 Product Health Check
      • Start
      • Product Health Check prepare
      • Final
    Stage-12 Delete Node Snapshot
      • Start
      • Get vMoid
      • Delete Snapshot
      • Delete Node Snapshot
      • Final
    Stage-13 Locker Reference Update
      • Start
      • Locker reference update init
      • Locker reference inventory update
      • Final
    Stage-14 Product Replace Update Notification
      • Start
      • Start replace update notification
      • Replace certificate notification
      • Final
    Stage-15 Validate if VMware Identity Manager re-trust is required on products
      • Start
      • Start Validate if VMware Identity Manager re-trust is required on products
      • Validate if VMware Identity Manager re-trust is required on products
      • Final
    Stage-16 Update VMware Identity Manager Auth provider hostname
      • Start
      • Start update auth provider hostname
      • Trust VMware Identity Manager Certificate in VMware Aria Suite Lifecycle
      • Update VMware Identity Manager Auth provider hostname
      • Final
    Stage-17 Retrust VMware Identity Manager on VMware Aria Automation
      • Start
      • Start VMware Identity Manager flow
      • Check if vIDM root certificate is present on VMware Aria Automation
      • Check for VMware Identity Manager availability
      • Check for VMware Identity Manager Login Token
      • Check for VMware Identity Manager Default Configuration User availability
      • Configure VMware Identity Manager for VMware Aria Automation
      • Configure Load Balancer for VMware Aria Automation
      • Initialize VMware Aria Automation
      • Update VMware Identity Manager allowed redirects
      • Final
    VMware Aria Operations reconfigure vidm
      • Start
      • Start VMware Aria Operations - VMware Identity Manager reconfigure
      • Reconfigure VMware Identity Manager
      • Prepare Identity Manager catalog task
      • Final
    VMware Aria Operations for Logs retrust vidm
      • Start
      • Start VMware Aria Operations for logs retrust vIDM
      • Prepare Nodes
      • Final
    VMware Aria Operations for Networks Reconfigure vidm
      • Start
      • Start VMware Aria Operations for Networks generic
      • Validate and fetch VMware Aria Operations for Networks vidm client details
      • vIDM get O Auth client details
      • Reconfigure vIDM hostname
      • Final
    Stage-18 Re-trust VMware Identity Manager on VMware Aria Automation
      • Start
      • Start VMware Identity Manager flow
      • Check if vIDM root certificate is present on VMware Aria Automation
      • Check for VMware Identity Manager availability
      • Check for VMware Identity Manager Login Token
      • Check for VMware Identity Manager Default Configuration User availability
      • Configure VMware Identity Manager for VMware Aria Automation
      • Configure Load Balancer for VMware Aria Automation
      • Initialize VMware Aria Automation
      • Update VMware Identity Manager allowed redirects
      • Final
    VMware Aria Operations reconfigure vidm
      • Start
      • Start VMware Aria Operations - VMware Identity Manager reconfigure
      • Reconfigure VMware Identity Manager
      • Prepare Identity Manager catalog task
      • Final
  13. When complete, confirm that the certificate is in use by clicking Locker from the My Services page of VMware Aria Suite Lifecycle and then selecting Certificates > globalenvironment.
    You can also view VMware Aria Suite Lifecycle and VMware Identity Manager logs. The log statement Applied certificate to vIDM.. indicates that the VMware Identity Manager services are being restarted.