Certificates that you import into the Access Point appliance must be trusted by client machines and must
also be applicable to all instances of Access Point and any load balancer, either by using wildcards or by
using Subject Alternative Name (SAN) certificates.
Convert Certificate Files to One-Line PEM Format
To use the Access Point REST API to configure certificate settings, or to use the PowerShell scripts, you must
convert the certificate into PEM-format files for the certificate chain and the private key, and you must then
convert the .pem files to a one-line format that includes embedded newline characters.
When configuring Access Point, there are three possible types of certificates you might need to convert.
- You should always install and configure a TLS/SSL server certificate for the Access Point appliance.
- If you plan to use smart card authentication, you must install and configure the trusted CA issuer certificate for the certificate that will be put on the smart card.
- If you plan to use smart card authentication, VMware recommends that you install and configure a root certificate for the signing CA for the SAML server certificate that is installed on the Access Point appliance.
For all of these types of certificates, you perform the same procedure to convert the certificate into a PEM-format file that contains the certificate chain. For the TLS/SSL server certificate, you also extract the private key into a separate PEM file; the trusted CA issuer and root certificates are public certificates and carry no private key to extract. You must then convert each .pem file to a one-line format, in which every line break is replaced by the two-character sequence \n, so that the file content can be passed as a string value in the JSON body of an Access Point REST API request.
Prerequisites
- Verify that you have the certificate file. The file can be in PKCS#12 (.p12 or .pfx) format or in Java JKS or JCEKS format.
- Familiarize yourself with the openssl command-line tool that you will use to convert the certificate. See https://www.openssl.org/docs/apps/openssl.html.
- If the certificate is in Java JKS or JCEKS format, familiarize yourself with the Java keytool command-line tool to first convert the certificate to PKCS#12 (.p12 or .pfx) format before converting to .pem files.
Procedure
1 If your certificate is in Java JKS or JCEKS format, use keytool to convert the certificate to PKCS#12 (.p12 or .pfx) format.
IMPORTANT Use the same source and destination password during this conversion.
2 If your certificate is in PKCS#12 (.p12 or .pfx) format, or after the certificate is converted to PKCS#12
format, use openssl to convert the certificate to .pem files.
For example, if the name of the certificate is mycaservercert.pfx, use the following commands to convert the certificate. The first command writes the certificate chain, the second writes the private key to its own file (the -nodes option leaves the key unencrypted on disk, so run it in a directory only you can read and delete the file once the key has been imported), and the third checks the key's internal consistency and writes a clean copy of it:
openssl pkcs12 -in mycaservercert.pfx -nokeys -out mycaservercert.pem
openssl pkcs12 -in mycaservercert.pfx -nodes -nocerts -out mycaservercertkey.pem
openssl rsa -in mycaservercertkey.pem -check -out mycaservercertkeyrsa.pem
3 Edit mycaservercert.pem and remove any unnecessary entries, including the Bag Attributes, subject= and issuer= lines that openssl pkcs12 writes in front of each certificate. The file should contain the TLS/SSL server certificate first, followed by any necessary intermediate CA certificates and then the root CA certificate, each as a complete -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- block.
Chapter 3 Configuring Access Point
VMware, Inc. 41