Uncovering the Mystery of SSL Client Purpose in Certificate Issuance for Aria Operations for Logs (aka vRLI)

Upgrading vRealize Log Insight to Version 8.12: A Tale of SSL Certificates and Client Authentication

As I embarked on an upgrade of my vRealize Log Insight (Aria Operations for Logs) server from version 8.10 to 8.12, I encountered an unexpected issue with my custom SSL certificate. Despite having successfully used the same certificate for several months, the upgrade process failed with an obscure error message: “No SSL client purpose on certificate.”

At first, I thought it was a simple matter of reverting to a self-signed certificate, but then I encountered the same issue when trying to re-add both the existing SSL cert and a new one issued from my lab Root CA. Confused and determined to resolve the issue, I dove into research mode.

It turns out that the problem was related to the type of certificate I had installed on the server. My existing certificate was for Server Authentication, but vRealize Log Insight version 8.12 requires Client Authentication. This subtle difference in certificate purpose caused the upgrade to fail.

To resolve the issue, I needed to change the Certificate template on my Windows Root CA to include Client Authentication. This involved creating a new certificate template with the appropriate settings and then issuing a new certificate from this template.

As I delved deeper into the process, I discovered that there was no step-by-step guide available for changing a Certificate template on a Windows Root CA, issuing a new certificate, and uploading it to the Log Insight server. That is, until I found Mark Gabryjelski’s excellent post on the subject.

Mark’s post provided a detailed, step-by-step guide on how to change a Certificate template on a Windows Root CA, issue a new certificate, and upload it to the Log Insight server. The process involved creating a new certificate template with Client Authentication, issuing a new certificate from this template, and then uploading the certificate and corresponding private key along with the Root CA chain to the Log Insight server.

After following Mark’s guide, I was able to successfully upgrade my vRealize Log Insight server to version 8.12 and resolve the SSL certificate issue. The moral of the story is that when upgrading your Log Insight server, be sure to check the Certificate requirements in the Aria Operations for Logs documentation page. As of the time of this writing, the documentation does not list the requirement for Client Authentication, so it’s essential to double-check before starting the upgrade process.

In conclusion, if you encounter an SSL certificate issue during an upgrade of your vRealize Log Insight server to version 8.12, it may be due to a mismatch in certificate purpose between Server Authentication and Client Authentication. By following Mark Gabryjelski’s guide and changing the Certificate template on your Windows Root CA to include Client Authentication, you should be able to resolve the issue and successfully complete the upgrade.
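A pre-upgrade check for the purpose mismatch described above, as an added example that is not from the original post or from VMware: it reads the purpose report that `openssl x509 -noout -purpose` prints and lists which required purposes are missing. The function names, the sample reports, and the assumption that the certificate should carry both Server Authentication and Client Authentication are mine.

```python
import subprocess
import sys

# Assumption: the reissued certificate keeps Server Authentication
# and adds Client Authentication, so both purposes must report "Yes".
REQUIRED = ("SSL client", "SSL server")

# Constructed samples in the layout `openssl x509 -noout -purpose` prints.
SAMPLE_SERVER_ONLY = """\
Certificate purposes:
SSL client : No
SSL client CA : No
SSL server : Yes
SSL server CA : No
"""
SAMPLE_BOTH = SAMPLE_SERVER_ONLY.replace("SSL client : No", "SSL client : Yes")


def parse_purposes(report):
    """Map each purpose name in the report to True (Yes) or False (No)."""
    purposes = {}
    for line in report.splitlines():
        name, sep, verdict = line.partition(" : ")
        if sep:  # skips the "Certificate purposes:" header line
            # CA rows can read "Yes (WARNING code=...)", so test the prefix.
            purposes[name.strip()] = verdict.strip().startswith("Yes")
    return purposes


def missing_purposes(report, required=REQUIRED):
    """Return the required purposes the certificate does not allow."""
    found = parse_purposes(report)
    return [p for p in required if not found.get(p, False)]


def check_pem(path):
    """Run OpenSSL on a PEM certificate file and return missing purposes."""
    result = subprocess.run(
        ["openssl", "x509", "-in", path, "-noout", "-purpose"],
        check=True, capture_output=True, text=True,
    )
    return missing_purposes(result.stdout)


if __name__ == "__main__":
    for pem in sys.argv[1:]:
        missing = check_pem(pem)
        print(pem, "OK" if not missing else "missing: " + ", ".join(missing))
```

Run it against the certificate file before uploading it; a certificate issued from a Server Authentication only template is reported as missing `SSL client`.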