No SSL client purpose on certificate issue on Aria Operations for Logs (aka vRLI)

During an upgrade of my vRealize Log Insight, aka Aria Operations for Logs, I encountered an issue with the custom SSL certificate I had installed on the server.

I first encountered this during the upgrade to version 8.12, which resulted in an error.

Certificate error

Then, after resetting the SSL configuration on the server, reverting back to a self-signed cert and successfully upgrading to version 8.12, I encountered the same error when trying to re-add both the existing SSL cert and a new one issued from my lab Root CA.

SSL client purpose missing

The error No SSL client purpose on certificate didn't make a whole lot of sense, but after digging around a bit I found some other references to Client Authentication, as opposed to the Server Authentication that my existing certificate already had.

SSL certificate with Server Authentication

So I decided to try to add in Client Authentication on the same Certificate template.

Updated Certificate template

And then I issued a new certificate from this template.

Certificate with both Server and Client Auth

Finally, I tried to upload this new certificate with the corresponding private key and the Root CA chain, and now it was successful.

Certificate uploaded

For a step-by-step guide on how to change a Certificate template on a Windows Root CA, issue a new certificate and upload it to the Log Insight / Aria Operations for Logs server, be sure to check out this post by fellow vExpert Mark Gabryjelski.

As of the time of this writing, the Certificate requirements on the Aria Operations for Logs documentation page do not list this requirement. Hopefully VMware can update the docs to reflect this.
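A pre-upload check for the requirement described above, as an added example (not from the original post or from VMware): it reads the Extended Key Usage extension from a certificate using only the Python standard library, so you can confirm Client Authentication is present before uploading. The function names and the sample bytes are constructed for illustration, and `eku_from_pem` assumes the first certificate in the PEM text is the server certificate.

```python
import ssl

EKU_EXT = bytes.fromhex("551d25")  # OID 2.5.29.37, extendedKeyUsage
NAMES = {"1.3.6.1.5.5.7.3.1": "serverAuth", "1.3.6.1.5.5.7.3.2": "clientAuth"}
# Constructed sample input: only the extensions part of a certificate, not a full cert.
SERVER_ONLY = bytes.fromhex("a317301530130603551d25040c300a06082b06010505070301")
BOTH = bytes.fromhex("a321301f301d0603551d250416301406082b0601050507030106082b06010505070302")

def tlvs(buf):
    """Yield (tag, value) for each DER element directly inside buf."""
    i = 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:  # long-form length: low 7 bits give the number of length bytes
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        yield tag, buf[i:i + n]
        i += n

def oid(v):
    """Decode the content bytes of a DER OBJECT IDENTIFIER to dotted notation."""
    arcs, acc = [v[0] // 40, v[0] % 40], 0
    for b in v[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def eku(der):
    """Return the EKU purposes found in a DER structure, or None if there is no EKU."""
    items = list(tlvs(der))
    if len(items) >= 2 and items[0] == (0x06, EKU_EXT) and items[-1][0] == 0x04:
        (_, seq), = tlvs(items[-1][1])  # extnValue wraps a SEQUENCE OF OID
        return [NAMES.get(oid(v), oid(v)) for _, v in tlvs(seq)]
    for tag, val in items:
        if tag & 0x20:  # constructed element: descend into it
            found = eku(val)
            if found is not None:
                return found
    return None

def eku_from_pem(pem_text):
    """EKU of the first certificate in PEM text (assumed to be the server cert)."""
    start = pem_text.index("-----BEGIN CERTIFICATE-----")
    end = pem_text.index("-----END CERTIFICATE-----") + 25
    return eku(ssl.PEM_cert_to_DER_cert(pem_text[start:end]))
```

A result of `None` means the certificate carries no Extended Key Usage extension at all, which is a different case from an extension that lists only `serverAuth`.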

This page was modified on May 1, 2023: Update vrli-ssl-client-issue.md