vRealize Automation uses SSL certificates for secure communication among IaaS components, the Identity Appliance, and instances of the vRealize Appliance.

The appliances and the Windows installation machines exchange these certificates to establish a trusted connection. You can obtain certificates from an internal or external certificate authority, or generate self-signed certificates during the deployment process for each component.

If you want to use certificates generated by a certificate authority that is not located on the addressable network, you must modify the web.config file for your web apps to ignore certificate revocation errors. Otherwise, HTTP requests fail with an invalid certificate error.

For important information about troubleshooting, supportability, and trust requirements for certificates, see the VMware knowledge base article at http://kb.vmware.com/kb/2106583.

You can update or replace certificates after deployment. For example, you might use self-signed certificates during deployment and then obtain certificates from a trusted authority before going live with your vRealize Automation implementation. You might also need to replace a certificate because it expires.

Table 1. Certificate Implementations

| Component | Minimal Deployment (non production) | Distributed Deployment (production ready) |
|---|---|---|
| Virtual Appliances | Generate a self-signed certificate during appliance configuration. | For each appliance cluster, obtain a multi-use certificate, such as a Subject Alternative Name (SAN) certificate, from an internal or external certificate authority. Wildcard certificates are also supported. |
| IaaS Components | During installation, accept the generated self-signed certificates or select certificate suppression. | Obtain a multi-use certificate, such as a Subject Alternative Name (SAN) certificate, from an internal or external certificate authority that your Web client trusts. Install the same multi-use certificate on each IaaS installation machine. |

Note: If you do not have sufficient permissions to install IIS domain certificates, your Web browser prompts you with security exceptions when you open vRealize Automation. Follow the instructions for your browser to permanently trust each self-signed certificate.

Certificate Chains

If you use certificate chains, specify the certificates in the following order:

  • Client/server certificate signed by the intermediate CA certificate

  • One or more intermediate certificates

  • A root CA certificate

Include the BEGIN CERTIFICATE header and END CERTIFICATE footer for each certificate when you import certificates.