A system administrator can replace certificates for vRealize Automation components. Typically, you replace a certificate to switch from self-signed certificates to certificates provided by a certificate authority or when a certificate expires.

When you replace a certificate for a vRealize Automation component, components that have a dependency on this certificate are affected. You must register the new certificate with these components to ensure certificate trust.

You must update all components of the same type in a distributed system. For example, if you update a certificate for one vRealize Appliance in a distributed environment, you must update all instances of vRealize Appliance for that installation.

Certificates for the Identity Appliance management site and vRealize Appliance management site do not have registration requirements.

Note:

vRealize Automation supports both SHA1 and SHA2 certificates. The self-signed certificates generated by the system use SHA-256 With RSA Encryption. You may need to update vRealize Automation components to use SHA2 certificates due to browser requirements.

Update components in the following order:

  1. Identity Appliance

  2. vRealize Appliance

  3. IaaS components

With one exception, changes to later components in this list do not affect earlier ones. For example, if you import a new certificate to a vRealize Appliance, you must register this change with the IaaS server, but not with the Identity Appliance. The exception is that an updated certificate for IaaS components must be registered with vRealize Appliance.

The following table shows registration requirements when you update a certificate.

Table 1. Registration Requirements

| Updated Certificate | Register new certificate with Identity Appliance | Register new certificate with vRealize Appliance | Register new certificate with IaaS |
|---------------------|--------------------------------------------------|--------------------------------------------------|------------------------------------|
| Identity Appliance  | Not applicable | Done automatically when you replace the vRealize Appliance certificate | Done automatically when you replace the vRealize Appliance certificate |
| vRealize Appliance  | No             | Not applicable | Yes |
| IaaS                | No             | Yes            | Not applicable |

Note:

If your certificate uses a passphrase for encryption and you do not enter it when you replace your certificate on the virtual appliance, the certificate replacement fails and the message "Unable to load private key" appears.
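A pre-flight script covering the two failure modes this page calls out, a SHA-1 signature that browsers no longer accept and an encrypted private key whose passphrase is not supplied, together with the certificate/key match and expiry checks worth running before any replacement. This is an added example, not VMware tooling; it assumes openssl is in PATH and takes the PEM file paths and the passphrase as arguments.

```shell
#!/bin/sh
# Pre-flight checks on a PEM certificate/key pair before a vRealize Automation
# certificate replacement. Added example, not VMware tooling; needs openssl.
# File paths and the passphrase are supplied by the caller (assumptions).

# 0 if the private key loads with the given passphrase ("" = none).
# An encrypted key without its passphrase is exactly the case behind the
# appliance's "Unable to load private key" failure.
key_loads() {
  openssl pkey -in "$1" -passin "pass:${2:-}" -noout >/dev/null 2>&1
}

# Prints the certificate's signature algorithm, e.g. sha256WithRSAEncryption.
cert_sig_alg() {
  openssl x509 -in "$1" -noout -text |
    sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# 0 if the certificate is signed with a SHA-2 family digest (SHA-256/384/512).
cert_is_sha2() {
  case "$(cert_sig_alg "$1")" in
    sha256*|sha384*|sha512*) return 0 ;;
    *) return 1 ;;
  esac
}

# 0 if the certificate's public key matches the private key (with passphrase).
cert_matches_key() {
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -passin "pass:${3:-}" -pubout 2>/dev/null) || return 1
  [ "$c" = "$k" ]
}

# 0 if the certificate remains valid for at least N days (default 30).
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null
}

# Runs every check; prints each failure and returns 0 only if all pass.
preflight() {
  cert="$1"; key="$2"; pass="${3:-}"; rc=0
  key_loads "$key" "$pass" ||
    { echo "FAIL: key does not load (encrypted key needs its passphrase)"; rc=1; }
  cert_is_sha2 "$cert" ||
    { echo "FAIL: signature is $(cert_sig_alg "$cert"), not SHA-2"; rc=1; }
  cert_matches_key "$cert" "$key" "$pass" ||
    { echo "FAIL: certificate and private key do not match"; rc=1; }
  cert_valid_for_days "$cert" 30 ||
    { echo "FAIL: certificate expires within 30 days"; rc=1; }
  return $rc
}
```

Run as `preflight cert.pem key.pem [passphrase]`; a non-zero exit with a FAIL line means the replacement would fail or leave the component on a certificate browsers reject.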

In addition to certificates for the Identity Appliance, the vRealize Appliance, IaaS Website components, and Manager Service components, your deployment can have certificates for the Identity Appliance management site and the vRealize Appliance management site. Management Agents also have certificates. Each IaaS machine runs a Management Agent.

For important information about troubleshooting, supportability, and trust requirements for certificates, see the VMware knowledge base article at http://kb.vmware.com/kb/2106583.