A system administrator can update or replace certificates for vRealize Automation components.

vRealize Automation contains three main components that use SSL certificates in order to facilitate secure communication with each other. These components are as follows:

  • vRealize Automation appliance

  • IaaS website component

  • IaaS manager service component

In addition, your deployment can have certificates for the vRealize Automation appliance management site. Also, each IaaS machine runs a Management Agent that uses a certificate.

Typically, self-signed certificates are generated and applied to these components during product installation. You might need to replace a certificate to switch from self-signed certificates to certificates provided by a certificate authority or when a certificate expires. When you replace a certificate for a vRealize Automation component, trust relationships for other vRealize Automation components are updated automatically.

For instance, in a distributed system with multiple instances of a vRealize Automation appliance, if you update a certificate for one vRealize Automation appliance all other related certificates are updated automatically.

Note:

vRealize Automation supports SHA2 certificates. The self-signed certificates generated by the system use SHA-256 With RSA Encryption. You may need to update to SHA2 certificates due to operating system or browser requirements.

The vRealize Automation appliance management console provides three options for updating or replacing certificates for existing deployments:

  • Generate certificate - Use this option to have the system generate a self-signed certificate.

  • Import certificate - Use this option if you have a certificate that you want to use.

  • Provide certificate thumbprint - Use this option if you want to provide a certificate thumbprint to use a certificate that is already deployed in the certificate store on the IaaS servers. Using this option will not transmit the certificate from the virtual appliance to the IaaS servers. It enables users to deploy existing certificates on IaaS servers without uploading them in the vRealize Automation management console.

Also, you can select the Keep Existing option to keep your existing certificate.

Certificates for the vRealize Automation appliance management site do not have registration requirements.

With one exception, changes to later components in this list do not affect earlier ones. The exception is that an updated certificate for IaaS components must be registered with vRealize Automation appliance.

Note:

If your certificate uses a passphrase for encryption and you fail to enter it when replacing your certificate on the virtual appliance, the certificate replacement fails and the message Unable to load private key appears.

For important information about troubleshooting, supportability, and trust requirements for certificates, see the VMware knowledge base article at http://kb.vmware.com/kb/2106583.