A system administrator can replace an expired certificate or a self-signed certificate with one from a certificate authority to ensure security in a distributed deployment environment.

You can use a Subject Alternative Name (SAN) certificate on multiple machines. Certificates used for the IaaS components (Website and Manager Service) must be issued with SAN values including FQDNs of all Windows hosts on which the corresponding component is installed and with the Load Balancer FQDN for the same component.

The IaaS Manager Service and the IaaS Web Service share a single certificate.


  1. Open a Web browser to the vRealize Automation appliance management interface URL.
  2. Log in with user name root and the password you specified when deploying the vRealize Automation appliance.
  3. Select vRA Settings > Certificates.
  4. Click Manager Service from the Certificate Type menu.
  5. Select the certificate type from the Certificate Action menu.

    If you are using a PEM-encoded certificate, for example for a distributed environment, select Import.

    Certificates that you import must be trusted and must also be applicable to all instances of vRealize Automation appliance and any load balancer through the use of Subject Alternative Name (SAN) certificates.


    If you use certificate chains, specify the certificates in the following order:

    1. Client/server certificate signed by the intermediate CA certificate

    2. One or more intermediate certificates

    3. A root CA certificate



    Keep Existing

    Leave the current SSL configuration. Choose this option to cancel your changes.

    Generate Certificate

    1. The value displayed in the Common Name text box is the Host Name as it appears on the upper part of the page. If any additional instances of the vRealize Automation appliance available, their FQDNs are included in the SAN attribute of the certificate.

    2. Enter your organization name, such as your company name, in the Organization text box.

    3. Enter your organizational unit, such as your department name or location, in the Organizational Unit text box.

    4. Enter a two-letter ISO 3166 country code, such as US, in the Country text box.


    1. Copy the certificate values from BEGIN PRIVATE KEY to END PRIVATE KEY, including the header and footer, and paste them in the RSA Private Key text box.

    2. Copy the certificate values from BEGIN CERTIFICATE to END CERTIFICATE, including the header and footer, and paste them in the Certificate Chain text box. For multiple certificate values, include a BEGIN CERTIFICATE header and END CERTIFICATE footer for each certificate.


      In the case of chained certificates, additional attributes may be available.

    3. (Optional) If your certificate uses a pass phrase to encrypt the certificate key, copy the pass phrase and paste it in the Passphrase text box.

    Provide Certificate Thumbprint

    Use this option if you want to provide a certificate thumbprint to use a certificate that is already deployed in the certificate store on the IaaS servers. Using this option will not transmit the certificate from the virtual appliance to the IaaS servers. It enables users to deploy existing certificates on IaaS servers without uploading them in the management interface.

  6. Click Save Settings.

    After a few minutes, the certificate details appear on the page.

  7. If required by your network or load balancer, copy the imported or newly created certificate to the load balancer.
  8. Open a browser and navigate to https://managerServiceAdddress/vmpsProvision/ from a server that this running a DEM worker or agent.

    If you are using a load balancer, the host name must be the fully qualified domain name of the load balancer.

  9. If prompted, continue past the certificate warnings.
  10. Validate that the new certificate is provided and is trusted.
  11. If you are using a load balancer, configure and enable any applicable health checks.