The system administrator can update or replace a self-signed certificate with a trusted one from a certificate authority. You can use Subject Alternative Name (SAN) certificates, wildcard certificates, or any other method of multi-use certification appropriate for your environment as long as you satisfy the trust requirements.

About this task

When you update or replace the vRealize Automation appliance certificate, trust with other related components is re-initiated automatically. See Updating vRealize Automation Certificates for more information about updating certificates.

Procedure

  1. Open a Web browser to the vRealize Automation appliance management interface URL.
  2. Log in with user name root and the password you specified when deploying the vRealize Automation appliance.
  3. Select vRA Settings > Host Settings.
  4. Select the certificate type from the Certificate Action menu.

    If you are using a PEM-encoded certificate, for example for a distributed environment, select Import.

    Certificates that you import must be trusted and must also be applicable to all instances of vRealize Automation appliance and any load balancer through the use of Subject Alternative Name (SAN) certificates.

    If you want to generate a CSR request for a new certificate that you can submit to a certificate authority, select Generate Signing Request. A CSR helps your CA create a certificate with the correct values for you to import.

    Note:

    If you use certificate chains, specify the certificates in the following order:

    1. Client/server certificate signed by the intermediate CA certificate

    2. One or more intermediate certificates

    3. A root CA certificate

    Option

    Action

    Keep Existing

    Leave the current SSL configuration. Select this option to cancel your changes.

    Generate Certificate

    1. The value displayed in the Common Name text box is the Host Name as it appears on the upper part of the page. If any additional instances of the vRealize Automation appliance available, their FQDNs are included in the SAN attribute of the certificate.

    2. Enter your organization name, such as your company name, in the Organization text box.

    3. Enter your organizational unit, such as your department name or location, in the Organizational Unit text box.

    4. Enter a two-letter ISO 3166 country code, such as US, in the Country text box.

    Generate Signing Request

    1. Select Generate Signing Request.

    2. Review the entries in the Organization, Organization Unit, Country Code, and Common Name text boxes. These entries are populated from the existing certificate. You can edit these entries if needed.

    3. Click Generate CSR to generate a certificate signing request, and then click the Download the generated CSR here link to open a dialog that enables you to save the CSR to a location where you can send it to a certificate authority.

    4. When you receive the prepared certificate, click Import and follow instructions for importing a certificate into vRealize Automation.

    Import

    1. Copy the certificate values from BEGIN PRIVATE KEY to END PRIVATE KEY, including the header and footer, and paste them in the RSA Private Key text box.

    2. Copy the certificate values from BEGIN CERTIFICATE to END CERTIFICATE, including the header and footer, and paste them in the Certificate Chain text box. For multiple certificate values, include a BEGIN CERTIFICATE header and END CERTIFICATE footer for each certificate.

      Note:

      In the case of chained certificates, additional attributes may be available.

    3. (Optional) If your certificate uses a pass phrase to encrypt the certificate key, copy the pass phrase and paste it in the Passphrase text box.

  5. Click Save Settings.

    After a few minutes, the certificate details for all applicable instances of the vRealize Automation appliance appear on the page.

  6. If required by your network or load balancer, copy the imported or newly created certificate to the virtual appliance load balancer.

    You might need to enable root SSH access in order to export the certificate.

    1. If not already logged in, log in to the vRealize Automation appliance Management Console as root.
    2. Click the Admin tab.
    3. Click the Admin sub menu.
    4. Select the SSH service enabled check box.

      Deselect the check box to disable SSH when finished.

    5. Select the Administrator SSH login check box.

      Deselect the check box to disable SSH when finished.

    6. Click Save Settings.
  7. Confirm that you can log in to vRealize Automation console.
    1. Open a browser and navigate to https://vcac-hostname.domain.name/vcac/.

      If you are using a load balancer, the host name must be the fully qualified domain name of the load balancer.

    2. If prompted, continue past the certificate warnings.
    3. Log in with administrator@vsphere.local and the password you specified when configuring Directories Management.

      The console opens to the Tenants page on the Administration tab. A single tenant named vsphere.local appears in the list.

  8. If you are using a load balancer, configure and enable any applicable health checks.

Results

The certificate is updated.