The system administrator can replace an expired certificate or a self-signed certificate with one from a certificate authority to ensure security in a distributed deployment environment.

You can use a Subject Alternative Name (SAN) certificate on multiple machines. Certificates used for the IaaS components (Website and Manager Service) must be issued with SAN values including FQDNs of all Windows hosts on which the corresponding component is installed and with the Load Balancer FQDN for the same component.

There are three options for replacing a certificate:

  • Generate certificate - Use this option to have the system generate a self-signed certificate.

  • Import certificate - Use this option if you have a certificate that you want to use.

  • Provide certificate thumbprint - If you accept a certificate that is signed by a CA but that certificate is not trusted by your system, you must determine whether to accept the certificate thumbprint. The thumbprint is used to quickly determine if a presented certificate is the same as another certificate, such as the certificate that was accepted previously.

Also, you can use Keep Existing to keep your existing certificate.


  1. Open a Web browser to the vRealize Automation appliance management interface URL.
  2. Log in with user name root and the password you specified when deploying the vRealize Automation appliance.
  3. Select vRA Settings > Certificates.
  4. Click IaaS Web on the Component Type menu.
  5. Go to the IaaS Web Certificate pane.
  6. Select the certificate replacement option from the Certificate Action menu.

    If you are using a PEM-encoded certificate, for example for a distributed environment, select Import.

    Certificates that you import must be trusted and must also be applicable to all instances of vRealize Automation appliance and any load balancer through the use of Subject Alternative Name (SAN) certificates.


    If you use certificate chains, specify the certificates in the following order:

    1. Client/server certificate signed by the intermediate CA certificate

    2. One or more intermediate certificates

    3. A root CA certificate



    Keep Existing

    Leave the current SSL configuration. Choose this option to cancel your changes.

    Generate Certificate

    1. The value displayed in the Common Name text box is the Host Name as it appears on the upper part of the page. If any additional instances of the vRealize Automation appliance available, their FQDNs are included in the SAN attribute of the certificate.

    2. Enter your organization name, such as your company name, in the Organization text box.

    3. Enter your organizational unit, such as your department name or location, in the Organizational Unit text box.

    4. Enter a two-letter ISO 3166 country code, such as US, in the Country text box.


    1. Copy the certificate values from BEGIN PRIVATE KEY to END PRIVATE KEY, including the header and footer, and paste them in the RSA Private Key text box.

    2. Copy the certificate values from BEGIN CERTIFICATE to END CERTIFICATE, including the header and footer, and paste them in the Certificate Chain text box. For multiple certificate values, include a BEGIN CERTIFICATE header and END CERTIFICATE footer for each certificate.


      In the case of chained certificates, additional attributes may be available.

    3. (Optional) If your certificate uses a pass phrase to encrypt the certificate key, copy the pass phrase and paste it in the Passphrase text box.

    Provide Certificate Thumbprint

    Use this option if you want to provide a certificate thumbprint to use a certificate that is already deployed in the certificate store on the IaaS servers. Using this option will not transmit the certificate from the virtual appliance to the IaaS servers. It enables users to deploy existing certificates on IaaS servers without uploading them in the management interface.

  7. Click Save Settings.

    After a few minutes, the certificate details appear on the page.