If you update or change vRealize Automation appliance or IaaS certificates, you must update vRealize Orchestrator to trust the new or updated certificates.

This procedure applies to all vRealize Automation deployments that use an embedded vRealize Orchestrator instance. If you use an external vRealize Orchestrator instance, see Update External vRealize Orchestrator to Trust vRealize Automation Certificates.


This procedure resets tenant and group authentication back to the default settings. If you have customized your authentication configuration, note your changes so that you can re-configure authentication after completing the procedure.

See the vRealize Orchestrator documentation for information about updating and replacing vRealize Orchestrator certificates.

In a clustered configuration, you must complete this procedure on the master vRealize Automation appliance node and then perform a join-cluster against the master from each replica vRealize Automation appliance node.


In a cluster, stop the vco-configurator service on all replica nodes until the procedure is completed to avoid unwanted automatic Control Center synchronization.

If you replace or update vRealize Automation certificates without completing this procedure, the vRealize Orchestrator Control Center may be inaccessible, and errors may appear in the vco-server and vco-configurator log files.

Problems with updating certificates can also occur if vRealize Orchestrator is configured to authenticate against a different tenant and group than vRealize Automation. For information, see VMware Knowledge Base article Exception Untrusted certificate chain after replacing vRA certificate (2147612).

The trust command syntax shown here is representative rather than definitive. It is appropriate for most typical deployments, but in some situations you might need to try variations on the commands.

  • If you specify --certificate, you must provide the path to a valid certificate file in PEM format.

  • If you specify --uri, you must provide the URI from which the command can fetch a trusted certificate.

  • If you specify --registry-certificate, the requested certificate is treated as the certificate for the component registry, and the trusted certificate is added to the truststore under the specific alias used by the component registry certificate.

You can also manage certificates by using SSL Trust Manager workflows in vRealize Orchestrator. For information, see the Manage Orchestrator Certificates topic in vRealize Orchestrator documentation.


  1. Stop the vRealize Orchestrator server and Control Center services.
    service vco-server stop
    service vco-configurator stop
  2. Reset the vRealize Orchestrator authentication provider by running the following commands.
    /var/lib/vco/tools/configuration-cli/bin/vro-configure.sh reset-authentication
    ls -l /etc/vco/app-server/
    mv /etc/vco/app-server/vco-registration-id /etc/vco/app-server/vco-registration-id.old
    vcac-vami vco-service-reconfigure
  3. Check the trusted certificate for the vRealize Orchestrator trust store using the command line interface utility located at /var/lib/vco/tools/configuration-cli/bin with the following command.
    /var/lib/vco/tools/configuration-cli/bin/vro-configure.sh list-trust
    • Check for the certificate with the following alias: vco.cafe.component-registry.ssl.certificate. This should be the vRealize Automation certificate that the vRealize Orchestrator instance uses as an authentication provider.

    • This certificate must match the newly configured vRealize Automation certificate. If it does not match, it can be changed as follows:

      1. Copy your vRealize Automation signed appliance certificate PEM file to the /tmp folder on the appliance.

      2. Run the following command adding the appropriate certificate path.

        ./vro-configure.sh trust --certificate path-to-the-certificate-file-in-PEM-format --registry-certificate

        See the following example command.

        /var/lib/vco/tools/configuration-cli/bin/vro-configure.sh trust --certificate /var/tmp/test.pem --registry-certificate

  4. You may need to run the following commands to trust the certificate.
    /var/lib/vco/tools/configuration-cli/bin/vro-configure.sh trust --uri https://vra.domain.com
    /var/lib/vco/tools/configuration-cli/bin/vro-configure.sh trust --registry-certificate --uri https://vra.domain.com
  5. Ensure that the vRealize Automation certificate is now injected into the vRealize Orchestrator trust store using the following command.
    /var/lib/vco/tools/configuration-cli/bin/vro-configure.sh list-trust
  6. Start the vRealize Orchestrator server and Control Center services.
    service vco-server start
    service vco-configurator start
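
Steps 3 through 5 depend on the PEM file being a valid certificate and on it matching the certificate that vRealize Automation now serves. The following script is an added example, not part of the VMware procedure: it checks both before you run the trust command. It assumes the openssl CLI is available, and all function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight checks before `vro-configure.sh trust --certificate`.
# Assumes the openssl CLI is on PATH; function names are hypothetical.

# Print the SHA-256 fingerprint of the first certificate in a PEM file.
cert_fingerprint() {
    openssl x509 -in "$1" -inform PEM -noout -fingerprint -sha256 2>/dev/null |
        cut -d= -f2
}

# Succeed only if the file parses as a PEM certificate that stays valid
# for at least the next 24 hours (86400 seconds).
cert_is_usable() {
    openssl x509 -in "$1" -inform PEM -noout -checkend 86400 >/dev/null 2>&1
}

# Print the SHA-256 fingerprint of the leaf certificate a host serves on 443.
served_fingerprint() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Two fingerprints match only if both are non-empty and identical.
fingerprints_match() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" = "$2" ]
}

# Check a PEM file against the certificate the vRealize Automation host serves.
# Returns 0 when the file is usable and matches, non-zero otherwise.
preflight_trust() {
    pem=$1 host=$2
    cert_is_usable "$pem" || { echo "FAIL: $pem is not a valid, unexpired PEM certificate"; return 1; }
    file_fp=$(cert_fingerprint "$pem")
    live_fp=$(served_fingerprint "$host")
    echo "file : $file_fp"
    echo "live : $live_fp"
    fingerprints_match "$file_fp" "$live_fp" || { echo "FAIL: fingerprints differ"; return 2; }
    echo "OK: $pem matches the certificate served by $host"
}

# Example invocation: sh preflight.sh /tmp/vra.pem vra.domain.com
if [ "$#" -eq 2 ]; then
    preflight_trust "$1" "$2"
fi
```

After the trust command completes, compare the printed fingerprint with the entry that list-trust reports under the vco.cafe.component-registry.ssl.certificate alias.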

What to do next

You can validate that trust has been updated on a clustered system.

  1. Log in to the virtual appliance management interface as root.

  2. Select the Services page.

  3. Ensure that there are no duplicate vco services listed.

    If you see any duplication of the vco services listed, click Unregister to remove the services that do not have a state of Registered.

  4. Ensure that vco-configurator is started on all virtual appliance nodes.

  5. Log in to the vRealize Orchestrator Control Center and navigate to the Validate Configuration page to validate the configuration.

  6. Navigate to the Authentication Provider page, and verify that the auth settings are correct.

    You can also test the login credentials on this page.