vRealize Automation uses SSL certificates for secure communication among IaaS components and instances of the vRealize Automation appliance. The appliances and the Windows installation machines exchange these certificates to establish a trusted connection. You can obtain certificates from an internal or external certificate authority, or generate self-signed certificates during the deployment process for each component.

For important information about troubleshooting, support, and trust requirements for certificates, see VMware Knowledge Base article 2106583.

Note: vRealize Automation supports SHA2 certificates. The self-signed certificates generated by the system use SHA-256 With RSA Encryption. You might need to update to SHA2 certificates due to operating system or browser requirements.

You can update or replace certificates after deployment. For example, a certificate may expire, or you may choose to use self-signed certificates during your initial deployment but then obtain certificates from a trusted authority before going live with your vRealize Automation implementation.

Table 1. Certificate Implementations
| Component | Minimal Deployment (non-production) | Distributed Deployment (production-ready) |
|---|---|---|
| vRealize Automation Appliance | Generate a self-signed certificate during appliance configuration. | For each appliance cluster, you can use a certificate from an internal or external certificate authority. Multi-use and wildcard certificates are supported. |
| IaaS Components | During installation, accept the generated self-signed certificates or select certificate suppression. | Obtain a multi-use certificate, such as a Subject Alternative Name (SAN) certificate, from an internal or external certificate authority that your Web client trusts. |

Certificate Chains

If you use certificate chains, specify the certificates in the following order.

  • Client/server certificate signed by the intermediate CA certificate
  • One or more intermediate certificates
  • A root CA certificate

Include the BEGIN CERTIFICATE header and END CERTIFICATE footer for each certificate when you import certificates.

Certificate Changes if Customizing the vRealize Automation Login URL

If you want users to log in to a URL name other than a vRealize Automation appliance or load balancer name, see the pre-installation and post-installation CNAME steps in Set the vRealize Automation Login URL to a Custom Name.