The system administrator can update or replace a self-signed certificate with a trusted one from a certificate authority. You can use Subject Alternative Name (SAN) certificates, wildcard certificates, or any other method of multi-use certification appropriate for your environment as long as you satisfy the trust requirements.

When you update or replace the vRealize Automation appliance certificate, trust with other related components is re-initiated automatically. See Updating vRealize Automation Certificates for more information about updating certificates.


  1. Log in to the vRealize Automation appliance management interface as root.
    https://vrealize-automation-appliance-FQDN:5480
  2. Select vRA > Certificates.
  3. Select the vRealize Automation component for which you are updating the certificate.
  4. Select the appropriate action from the Certificate Action menu.
    If you are using a PEM-encoded certificate, for example for a distributed environment, select Import.

    Certificates that you import must be trusted and must also be applicable to all instances of vRealize Automation appliance and any load balancer through the use of Subject Alternative Name (SAN) certificates.

    If you want to generate a certificate signing request (CSR) for a new certificate that you can submit to a certificate authority, select Generate Signing Request. A CSR helps your CA create a certificate with the correct values for you to import.

    Note: If you use certificate chains, specify the certificates in the following order:
    1. Client/server certificate signed by the intermediate CA certificate
    2. One or more intermediate certificates
    3. A root CA certificate
    Option: Keep Existing
    Action: Leave the current SSL configuration. Select this option to cancel your changes.

    Option: Generate Certificate
    Action:
      1. The value displayed in the Common Name text box is the Host Name as it appears on the upper part of the page. If any additional instances of the vRealize Automation appliance are available, their FQDNs are included in the SAN attribute of the certificate.
      2. Enter your organization name, such as your company name, in the Organization text box.
      3. Enter your organizational unit, such as your department name or location, in the Organizational Unit text box.
      4. Enter a two-letter ISO 3166 country code, such as US, in the Country text box.

    Option: Generate Signing Request
    Action:
      1. Select Generate Signing Request.
      2. Review the entries in the Organization, Organization Unit, Country Code, and Common Name text boxes. These entries are populated from the existing certificate. You can edit these entries if needed.
      3. Click Generate CSR to generate a certificate signing request, and then click the Download the generated CSR here link to open a dialog that enables you to save the CSR to a location where you can send it to a certificate authority.
      4. When you receive the prepared certificate, click Import and follow instructions for importing a certificate into vRealize Automation.

    Option: Import
    Action:
      1. Copy the certificate values from BEGIN PRIVATE KEY to END PRIVATE KEY, including the header and footer, and paste them in the RSA Private Key text box.
      2. Copy the certificate values from BEGIN CERTIFICATE to END CERTIFICATE, including the header and footer, and paste them in the Certificate Chain text box. For multiple certificate values, include a BEGIN CERTIFICATE header and END CERTIFICATE footer for each certificate.
        Note: In the case of chained certificates, additional attributes may be available.
      3. (Optional) If your certificate uses a pass phrase to encrypt the certificate key, copy the pass phrase and paste it in the Passphrase text box.
  5. Click Save Settings.

    A vRealize Automation appliance certificate update requires vRealize Automation services to gracefully restart. The restart might take anywhere from 15 minutes to an hour depending on the number of vRealize Automation appliances in your environment.

    After the restart, the certificate details for all applicable instances of the vRealize Automation appliance appear on the page.

  6. If required by your network or load balancer, copy the imported or newly created certificate to the virtual appliance load balancer.
    You might need to enable root SSH access in order to export the certificate.
    1. If not already logged in, log in to the vRealize Automation appliance Management Console as root.
    2. Click the Admin tab.
    3. Click the Admin sub menu.
    4. Select the SSH service enabled check box.
      Deselect the check box to deactivate SSH when finished.
    5. Select the Administrator SSH login check box.
      Deselect the check box to deactivate SSH when finished.
    6. Click Save Settings.
  7. Confirm that you can log in to vRealize Automation console.
    1. Open a browser and navigate to
      If you are using a load balancer, the host name must be the fully qualified domain name of the load balancer.
    2. If prompted, continue past the certificate warnings.
    3. Log in with administrator@vsphere.local and the password you specified when configuring Directories Management.
      The console opens to the Tenants page on the Administration tab. A single tenant named vsphere.local appears in the list.
  8. If you are using a load balancer, configure and enable any applicable health checks.


The certificate is updated.