A system administrator can update or replace certificates for vRealize Automation components.

vRealize Automation contains three main components that use SSL certificates in order to facilitate secure communication with each other:
  • vRealize Automation appliance
  • IaaS website component
  • IaaS manager service component

In addition, your deployment can have certificates for the vRealize Automation appliance management interface web site. Also, each IaaS machine runs a Management Agent that uses a certificate.

Note: vRealize Automation uses several third party products, such as Rabbit MQ, to support a variety of functionality. Some of these products use their own self signed certificates that persist even if you replace primary vRealize Automation certificates with certificates supplied by a CA. Because of this situation, users cannot effectively control certificate use on specific ports, such as 5671 which is used by RabbitMQ for internal communication.

With one exception, changes to later components in this list do not affect earlier ones. The exception is that an updated certificate for IaaS components must be registered with vRealize Automation appliance.

Typically, self-signed certificates are generated and applied to these components during product installation. You might need to replace a certificate to switch from self-signed certificates to certificates provided by a certificate authority or when a certificate expires. When you replace a certificate for a vRealize Automation component, trust relationships for other vRealize Automation components are updated automatically.

For instance, in a distributed system with multiple instances of a vRealize Automation appliance, if you update a certificate for one vRealize Automation appliance all other related certificates are updated automatically.

Note: vRealize Automation supports SHA2 certificates. The self-signed certificates generated by the system use SHA-256 With RSA Encryption. You might need to update to SHA2 certificates due to operating system or browser requirements.

The vRealize Automation appliance management interface provides options for updating or replacing certificates.

In a clustered deployment, you must initiate changes from the primary node interface.
  • Generate certificate — Have vRealize Automation generate a self-signed certificate.
  • Import certificate — Use your own certificate.
  • Provide certificate thumbprint — Provide a certificate thumb print to use a certificate already in the certificate store on IaaS Windows servers.

    This option does not transmit the certificate from the vRealize Automation appliance to IaaS Windows servers. The option allows users to deploy existing certificates already on IaaS Windows servers without uploading the certificates in the vRealize Automation appliance management interface.

  • Keep Existing — Continue to use the current certificate.

Certificates for the vRealize Automation appliance management interface web site do not have registration requirements.

Note: If your certificate uses a passphrase for encryption, and you fail to enter it when replacing your certificate on the appliance, the certificate replacement fails, and the message Unable to load private key appears.

Virtual Machine Templates

After you change vRealize Automation appliance or IaaS Windows server certificates, you must update vRealize Automation guest and software agents on virtual machine templates so that the templates work again in vRealize Automation. If you don't update the agents, deployment requests involving software components fail with an error similar to the following example.

The following component requests failed: Linux. Request failed: Machine VM-001: InstallSoftwareWorkflow. Install software work item timeout.

vRealize Orchestrator

After you change vRealize Automation certificates, you must update vRealize Orchestrator to trust the new certificates.

The vRealize Orchestrator component associated with your vRealize Automation deployment has its own certificates, but it must also trust the vRealize Automation certificates. By default, the vRealize Orchestrator component is embedded in vRealize Automation, although a few users elect to use an external vRealize Orchestrator. In either case, see the vRealize Orchestrator documentation for information about updating vRealize Orchestrator certificates.

If you run a multiple-node vRealize Orchestrator deployment behind a load balancer, all vRealize Orchestrator nodes must use the same certificate.

For More Information

For more about certificate troubleshooting, supportability, and trust requirements, see VMware Knowledge Base article 2106583.