A system administrator can update or replace certificates for vRealize Automation components.
- vRealize Automation appliance
- IaaS website component
- IaaS manager service component
In addition, your deployment can have certificates for the vRealize Automation appliance management interface web site. Also, each IaaS machine runs a Management Agent that uses a certificate.
With one exception, changes to later components in this list do not affect earlier ones. The exception is that an updated certificate for IaaS components must be registered with vRealize Automation appliance.
Typically, self-signed certificates are generated and applied to these components during product installation. You might need to replace a certificate to switch from self-signed certificates to certificates provided by a certificate authority or when a certificate expires. When you replace a certificate for a vRealize Automation component, trust relationships for other vRealize Automation components are updated automatically.
For instance, in a distributed system with multiple instances of a vRealize Automation appliance, if you update a certificate for one vRealize Automation appliance all other related certificates are updated automatically.
The vRealize Automation appliance management interface provides options for updating or replacing certificates.
- Generate certificate — Have vRealize Automation generate a self-signed certificate.
- Import certificate — Use your own certificate.
- Provide certificate thumbprint — Provide a certificate thumb print to use a certificate already in the certificate store on IaaS Windows servers.
This option does not transmit the certificate from the vRealize Automation appliance to IaaS Windows servers. The option allows users to deploy existing certificates already on IaaS Windows servers without uploading the certificates in the vRealize Automation appliance management interface.
- Keep Existing — Continue to use the current certificate.
Certificates for the vRealize Automation appliance management interface web site do not have registration requirements.
Virtual Machine Templates
After you change vRealize Automation appliance or IaaS Windows server certificates, you must update vRealize Automation guest and software agents on virtual machine templates so that the templates work again in vRealize Automation. If you don't update the agents, deployment requests involving software components fail with an error similar to the following example.
The following component requests failed: Linux. Request failed: Machine VM-001: InstallSoftwareWorkflow. Install software work item timeout.
After you change vRealize Automation certificates, you must update vRealize Orchestrator to trust the new certificates.
The vRealize Orchestrator component associated with your vRealize Automation deployment has its own certificates, but it must also trust the vRealize Automation certificates. By default, the vRealize Orchestrator component is embedded in vRealize Automation, although a few users elect to use an external vRealize Orchestrator. In either case, see the vRealize Orchestrator documentation for information about updating vRealize Orchestrator certificates.
If you run a multiple-node vRealize Orchestrator deployment behind a load balancer, all vRealize Orchestrator nodes must use the same certificate.
For More Information
For more about certificate troubleshooting, supportability, and trust requirements, see VMware Knowledge Base article 2106583.