If you plan to change an SSL certificate, you can generate a new certificate. You can generate the new certificate on the same computer on which Orchestrator is installed or on another computer.


  • Run the Java keytool utility. You can find the utility on the system on which Orchestrator is installed.

  • Back up the jssecacerts file, located at install_directory\app-server\conf\security\jssecacerts.


  1. Stop the Orchestrator server service.
    1. Select Start > Programs > Administrative Tools > Services.
    2. In the right pane, right-click VMware vCenter Orchestrator Server and select Stop.
  2. On the Windows Start menu, right-click Command Prompt, and select Run as administrator.
  3. Navigate to the keytool utility at the command prompt.



    • If you installed the standalone version of Orchestrator, go to install_directory\VMware\Orchestrator\jre\bin\keytool.
    • If the vCenter Server installed Orchestrator, go to install_directory\VMware\Infrastructure\Orchestrator\jre\bin\keytool.

  4. Delete the current dunes key from the keystore.
    keytool -delete -alias dunes -keystore "install_directory\app-server\conf\security\jssecacerts"
  5. Generate a new certificate for the dunes key, for example a certificate that is valid for 10 years:
    keytool -keystore "install_directory\app-server\conf\security\jssecacerts" -storepass dunesdunes -genkey -keyalg RSA -alias dunes -validity 3650

    The -validity value is the certificate lifetime in days. You can adjust it.

  6. When prompted for your first and last name, enter the fully qualified domain name (FQDN) of your Orchestrator server.

    For example, if the FQDN of the Orchestrator server is vco-55.lab, type the following information:

    What is your first and last name?
        [Unknown]: vco-55.lab
  7. For each of the remaining prompts such as Organizational Unit, Organization, City, State, Country Code, and so on, type the appropriate information for your organization.
  8. To confirm the change, type yes, and press Enter.
  9. When prompted for the password for dunes, press Enter to use the same password as the keystore password (dunesdunes).
  10. Log in to the Orchestrator configuration interface as vmware and start the Orchestrator server service.
    1. In the Orchestrator configuration interface, click the Startup Options tab.
    2. Click Start service.
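
The procedure above as a non-interactive script with a verification step, given as an added example that is not part of the VMware documentation. It is written for an elevated PowerShell prompt rather than Command Prompt; the install_directory paths are placeholders and the organization fields in -dname are constructed sample values. Start the service afterwards as described in step 10.

```powershell
# Added example, not VMware's script. Run from an elevated PowerShell prompt.
# Replace install_directory in both paths; the -dname organization fields are constructed samples.
$Keytool   = 'install_directory\VMware\Orchestrator\jre\bin\keytool.exe'
$Keystore  = 'install_directory\app-server\conf\security\jssecacerts'
$Fqdn      = 'vco-55.lab'          # FQDN of the Orchestrator server (value used on the page)
$StorePass = 'dunesdunes'          # keystore password shown on the page
$Dname     = "CN=$Fqdn, OU=IT, O=Example Org, L=City, ST=State, C=US"
$ErrorActionPreference = 'Stop'

function Invoke-Keytool([string[]]$KeytoolArgs) {
    # Run keytool and fail loudly on a non-zero exit code.
    & $Keytool $KeytoolArgs
    if ($LASTEXITCODE -ne 0) { throw "keytool $($KeytoolArgs[0]) failed (exit $LASTEXITCODE)" }
}

# Step 1: stop the service (display name as shown in the Services console).
Stop-Service -DisplayName 'VMware vCenter Orchestrator Server'

# Prerequisite: back up the keystore before modifying it.
Copy-Item $Keystore "$Keystore.$(Get-Date -Format yyyyMMdd-HHmmss).bak"

# Step 4: delete the current dunes key.
Invoke-Keytool @('-delete', '-alias', 'dunes', '-keystore', $Keystore, '-storepass', $StorePass)

# Steps 5-9: -dname answers the name prompts and -keypass sets the key password
# to the keystore password, so keytool asks nothing interactively.
Invoke-Keytool @('-genkey', '-keyalg', 'RSA', '-alias', 'dunes', '-validity', '3650',
                 '-keystore', $Keystore, '-storepass', $StorePass,
                 '-keypass', $StorePass, '-dname', $Dname)

# Verify: read the entry back and confirm the subject CN is the server FQDN.
# Assumes keytool prints English labels ("Owner:", "Valid from:").
$listing = Invoke-Keytool @('-list', '-v', '-alias', 'dunes', '-keystore', $Keystore, '-storepass', $StorePass)
$owner = $listing | Where-Object { $_ -match '^Owner:' } | Select-Object -First 1
if ($owner -notmatch '(?:^Owner:\s*|,\s*)CN=([^,]+)') { throw "No CN found in: $owner" }
if ($Matches[1].Trim() -ine $Fqdn) { throw "CN '$($Matches[1])' does not match $Fqdn" }

# Show the fields worth checking by eye: subject, validity window, signature algorithm.
$listing | Where-Object { $_ -match '^(Owner|Valid from|Signature algorithm name):' }
```

If the CN check fails, restore the backed-up jssecacerts file and repeat the generation with the correct FQDN before starting the service.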

What to do next

You can create a signing request and submit the certificate to a Certificate Authority. You can then import the signed certificate into your local keystore.

You can also replace the Web views SSL certificate, the SSL certificate for the Orchestrator configuration interface, or the SSL certificate for the Orchestrator client with the certificate you generated.