If you plan to change an SSL certificate, you can generate a new certificate. You can generate the new certificate on the same computer on which Orchestrator is installed or on another computer.
Before you begin
Run the Java keytool utility. You can find the utility on the system on which Orchestrator is installed.
Back up the jssecacerts file, located at install_directory\app-server\conf\security\jssecacerts.
- Stop the Orchestrator server service.
- Select .
- In the right pane, right-click VMware vRealize Orchestrator Server and select Stop.
- On the Windows Start menu, right-click Command Prompt, and select Run as administrator.
- Navigate to the keytool utility located at install_directory\VMware\CIS\jre\bin\keytool.
- Delete the current dunes key from the keystore.
keytool -delete -alias dunes -keystore "install_directory\app-server\conf\security\jssecacerts"
- Generate a new certificate for the dunes key, for example a 10-year certificate:
keytool -keystore "install_directory\app-server\conf\security\jssecacerts" -storepass dunesdunes -genkey -keyalg RSA -alias dunes -validity 3650
You can adjust the validity of the certificate in days.
- When prompted for your first and last name, enter the fully qualified domain name (FQDN) of your Orchestrator server.
Make sure to enter the FQDN of the Orchestrator server. For example, if the FQDN of the Orchestrator server is orchestrator.lab, you need to type the following information:
What is your first and last name? [Unknown]: orchestrator.lab
- For each of the remaining prompts such as Organizational Unit, Organization, City, State, Country Code, and so on, type the appropriate information for your organization.
- To confirm the change, type yes, and press Enter.
- When prompted for the password for dunes, press Enter to use the same password as the keystore password (dunesdunes).
- Log in to the Orchestrator configuration interface as vmware and start the Orchestrator server service.
- In the Orchestrator configuration interface, click the Startup Options tab.
- Click Start service.
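A check you can run from an elevated PowerShell prompt after the certificate is generated, to confirm that the new dunes entry carries the server FQDN and the intended validity. This is an added example, not part of the original procedure or VMware's own tooling. It assumes that `$InstallDir` stands in for install_directory and that the alias, paths, keystore password and example FQDN are the ones used in the steps above.

```powershell
# Added example, not VMware's code. $InstallDir is a placeholder for
# install_directory; alias, paths, password and FQDN come from the steps above.
param(
    [string]$InstallDir   = 'install_directory',
    [string]$ExpectedFqdn = 'orchestrator.lab',
    [string]$StorePass    = 'dunesdunes'
)

$keytool  = Join-Path $InstallDir 'VMware\CIS\jre\bin\keytool.exe'
$keystore = Join-Path $InstallDir 'app-server\conf\security\jssecacerts'
$pemFile  = Join-Path $env:TEMP 'dunes-check.cer'

# Export only the public certificate; the private key stays in the keystore.
& $keytool -exportcert -rfc -alias dunes -keystore $keystore `
    -storepass $StorePass -file $pemFile
if ($LASTEXITCODE -ne 0) { throw "keytool could not export alias 'dunes'" }

try {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $pemFile
} finally {
    Remove-Item $pemFile -ErrorAction SilentlyContinue
}

$nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
$cn       = $cert.GetNameInfo($nameType, $false)   # CN of the subject
$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays

# Report the fields worth reviewing before the service is restarted.
[pscustomobject]@{
    SubjectCN    = $cn
    NotAfter     = $cert.NotAfter
    DaysLeft     = $daysLeft
    SelfSigned   = ($cert.Subject -eq $cert.Issuer)
    KeySizeBits  = $cert.PublicKey.Key.KeySize
    SignatureAlg = $cert.SignatureAlgorithm.FriendlyName
} | Format-List

# Clients validate the host name against the certificate, so a CN other than
# the server FQDN (for example the [Unknown] default) must be caught here.
if ($cn -ne $ExpectedFqdn) {
    throw "Subject CN '$cn' does not match expected FQDN '$ExpectedFqdn'"
}
if ($daysLeft -le 0) { throw "Certificate is expired or not usable: $($cert.NotAfter)" }
Write-Output "dunes certificate OK for $ExpectedFqdn ($daysLeft days left)"
```

The command in the procedure does not set -keysize, so the reported KeySizeBits is whatever the bundled JRE defaults to for RSA.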
What to do next
You can create a signing request and submit the certificate to a Certificate Authority. You can then import the signed certificate into your local keystore.
You can also replace the SSL certificate for the Orchestrator configuration interface or the SSL certificate for the Orchestrator client with the certificate you generated.