You can manage the Orchestrator certificates from the Certificates page in Control Center or through the Orchestrator client, by using the SSL Trust Manager workflows in the Configuration workflow category.

Import a Certificate to the Orchestrator Trust Store

Control Center uses a secure connection to communicate with vCenter Server, the relational database management system (RDBMS), LDAP, Single Sign-On, and other servers. You can import the required SSL certificate from a URL or from a PEM-encoded file. Each time you want to use an SSL connection to a server instance, you must first import that server's SSL certificate from the Trusted Certificates tab on the Certificates page.

You can load the SSL certificate in Orchestrator from a URL address or a PEM-encoded file.

Option: Import from URL or proxy URL
Description: The URL of the remote server, in the form https://your_server_IP_address or your_server_IP_address:port

Option: Import from file
Description: Path to the PEM-encoded certificate file.

For more information on importing a PEM-encoded certificate file, see Import a Trusted Certificate Through Control Center.

Generate a Self-Signed Server Certificate

The Orchestrator Appliance includes a self-signed certificate that is generated automatically, based on the network settings of the appliance. If the network settings of the appliance change, you must generate a new self-signed certificate manually. You can create a self-signed certificate to guarantee encrypted communication and to provide a signature for your packages. However, a recipient of a package signed with a self-signed certificate cannot verify that the package was issued by your server rather than by a third party claiming to be you. To prove the identity of your server, use a certificate signed by a Certificate Authority.

You can generate a self-signed certificate on the Orchestrator Server SSL Certificate tab from the Certificates page in Control Center.

Option: Signature Algorithm
Description: Algorithm used to generate the certificate's digital signature.

Option: Common Name
Description: Host name of the Orchestrator server.

Option: Organization
Description: Name of your organization. For example, VMware.

Option: Organizational Unit
Description: Name of your organizational unit. For example, R&D.

Option: Country Code
Description: Country code abbreviation. For example, US.

Orchestrator generates a server certificate that is unique to your environment. The details about the public key of the certificate appear in the Orchestrator Server SSL Certificate tab. The private key is stored in the vmo_keystore table of the Orchestrator database.

Import an Orchestrator Server SSL Certificate

vRealize Orchestrator uses an SSL certificate to identify itself to clients and remote servers during secure communication. By default, Orchestrator includes a self-signed SSL certificate that is generated automatically, based on the network settings of the appliance. You can import an SSL certificate signed by a Certificate Authority to avoid certificate trust errors.

You must import the certificate signed by a Certificate Authority as a single PEM-encoded file that contains both the public and the private key.
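A PEM file that is missing the private key, or that carries a passphrase-protected key, is a common reason for a failed import. The following pre-import check is an added example, not VMware code: it parses the PEM blocks in the file and reports structural problems. The bodies in SAMPLE_BUNDLE are constructed placeholders (a minimal DER SEQUENCE), not a real key pair, and the check does not verify that the private key actually matches the certificate.

```python
import base64
import binascii
import re

# Matches one PEM block: "-----BEGIN <label>-----" body "-----END <label>-----"
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

# Unencrypted private key labels produced by common tooling
PRIVATE_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def check_pem_bundle(pem_text):
    """Return a list of problems found in a PEM bundle intended for the
    Orchestrator Server SSL Certificate import. An empty list means the
    bundle holds at least one CERTIFICATE block and exactly one
    unencrypted private key, and every block body decodes to DER."""
    problems = []
    certs = keys = 0
    for label, body in PEM_BLOCK.findall(pem_text):
        # PKCS#8 encrypted keys use their own label; legacy OpenSSL keys
        # carry a "Proc-Type: 4,ENCRYPTED" header inside the block.
        if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            problems.append(f"{label}: private key is passphrase-protected")
            keys += 1
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            problems.append(f"{label}: body is not valid base64")
            continue
        if not der or der[0] != 0x30:  # every X.509 cert / key starts with SEQUENCE
            problems.append(f"{label}: body is not a DER SEQUENCE")
        if label == "CERTIFICATE":
            certs += 1
        elif label in PRIVATE_KEY_LABELS:
            keys += 1
        else:
            problems.append(f"{label}: unexpected block type")
    if certs == 0:
        problems.append("no CERTIFICATE block (public key) found")
    if keys == 0:
        problems.append("no private key block found")
    elif keys > 1:
        problems.append(f"{keys} private key blocks found; expected one")
    return problems


# Constructed sample: "MAMCAQE=" is the DER SEQUENCE {INTEGER 1}, not a real key.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MAMCAQE=
-----END PRIVATE KEY-----
"""

if __name__ == "__main__":
    print(check_pem_bundle(SAMPLE_BUNDLE) or "bundle looks importable")
```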

Package Signing Certificate

Packages exported from an Orchestrator server are digitally signed. You can import, export, or generate a new certificate to use for signing packages. Package signing certificates are a form of digital identification used to guarantee encrypted communication and to provide a signature for your Orchestrator packages.

The Orchestrator Appliance includes a package signing certificate that is generated automatically, based on the network settings of the appliance. If the network settings of the appliance change, you must generate a new package signing certificate manually.

Note:

The Orchestrator Appliance includes a self-signed package signing certificate that is generated automatically during the initial Orchestrator configuration. You can change the package signing certificate, after which all subsequently exported packages are signed with the new certificate.