Set a custom TLS Certificate for your vRealize Orchestrator Appliance.

The vRealize Orchestrator Appliance includes a Transport Layer Security (TLS) certificate that is generated automatically, based on the network settings of the appliance.

You can configure your vRealize Orchestrator Appliance to use an existing custom TLS certificate. You can set the certificate by importing the relevant PEM file from your local machine into the vRealize Orchestrator Appliance. You can also set your custom TLS certificate by copying the certificate chain directly into the vRealize Orchestrator Appliance. Both procedures require you to run the ./deploy.sh script before the new TLS certificate can be used in your vRealize Orchestrator deployment.

For information on generating a new custom TLS certificate, see Generate a Custom TLS Certificate for vRealize Orchestrator.

Prerequisites

  • Verify that SSH access for the vRealize Orchestrator Appliance is enabled. See Activate or Deactivate SSH Access to the vRealize Orchestrator Appliance.
  • Verify that the PEM file containing the TLS certificate contains the following components in the set order:
    1. The private key for the certificate.
    2. The primary certificate.
    3. If applicable, the Certificate Authority (CA) intermediate certificate or certificates.
    4. The root CA certificate.
    For example, the PEM file can have the following structure:
    -----BEGIN RSA PRIVATE KEY-----
    <Private Key>
    -----END RSA PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    <Primary TLS certificate>
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    <Intermediate certificate>
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    <Root CA certificate>
    -----END CERTIFICATE-----

Procedure

  1. Set the certificate by importing the PEM file into the vRealize Orchestrator Appliance.
    1. Import the certificate PEM from your local machine by running a secure copy (SCP) command from an SSH shell.
      For Linux, you can use a terminal SCP command:
      scp ~/PEM_local_filepath/your_cert_file.PEM root@<orchestrator_FQDN_or_IP>:/PEM_orchestrator_filepath/your_cert_file.PEM
      For Windows, you can use a PuTTY client PSCP command:
      pscp C:\PEM_local_filepath\your_cert_file.PEM root@<orchestrator_FQDN_or_IP>:/PEM_orchestrator_filepath/your_cert_file.PEM
    2. Log in to the vRealize Orchestrator Appliance command line over SSH as root.
    3. Run the vracli certificate ingress --set your_cert_file.PEM command.
  2. (Optional) Set the certificate by copying the certificate chain directly into the appliance.
    1. Log in to the vRealize Orchestrator Appliance command line over SSH as root.
    2. Run the vracli certificate ingress --set stdin command.
    3. Copy and paste the certificate chain, and press Ctrl+D.
  3. To apply the new TLS certificate, run the deployment script.
    1. Navigate to the /opt/scripts/ directory.
      cd /opt/scripts/
    2. Run the ./deploy.sh script.
    Important: Do not interrupt the deployment script. You receive the following message when the script finishes running:
    Prelude has been deployed successfully.
    To access, go to https://your_orchestrator_FQDN
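The following script is an added example and is not part of the VMware documentation or the vracli tooling. It covers the prerequisite (the PEM file must contain the private key first, then the primary certificate, any intermediates and the root CA) and the upload and registration steps of the procedure: it reduces the file's PEM blocks to a signature (K for a leading private key, C for a certificate), rejects files where the key is missing, not first, or the chain is shorter than primary plus root, and only then runs scp and vracli certificate ingress --set over SSH. The remote path /root/, the sample files with placeholder bodies, and the function names are assumptions for the example.

```sh
#!/bin/sh
# Added example, not VMware's code: check that a PEM file has the block order
# that "vracli certificate ingress --set" expects (private key, primary
# certificate, optional intermediates, root CA) before uploading it.

# Print the label of every PEM block in order, one per line
# (e.g. "RSA PRIVATE KEY", then "CERTIFICATE", ...).
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# Reduce the block sequence to a signature: K = private key in first
# position, C = certificate, ? = anything else (including a key that is
# not first). A valid chain file has the form K followed by two or more C.
pem_signature() {
    pem_labels "$1" | awk '
        NR == 1 && /PRIVATE KEY$/ { printf "K"; next }
        /^CERTIFICATE$/           { printf "C"; next }
                                  { printf "?" }'
}

# Return 0 when the layout is acceptable, 1 (with a reason on stderr) when not.
check_pem_order() {
    sig=$(pem_signature "$1")
    case "$sig" in
        "")  echo "$1: no PEM blocks found" >&2; return 1 ;;
        K*)  ;;
        *)   echo "$1: first block must be the private key" >&2; return 1 ;;
    esac
    rest=${sig#K}
    case "$rest" in
        *[!C]*) echo "$1: unexpected block after the key (second key or non-certificate)" >&2; return 1 ;;
    esac
    if [ "${#rest}" -lt 2 ]; then
        echo "$1: expected at least the primary and the root CA certificate" >&2
        return 1
    fi
    return 0
}

# Upload a validated PEM and register it (steps 1.1 and 1.3 of the procedure).
# HOST is the appliance FQDN or IP; the remote path /root/ is an assumption.
# deploy.sh is deliberately left to an interactive session so a dropped SSH
# connection cannot interrupt it.
install_cert() {
    pem="$1"; host="$2"
    check_pem_order "$pem" || return 1
    name=$(basename "$pem")
    scp "$pem" "root@$host:/root/$name" || return 1
    ssh "root@$host" "vracli certificate ingress --set /root/$name" || return 1
    echo "Certificate staged. Log in to $host and run /opt/scripts/deploy.sh to apply it."
}

# Constructed sample files (placeholder bodies, not real keys or certificates)
# so the checker can be exercised offline: one correct chain, one with the
# key at the end, and one that lacks the root CA.
write_samples() {
    dir="$1"
    key='-----BEGIN RSA PRIVATE KEY-----
cGxhY2Vob2xkZXI=
-----END RSA PRIVATE KEY-----'
    cert='-----BEGIN CERTIFICATE-----
cGxhY2Vob2xkZXI=
-----END CERTIFICATE-----'
    printf '%s\n%s\n%s\n%s\n' "$key" "$cert" "$cert" "$cert" > "$dir/ok.pem"
    printf '%s\n%s\n%s\n%s\n' "$cert" "$cert" "$cert" "$key" > "$dir/key-last.pem"
    printf '%s\n%s\n' "$key" "$cert" > "$dir/no-root.pem"
}

# Usage: sh check_pem.sh your_cert_file.PEM
if [ "$#" -eq 1 ]; then
    check_pem_order "$1" && echo "$1: layout OK"
fi
```

The signature check only confirms that the blocks are of the right type and in the right order; it does not prove that each certificate was issued by the next one. On a machine with OpenSSL, printing the subject and issuer of every certificate in the file (for example with openssl crl2pkcs7 -nocrl -certfile your_cert_file.PEM | openssl pkcs7 -print_certs -noout) lets you confirm that each issuer matches the subject of the certificate that follows it before you run deploy.sh.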

Results

You have set a custom TLS certificate for your vRealize Orchestrator Appliance.

What to do next

To confirm that the new certificate chain is applied, run the vracli certificate ingress --list command.