You can use the vRealize Orchestrator Appliance to generate a new TLS certificate for your environment or set an existing custom certificate.

The vRealize Orchestrator Appliance includes a Trusted Layer Security (TLS) certificate that is generated automatically, based on the network settings of the appliance. If the network settings of the appliance change, you must generate a new certificate manually. You can create a certificate chain to guarantee encrypted communication and provide a signature for your packages. However, the recipient cannot be sure that the self-signed package is in fact a package issued by your server and not a third party claiming to be you. To prove the identity of your server, use a certificate signed by a Certificate Authority (CA).

vRealize Orchestrator generates a server certificate that is unique to your environment. The private key is stored in the vmo_keystore table of the vRealize Orchestrator database.

Note: To configure your vRealize Orchestrator Appliance to use an existing custom TLS certificate, see Set a Custom TLS Certificate for vRealize Orchestrator.


Verify that SSH access for the vRealize Orchestrator Appliance is enabled. See Enable or Disable SSH Access to the vRealize Orchestrator Appliance.


  1. Log in to the vRealize Orchestrator Appliance command line over SSH as root.
  2. Run the vracli certificate ingress --generate auto --set stdin command.
  3. To apply the custom certificate to your vRealize Orchestrator Appliance, run the deployment script.
    1. Navigate to the /opt/scripts/ directory.
      cd /opt/scripts/
    2. Run the ./ script.
      Important: Do not interrupt the deployment script. You receive the following message when the script finishes running:
      Prelude has been deployed successfully. 
      To access, go to your_orchestrator_address

What to do next

To confirm that the new certificate chain is applied, run the vracli certificate ingress --list command.