This article provides the steps to generate the certificate signing request (CSR) and private key in VMware Aria Automation Orchestrator using an openssl command.
This certificate signing request can then be provided to your CA in order for them to provide you with a signed certificate.
This signed certificate then needs to be combined with the private key before instructing VMware Aria Automation Orchestrator to leverage it using the vracli certificate ingress command.
Note: This procedure is primarily applicable to a standalone VMware Aria Automation Orchestrator. In environments managed by VMware Aria Suite Lifecycle, the Lifecycle Manager's Locker component can be used to manage certificates instead.
Before proceeding, best practice dictates that you first snapshot the appliance.
1. SSH to the VMware Aria Automation Orchestrator appliance and log in as the root user.
2. Run the following command to generate the CSR and private key files.
openssl req -nodes -newkey rsa:2048 -keyout <OrchestratorFQDN>.key -out <OrchestratorFQDN>.csr -subj "/C=IE/ST=Munster/L=Cork/O=GSS/OU=testing/CN=<OrchestratorFQDN>";
The subject information needs to be altered to suit your own environment, including the country code, OU and CN.
For example with a hostname of vro.example.com the command would look like:
openssl req -nodes -newkey rsa:2048 -keyout vro.example.com.key -out vro.example.com.csr -subj "/C=IE/ST=Munster/L=Cork/O=GSS/OU=testing/CN=vro.example.com";
3. Provide the CSR to your Certificate authority to get a signed certificate.
4. Upload the full cert chain (signed certificate with the intermediate and root certs) to the Orchestrator appliance. The correct order of the certificate chain is: Server certificate, Intermediate certificate, Root certificate.
5. Attach the private key to the top of the certificate chain using a text editor such as vi. The correct order is: private key, server certificate, intermediate certificate, root certificate. Store the chain under /root/cert.pem.
6. To instruct Orchestrator to leverage this new certificate execute the following command:
vracli certificate ingress --set /root/cert.pem
If an error is returned about the sha256 sum, similar to this:
Certificate is signed by itself according to our internal policy
Certificate with sha256 sum: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX cannot be validated as it is self-signed.
If you want to proceed with that certificate, please confirm the sha256 sum using the parameter '--sh256 and the sha256 sum of the certificate.
You can specify this explicitly for example:
vracli certificate ingress --set /root/cert.pem --sha256 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
(using the sha256 sum quoted in the error message)
7. When the command above completes, run the deploy.sh script to redeploy the Orchestrator services.
/opt/scripts/deploy.sh
In the event of any errors while executing the above steps, restore the snapshot taken prior to beginning the procedure.
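As an added example (not VMware's own code), the following POSIX shell helpers assemble the combined PEM in the order step 5 requires and check it before the vracli command in step 6 is run: the PEM block order, that the attached private key actually belongs to the server certificate, that the chain verifies through the intermediate to the root, and the server certificate's SHA-256 fingerprint (assumed to be the value to compare with the sha256 sum quoted in the vracli error). OpenSSL on the appliance is assumed; file names are placeholders.

```shell
#!/bin/sh
# Added example (not VMware code): assemble /root/cert.pem in the order the
# procedure requires and sanity-check it before "vracli certificate ingress".
# Assumes OpenSSL is installed; file names are placeholders for your own.
set -eu

# build_chain KEY SERVER INTERMEDIATE ROOT OUT
# Concatenates the four PEM files in the required order: private key first,
# then server, intermediate and root certificate.
build_chain() {
    cat "$1" "$2" "$3" "$4" > "$5"
}

# pem_block_order FILE
# Prints the PEM block types in file order, e.g.
# "PRIVATE KEY,CERTIFICATE,CERTIFICATE,CERTIFICATE", so a misordered file
# (key appended at the bottom, root placed before the server cert) is obvious.
pem_block_order() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | tr '\n' ',' | sed 's/,$//'
}

# key_matches_cert FILE
# Compares the public key derived from the private key with the public key in
# the first certificate of FILE. A mismatch means the wrong key was attached.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 -r)
    c=$(openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -pubout -outform DER | openssl dgst -sha256 -r)
    [ "$k" = "$c" ]
}

# chain_verifies SERVER INTERMEDIATE ROOT
# Checks that the server certificate chains to the root via the intermediate,
# i.e. that the CA returned a complete chain and the files are not mixed up.
chain_verifies() {
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# cert_sha256 FILE
# SHA-256 fingerprint (lower-case hex, no colons) of the first certificate in
# FILE, for comparison with the sum quoted in the vracli error message.
cert_sha256() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 \
        | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# Example run with placeholder file names:
#   build_chain vro.example.com.key vro.example.com.crt intermediate.crt root.crt /root/cert.pem
#   pem_block_order /root/cert.pem
#   key_matches_cert /root/cert.pem && chain_verifies vro.example.com.crt intermediate.crt root.crt
```

A key that does not match the certificate, or a chain that does not verify, is worth fixing before ingress, since a broken ingress certificate is exactly the failure the pre-procedure snapshot exists to recover from.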