Replacing expired vRO/vCO SSL certificate
Article ID: 344366
Products
VMware Aria Suite
Issue/Introduction
This article provides:
- Information on importing .pfx and .pem files to replace existing expired SSL certificates.
- Steps to confirm that the new certificate is properly imported.
Symptoms:
- VMware vRealize Automation (vRA) is unable to connect to vRealize Orchestrator (vRO)/vCenter Orchestrator (vCO).
- You see that the SSL certificate is expired in vRO/vCO.
Environment
VMware vRealize Orchestrator 6.x
VMware vRealize Orchestrator 7.x
VMware vRealize Automation 6.x
Resolution
To replace the expired SSL certificate:
Note: Take a backup of the vRO/vCO appliance.
- Connect to the vRO/vCO appliance using SSH.
Note: If vRO/vCO was installed on a Windows server, connect to the server through RDP and open Command Prompt with administrator privileges.
- Import the private key into the vRO jssecacerts keystore by running this command:
keytool -importkeystore -srckeystore "custom.pfx" -srcstoretype pkcs12 -srcstorepass dunesdunes -deststoretype jks -destkeystore "/etc/vco/app-server/security/jssecacerts" -deststorepass dunesdunes
- Change the imported private key alias to dunes by running this command:
keytool -changealias -alias "IMPORTED_CERTIFICATE_ALIAS" -destalias "dunes" -keystore "/etc/vco/app-server/security/jssecacerts" -storetype jks -storepass dunesdunes
- Change the imported private key entry password to match the vRO jssecacerts keystore password (dunesdunes) by running this command:
keytool -keypasswd -keystore jssecacerts -alias dunes
- Enter keystore password: dunesdunes
- Enter key password for <dunes>: <certkeypass>
- New key password for <dunes>: dunesdunes
- Re-enter new key password for <dunes>: dunesdunes
- Verify that the new certificate is imported properly by running this command:
keytool -keystore jssecacerts -v -list -alias dunes
- Verify that the certificate entry type is PrivateKeyEntry.
- Verify that the certificate is valid and that the thumbprint matches the expected one.
- Confirm that the key password of the dunes private key is correct (dunesdunes) by generating a certificate signing request with this command:
keytool -keystore jssecacerts -certreq -alias dunes -v
- Enter keystore password:
- Enter key password for <dunes>:
- You see a new Certificate Request being generated:
-----BEGIN NEW CERTIFICATE REQUEST-----
………………………….
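The three checks in the verification step (entry type, validity, thumbprint) can be scripted instead of read by eye. This is an added example, not part of the original article or VMware code; it assumes English-locale keytool output and that the expected thumbprint is the SHA256 value, and the names check_dunes_entry and sample_listing are hypothetical.

```shell
#!/bin/sh
# Added example, not VMware code. Assumes English-locale keytool output and
# that the expected thumbprint is the SHA256 one. Function names are hypothetical.
# Usage: keytool -keystore jssecacerts -v -list -alias dunes | check_dunes_entry "<expected SHA256>"

# check_dunes_entry EXPECTED_SHA256 [TODAY_YYYYMMDD]; listing on stdin.
# Returns 0 only if the entry is a PrivateKeyEntry, unexpired, and matches.
check_dunes_entry() {
    want=$(printf '%s' "$1" | tr -d ':' | tr 'a-f' 'A-F')
    today=${2:-$(date -u +%Y%m%d)}
    awk -v want="$want" -v today="$today" '
        BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
                for (i = 1; i <= 12; i++) mon[m[i]] = i }
        /^Entry type:/ { etype = $3 }
        # The first "Valid from" line belongs to Certificate[1], the leaf.
        /^Valid from:/ && !seen {
            seen = 1
            for (i = 1; i <= NF; i++) if ($i == "until:") u = i
            # Fields after "until:": weekday month day time zone year
            not_after = sprintf("%04d%02d%02d", $(u + 6), mon[$(u + 2)], $(u + 3))
        }
        /^[ \t]*SHA256:/ && !fp { fp = toupper($2); gsub(":", "", fp) }
        END {
            rc = 0
            if (etype != "PrivateKeyEntry") { print "FAIL entry type: " etype; rc = 1 }
            if (!seen || not_after + 0 < today + 0) { print "FAIL validity: " not_after; rc = 1 }
            if (fp == "" || fp != want) { print "FAIL thumbprint: " fp; rc = 1 }
            if (rc == 0) print "OK: PrivateKeyEntry, valid until " not_after
            exit rc
        }'
}

# Constructed sample listing (shortened thumbprint, not from a real system).
sample_listing() {  # sample_listing ENTRY_TYPE NOT_AFTER_YEAR
    cat <<EOF
Alias name: dunes
Entry type: $1
Certificate[1]:
Owner: CN=vro.example.test
Valid from: Tue Mar 05 10:00:00 UTC 2024 until: Thu Mar 05 10:00:00 UTC $2
Certificate fingerprints:
     SHA256: 0A:1B:2C:3D
EOF
}
```

The validity check compares dates at day granularity, so a certificate expiring later today still passes.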