Replacing expired vRO/vCO SSL certificate

Article ID: 344366

Updated On:

Products

VMware Aria Suite

Issue/Introduction

This article provides:
  • Information on importing .pfx and .pem files to replace existing expired SSL certificates.
  • Steps to confirm that the new certificate is properly imported.


Symptoms:

  • VMware vRealize Automation (vRA) is unable to connect to vRealize Orchestrator (vRO)/vCenter Orchestrator (vCO).
  • You see that the SSL certificate is expired in vRO/vCO.

Environment

VMware vRealize Orchestrator 6.x
VMware vRealize Orchestrator 7.x
VMware vRealize Automation 6.x

Resolution

To replace the expired SSL certificate:
 
Note: Take a backup of the vRO/vCO appliance.
 
  1. Connect to the vRO/vCO appliance using SSH.

    Note: If vRO/vCO was installed on a Windows server, connect to the server through RDP and open Command Prompt with administrator privileges.
     
  2. Import the private key into the vRO jssecacerts keystore by running this command:

    keytool -importkeystore -srckeystore "custom.pfx" -srcstoretype pkcs12 -srcstorepass dunesdunes -deststoretype jks -destkeystore "/etc/vco/app-server/security/jssecacerts" -deststorepass dunesdunes

     
  3. Change the imported private key alias to dunes by running this command:

    keytool -changealias -alias "IMPORTED_CERTIFICATE_ALIAS" -destalias "dunes" -keystore "/etc/vco/app-server/security/jssecacerts" -storetype jks -storepass dunesdunes

     
  4. Change the imported private key entry password to match the vRO jssecacerts keystore password (dunesdunes) by running this command:

    keytool -keypasswd -keystore jssecacerts -alias dunes

     
    1. Enter keystore password: dunesdunes
    2. Enter key password for <dunes>: <certkeypass>
    3. New key password for <dunes>: dunesdunes
    4. Re-enter new key password for <dunes>: dunesdunes

       
  5. Verify that the new certificate was imported properly by running this command:

    keytool -keystore jssecacerts -v -list -alias dunes

     
    1. Verify that the certificate entry type is PrivateKeyEntry.
    2. Verify that the certificate is valid and that its thumbprint matches the expected one.
    3. Confirm that the key password of the dunes private key is correct (dunesdunes) by generating a certificate signing request with this command:

      keytool -keystore jssecacerts -certreq -alias dunes -v

       
      1. Enter keystore password:
      2. Enter key password for <dunes>:
      3. You see a new Certificate Request being generated:

        -----BEGIN NEW CERTIFICATE REQUEST-----
        ………………………….
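
The checks in step 5 (entry type, validity, thumbprint) can be scripted so they are not done by eye. This is an added example, not part of the VMware article: the function name check_dunes_entry, the sample listing and the fingerprint are constructed for illustration, and it assumes the output layout that keytool -v -list prints.

```shell
#!/bin/sh
# Added example, not VMware code. Reads `keytool -v -list -alias dunes` output on stdin.
# Usage: check_dunes_entry EXPECTED_SHA256 [TODAY_YYYYMMDD]
# On the appliance: keytool -keystore jssecacerts -v -list -alias dunes \
#     -storepass dunesdunes | check_dunes_entry "<expected SHA-256 thumbprint>"
check_dunes_entry() {
    expected=$(printf '%s' "$1" | tr -d ': ' | tr 'a-f' 'A-F')
    today=${2:-$(date +%Y%m%d)}
    listing=$(cat)

    # Step 5.1: the alias must hold a private key, not just a trusted certificate.
    printf '%s\n' "$listing" | grep -q '^Entry type: PrivateKeyEntry' ||
        { echo "FAIL: entry type is not PrivateKeyEntry"; return 1; }

    # Step 5.2: the first "Valid from" line is the leaf certificate. keytool prints
    # "until: <dow> <Mon> <dd> <hh:mm:ss> <tz> <yyyy>"; convert that to YYYYMMDD.
    not_after=$(printf '%s\n' "$listing" | awk '/^Valid from:/ {
        for (i = 1; i <= NF; i++) if ($i == "until:") {
            m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $(i + 2)) + 2) / 3
            printf "%04d%02d%02d", $(i + 6), m, $(i + 3); exit
        } }')
    [ -n "$not_after" ] || { echo "FAIL: no validity line found"; return 1; }
    [ "$not_after" -gt "$today" ] ||
        { echo "FAIL: certificate not valid after $not_after"; return 1; }

    # Step 5.2: the SHA-256 thumbprint must equal the one you expect.
    actual=$(printf '%s\n' "$listing" | awk '/SHA256:/ { print $2; exit }' |
        tr -d ':' | tr 'a-f' 'A-F')
    [ "$actual" = "$expected" ] || { echo "FAIL: thumbprint mismatch"; return 1; }
    echo "OK: PrivateKeyEntry, valid until $not_after, thumbprint matches"
}

# Constructed sample (not from a real keystore) in the layout keytool prints.
SAMPLE_SHA256="00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF"
sample_listing() {
    cat <<EOF
Alias name: dunes
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=vro.example.test
Issuer: CN=Example Test CA
Valid from: Tue Jan 02 00:00:00 UTC 2024 until: Thu Jan 01 00:00:00 UTC 2026
Certificate fingerprints:
     SHA256: $SAMPLE_SHA256
EOF
}
sample_listing | check_dunes_entry "$SAMPLE_SHA256" 20250101
```

Obtain the expected thumbprint from the certificate issuer or the original certificate file, not from the keystore being checked.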