Replace vRO certificates in a vRA embedded installation

Some time ago I deployed vRealize Automation with vRealize Orchestrator embedded in the appliance in my home lab and I’m not very experienced yet with vRA and vRO. The reason that I deployed it is mainly that I want to get more hands-on experience with vRA and vRO and eventually use the gained knowledge for customers.

vRA had already been running for a couple of months, and all the front-end self-signed certificates had already been replaced by certificates issued by my Microsoft home lab CA. When I started using vRO, I noticed that its certificate had not been replaced yet and that the appliance was still using the default self-signed one. I started googling how to replace the vRO certificate and found the following official VMware documentation. That article states that you can trust the custom certificates already installed in vRA. I executed every step from the official VMware guideline but was unable to replace the vRO certificates with that procedure. Fortunately, I was able to replace the certificates with another procedure.

One of my ITQ co-workers, Marco van Baggum, already wrote an article about vRO certificate replacement back in 2015. That article was written specifically for an external vRO appliance and is based on an older version, so it is not completely accurate anymore for my current situation. But it's a pretty d*mn good article to use as a reference.

When I was talking with Mischa Buijs (another ITQ co-worker) about the problem I was facing, he suggested simply following the procedure for an external vRO appliance to get the certificates replaced. Actually, this wasn't a bad idea at all. With some help from Mischa I was able to successfully replace the embedded vRO certificates with this procedure.

Before you start, make sure you have the following:
– OpenSSL installed to create the CSR (use this How-To article as a reference)
– Certificates issued by your CA (Base64 encoded)
– A backup or snapshot of the vRA appliance, taken prior to the certificate replacement

At this stage you should have the following files:
– Private Key (*.key)
– Certificate file (*.cer or *.crt)
– CA Certificate (and if applicable Intermediate certificates) (*.cer or *.crt)

1. Create chain
Create a *.pem file containing the intermediate and/or CA certificate. I prefer to do this with Notepad++. In this procedure we call it chain.pem. Our private key file is called vra.key and the issued certificate is called vra.cer.

2. Generate a certificate in pkcs12 format
#openssl pkcs12 -export -out vra.pfx -inkey vra.key -in vra.cer -certfile chain.pem

*note* Use the passphrase 'dunesdunes' to protect the *.pfx file; the import step below expects this passphrase.

3. Upload the certificate file to the vRA appliance.
Upload vra.pfx to the /tmp folder on the vRA appliance (I used FileZilla).

4. Stop vRO and install the certificate
[Stop vRealize Orchestrator]:
#service vco-server stop
#service vco-configurator stop

[Get the password for the Java Keystore]: (referenced as *keystore.password* in the following steps)
#cat /var/lib/vco/keystore.password 

[Navigate to the temp folder]:
#cd /tmp

[Remove the old certificate]:
#keytool -delete -alias dunes -keystore /etc/vco/app-server/security/jssecacerts -storepass *keystore.password*

[Import the new certificate]:
#keytool -importkeystore -srckeystore /tmp/vra.pfx -srcstoretype pkcs12 -srcstorepass dunesdunes -deststoretype jks -destkeystore /etc/vco/app-server/security/jssecacerts -deststorepass *keystore.password*

[List the current keystore, the newly imported cert is called “1”]:
#keytool -list -keystore /etc/vco/app-server/security/jssecacerts -storetype jks -storepass *keystore.password*

[Rename the certificate from “1” to “dunes”]
#keytool -changealias -alias "1" -destalias "dunes" -keystore /etc/vco/app-server/security/jssecacerts -storetype jks -storepass *keystore.password*

*note* If the command asks for an additional password, enter 'dunesdunes', since that is the password of the imported vra.pfx certificate file.

[List the current keystore, verify if the certificate is renamed to “dunes”]:
#keytool -list -keystore /etc/vco/app-server/security/jssecacerts -storetype jks -storepass *keystore.password*

[Reboot the vRA appliance]:
#reboot

When the vRA appliance has booted and the embedded vRO services have started, you should see that the newly imported certificate is used for the vRO front-end.
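The four steps above, wrapped into one shell script as an added example (this is my own script, not something from the original post or from VMware). It uses the same paths, service names, keystore alias and 'dunesdunes' PFX passphrase as the procedure, but adds the checks I would want before touching a production keystore: it verifies the PFX passphrase first, backs up jssecacerts before deleting the old "dunes" entry, reads the alias of the imported key pair from the keytool listing instead of assuming it is "1", and verifies the rename before telling you to reboot. The VRA_PFX environment variable and the helper function names are this script's own inventions; run it on the vRA appliance as root with the argument `run` after uploading vra.pfx to /tmp.

```shell
#!/bin/sh
# Added example, not part of the original post: the embedded vRO certificate
# replacement as one script with pre-checks, a keystore backup and a
# post-import verification. Paths, service names and the 'dunesdunes'
# passphrase are the ones the post uses; VRA_PFX and the helper function
# names are this script's own (hypothetical) choices.
set -eu

KEYSTORE=/etc/vco/app-server/security/jssecacerts
KEYSTORE_PASS_FILE=/var/lib/vco/keystore.password
PFX=${VRA_PFX:-/tmp/vra.pfx}   # uploaded to /tmp in step 3
PFX_PASS=dunesdunes            # passphrase chosen in step 2
TARGET_ALIAS=dunes             # alias vRO expects its server certificate under

# Step 1 helper: build chain.pem from the intermediate (if any) and CA
# certificates, in that order. Arguments: output file, then PEM cert files.
build_chain() {
  out=$1; shift
  cat "$@" > "$out"
}

# Count PEM certificate blocks in a file, so a chain with a missing or
# DER-encoded CA certificate is caught before it is baked into the PFX.
count_pem_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Parse `keytool -list` output. Entry lines look like
#   "<alias>, <date>, PrivateKeyEntry, "
# so the alias is the text before the first ", ". Older JDKs print keyEntry.
list_aliases() {
  printf '%s\n' "$1" | awk -F', ' '/(PrivateKeyEntry|keyEntry|trustedCertEntry)/ { print $1 }'
}

# Alias keytool gave the imported key pair. The post observes "1", but the
# PFX friendly name decides it, so read it from the listing rather than assume.
private_key_alias() {
  printf '%s\n' "$1" | awk -F', ' '/(PrivateKeyEntry|keyEntry)/ { print $1; exit }'
}

# Step 4: stop vRO, back up the keystore, swap the certificate, verify.
replace_vro_cert() {
  [ -r "$PFX" ] || { echo "PFX not found: $PFX" >&2; return 1; }
  # Fail early if the passphrase does not open the PFX; nothing touched yet.
  openssl pkcs12 -in "$PFX" -noout -passin "pass:$PFX_PASS"
  storepass=$(cat "$KEYSTORE_PASS_FILE")

  service vco-server stop
  service vco-configurator stop

  # The backup lets you restore the old certificate if the import goes wrong.
  cp -p "$KEYSTORE" "$KEYSTORE.bak.$(date +%Y%m%d%H%M%S)"

  keytool -delete -alias "$TARGET_ALIAS" -keystore "$KEYSTORE" -storepass "$storepass"
  keytool -importkeystore -srckeystore "$PFX" -srcstoretype pkcs12 \
    -srcstorepass "$PFX_PASS" -deststoretype jks \
    -destkeystore "$KEYSTORE" -deststorepass "$storepass"

  listing=$(keytool -list -keystore "$KEYSTORE" -storetype jks -storepass "$storepass")
  new_alias=$(private_key_alias "$listing")
  [ -n "$new_alias" ] || { echo "no private key entry found after import" >&2; return 1; }

  # -keypass supplies the password the post says this step may prompt for
  # (the key keeps the PFX passphrase after the import).
  keytool -changealias -alias "$new_alias" -destalias "$TARGET_ALIAS" \
    -keypass "$PFX_PASS" -keystore "$KEYSTORE" -storetype jks -storepass "$storepass"

  listing=$(keytool -list -keystore "$KEYSTORE" -storetype jks -storepass "$storepass")
  [ "$(private_key_alias "$listing")" = "$TARGET_ALIAS" ] || {
    echo "alias rename failed; restore the keystore from the .bak file" >&2; return 1; }
  echo "Keystore updated. Reboot the appliance to bring vRO up with the new certificate."
}

# Only perform the replacement when explicitly asked: `sh vro-cert.sh run`.
case "${1:-}" in
  run) replace_vro_cert ;;
esac
```

The listing parser is the part worth keeping even if you run the keytool commands by hand: it tells you which alias to pass to -changealias, and the final comparison confirms that the "dunes" entry really is a private key entry again, which is what vRO needs after the reboot.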

Once again, much credit goes to my ITQ co-workers Marco and Mischa. Follow them on Twitter and visit their blogs for awesome articles!

Until the next one!
