So when deploying vRealize Automation, I can be a bit OCD when it comes to certificates and websites. Where possible/plausible, I like to make sure all of the sites in the deployment have trusted certificates, especially if there is a root CA in play (after all they’re free certificates right?).
After deploying the VMware vRealize Automation 7.x appliance from the OVA (that’s the easy bit) and successfully (normally on the second/third attempt) running through the deployment wizard to deploy a Medium distributed environment, we end up with certificates for the following components:
- VMware vRealize Automation Virtual Appliance Website / VIP
- VMware vRealize Automation IaaS Web Server / VIP
- VMware vRealize Automation Manager Service Server / VIP
Assuming you supply CA Trusted Certificates during the deployment wizard, there is normally no need to make any changes to these certificates unless they age out.
(Note: in a Reference Architecture Medium Distributed environment, the IaaS Web Server and Manager Service are on a single server (or load balanced pair) and use a single Subject Alternative Name (SAN) certificate covering both VIPs and the 2 host FQDNs.)
However, when carrying on with the post-deployment configuration, I was left with that familiar OCD feeling because there were some certificates that were still self-signed. Namely, these were:
- VMware vRealize Appliance Virtual Appliance Management Infrastructure (VAMI)
- VMware vRealize Orchestrator Configurator
- VMware vRealize Orchestrator Package Signing Certificate
So, let’s scratch that OCD itch and tackle these one at a time in a series of posts to make it easier to read:
- Configuring SSL certificates for vRA 7.x (inc vRO)
- Replacing the Appliance Management Site Certificate for vRealize Automation
- Replacing the Control Center Certificate on an embedded vRO instance
- Replacing the Package Signing Certificate in vRO 7