Replacing the Control Center Certificate on an embedded vRO instance

This is the third post in a series tackling the extra certificates you may want to replace once you have deployed vRealize Automation.

There are plenty of articles on changing the SSL certificate for this website (https://vra-fqdn:8283/vco-vcoconfigurator) on an External instance of vRealize Orchestrator, most notably is @SpasKaloferov‘s post http://kaloferov.com/blog/how-to-change-the-ssl-certificate-of-a-vro-appliance-7-x/

However, as the screenshots below show, the embedded vRO instances do not have the same options as the external vRO instances.

External Orchestrator

ext-orchestrator

Embedded Orchestrator

emb-orchestrator

So how do you update the SSL Certificate for embedded vRO?  We’ll if you have already completed the steps to update the VAMI certificate for the Virtual Appliance highlighted above, the good news is you already have… it’s that simple

I haven’t had time to look into what black magic goes on under the covers to make this happen, but I did try and reboot the vco-configurator and vco-server services but the certificate didn’t update.  It took a reboot of the vRA Virtual Appliance for the certificate to register.

7 Comments

  1. So this doesn’t appear to be the case in an HA vRA 7.3 install I just performed. I’m seeing that the certificate for embedded vRO is a self-signed certificate. The vRA VAMI is a CA signed cert that I gave it during the install of vRA…

    1. So, it turns out that I’m seeing an issue where the embedded vRO is unable to be browsed to; when we attempt to browse to the Control Center, after enabling it, we see this message is almost any browser (Chrome / Firefox) “The owner of has configured their website imp[roperly. To protect your information from being stolen, Firefox has not connected to this website. This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox may only connect to it securely.” What the heck…

    2. To follow up…. Nope… A clean install of vRA 7.3 did not replace the VAMI cert or the vRO 8281 or 8283 certs.

      vRA 7.3 does not replace the VAMI certs automatically, which is both disappointing and plain old ODD. It takes two seconds to replace the VAMI certs once you have the certs on the vRA appliance. (It takes longer to logon.)

      In vRO, the certificate is supposed to be replaced automatically with the SSL certificate for port 443. In our case it did not.

          1. Hi Gary,

            Your original post prompted me to start a certificate series. Unfortunately due to some serious health issues over christmas I have been unable to complete the series as yet.

            Please stay tuned!

            Chris

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.