Replacing the vRealize Automation 7.3 Appliance Certificate

Certificates VMware vRealize Automation vRealize Orchestrator

Published on 11 December 2017 by Christopher Lewis. Words: 467. Reading Time: 3 mins.

This is the first in a series of posts covering the replacement of vRealize Automation SSL Certificates. For the purpose of these posts, I have deployed vRealize Automation 7.3 environment with self signed certificates. This means that when you navigate to https://vra7.fqdn/vcac , the site is not secure nor trusted. Therefore, you will be presented with something like the following in your browser (I mostly use Chrome):

We’re looking to achieve the following in the browser URL bar after the certificate has been replaced.


Note: The same process detailed here can be used when replacing expiring SSL certificates.

This post is based on the VMware procedure and this is documented here .


The following are expected prerequisites for this walkthrough:

  • A fully deployed and working vRealize Automation solution.
  • A set of certificate files:
    • The RSA Private Key used to encrypt the vRA certificate.
    • The Root CA Certificate file.
    • The vRA Certificate file.
  • The Root CA Certificate and any Subordinate/Intermediate CA Certificates are installed within the appropriate Certificate store on the local machine (normally the Trusted Root Certification Authorities and the Intermediate Certification Authority respectively).

Replacing the vRealize Automation Appliance Certificate

Navigate to the vRealize Automation Appliances Virtual Appliance Management Infrastructure (VAMI) interface, https://vra.fqdn:5480.

Log into the VAMI by typing the User Name and Password configured during the install wizard and clicking Login.

Note: By default, the username is always root.

Under SSL Configuration, select the Import option.

Open the RSA Private Key file in a text editor and copy and paste the information into the RSA Private Key field.

Note: You should include the -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- text.

Open the Certificate, Intermediate CA (if applicable) and the Root Certificate file(s) in a text editor and copy and paste the information into the Certificate Chain text field.

Note: You should include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- text for each certificate.

Note: The client SSL certificate should be first, then any intermediate CA certificates, followed by the Root CA certificate.

If required, enter the Passphrase into the text field.

Under Actions, click Save Settings.

Note: The process of replacing the certificates may take some time, so go grab a beverage!

Click Logout user root.

And there you have it!


I always found myself having to logout of the VAMI and refresh the browser window (Google Chrome) after each certificate otherwise I would get the following error. I do acknowledge this could be something to do with my limited test environment.

Checking the certificate

When you now navigate to https://vra.fqdn/vcac you now get the green padlock to say the certificate is trusted and you immediately get a warm fuzzy feeling!

Next Step(s)

In the next post, we’ll look at Replacing the vRealize Automation 7.3 Infrastructure as a Service Web Certificate.

Published on 11 December 2017 by Christopher Lewis. Words: 467. Reading Time: 3 mins.