Replacing SSL Certificates in vRealize Automation 7.3

In this series of posts we will walk through the process of upgrading all of the vRealize Automation Certificates.  We’ll be moving  from self-signed certificates that were deployed during the installation, to certificates that have been provided by an Enterprise Certificate Authority (CA).  It is worth noting that the same process can be used to replace expiring SSL certificates as well.

Amongst other reasons, the purpose of doing this is to update the certificates so that communications between components is secured via a CA and for the following sites within the vRealize Automation deployment to be secured and trusted:

  • vRealize Automation Portal
  • vRealize Automation VAMI Certificate
  • vRealize Orchestrator Configuration
  • vRealize Orchestrator Control Center

Finally, I wanted to give a #ShoutOut to the vRealize Automation product team at VMware because this process has become so much slicker in vRA7 than it used to be in vRA6.

The Lab

The vRealize Automation 7.3 deployment used in these posts consists of the following components:

  • 1 x vRealize Automation Appliance
  • 1 x vRealize Automation IaaS Web Server
  • 1 x vRealize Automation IaaS Manager Service Server
  • 1 x vRealize Automation IaaS DEM Server
  • 1 x vRealize Automation IaaS Agent Server
  • 1 x vRealize Orchestrator Appliance
  • 1 x vRealize Business Server

So whilst the lab is a “distributed” deployment it is NOT a “Highly Available” distributed deployment you may see in an enterprise scenario.  The good news is the majority of the work is centralised so it doesn’t actually matter!

The Posts

I have split this topic into multiple posts that, if you were replacing all certificates in one go, they should be completed in the order detailed below:

  1. Replacing the vRealize Automation 7.3 Appliance Certificate(s).
  2. Replacing the vRealize Automation 7.3 IaaS Web Certificate.
  3. Replacing the vRealize Automation 7.3 Manager Service Certificate.
  4. Updating vRealize Orchestrator Certificates:
  5. Replacing the vRealize Automation VAMI Certificate.
  6. Replacing the vRealize Automation Management Agent Certificate(s) (on all IaaS/DEM/Agent Hosts).
  7. Replacing the vRealize Business for Cloud Certificate.

Whilst I always replace all the SSL certificates in one go, I see no reason as to why (with the exception of the vRealize Orchestrator certificates) the procedures could not be completed in any order.  You only have to update the orchestrator certificates IF you replace the vRealize Automation Appliance certificate.

(The posts will not all appear at once so keep calm, carry on and check back regularly…)

Please let me know below if it is helpful!

Leave a Reply