vRA 8.x Replace certificate guide

vRealize Automation 8.x Replace certificate guide

Thankfully, certificate replacement has been further simplified in vRA 8.x, with the certificate change performed as a Day 2 operation in vRLCM (vRealize Lifecycle Manager).

There are two options when choosing a certificate for vRA 8.x: you can generate a self-signed certificate signed by vRLCM itself, or you can leverage a CA (certificate authority) signed certificate. vRA 8.x supports both SAN (Subject Alternative Name) and wildcard certificates. However, for wildcard certificates note the Public Suffix List limitation in the official docs below.

If using your own CA signed certificates, you can create your own CSR file or vRLCM can generate the CSR for you. For more on the latter, see the official guide on configuring certificates within the vRLCM Locker.

The official VMware documentation on the certificate requirements (DNS entries and SAN field entries) is covered below:

  • Single vRA appliance Multi-Tenant deployment certificate requirements
  • Clustered vRA appliance Multi-Tenant deployment certificate requirements
In the example below we will cover the generation and replacement of a vRLCM signed certificate for a single vRA appliance node leveraging the default tenant.

Certificate requirements for single tenant setups are quite straightforward. For clustered setups the certificate needs to carry all the node names, as well as the cluster FQDN, as Subject Alternative Names (SAN); for single appliance setups we just need the one entry.

On to the process.
1) Generate vRA certificate in vRLCM Locker:
Log in to vRLCM, select the Locker tile, then select Generate.
Fill in the required certificate information and select Generate.
The newly generated certificate is then displayed in the UI.
2) Snapshot vRA and vIDM nodes in vRLCM:

As a best-practice precaution prior to any major configuration change, take a snapshot of the vRA and vIDM appliance(s) in vRLCM.

Navigate to Lifecycle Operations -> Manage Environments.
Select View Details on the vRA environment.
Then select the 3 dots (ellipsis) in the top right-hand corner of the vRA environment.
Select Take Snapshot.
Provide a relevant name for the snapshot, for example "pre certificate replacement".
Wait for the snapshot tasks to complete.

3) Replace vRA certificate in vRLCM:

Navigate to Lifecycle Operations -> Manage Environments.
Select View Details on the vRA environment.
Then select the 3 dots (ellipsis) in the top right-hand corner of the vRA environment.
Then select Replace Certificate.
It will display the current certificate information.
Next, select the certificate created or imported earlier.
Finally, select Run Precheck.
Once the precheck is successful, select FINISH to begin the certificate replacement task.
This brings us to the vRLCM Requests UI, where the replacement task can be monitored.
Once the request completes successfully, log in to vRA and validate that the new certificate is now presented.
(The warning can be ignored, as my vRLCM root CA is not imported into the browser and client machine trust stores.)
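Validating "the new certificate is now presented" can be done from the command line rather than by eye, and the same check covers the SAN requirement noted earlier (every node FQDN plus the cluster FQDN for clustered setups, one entry for a single appliance). The shell functions below are an added example, not part of the original post or of vRLCM; they assume the openssl CLI is installed, and the hostnames are placeholders.

```shell
# Added example: verify the certificate a vRA appliance presents after
# replacement. Requires the openssl CLI; hostnames are placeholders.

# Fetch the leaf certificate currently served by an endpoint, as PEM.
# Usage: fetch_served_cert vra.example.local > served.pem
fetch_served_cert() {
  host="$1"; port="${2:-443}"
  openssl s_client -connect "${host}:${port}" -servername "$host" \
    </dev/null 2>/dev/null | openssl x509
}

# Print the DNS Subject Alternative Names of a PEM certificate, one per line
# (prints nothing if the certificate carries no SAN extension).
cert_dns_sans() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' \
    | tr ',' '\n' \
    | sed -n 's/.*DNS:\([^ ,]*\).*/\1/p' || true
}

# Return 0 if every required name is present as a DNS SAN, 1 otherwise,
# listing each missing name. For a clustered vRA this is every node FQDN
# plus the cluster FQDN; for a single appliance it is just that one FQDN.
check_required_sans() {
  cert="$1"; shift
  sans=$(cert_dns_sans "$cert")
  missing=0
  for name in "$@"; do
    # grep without -q reads all its input, so printf never hits a broken pipe
    if ! printf '%s\n' "$sans" | grep -xF "$name" >/dev/null; then
      echo "MISSING SAN: $name"
      missing=1
    fi
  done
  return $missing
}

# Return 0 if the certificate is still valid N days from now (default 30),
# 1 if it expires before then; a handy renewal reminder after replacement.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null
}
```

Save the output of fetch_served_cert to a file and pass that file to check_required_sans with the expected FQDNs; verifying the chain against the vRLCM root CA (the warning above) is a separate step that needs that CA in the trust store.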
Any questions in relation to vRA certificate operations, please drop a comment below.
