vRA 8.x Replace certificate guide
vRealize Automation 8.x Replace certificate guide
Thankfully Certificate replacement has been further simplified in vRA 8.x with the certificate change being performed as a Day 2 operation in vRLCM(vRealize Lifecycle Manager).
There are two options when choosing a certificate for vRA 8.x , you can generate a self-signed certificate signed by vRLCM itself or you can leverage a CA(certificate authority) signed certificate. vRA 8.x supports both SAN(Subject Alternative Name) and Wildcard certificates. However, for wildcard certs note the Public Suffix list limitation in official docs below
If using your own CA signed certificates you can create your own CSR file or vRLCM can generate this CSR for you. For more on the latter see official Guide on configuring certificates within vRLCM locker
Official VMware documentation on the certificate requirements(DNS entries and SAN field entries) are covered below:
- Single vRA appliance Multi-Tenant deployment certificate requirements
- Clustered vRA appliance Multi-Tenant deployment certificate requirements
In the example below we will cover the generation and replacement of a vRLCM signed certificate for a single vRA appliance node leveraging teh default tenant.
Certificate requirements for single tenant setups are quite straight forward. For clustered setups the certificate needs to have all the node names, as well as the cluster FQDN, as Subject Alternate Names (SAN), for single appliance setups we just need the one entry.
On to the process.
1) Generate vRA Certificate in vRLCM Locker:
Login to vRLCM and navigate and select Locker tile then Generate.
Fill in the required certificate information & select Generate.
The newly generated certificate is then displayed in the UI
2) Snapshot vRA & vIDM nodes in vRLCM:
As best practise precaution prior to any major config change take a Snapshot of the vRA & vIDM appliance(s) in vRLCM.
Navigate to Lifecycle operations -> Manage Environments
Select View Details on vRA environment
Then the 3 dots (ellipsis) in the top right-hand corner of vRA environment.
Take Snapshot
Provide a relevant name for the snapshot , for example pre certificate replacement
Wait for snapshot tasks to complete.
3) Replace vRA Certificate in vRLCM:
Navigate to Lifecycle operations -> Manage Environments
Select View Details on vRA environment
Then the 3 dots (ellipsis) in the top right-hand corner of vRA environment.
Then Replace Certificate
It will display the current certificate information.
Next select the certificate created or imported earlier.
Finally, Run Precheck
Once Precheck is successful Select FINISH to begin Certificate replacement task.
This brings us to the vRLCM requests UI where replacement task can be monitored.
Once request completes successfully login to vRA and validate that the new certificate is now presented.
(warning can be ignored as my vRLCM root CA is not imported into trust store on browser & client machine trust stores)
Any questions in relation to vRA certificate operations please drop a comment below.
Comments
Post a Comment