If you worked with vRA 6.x and earlier, you will definetly know that replacing certs was a very involving process. The great news is that vRA 7 has eliminated most of the work required to do so and automated a good part of the process. Unfortunately, this is not clearly documented in vRA 7 documentation, although in my opinion this is one of the major improvements in vRA 7.0. As I have discovered those improvement the hard way through going through engineering and support, I thought It’s worth sharing as it can save you tons of time.
Let’s start by the scenario where you have setup the vRealize Automation 7.x system up and running, and you want to replace your certificates. Let’s assume you have already generated the certs for the different services, but if you did not and need help with that keep reading as I will give you guidance on that later on in this article. Below is how to replace the certs of each of the services making up your vRA 7.0.
– SSO/Identity Appliance: As vRA 7.0 does not make use of vCenter SSO any more and it moved to embeded vIDM, you will not have to worry about the certs of this any more. VOILA!!! One Less Cert to worry about VOILA!!!
– vRA 7 Appliance: This has not changed much, and you still can do it easily at through the vRA VAMI, but now you don’t have to worry about updating the Identity Appliance to trust it anymore. Below is a screenshot of how that look like.
vRA 7 Appliance Manager Service & Web: Unlike vRA 6 where you had to change them in IIS and re-register them through command line to the vRA appliance, now you can do them as well through the vRA VAMI in a similar fashion to the vRA Appliance Certificate as shown in the screenshot below. If you have wroked with earlier versions of vRA and you had to replace the Manager Service or Web certificate after word, you would definitely appreciate this change.
That should give you all the instructions you need to update vRA 7 certificate assuming you have the certs, if you need help generating them, then you can follow my following posts with the following tips:
1- vCloud Automation Center 6 Certificates A to Z <== This one has stayed exactly the same for vRA 7.0. You can follow it as is.
2- Generating Certificates for the identity Appliance/vCAC Appliance <== You can follow this one as is, just skip the part for generating cert for the identity appliance as the identity appliance is not longer required in vRA 7.
3- Generating Certificates for vCAC 6 IaaS Web Server & Manager Service <== You can follow this as is, just stop before step three as you no longer need to convert the certs into PFX format.
New vRA 7 Installation: If you are doing a new vRA 7 Implementation, the installation wizard ask you for the contents of these certs and key files. It will automatically add them to the appliances as well the Windows VMs. You don’t have to add them manually anywhere anymore unlike vRA 6.x.x implementation.
Hi,
The IaaS part in your procedure is false, there is a bug in the product preventing the update of IaaS certificates. Only “Provide Certificate Thumbprint” works by placing manually the IaaS Certificate in the “Trusted People” store manually.
Pierre
Hi Eiad, Is it requires downtime for the certs replacement?
While vRA Certs replacements should be really quick, the service might be interrupted during the certs replacement and therefor I would ask for an outage during that replacement. I would not do a cert replacement for it during peak hours for sure. Hope this helps.
What about replacing all of the certificates on the non-standard ports, the embedded vRO certs (Control Center and Package Signing certificate), other VAMIs, etc.?
Hi,
I have not changed the VAMI certificated before to be honest, as these are totally internal and used by admins and not user facing. I remember reading somewhere it was possible to replace using some manual files updates, but I can’t recall the exact way of doing it.
Regards,
Eiad