VMware Cloud Community
VMSavvy
Enthusiast

Domain CA Certs for Clustered vRO Setup

Hi community,

We are in the process of building a vRO environment with 2 nodes behind a load balancer in active/active mode. We are interested in using Domain CA certs for the environment. I'm using the config file below to generate the .key, .csr files, etc. I have a couple of queries:

1. Which format should the certs be in: DER, PEM, PFX, etc.?

2. How and where should I do the certificate import when a load balancer is in the picture? We don't import certs to the LB; we offload SSL to the nodes.

Config file format used:

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vrotest, IP:1.1.1.1, DNS:vrotest.company.com, DNS:vrot01, IP:1.1.10.2, DNS:vrot01.company.com, DNS:vrot02, IP:1.1.10.3, DNS:vrot02.company.com

[ req_distinguished_name ]
countryName = US
stateOrProvinceName = MO
localityName = Kansas City
0.organizationName = Test
organizationalUnitName = VMW
commonName = vrotest.company.com

Please help!!

VMSavvy :)

3 Replies
sbeaver
Leadership

There are actually two different keystores used by vRO. One is on the node itself and the other is stored in the DB. I know there are some posts out there on replacing the vRO certificate, and for me I have ended up creating new keystores with the cert and private keys added.

I have bookmarked this - https://blog.netnerds.net/wp-content/uploads/2013/07/ReplaceSSL-vSphere41U3-50.ps1

Inside is a section for VCO that I have kept to use as an example with syntax:

##############################################################################
#
# Orchestrator
#
###############################################################################
if ($isvmo) {
    # Detect whether the Orchestrator service is installed on this host
    $vmoservice = Get-WmiObject -Class Win32_Service -Filter "Name='VMwareOrchestrator'"
    if ($vmoservice -ne $null) { $vmoexists = $true }
    Write-Host -Foreground "DarkBlue" -Background "White" "Updating Orchestrator.."
    # Copy the new certificate, private key and PKCS#12 bundle into the Orchestrator SSL folder
    Copy-Item -Force "$vmosslnew\rui.crt" $vmossl
    Copy-Item -Force "$vmosslnew\rui.key" $vmossl
    Copy-Item -Force "$vmosslnew\rui.pfx" $vmossl
    # Stop the service before touching its keystore; remember to start it again afterwards
    if ($vmoexists -eq $true) {
        if ((Get-Service VMwareOrchestrator).status -eq "Running") { Stop-Service VMwareOrchestrator ; $startvmo = $true }
    }
    # Rebuild the JKS keystore from the PFX; the SSL entry is stored under the alias "dunes"
    Remove-Item "$vmossl\jssecacerts"
    &"$Infrastructure\jre\bin\keytool.exe" -v -importkeystore -srckeystore "$vmossl\rui.pfx" -srcstoretype pkcs12 -srcstorepass testpassword -srcalias "rui" -destkeystore "$vmossl\jssecacerts" -deststoretype JKS -deststorepass dunesdunes -destkeypass dunesdunes -destalias "dunes"
    # Also import the vCenter certificate so Orchestrator trusts it
    &"$Infrastructure\jre\bin\keytool.exe" -noprompt -importcert -alias vcenter -keystore "$vmossl\jssecacerts" -storepass dunesdunes -file "$vcsslnew\rui.crt"
    Write-Host -Foreground "DarkBlue" -Background "White" "Restarting Orchestrator. This can take a while.."
    if ((Get-Service vCOConfiguration).status -eq "Running"){ Restart-Service vCOConfiguration} else { Start-Service vCOConfiguration ; Stop-Service vCOConfiguration}
    if ($vmoexists -eq $true) {
        if ((Get-Service VMwareOrchestrator).status -eq "Running"){ Restart-Service VMwareOrchestrator } else{ Start-Service VMwareOrchestrator ; Stop-Service VMwareOrchestrator}
    }
    if ($startvmo -eq $true) {Start-Service VMwareOrchestrator}
}

Steve Beaver
VMware Communities User Moderator
VMware vExpert 2009 - 2020
VMware NSX vExpert - 2019 - 2020
====
Co-Author of "VMware ESX Essentials in the Virtual Data Center"
(ISBN:1420070274) from Auerbach
Come check out my blog: http://www.virtualizationpractice.com/blog/
Come follow me on twitter http://www.twitter.com/sbeaver

**The Cloud is a journey, not a project.**
igaydajiev
VMware Employee

In case you missed it, in "http://pubs.vmware.com/vsphere-55/topic/com.vmware.ICbase/PDF/vcenter-orchestrator-551-install-confi..." there is a chapter on replacing the SSL certificate of vCO with a CA-signed one. Check under the section "Install a Certificate from a Certificate Authority". The important parts are the path to the certificate store, "install_directory\app-server\conf\security\jssecacerts", and the alias name of the certificate used for SSL, "dunes". Since it is a standard Java keystore, all tools like the Java utility keytool can be used for replacing the certificate.

Related to load balancing, there is a sample configuration with Apache here: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=203415...

There is also an automatic tool for replacing all certificates in vSphere, but personally I have not used it:

VMware KB: Implementing CA signed SSL certificates with vSphere 5.x

Hope it helps!

SpasKaloferov
VMware Employee

Hi,

To 1) PFX is fine.

If you already have a working vRO with PS, you can use the "Generate Certificate" WF and it will generate everything for you, from the config file to the PFX file:
vCO Workflow to automate the certificate generation process | Spas Kaloferov's Blog

To learn more on how to change the certificate, visit:

How to change the SSL certificate of a vCO Appliance

http://kaloferov.com/blog/how-to-change-the-ssl-certificate-of-a-vco-appliance/

To 2) If you do not do SSL interruption at the LB level, then there is nothing out of the ordinary about the certificate.

The CFG file should look like this:

[ req ]
# sha512 if your CA supports it, otherwise you can also use sha1, etc.
default_md = sha512
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:false
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
# one entry per node FQDN, node short name, and the cluster (VIP) name; no trailing comma
subjectAltName = DNS:vro-01.myDomain.com, DNS:vro-01, DNS:vro-02.myDomain.com, DNS:vro-02, DNS:vro-clu.myDomain.com, DNS:vro-clu

[ req_distinguished_name ]
countryName = UK
stateOrProvinceName = London
localityName = London
0.organizationName = VMware
organizationalUnitName = vRealize Orchestrator
# the commonName should also appear in subjectAltName, since clients match on the SAN list
commonName = vra-orch-clu.sddc.lab

Best Regards,

Spas Kaloferov
(www.kaloferov.com/blog)
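As an added example (not code from any of the posts above), a small stdlib-only Python check for the clustered case: it parses commonName and subjectAltName out of an OpenSSL req config like the ones posted, rejects the empty entry that a trailing comma leaves (openssl req refuses such a line too), and reports any node FQDN, short name or VIP name the SAN does not list, so one cert can serve both nodes and the load-balanced name. The host names and IP in the sample are constructed placeholders.

```python
import re

# Constructed sample (placeholder names): the two sections of an OpenSSL req
# config that matter for a 2-node vRO cluster with VIP vro-clu, nodes vro-01/02.
SAMPLE_CFG = """
[ v3_req ]
subjectAltName = DNS:vro-clu.example.test, IP:10.0.0.10, DNS:vro-clu, DNS:vro-01.example.test, DNS:vro-01, DNS:vro-02.example.test, DNS:vro-02
[ req_distinguished_name ]
commonName = vro-clu.example.test
"""

def parse_cfg(text):
    """Return {section: {key: value}} for an OpenSSL-style config ('#' starts a comment)."""
    sections, cur = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if m:
            cur = sections.setdefault(m.group(1), {})
        elif "=" in line and cur is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            cur[key] = value
    return sections

def parse_san(value):
    """Split a subjectAltName value into (TYPE, name) pairs. Spaces after the colon
    are tolerated; an empty entry (e.g. from a trailing comma) raises ValueError."""
    if not value.strip():
        return []
    entries = []
    for item in value.split(","):
        if ":" not in item or not item.strip():
            raise ValueError("empty or malformed SAN entry in %r" % value)
        kind, name = (s.strip() for s in item.split(":", 1))
        entries.append((kind.upper(), name))
    return entries

def check_cluster_san(cfg_text, nodes, vip):
    """Return the list of problems (empty means the CSR covers the whole cluster).
    nodes and vip are FQDNs; the short host name is their first label."""
    cfg = parse_cfg(cfg_text)
    dns = {n for t, n in parse_san(cfg.get("v3_req", {}).get("subjectAltName", "")) if t == "DNS"}
    cn = cfg.get("req_distinguished_name", {}).get("commonName")
    problems = [] if cn in dns else ["commonName %r not in subjectAltName" % cn]
    for fqdn in [vip] + list(nodes):
        for name in (fqdn, fqdn.split(".")[0]):
            if name not in dns:
                problems.append("missing DNS:%s" % name)
    return problems
```

Run check_cluster_san against the config you intend to feed to openssl req before sending the CSR to the CA; an empty list means every node and the VIP name are covered.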
