VMware Cloud Community

vRO 8 - replace self-signed certificate

Hello guys,

Can someone explain how to replace vro 8 self-signed certificate?

thank you.

0 Kudos
5 Replies

Hi, Ilian,

I'had the same doubt. I read the documentation and I didn't find nothing specific about how to change the self signed certificate by a Certification Authority. Some doubts about this subject:

1 - Where and how to generate the .csr file to send to a certification authority? (I should use openssl commands inside the vro appliance or this command should be executed inside a docker container?)

2 - After the certification authority returns the certificate signed, how I input this certificate on my appliance? Is directly in the appliance or in docker container?

3 - How turn this changes permanents? (Survive after the appliance reboot)?

Thanks in advance 😃

Diego Bejar

0 Kudos
Hot Shot
Hot Shot


I solved this by doing the following:

  • SSH into vro 8
  • run the following command

     openssl req -nodes -newkey rsa:2048 -keyout vro8.mylab.local.key -out vro8.mylab.local.csr -subj "/C=AU/ST=Victoria/L=Melbourne/O=vleet apac/OU=testing/CN=vro8.mylab.local";

  • That creates two files. one CSR and a Key
  • use the CSR to get a signed cert
  • upload the signed cert with the intermediate and root  certs (ORDER: Host, intermediate, root)
  • attach the key to the top of the file (Order: Private:host,intermediate,root) -> /root/cert.pem
  • then run:
    vracli certificate ingress --set /root/cert.pem
  • this showed an error about the sha254 but thats fine. just redrun the command
    vracli certificate ingress --set /root/cert.pem -sha265 [the sha key from the error message]
  • wait till this finised
  • the cd /opt/script
  • and run ./deploy.sh
  • This will take a while but work.
  • Reload your browser




I am also searching for the possibility to change the certificates, but it does not want to work.

I did what @Windspirit described but receive the following error:

"vracli certificate ingress --set /root/cert.pem
Invalid encryption or hash algorithm:
Expected one of: ['sha224WithRSAEncryption', 'sha256WithRSAEncryption', 'sha384W ithRSAEncryption', 'sha512WithRSAEncryption']"

I also tried the other way to create the csr by creating a .cfg-file with all parameters which is then combined with the encrypted .key-file to finally create the csr. The .cfg-file looked like this:

"[ req ]
default_md = sha512
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS: XX, DNS: XX, DNS: XX

[ req_distinguished_name ]
countryName = XX
stateOrProvinceName = XX
localityName = XX
0.organizationName = XX
organizationalUnitName = XX
commonName = XX"

In both ways I receive the same error as shown above.

Which command do I have to enter to go on/ignore the error as described? And why does the error concerning the encryption is even mentioned since at least in the cfg-file it is mentioned explicitly that sha512 should be used which seems to be asked for concerning the error message?

Unfortunately there are not a lot of detailed articles from VMware for the certificate issue.

Thanks in advance for your support.



Hot Shot
Hot Shot

The error said you haven't used the right encryption...check that

Did you get ur cert signed?

Did you put all the certs in the right order?

  • Host cert (the one you got signed)
  • any intermediate certs
  • root cert (of your domain that signed the cert)
  • Private Key (I think it needs to go to the end of the PEM file...may have that wrong in the description


0 Kudos