Can someone explain how to replace the vRO 8 self-signed certificate?
There are some sections about certificate management in the official documentation - check https://docs.vmware.com/en/vRealize-Orchestrator/8.0/com.vmware.vrealize.orchestrator-install-config... and https://docs.vmware.com/en/vRealize-Orchestrator/8.0/com.vmware.vrealize.orchestrator-install-config...
I had the same doubt. I read the documentation and I didn't find anything specific about how to replace the self-signed certificate with one signed by a Certification Authority. Some doubts about this subject:
1 - Where and how do I generate the .csr file to send to a certification authority? (Should I use openssl commands inside the vRO appliance, or should this command be executed inside a docker container?)
2 - After the certification authority returns the signed certificate, how do I input this certificate on my appliance? Is it directly in the appliance or in a docker container?
3 - How do I make these changes permanent (so they survive an appliance reboot)?
Thanks in advance 😃
I solved this by doing the following:
openssl req -nodes -newkey rsa:2048 -keyout vro8.mylab.local.key -out vro8.mylab.local.csr -subj "/C=AU/ST=Victoria/L=Melbourne/O=vleet apac/OU=testing/CN=vro8.mylab.local";
I am also looking for a way to change the certificates, but it does not want to work.
I did what @Windspirit described but I receive the following error:
"vracli certificate ingress --set /root/cert.pem
Invalid encryption or hash algorithm:
Expected one of: ['sha224WithRSAEncryption', 'sha256WithRSAEncryption', 'sha384WithRSAEncryption', 'sha512WithRSAEncryption']"
I also tried the other way to create the csr by creating a .cfg-file with all parameters which is then combined with the encrypted .key-file to finally create the csr. The .cfg-file looked like this:
"[ req ]
default_md = sha512
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS: XX, DNS: XX, DNS: XX
[ req_distinguished_name ]
countryName = XX
stateOrProvinceName = XX
localityName = XX
0.organizationName = XX
organizationalUnitName = XX
commonName = XX"
In both ways I receive the same error as shown above.
Which command do I have to enter to go on/ignore the error as described? And why is the error concerning the encryption even mentioned, since at least in the cfg-file it is stated explicitly that sha512 should be used, which seems to be what the error message asks for?
Unfortunately there are not a lot of detailed articles from VMware for the certificate issue.
Thanks in advance for your support.
The error said you haven't used the right encryption...check that
Did you get your cert signed?
Did you put all the certs in the right order?
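One way to check what the replies above ask about, as an added example that is not part of the original thread: the script prints the signature algorithm and subject of every certificate in a PEM bundle, in file order, and flags any algorithm outside the list quoted in the vracli error. `default_md` in the request config only sets the hash on the CSR's own signature; the algorithm on the issued certificate is chosen by the CA. The function name `check_chain_sigalgs` is hypothetical and the `ALLOWED` list is copied from the error message in the thread.

```shell
#!/bin/sh
# Added example: report the signature algorithm of each certificate in a PEM
# bundle and flag any that is not in the list quoted in the vracli error.
# ALLOWED is copied from that error message; the function name is hypothetical.
ALLOWED="sha224WithRSAEncryption sha256WithRSAEncryption sha384WithRSAEncryption sha512WithRSAEncryption"

check_chain_sigalgs() {
    bundle=$1
    tmpdir=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate (cert-1.pem, cert-2.pem, ...).
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"
    rc=0
    i=1
    while [ -f "$tmpdir/cert-$i.pem" ]; do
        f="$tmpdir/cert-$i.pem"
        subject=$(openssl x509 -in "$f" -noout -subject)
        # The first "Signature Algorithm:" line of -text is the algorithm
        # the issuer used to sign this certificate.
        alg=$(openssl x509 -in "$f" -noout -text |
              awk '/Signature Algorithm:/ { print $3; exit }')
        case " $ALLOWED " in
            *" $alg "*) echo "ok      cert $i  $alg  $subject" ;;
            *)          echo "REJECT  cert $i  $alg  $subject"; rc=1 ;;
        esac
        i=$((i + 1))
    done
    # An empty or non-PEM file is reported separately from a bad algorithm.
    [ "$i" -gt 1 ] || { echo "no certificates found in $bundle" >&2; rc=2; }
    rm -rf "$tmpdir"
    return $rc
}
```

Calling `check_chain_sigalgs /root/cert.pem` before `vracli certificate ingress --set /root/cert.pem` shows which certificate in the file, if any, carries an algorithm outside that list (return code 1), and the printed subjects show the order of the chain.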