sposs
Contributor

vRealize Suite custom certificates

Hi everyone! I have a question about using custom certificates for vRealize Suite products. I'm planning to deploy an HA architecture (so 3 instances for vRA, 3 for vRO, 3 for vRLI and so on), and I want to use custom certificates for them. The question is: do I have to use SAN certificates? Could you please link me to some documentation I can read about it? I'm planning to use vRealize Lifecycle Manager 8.2 for installing the products.


thanks for your help

1 Reply
lnairn
VMware Employee

Hi @sposs ,

Yes, you need to have SAN certificates.

From documentation:

Subject Alternative Name (SAN) Certificate Requirements

You must create two Workspace ONE Access certificates, one that applies on the cluster appliances and one that applies on the load balancer. In addition, create a certificate that applies to the vRealize Automation appliances, the tenants you are creating, excluding the default tenant, and the load balancer.

  • Create a certificate for the Workspace ONE Access appliances that list the FQDNs of the Workspace ONE Access appliances as well as the default tenant and other tenants you create. This certificate should include the IP addresses of the Workspace ONE Access appliances.
  • As a best practice, create an SSL termination on the load balancer. To support this termination, create a certificate for the Workspace ONE Access load balancer that lists the FQDN of the Workspace ONE Access load balancer as well as the default tenant and all other tenants you create. This certificate should include the IP address of the load balancer.
  • You must create a certificate for vRealize Automation that lists the host names of the three vRealize Automation appliances as well as the related load balancer and the tenants you are creating. In addition, it should list the IP addresses of the three vRealize Automation appliances.
  • As an option, to simplify configuration, you can use wildcards for the Workspace ONE Access and vRealize Automation certificates. For example, *.example.com, *.vra.example.com, and *.vra-lb.example.com.

Note: vRealize Automation 8.x supports wildcard certificates only for DNS names that match the specifications in the Public Suffix list at https://publicsuffix.org. For example, *.myorg.com is a valid name while *.myorg.local is invalid.


You can read the full documentation here: https://docs.vmware.com/en/vRealize-Automation/8.2/administering-vrealize-automation.pdf (Managing certificate and DNS configuration under clustered vRealize Automation deployments).


Regards,

Leandro.
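To make the requirements in the reply concrete, here is an added example (not part of the thread and not VMware code) that plans the SAN list for the vRealize Automation certificate of a three-node cluster and checks a candidate SAN set against it. The appliance names, load balancer name, tenant names and addresses are constructed placeholders, and the public suffix set is a tiny constructed subset of https://publicsuffix.org used only to illustrate the wildcard rule quoted above; a real check should load the full list. The `build_san_extension` helper renders the string you would pass to `openssl req -addext "subjectAltName=..."` or put in an openssl config before handing the CSR to vRealize Suite Lifecycle Manager.

```python
"""Plan and sanity-check the SAN contents of a vRA 8.x cluster certificate."""
import ipaddress

# Constructed sample deployment: 3 vRA appliances, one load balancer, two non-default
# tenants. None of these names or addresses come from a real environment.
VRA_APPLIANCES = ["vra-01.example.com", "vra-02.example.com", "vra-03.example.com"]
VRA_APPLIANCE_IPS = ["192.0.2.11", "192.0.2.12", "192.0.2.13"]
VRA_LOAD_BALANCER = "vra-lb.example.com"
TENANT_HOSTS = ["tenant-a.vra-lb.example.com", "tenant-b.vra-lb.example.com"]

# Constructed subset of the Public Suffix List; load the real list for production use.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def required_names(appliances, lb, tenants):
    """Every DNS name the vRA certificate must cover: appliances, LB and non-default tenants."""
    return sorted(set(appliances) | {lb} | set(tenants))


def build_san_extension(dns_names, ips):
    """Render a subjectAltName value ("DNS:...,IP:...") for openssl; validates each IP."""
    entries = [f"DNS:{name}" for name in dns_names]
    entries += [f"IP:{ipaddress.ip_address(addr)}" for addr in ips]
    return ",".join(entries)


def wildcard_allowed(pattern, public_suffixes=PUBLIC_SUFFIXES):
    """Apply the vRA 8.x rule quoted in the documentation: a wildcard is acceptable only when
    the name under the '*' ends in a public suffix and has at least one label of its own
    above it, so '*.myorg.com' passes while '*.myorg.local' and '*.com' do not."""
    if not pattern.startswith("*."):
        return True  # not a wildcard, nothing to check here
    labels = pattern[2:].lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in public_suffixes:
            return i >= 1  # need an owned label between '*' and the public suffix
    return False


def san_matches(san, hostname):
    """Hostname match as TLS clients do it: a wildcard covers exactly one leftmost label."""
    san, hostname = san.lower(), hostname.lower()
    if san.startswith("*."):
        head, _, rest = hostname.partition(".")
        return bool(head) and rest == san[2:]
    return san == hostname


def uncovered_names(required, sans):
    """Return the planned names that no SAN entry covers; reject disallowed wildcards first."""
    bad = [s for s in sans if s.startswith("*.") and not wildcard_allowed(s)]
    if bad:
        raise ValueError(f"wildcard SAN(s) not allowed by vRA 8.x: {bad}")
    return [name for name in required if not any(san_matches(s, name) for s in sans)]


if __name__ == "__main__":
    plan = required_names(VRA_APPLIANCES, VRA_LOAD_BALANCER, TENANT_HOSTS)
    print("subjectAltName=" + build_san_extension(plan, VRA_APPLIANCE_IPS))
    # A single '*.example.com' does not reach the tenant names one level deeper.
    print("uncovered with *.example.com only:", uncovered_names(plan, ["*.example.com"]))
    print("uncovered with both wildcards:",
          uncovered_names(plan, ["*.example.com", "*.vra-lb.example.com"]))
```

Running it shows why the documentation suggests both `*.example.com` and `*.vra-lb.example.com`: a wildcard only spans one label, so tenant names hanging off the load balancer name are left uncovered by the first pattern alone, and an explicit list of every appliance, LB and tenant FQDN plus the appliance IPs avoids the question entirely.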