vRO 8 - replace self-signed certificate
Hello guys,
Can someone explain how to replace the vRO 8 self-signed certificate?
Thank you.
Hi,
There are some sections about certificate management in official documentation - check https://docs.vmware.com/en/vRealize-Orchestrator/8.0/com.vmware.vrealize.orchestrator-install-config... and https://docs.vmware.com/en/vRealize-Orchestrator/8.0/com.vmware.vrealize.orchestrator-install-config...
Hi, Ilian,
I had the same doubt. I read the documentation and didn't find anything specific about how to replace the self-signed certificate with one from a certification authority. Some doubts about this subject:
1 - Where and how do I generate the .csr file to send to a certification authority? (Should I use openssl commands inside the vRO appliance, or should this command be executed inside a docker container?)
2 - After the certification authority returns the signed certificate, how do I import this certificate on my appliance? Is it done directly in the appliance or in a docker container?
3 - How do I make these changes permanent (survive an appliance reboot)?
Thanks in advance
Diego Bejar
Hi,
I solved this by doing the following:
- SSH into vRO 8
- Run the following command:
openssl req -nodes -newkey rsa:2048 -keyout vro8.mylab.local.key -out vro8.mylab.local.csr -subj "/C=AU/ST=Victoria/L=Melbourne/O=vleet apac/OU=testing/CN=vro8.mylab.local";
- That creates two files: one CSR and one key
- Use the CSR to get a signed cert
- Upload the signed cert with the intermediate and root certs (ORDER: Host, intermediate, root)
- Attach the key to the top of the file (Order: Private:host,intermediate,root) -> /root/cert.pem
- Then run:
vracli certificate ingress --set /root/cert.pem - this showed an error about the sha256, but that's fine. Just rerun the command:
vracli certificate ingress --set /root/cert.pem --sha256 [the sha key from the error message] - wait till this is finished
- Then cd /opt/script
- and run ./deploy.sh
- This will take a while but works.
- Reload your browser
ENJOY!
Hey,
I am also searching for the possibility to change the certificates, but it does not want to work.
I did what @Windspirit described but receive the following error:
"vracli certificate ingress --set /root/cert.pem
Invalid encryption or hash algorithm:
Expected one of: ['sha224WithRSAEncryption', 'sha256WithRSAEncryption', 'sha384WithRSAEncryption', 'sha512WithRSAEncryption']"
I also tried the other way to create the csr by creating a .cfg-file with all parameters which is then combined with the encrypted .key-file to finally create the csr. The .cfg-file looked like this:
"[ req ]
default_md = sha512
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS: XX, DNS: XX, DNS: XX
[ req_distinguished_name ]
countryName = XX
stateOrProvinceName = XX
localityName = XX
0.organizationName = XX
organizationalUnitName = XX
commonName = XX"
In both ways I receive the same error as shown above.
Which command do I have to enter to go on/ignore the error as described? And why is the error concerning the encryption even mentioned, since at least in the .cfg file it is stated explicitly that sha512 should be used, which seems to be what the error message asks for?
Unfortunately there are not a lot of detailed articles from VMware for the certificate issue.
Thanks in advance for your support.
Greetings
Michael
The error said you haven't used the right encryption...check that.
Did you get your cert signed?
Did you put all the certs in the right order?
- Host cert (the one you got signed)
- any intermediate certs
- root cert (of your domain that signed the cert)
- Private Key (I think it needs to go to the end of the PEM file...may have that wrong in the description)
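A pre-flight check for the PEM bundle discussed in the posts above, as an added example that is not part of any post in this thread: it lists the PEM block order, compares each certificate's signature algorithm with the list from the quoted error message, and confirms that the private key belongs to the first certificate. The function names are hypothetical, and it assumes the vracli check applies to the signature algorithm of the certificates in the file, which the CA chooses when it signs (the CSR's default_md only covers the CSR itself).

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks on the PEM bundle.
# Function names are hypothetical; only standard openssl subcommands are used.

# Signature algorithms listed in the vracli error message quoted in the thread.
ALLOWED="sha224WithRSAEncryption sha256WithRSAEncryption sha384WithRSAEncryption sha512WithRSAEncryption"

# Print the type of each PEM block in file order (e.g. PRIVATE KEY, CERTIFICATE).
bundle_order() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# Print the signature algorithm of every certificate in the bundle, one per line.
bundle_sig_algs() {
    tmp=$(mktemp -d) || return 1
    awk -v d="$tmp" '
        /^-----BEGIN CERTIFICATE-----/ { n++; on = 1 }
        on { print > (d "/" n ".pem") }
        /^-----END CERTIFICATE-----/ { on = 0 }' "$1"
    i=1
    while [ -f "$tmp/$i.pem" ]; do
        openssl x509 -in "$tmp/$i.pem" -noout -text |
            awk '/Signature Algorithm:/ { print $3; exit }'
        i=$((i + 1))
    done
    rm -rf "$tmp"
}

# Succeed only if the private key in the bundle belongs to the first certificate.
key_matches_leaf() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Run all checks and return non-zero if any of them fails.
check_bundle() {
    rc=0
    echo "PEM blocks in file order:"; bundle_order "$1" | sed 's/^/  /'
    for alg in $(bundle_sig_algs "$1"); do
        case " $ALLOWED " in
            *" $alg "*) echo "ok   signature algorithm $alg" ;;
            *) echo "FAIL signature algorithm $alg is not in the accepted list"; rc=1 ;;
        esac
    done
    key_matches_leaf "$1" ||
        { echo "FAIL private key does not match the first certificate"; rc=1; }
    return "$rc"
}

# Usage: sh check_bundle.sh /root/cert.pem
if [ "$#" -ge 1 ]; then check_bundle "$1"; fi
```

A FAIL line for an intermediate or root certificate points at the CA's chain rather than at the CSR.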
You can now use LCM 8.12+ to manage certificates and updates for vRO (vra and standalone