Does anyone have the steps to manually replace the IaaS Manager service certificates in vRA 7.0.1? The VAMI is not allowing us to replace the certificates, so we need to bind the correct certs manually. Unfortunately, it appears that in vRA 7 VMware moved away from using the IIS Manager so we're unable to figure out how.
Thanks in advance!
Hello Skoch,
I ran into something similar. There are no updated instructions for vRA 7 on how to do that manually. You can try following the steps provided for vRA 6, but I would recommend trying to resolve the issue with the VAMI. For me I was able to get the VAMI to work after I manually added the certificates to the Local Computer "Trusted People" certificate store on the IaaS machine. VMware only shows the VAMI steps, so they are not providing a method to manually install officially. If it doesn't work then they should be able to help you if you open a support request.
Previous post I found for my issue: vRA 7 certificate replacement error
Updating IaaS Manager certificates in 7: vRealize Automation 7.0
Manual Instructions for 6: Generating Certificates for vCAC 6 IaaS Web Server & Manager Service
Regards,
Darrenoid
Actually, it's still using IIS Manager.
The issue you're seeing is because the certificate you want to import isn't in the "Trusted People" keystore. Drop it in there manually and then try it from the VAMI again.
This problem is fixed in 7.1.
The cert had been added to the Trusted People keystore before attempting the change. I double checked in both the customer's environment and our ATC environment and neither have IIS or the IIS Manager installed on the IaaS Manager servers. Can you confirm that these should be installed in a distributed environemnt where the IaaS Manager is separate from the IaaS Web servers?
We do have a support request open with VMware however they escalated it to engineering almost immediately so due to time constraints we decided to scrap the environment and rebuild.
Ah, it's split out? My bad on the assumption. You're correct that the IIS Manager won't be on a standalone Manager Service server.
I haven't dealt with a completely distributed deployment in a while now, so need to go validate the behaviour as I'm a little hazy on the details.
Out of curiosity, how large is this environment? That architecture is only recommended for more than 30k managed machines.
Ok - bit of an update here. I was able to deploy a standalone manager service node and update the cert without issue.
What is the error message that you are seeing?
If you prefer to not discuss the details on a public forum, drop me a note - first initial lastname at vmware dot com.
Hi,
I'm facing the same issue. I could trigger the update of the Manager Service certificate just the first time. It failed in the last step because I didn't have the certs in the Trusted People store, now I cannot trigger it any more. Even I cannot trigger the update of the Web Server certificates, just the "Reinitiate Trust" option but it doesn't solve anything.
How can I trigger manually this process or fix the last two steps?
Regards,
Jose