VMware Cloud Community
SpasKaloferov
VMware Employee

Blog post "How to change the SSL certificate of a vCO Appliance"

In this post we will look at the certificate replacement process for the vCenter Orchestrator (vCO)/vRealize Orchestrator (vRO) appliance so that the appliance works over SSL. We will be using vCO version 5.5.2, but the process is the same for previous versions of vCO, with the exception that the paths to the keystores or the keytool might have changed.

If you are looking for how to change the SSL certificate of a Windows-installed vCO/vRO, check this blog post: How to change the SSL certificate of windows installed vCO

  Generally there are two scenarios you might see related to the vCO/vRO SSL certificates.

Scenario 1:

  In the first scenario you use the existing private key of the existing vCO/vRO self-signed certificate (with alias dunes) and the existing keystore. With this private key you generate a certificate request, which is then used by a Certificate Authority (CA) to generate the certificate. You then import this certificate into the existing keystore together with the certificates of all Certificate Authorities up to the root of the certificate chain. For example, if you have the usual 3-tier Root CA, Intermediate CA and Issuing CA hierarchy, you will need to import the certificates of all 3 of them into the keystore. You can also create a new keystore and import all certificates there, or if you have a certificate package (PKCS12, etc.) you can import only it.

  In the first scenario we will use the existing keystore to import all of the certificates. In the second scenario we will create a new keystore and import the certificate package containing the private key and all certificates from the certificate chain.

Scenario 2:

  In the second scenario you have received a certificate package from your company’s CA or a 3rd party public CA and you want to use this certificate to secure the communication to and from the vCO/vRO. A reason why you would want to have a custom private key might be that your company has security policies which require higher bit encryption or a particular cipher to be used for all SSL communications.

  In this example we will be importing a PFX certificate package that contains the certificate private key and also the certificates of all CAs from the certificate chain. We will be creating a new keystore to use.

"How to change the SSL certificate of a vCO Appliance"
http://kaloferov.com/blog/how-to-change-the-ssl-certificate-of-a-vco-appliance/

Best regards,

Spas Kaloferov
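
The two scenarios above, sketched as keytool calls in an added example that is not part of the original post or the linked blog. Only the alias dunes comes from the post; keystore paths and CA file names are placeholders passed as arguments, and `chain_ok` is a hypothetical helper that checks `keytool -list -v` output after the import.

```shell
#!/bin/sh
# Added example, not from the original post. Only the alias "dunes" comes from
# the post; keystore paths and CA file names are placeholders passed as arguments.
# keytool prompts for keystore passwords, so none appear on the command line.
# DRY_RUN=1 prints each keytool command instead of running it.

kt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "keytool $*"; else keytool "$@"; fi
}

# Scenario 1, step 1: CSR from the existing private key (alias dunes).
scenario1_csr() {            # $1 = existing keystore, $2 = CSR file to write
    kt -certreq -alias dunes -keystore "$1" -file "$2"
}

# Scenario 1, step 2: import every CA certificate, root first, then the CA reply.
scenario1_import() {         # $1 = keystore, $2 = signed cert, $3... = CA certs
    ks=$1; signed=$2; shift 2
    n=0
    for ca in "$@"; do
        n=$((n + 1))
        # keytool prints each CA certificate and asks for confirmation
        kt -importcert -trustcacerts -alias "ca$n" -file "$ca" -keystore "$ks" || return 1
    done
    # Same alias as the key: replaces the self-signed certificate with the chain
    kt -importcert -alias dunes -file "$signed" -keystore "$ks"
}

# Scenario 2: new keystore from a PFX (PKCS#12) package holding key and chain.
scenario2_pfx() {            # $1 = PFX file, $2 = new keystore to create
    kt -importkeystore -srckeystore "$1" -srcstoretype PKCS12 -destkeystore "$2"
}

# Check: read `keytool -list -v` output on stdin and succeed only if a private
# key entry carries a chain of at least $1 certificates (server + all CAs).
chain_ok() {
    awk -v want="$1" '
        /^Entry type:/               { key = ($3 == "PrivateKeyEntry") }
        /^Certificate chain length:/ { if (key && $NF + 0 >= want) ok = 1 }
        END { exit !ok }'
}
```

With a 3-tier hierarchy, `keytool -list -v -keystore <keystore> | chain_ok 4` fails when any CA certificate is missing from the chain, which is the case where clients cannot build a path to the root.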
