We are going through the process of converting all self-signed certificates in our EHC environment to CA-signed certs. First we converted all of the vCenter Server certificates, available here, but then we were faced with updating the certificates used by the various other vRealize Suite components that integrate with vCenter.
vRealize Operations Manager was the first on the list of those components.
We needed to update the certificate for vR Ops itself, but we also needed to update the certificate that vR Ops uses for its connection to vCenter (which has been changed to CA-signed).
The environment consists of:
- vR Ops v6.1
- Single Node vR Ops Appliance
- No Load Balancer
- vCenter v5.5 Update 3a
Update vR Ops to CA-signed Certificate
Using the SSL Certificate Automation Tool, we selected the option to Generate Certificate Signing Request, and from there chose ‘Other Service’ as shown below.
We then entered the vR Ops details as required in order to generate the rui.csr and rui.key files, as shown below:
We followed the procedure as prescribed in VMware KB2044696, to generate the required CA-signed certificate. Some of the high level tasks included:
- Submit cert to domain CA-server
- Create chain from root and Intermediate certs
- Create PEM file with new cert, key, root and intermediate cert detail
One difference of note (different from the vCenter CA-Signed certs) is that the vR Ops CA-signed cert requires the inclusion of the content of the rui.key file in the final chain.pem file.
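As an added example (not part of the original post or of VMware's tooling), the Python below sanity-checks the assembled chain.pem before upload: exactly one private key, at least three certificates (server, intermediate, root), valid base64, and, because the file now contains rui.key, no group or world access. The function names, the minimum of three certificates and the treatment of a passphrase-protected key as a problem are assumptions; the sample blocks are constructed placeholders, not real certificates.

```python
import base64, os, re, stat

BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}

def check_bundle(text, min_certs=3):
    """Return a list of structural problems found in the text of a chain.pem."""
    problems, certs, keys = [], 0, 0
    for label, body in BLOCK.findall(text):
        lines = [l.strip() for l in body.splitlines() if l.strip()]
        # Legacy encrypted keys carry headers such as "Proc-Type: 4,ENCRYPTED".
        headers = [l for l in lines if ":" in l]
        try:
            base64.b64decode("".join(l for l in lines if ":" not in l), validate=True)
        except ValueError:
            problems.append(f"{label}: body is not valid base64")
        if label == "CERTIFICATE":
            certs += 1
        elif label in KEY_LABELS:
            keys += 1
            # Assumption: the appliance expects an unencrypted key.
            if label.startswith("ENCRYPTED") or any("ENCRYPTED" in h for h in headers):
                problems.append("private key is passphrase-protected")
        else:
            problems.append(f"unexpected block: {label}")
    if keys != 1:
        problems.append(f"expected 1 private key, found {keys}")
    if certs < min_certs:
        problems.append(f"expected at least {min_certs} certificates, found {certs}")
    return problems

def check_file(path, min_certs=3):
    """check_bundle plus a permission check, since the bundle holds rui.key."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    perms = [f"{path} is accessible by group/others (mode {mode:o})"] if mode & 0o077 else []
    with open(path) as fh:
        return perms + check_bundle(fh.read(), min_certs)

def make_pem(label, payload):
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

# Constructed placeholder blocks (not real DER), in the order the post lists them.
SAMPLE = (make_pem("CERTIFICATE", b"constructed vR Ops cert")
          + make_pem("RSA PRIVATE KEY", b"constructed rui.key")
          + make_pem("CERTIFICATE", b"constructed root")
          + make_pem("CERTIFICATE", b"constructed intermediate"))

if __name__ == "__main__":
    print(check_bundle(SAMPLE) or "bundle structure OK")
```

This only checks structure and file mode; it does not confirm that the key matches the certificate or that the chain validates.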
Once the PEM file was ready, we browsed to the vR Ops Admin UI and clicked the amber button in the top right-hand corner, as shown below.
We then selected Install New Certificate which prompted us to browse for the PEM file which we had created earlier.
Once uploaded, the PEM file is validated and installed to vR Ops. The end result is that we are then proud owners of a totally legit, CA-signed vR Ops, and have the official green padlock and paintwork to go with our new status of CA-signed citizens:
Updating the vCenter Server certificate in vR Ops
After we had updated the vCenter Server to a CA-signed cert, the vCenter adapter had ceased to pull metrics, so it meant that we had to update that connection in vR Ops.
When we tested the connection first, vR Ops informed us that a new certificate was available, but we couldn’t accept that certificate before first removing the existing certificate, as indicated below:
Removing the existing certificate is very easy. In the vR Ops UI, just navigate to Administration > Certificates and remove the previous vCenter certificate, as shown below:
Once the previous vCenter cert has been deleted, we could then go and update the connection with the new cert simply by clicking Test Connection on the vCenter Adapter Instance, as shown below:
Once that succeeds, save the new settings and that’s that.
Interestingly, the vCenter Adapter instance required for the EMC Storage Analytics Adapter did NOT need to be updated.
Other vRealize products that integrate with vR Ops also should be considered at this stage, such as:
- vRealize Automation
- vR Ops Health Badges via vRA Metrics Provider (no update required in vRA)
- vR Ops Management Pack
- Log Insight
- Launch In Context
- vRealize Business
- vR Ops Server Connection
- vRealize Orchestrator
- vR Ops Solution & Workflow package (if in use)
Each of these products integrates with vR Ops for one reason or another and may need to be updated to connect to vR Ops using the new CA-signed certificate.