One of my customers was recently replacing the SSL certificates on a private cloud environment based on vRA version 6.2.3. It was the first time they were doing this, so he had done his research, going through various blogs on the internet on how to go about the replacement. When he tried to lay down the steps based on that reading, he was even more confused, because the blogs differed by at least a step in the overall certificate replacement process. That is when he involved me and I looked into it.
vRA (or I should say vCAC) 6.0, 6.1 and in fact 6.2.0 were released quite some time back, and hence there are a lot of blog posts written with respect to those versions (of course 6.2 was not released then). Mind you, a lot of blog posts use the term vCAC 6, so that does not mean that ALL the steps are going to work for your 6.2.3 or 6.2.4 version of vRA.
Then we decided to fall back to the trusted pubs.vmware.com, and there it becomes really important to check which version of the documentation you are looking at, since 6.0, 6.1 and 6.2 documentation are all available.
OK, so the first lesson learnt: ensure whatever you are reading on the internet is right, and validate it against the version that you are working on.
In a nutshell, the process we followed to get the certificates replaced came from http://pubs.vmware.com/vra-62/index.jsp#com.vmware.vra.install.doc/GUID-F493819D-D4FB-4854-BEC4-295388BB6EF7.html which clearly shows you the flow of the certificate changes. I am not going through each and every step, as the VMware documentation link above tells you exactly what you are supposed to do. I will try to fill in the other interesting details.
PRO TIP: Don't skip steps in the pubs, and if you are referencing KB articles, don't hop, skip and jump lines in the Knowledge Base articles -> another lesson learnt!
As the documentation mentions, you start with the Identity Appliance and then you inform the vRA Appliance (that is, re-establish trust between the Identity Appliance and the vRA Appliance) to let it know about the change in the certificate on the Identity Appliance.
So in essence there are two parts to the whole certificate replacement:
- Replace the actual certificate, using the key and the certificate itself
- Re-establish trust among the various other components.
In a distributed setup, update all the components of the same type first and then go for the trust re-establishment.
It is point #2 which caused a lot of confusion (prior to us reading the official VMware documentation). The confusion was due to the fact that the steps are different for 6.1 and 6.2, so take note of the versions involved.
For versions 6.2.x, after replacing the certificates on the vRealize Automation Appliance and updating the SSO registration for the vRealize Automation Appliance, we update the IaaS servers with the vRealize Automation Appliance certificate (that is, re-establish trust between the vRA appliances and the IaaS components) by running vcac-config.exe from the server running the Model Manager Data component, with the UpdateServerCertificates argument.
The command for 6.2.x is “vcac-config UpdateServerCertificates -d <name of the vRA Database> -s <FQDN of the SQL Server hosting the vRA DB> -v”, as compared to 6.1 where you use the “DownloadRootCertificates” argument with vcac-config.exe.
P.S.: In vRA 6.2.3 you will not find the “DownloadRootCertificates” argument if you run the “vcac-config.exe help” command.
At this point, my attention was drawn to VMware KB article http://kb.vmware.com/kb/2110207, which lists the steps for re-establishing the trust very clearly.
I would highly recommend that you read the KB article fully, at least twice, just to make sure you fully understand the sequence of steps, because all of them are really important.
Since it is a distributed environment, you will have to run these commands on all the nodes of the same type, hence I would recommend (a wise guy told me to do this) that you copy those commands into Notepad and fill in the requested details, so that you can just copy and paste them into the command prompt of each IaaS node.
P.S.: You don't need to run the last command in step #11, the one with a note saying it is specifically for 6.0 and NOT for 6.2.3.
After the iisreset and the reboot of the appliances and IaaS boxes, I went back to the documentation at http://pubs.vmware.com/vra-62/index.jsp#com.vmware.vra.install.doc/GUID-F493819D-D4FB-4854-BEC4-295388BB6EF7.html to make sure I updated the other certificates, such as the VAMI certificates for the Identity and vRA appliances.
Once that is done successfully, we are all set for another year with a clean set of SSL certs across the board 🙂
I ran into a couple of other issues, such as creating the certificate chain, so it is important that you create the certificate chain in the right order, which is:
- Server Certificate signed by the Intermediate CA
- Intermediate Certificate
- Root Certificate.
Although this is mentioned clearly in the documentation, we missed it too, so I wanted to make sure you guys don't miss it.
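As an added illustration (my own script, not part of VMware's documentation or of the original post), here is a POSIX shell script that generates a throwaway three-tier test PKI with openssl, concatenates the PEM files in the order listed above, and checks a bundle before you paste it into the appliance: every certificate must be issued by the one that follows it, and the bundle must end at the self-signed root, so a reversed bundle or one that stops at the intermediate is rejected. The CA names, the hostname vra.example.test and the WORK directory are constructed for the demo and are not from the page.

```shell
#!/bin/sh
# Added example, not from the original post or from VMware: build a PEM chain
# in the order server -> intermediate -> root and check that order before the
# bundle is uploaded. Uses only openssl and POSIX tools. The PKI generated
# below is constructed test data (throwaway keys, demo names).
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Generate a throwaway root CA, intermediate CA and server certificate.
make_test_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:vra.example.test\n' > "$WORK/server.ext"

  # Root: self-signed.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/root.key" \
    -out "$WORK/root.csr" -subj "/CN=Demo Root CA" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -days 30 -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null

  # Intermediate: signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/intermediate.key" \
    -out "$WORK/intermediate.csr" -subj "/CN=Demo Intermediate CA" 2>/dev/null
  openssl x509 -req -in "$WORK/intermediate.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -days 30 -extfile "$WORK/ca.ext" \
    -out "$WORK/intermediate.pem" 2>/dev/null

  # Server: signed by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
    -out "$WORK/server.csr" -subj "/CN=vra.example.test" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/intermediate.pem" \
    -CAkey "$WORK/intermediate.key" -CAcreateserial -days 30 \
    -extfile "$WORK/server.ext" -out "$WORK/server.pem" 2>/dev/null
}

# Concatenate certificates into a bundle, in the order given on the command line.
build_chain() {
  out="$1"; shift
  cat "$@" > "$out"
}

# Return 0 if every certificate in the bundle is issued by the one that follows
# it and the last certificate is self-signed (the root); otherwise return 1.
chain_order_ok() {
  bundle="$1"
  parts=$(mktemp -d)
  # Split the bundle into cert1.pem, cert2.pem, ... in file order.
  awk -v dir="$parts" '/-----BEGIN CERTIFICATE-----/ {n++} n>0 {print > (dir "/cert" n ".pem")}' "$bundle"
  count=$(ls "$parts" | wc -l | tr -d ' ')
  [ "$count" -gt 0 ] || { rm -rf "$parts"; return 1; }
  i=1
  while [ "$i" -le "$count" ]; do
    issuer=$(openssl x509 -noout -issuer -in "$parts/cert$i.pem" | sed 's/^issuer=//')
    if [ "$i" -lt "$count" ]; then
      next=$((i + 1))
    else
      next=$i   # last certificate must be its own issuer
    fi
    subject=$(openssl x509 -noout -subject -in "$parts/cert$next.pem" | sed 's/^subject=//')
    if [ "$issuer" != "$subject" ]; then
      echo "order problem at certificate $i: issuer '$issuer' != next subject '$subject'" >&2
      rm -rf "$parts"
      return 1
    fi
    i=$((i + 1))
  done
  rm -rf "$parts"
  return 0
}

# Let openssl build and verify the path for the leaf against the trusted root,
# with the bundle supplying the untrusted intermediates (as a TLS client does).
verify_chain() {
  bundle="$1"; root="$2"; leaf="$3"
  openssl verify -CAfile "$root" -untrusted "$bundle" "$leaf" >/dev/null 2>&1
}

# Demo run: build a correct bundle and a reversed one, then check both.
make_test_pki
build_chain "$WORK/good-chain.pem" "$WORK/server.pem" "$WORK/intermediate.pem" "$WORK/root.pem"
build_chain "$WORK/bad-chain.pem" "$WORK/root.pem" "$WORK/intermediate.pem" "$WORK/server.pem"
for chain in good-chain bad-chain; do
  if chain_order_ok "$WORK/$chain.pem"; then
    echo "$chain.pem: order OK"
  else
    echo "$chain.pem: order WRONG"
  fi
done
```

Run it against your own bundle with `chain_order_ok /path/to/chain.pem` after sourcing the script; the issuer/subject comparison uses the exact DN text openssl prints, so it also flags a chain built from an intermediate of the wrong CA, not just a wrong order.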
Hope this helps!