Securing vRO with a CA SSL Certificate

This post includes information to change the default SSL self-signed cert in a highly available configuration of vRO 6.x Appliances (Not tested on 7.x), using CA issued SAN certs or similar.

Many times, especially in enterprise environments, securing communications to the vRO server(s)  is mandatory to comply with security standards. Self-signed certificates are then replaced with SAN certs issued by a CA. There is a trick to this, and I found numerous articles for this process but fell short every time with the configurator service not allowing connections.

It's actually really simple, but I've found disjointed pieces of references everywhere and I found they lacked cohesion. Hopefully I haven't made the mistake below, but ultimately, I use this page for my own reference :-)

  1. If you've configured a vRO cluster, shut down the other nodes first. You'll need to repeat this process below for each node.
  2. SSH into your appliance and stop the vRO (vco) service:
    service vco-server stop
  3. Get into the correct directory:
    cd /etc/vco/app-server/security
  4. Back up your jssecacerts file
    cp jssecacerts jssecacerts-backup
  5. Remove the existing dunes alias
    keytool -keystore jssecacerts -delete -alias dunes -storepass dunedunes
  6. SCP or SFTP your PFX (.pfx) cert and your root cert (.cer) into a directory on the appliance - you can create one on the root as follows:
    /vrealize-certs/
  7. Import your root cert to the keystore
    keytool -import -alias root -keystore jssecacerts -trustcacerts -file "/vrealize-certs/<Root cert name>.cer"
  8. Import your CA cert into the keystore
    keytool -importkeystore -srckeystore "/vrealize-certs/<CA cert name>.pfx" -srcstoretype pkcs12 -srcstorepass <passphrase for CA cert> -deststoretype jks -destkeystore jssecacerts -deststorepass dunesdunes
    Note: When you run the above command, an alias for the import is output in the window. This alias is what you will use in the next command.
  9. Rename the above alias into "dunes" so that vRO understands it
    keytool -changealias -alias "<alias name here>" -destalias "dunes" -keystore jssecacerts -storetype jks -storepass dunesdunes
  10. Now, we need to ensure that the password to the keystore is "dunesdunes" so that vRO can access it.
    keytool -keypasswd -keystore /etc/vco/app-server/security/jssecacerts -alias dunes
    • First prompt, enter the password:
      dunesdunes
    • 2nd prompt, enter the passphrase you used in step 8. above
    • 3rd prompt, again, enter the password:
      dunesdunes
    • Final prompt, confirm the password:
      dunesdunes
  11. Assign ownership to vco user
    chown vco:vco "/etc/vco/app-server/security/jssecacerts"
  12. If HA, shut down this appliance and start the same process on the next appliance. Otherwise, reboot this appliance and you're done.

Hopefully the above helps you. It's certainly already helped me as reference material.