How to replace the vRealize Orchestrator appliance certificate

After a lot of struggling in the past I finally found a dummy proof way to replace the vRealize Orchestrator (vRO) appliance certificate that works every time. The official documentation for replacing the certificate of the vRO appliance with a CA signed certificate is not so clear, so I hope this helps a bit.


Lets get started!

To create the certificate request first download OpenSSL for Windows and install it in the default location : C:\OpenSSL-Win64

After OpenSSL is installed create the certificate configuration file : C:\OpenSSL-Win64\Certs\rui.cfg and add the following information. Change the marked values starting and ending with % to your own specification.

Next we need to create the PFX file that we are going to import in vRO.

Open a command prompt and run the following commands :

Now we can submit the Certificate Request to the Certificate Authority (CA).


Save the generated certificate as a base64 file : C:\OpenSSL-Win64\Certs\rui.cer
Save the CA certificate as a base64 file : C:\OpenSSL-Win64\Certs\ca.cer
Save the optional Intermediate CA certificate as a base64 file : C:\OpenSSL-Win64\Certs\intca.cer

Then run the following command :

Note : Be sure to use the passphrase “dunesdunes” or change the passphrase in the examples below!

Now upload your brand spanking new PFX file called C:\OpenSSL-Win64\Certs\rui.pfx to the vRO appliance in the folder /tmp.

SSH with your favourite SSH client to the vRO appliance and run the following commands :

A list of certificates is shown, replace “1” in the command below with the alias from the list of certificates containing the “PrivateKeyEntry” entry.

After your vRO appliance has been rebooted open your browser and point it to https://%fqdn%:8281 an voila no more certificate warnings.

But even after you replaced the certificate on the vRO appliance and you log in through the vRO client a warning still appears.


The reason for this is that the vRO client uses a local keystore which doesn’t know / trusts the new CA signed certificate.

You can fix this by logging onto the client and stop the Orchestrator client.
Back up the jssecacerts file, located at :
C:\Program Files\VMware\Orchestrator\jre\bin\jre\lib\security\jssecacerts

Now you have to create a new chain that includes the client, CA and possible CA Intermediate certificates. Go to the server where the base64 certificates are located from the previous steps, open a command prompt and run these commands.

Copy the clientchain.pem file to the machine where you have the vRO client installed in the folder C:\Program Files\VMware\Orchestrator\jre\bin. Now on the machine with the vRO client open a command prompt and run these commands to add the certificate to the local keystore :

Happy developing 🙂 !

Many thanks to Sky Cooper for his excellent post about importing the PFX file in vRO.

Marco van Baggum

Marco works as a Staff Consulting Architect at VMware. Want to learn more about Marco? Check out Marco's About page.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.