vOrchestrator Appliance SSL certificates

I’ll start out with an easy one…

So I ran into a snag changing the SSL certificates on the vOrchestrator appliance. Our internal CA does not support the encryption that the appliance uses to generate the certificate when you use the web interface.

It turns out that VMware has some nice documentation on how to do this, but if you just want the quick and dirty steps on how to update the certificate for the client and for the web views, here you go:

Connect to the appliance using SSH.

Generate the keystore:

/opt/vmo/jre/bin/keytool -genkey -alias mySslCertificate -keyalg RSA -keystore vorchestrator.key -keysize 2048 -sigalg SHA512withRSA

Give it a simple password; you will be putting this password in clear text in some config files…

Generate the certificate request:

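/opt/vmo/jre/bin/keytool -certreq -alias mySslCertificate -file vorchestrator.csr -keystore vorchestrator.key

Values for the certificate's name fields, in the order keytool prompts for them when the key is generated:

vorchestrator.yourdomain.local

Your department

Your company

Your city

Your state

Your country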

Get the certificate signed by your CA and scp the certificate, as well as the ones for the CAs in the chain, to the appliance. I put the files in /opt.

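Import the root certificate. Each CA certificate needs its own alias: without -alias, keytool uses the default alias "mykey", and the second import fails because that alias already exists. The alias names used here are arbitrary.

/opt/vmo/jre/bin/keytool -import -alias root -keystore vorchestrator.key -trustcacerts -file root.cer

Import any intermediate signing entities:

/opt/vmo/jre/bin/keytool -import -alias intermediate -keystore vorchestrator.key -trustcacerts -file ipsec.cer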

Import the server certificate:

/opt/vmo/jre/bin/keytool -import -alias mySslCertificate -keystore vorchestrator.key -trustcacerts -file vorchestrator.cer

Edit the Orchestrator Client web services config file:

vi /opt/vmo/app-server/server/vmo/conf/jboss-service.xml

Find the keystore lines in the config file and change to this:

<attribute name="KeyStoreURL">/opt/vorchestrator.key</attribute>
<attribute name="KeyStorePass">your keystore password</attribute>

Edit the Web Views config file:

vi /opt/vmo/app-server/server/vmo/deploy/jboss-deploy-tomcat/jbossweb-tomcat55.sar/server.xml

Find the keystore lines in the config file and change to this:


Reboot the appliance and enjoy your new signed environment.
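
A check worth running after the imports and before the reboot, as an added example that is not part of the original post: it reads the `keytool -list -v` listing for the mySslCertificate alias and fails if the entry is still the self-signed certificate from -genkey or has no CA chain attached. The function name check_entry and both sample listings are constructed for illustration, and the entry-type labels are assumed from standard keytool output.

```shell
#!/bin/sh
# Added example (not from the original post). Pipe in the text printed by:
#   /opt/vmo/jre/bin/keytool -list -v -alias mySslCertificate -keystore /opt/vorchestrator.key
# Assumption: keytool labels the entry "PrivateKeyEntry" (older JREs: "keyEntry").
check_entry() {
    awk '
        /^Entry type:/               { type = $3 }
        /^Certificate chain length:/ { len = $4 + 0 }
        /^Owner:/  && owner == ""    { owner = substr($0, 8) }   # first certificate only
        /^Issuer:/ && issuer == ""   { issuer = substr($0, 9) }
        END {
            bad = 0
            if (type != "PrivateKeyEntry" && type != "keyEntry") {
                print "FAIL: alias is not a private key entry: " type; bad = 1 }
            if (len < 2) {
                print "FAIL: chain length " (len + 0) ", CA chain not attached"; bad = 1 }
            if (owner == issuer) {
                print "FAIL: first certificate is still self-signed"; bad = 1 }
            if (!bad) print "OK: " owner " (chain length " len ")"
            exit bad
        }'
}

# Constructed, abridged sample: the entry after the CA-signed certificate was imported.
SAMPLE_SIGNED='Alias name: mysslcertificate
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=vorchestrator.yourdomain.local, OU=Your department, O=Your company
Issuer: CN=Example Issuing CA
Certificate[2]:
Owner: CN=Example Issuing CA
Issuer: CN=Example Root CA'

# Constructed, abridged sample: the same alias while it still holds the -genkey certificate.
SAMPLE_SELF_SIGNED='Alias name: mysslcertificate
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=vorchestrator.yourdomain.local, OU=Your department, O=Your company
Issuer: CN=vorchestrator.yourdomain.local, OU=Your department, O=Your company'

printf '%s\n' "$SAMPLE_SIGNED"      | check_entry
printf '%s\n' "$SAMPLE_SELF_SIGNED" | check_entry || true
```
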
