
Replacing expired vRO/vCO SSL certificate (2141912)



  • VMware vRealize Automation (vRA) is unable to connect to vRealize Orchestrator (vRO)/vCenter Orchestrator (vCO).
  • You see that the SSL certificate in vRO/vCO has expired.


This article provides:
  • Information on importing .pfx and .pem files to replace existing expired SSL certificates.
  • Steps to confirm that the new certificate is properly imported.


To replace the expired SSL certificate:

Note: Take a backup of the vRO/vCO appliance.

  1. Connect to the vRO/vCO appliance using SSH.

    Note: If vRO/vCO was installed on a Windows server, connect to the server through RDP and open Command Prompt with administrator privileges.

  2. Import the private key into the vRO jssecacerts keystore by running this command:

    keytool -importkeystore -srckeystore "custom.pfx" -srcstoretype pkcs12 -srcstorepass dunesdunes -deststoretype jks -destkeystore "/etc/vco/app-server/security/jssecacerts" -deststorepass dunesdunes

  3. Change the imported private key alias to dunes by running this command:

    keytool -changealias -alias "IMPORTED_CERTIFICATE_ALIAS" -destalias "dunes" -keystore "/etc/vco/app-server/security/jssecacerts" -storetype jks -storepass dunesdunes

  4. Change the imported private key entry password to match the vRO jssecacerts keystore password dunesdunes by running this command:

    keytool -keypasswd -keystore jssecacerts -alias dunes

    1. Enter keystore password: dunesdunes
    2. Enter key password for <dunes>: <certkeypass>
    3. New key password for <dunes>: dunesdunes
    4. Re-enter new key password for <dunes>: dunesdunes

  5. Verify the new certificate is imported properly by running this command:

    keytool -keystore jssecacerts -v -list -alias dunes

    1. Verify that the certificate Entry type is PrivateKeyEntry.
    2. Verify that the certificate is valid and that the thumbprint matches the expected one.
    3. Confirm that the keypasswd of the dunes private key is correct (dunesdunes) by generating a certificate signing request with this command:

      keytool -keystore jssecacerts -certreq -alias dunes -v

      1. Enter keystore password:
      2. Enter key password for <dunes>:
      3. You see a new Certificate Request being generated.
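
The checks in step 5, as an added example that is not part of the VMware article: a shell function that reads `keytool -v -list` output and fails unless the entry is a PrivateKeyEntry, the leaf certificate is inside its validity window, and a fingerprint matches the expected one. The function names, the sample listing and the choice to ignore the time-zone name in the dates are assumptions made here.

```shell
# Added example. Reads `keytool -list -v` text on stdin and applies the step 5 checks.
# Real use: keytool -keystore jssecacerts -storepass dunesdunes -v -list -alias dunes \
#             | check_dunes_entry "<expected thumbprint>"
check_dunes_entry() {
    # $1 = expected thumbprint (SHA1 or SHA256; colons and case are ignored)
    # $2 = "now" as YYYYMMDDhhmmss; defaults to the current UTC time
    want=$(printf '%s' "$1" | tr -d ': ' | tr 'a-f' 'A-F')
    now=${2:-$(date -u +%Y%m%d%H%M%S)}
    awk -v want="$want" -v now="$now" '
        # "Thu Jan 02 00:00:00 UTC 2025" -> 20250102000000 (zone name ignored: assumption)
        function stamp(s,    f, t, m) {
            split(s, f, " "); split(f[4], t, ":")
            m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", f[2]) + 2) / 3
            return sprintf("%04d%02d%02d%02d%02d%02d", f[6], m, f[3], t[1], t[2], t[3])
        }
        /^Certificate\[/ { cert++ }      # only the leaf, Certificate[1], is checked
        /^Entry type:/   { type = $3 }
        cert <= 1 && /^Valid from: / {
            sub(/^Valid from: /, ""); split($0, v, " until: ")
            from = stamp(v[1]); till = stamp(v[2])
        }
        cert <= 1 && /^[ \t]*(MD5|SHA1|SHA256):/ {
            fp = toupper($2); gsub(/:/, "", fp)
            if (fp == want) fp_ok = 1
        }
        END {
            if (type != "PrivateKeyEntry") { print "FAIL: entry type is " type; bad = 1 }
            if (!(from + 0 <= now + 0 && now + 0 < till + 0)) { print "FAIL: outside validity window"; bad = 1 }
            if (!fp_ok) { print "FAIL: thumbprint does not match"; bad = 1 }
            if (!bad) print "OK: PrivateKeyEntry, valid, thumbprint matches"
            exit bad + 0
        }'
}

# Constructed sample listing (not real output from any appliance).
sample_listing() {
    cat <<'EOF'
Alias name: dunes
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=vro.example.test
Issuer: CN=Example Test CA
Valid from: Thu Jan 02 00:00:00 UTC 2025 until: Sat Jan 02 00:00:00 UTC 2027
Certificate fingerprints:
     SHA1: 01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67
EOF
}
```

A trustedCertEntry under the dunes alias fails the first check, which is the case where only the certificate was imported without its private key.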

