Search the VMware Knowledge Base (KB)
View by Article ID

Configuring SAN certificates for vRA instances where the IaaS server domain names differ from the load balancer domain (2150346)

  • 2 Ratings


In some configurations the domain portion of the IaaS server's individual FQDNs differ from the load balancing FQDN. In such case, when generating the certificate for the web server role, the certificate should contain both the load balancing FQDN and the server's FQDNs as Subject Alternative Names.
On some occasions, a SAN certificate cannot be generated and a wildcard certificate representing only the domain of the load balancing FQDN must be used.

For Example:

vRealize Automation Appliance FQDN:
vRealize Automation Appliance LB FQDN:
vRealize Automation Web Server FQDN:
vRealize Automation Web Server LB FQDN:
Certificate Subject CN: *


The certificate used for Web Server load balancing should contain FQDNs of all the web servers present in the configuration as described. For more information, refer to Certificate Trust Requirements in a Distributed Deployment section of Installing or upgrading vRealize Automation 7.2 Guide .


This issue can be resolved by changing the Primary DNS Suffix of each Web server while preserving domain membership. While the proposed solution is assuming there is Microsoft Active Directory in use, it may successfully be applied against other LDAP solutions. For more information consult the documentation of your LDAP solution.

To resolve this issue:
  1. Create DNS entries for each web server in the DNS zone responsible for the domain for which the certificate was issued

    For example:
  2. If vRA Management Agents are installed on the web server machines, uninstall each one of them.
  3. Edit the msDS-AllowedDNSSuffixes attribute in the domain object container in Active Directory so that it includes the domain the load balancing FQDN belongs to. For example:

    For more information, see the Microsoft TechNet article Configure the Primary DNS Suffix for a client Computer.

  4. Change the DNS suffix search list to include the domain the load balancing FQDN belongs to. For example:

    For more information, see the Microsoft TechNet article Create a Disjoint Namespace

  5. Change the default DNS Suffix of each Web server machine. For example:

    For more information, see the Microsoft TechNet article Configure the Primary DNS Suffix for a Client Computer.

  6. Install vRA Management Agent on each web server.
  7. Confirm that the new Management Agent installations report to vRA appliances with updated FQDNs by either going to VAMI > Cluster or to the Installation Prerequisites page on the Installation Wizard.
  8. Import the certificate for the Web role.

Additional Information

To be alerted when this article is updated, click Subscribe to Document in the Actions box.

Request a Product Feature

To request a new product feature or to provide feedback on a VMware product, please visit the Request a Product Feature page.


  • 2 Ratings

Did this article help you?
This article resolved my issue.
This article did not resolve my issue.
This article helped but additional information was required to resolve my issue.

What can we do to improve this information? (4000 or fewer characters)

Please enter the Captcha code before clicking Submit.
  • 2 Ratings