Manually generated certificate request for vRealize Automation in VMware Cloud Foundation

VMware Cloud Foundation has a really neat certificate authority integration feature that makes the management of certificates much easier than it is in a normal VMware environment. However, this integration has its limitations:

  • Only Microsoft Certificate Authority is supported
  • Only basic authentication with Microsoft Certificate Authority is supported – if you require Kerberos authentication then that doesn’t work

Therefore, if you need to use certificates from a public certificate authority or require Kerberos authentication, the generation of certificates is a more manual process. Thankfully it is not as manual as usual, so there is no need to use OpenSSL.

SSH to SDDC Manager and log in as the vcf user

Enter su and enter the root password

Navigate to the following directory (operationsmanager in the path is correct)

/opt/vmware/vcf/operationsmanager/scripts/cli

Run the following command:

./generate_certificate.sh

Enter 1 to generate the CSR

Press enter to accept default resource type (vra)

Enter the information for the certificate request; country, state etc.

Enter the VIP FQDN for vRA

Take care in the next section to add all of the subject alternate names correctly, as it is very frustrating when you come to validate the install of vRA in SDDC Manager and find that one of the FQDNs doesn’t match an entry in the certificate.

Once complete type ‘done’ as the final subject alternate name

Enter the file path to create the private key file (defaults to /tmp/private_key.pem)

Enter the file path to create the CSR file (defaults to /tmp/csr.pem)

Change the ownership and permissions of the files so that the vcf user can download them (the owner will be root). The commands below make vcf the owner and keep the private key unreadable by any other account on the appliance:

chown vcf /tmp/private_key.pem /tmp/csr.pem
chmod 600 /tmp/private_key.pem
chmod 644 /tmp/csr.pem

Download the files from the SDDC Manager via the scp client of your choice

Use the CSR file to create the certificate using the ‘vmware’ template as detailed in the VMware Cloud Foundation documentation. The certificate should be downloaded in Base64 format as should the certificate chain.

Using the text editor of your choice create a new file. This file should contain the certificate, any intermediate certificates and the root certificate in the following order:

  • vRA certificate
  • Intermediate certificate
  • Root certificate

The easiest way to determine which is which is that the vRA certificate will be the largest, the intermediate the next largest and the root certificate the smallest

Use the contents of this file during the deployment of vRA within SDDC Manager
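Before pasting the bundle into SDDC Manager, the order and the subject alternative names can be checked rather than judged by size. The following is an added example, not part of the original post or of VMware's tooling: it uses OpenSSL for verification only, and the function names are hypothetical.

```shell
# Added example: check a PEM bundle ordered leaf, intermediate(s), root.
# It compares issuer and subject names only; it does not verify signatures.

# Split bundle $1 into cert-1.pem, cert-2.pem, ... inside directory $2.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$1"
}

# Print one name field ("subject" or "issuer") of certificate file $1.
cert_field() {
    openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed "s/^$2=//"
}

# Return 0 when every certificate in bundle $1 names the certificate after it
# as its issuer and the last one is self-issued (the root); 1 on a wrong
# order, 2 when no certificate was found.
check_chain_order() {
    tmp=$(mktemp -d) || return 2
    split_bundle "$1" "$tmp"
    i=1; rc=0
    [ -f "$tmp/cert-1.pem" ] || rc=2
    while [ -f "$tmp/cert-$i.pem" ]; do
        next="$tmp/cert-$((i + 1)).pem"
        [ -f "$next" ] || next="$tmp/cert-$i.pem"   # last entry must issue itself
        if [ "$(cert_field "$tmp/cert-$i.pem" issuer)" != "$(cert_field "$next" subject)" ]; then
            echo "position $i: issuer does not match the next certificate's subject" >&2
            rc=1
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return $rc
}

# Return 0 when the first certificate in bundle $1 lists FQDN $2 as a DNS SAN.
leaf_has_san() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tr ',' '\n' |
        sed 's/^ *//' | grep -Fqx "DNS:$2"
}
```

After sourcing the file, run check_chain_order against the combined file and leaf_has_san once per FQDN that SDDC Manager will validate (the VIP and each vRA node).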

Manually uploading product bundles to vRealize Lifecycle Manager

Under most circumstances product binaries for vRealize Lifecycle Manager can be downloaded directly (or via a proxy) from my.vmware.com. However, where internet connectivity is not available there is a method by which a local repository can be used. This post outlines the steps required to achieve this.

Firstly, download the relevant (and supported by vRLCM) OVA file from my.vmware.com

SSH to the vRLCM server and create a new directory into which the OVA files will be stored, for example:

mkdir /data/binaries/OVA

Upload the OVA files downloaded previously to this directory. The example below uses pscp to upload vRealize Log Insight 4.8, but other methods such as WinSCP are absolutely fine.

pscp c:\temp\ovafilename.ova root@FQDN:/data/binaries/OVA

Wait until the OVA file has uploaded successfully

Log in to the UI of vRealize Lifecycle Manager, navigate to Settings > Product Support and click Add Binaries.

Ensure that ‘local’ is selected as the location type and then enter the path to the OVAs that was created previously.

Click the Discover button and then select the products that you want to add to vRLCM and then click Add.

The mapping of product binaries then takes place

Once complete the product will be shown under product binaries and can then be used to deploy into an environment