Manually generated certificate request for vRealize Automation in VMware Cloud Foundation

VMware Cloud Foundation has a really neat certificate authority integration feature that makes the management of certificates much easier than it is in a normal VMware environment. However, this integration has its limitations:

  • Only Microsoft Certificate Authority is supported
  • Only basic authentication with Microsoft Certificate Authority is supported – Kerberos authentication does not work

Therefore, if you need to use certificates from a public certificate authority or require Kerberos authentication, the generation of certificates is a more manual process. Thankfully it is not as manual as usual, so there is no need to use OpenSSL.

SSH to SDDC Manager and log in as the vcf user

Enter su and enter the root password

Navigate to the following directory (operations manager is correct)


Run the following command:


Enter 1 to generate the CSR

Press enter to accept default resource type (vra)

Enter the information for the certificate request; country, state etc.

Enter the VIP FQDN for vRA

Take care in the next section to add all of the subject alternate names correctly. It is very frustrating to reach the validation of the vRA install in SDDC Manager and find that one of the FQDNs doesn’t match an entry in the certificate.

Once complete type ‘done’ as the final subject alternate name

Enter the file path to create the private key file (defaults to /tmp/private_key.pem)

Enter the file path to create the CSR file (defaults to /tmp/csr.pem)

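Change the permissions on the files so that the vcf user can download them (the owner will be root). The commands below will grant (more than) the necessary permissions. Mode 777 leaves the private key readable and writable by every local account while it sits in /tmp, so remove both files from SDDC Manager once they have been downloaded: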

chmod 777 /tmp/private_key.pem
chmod 777 /tmp/csr.pem

Download the files from the SDDC Manager via the scp client of your choice

Use the CSR file to create the certificate using the ‘vmware’ template as detailed in the VMware Cloud Foundation documentation. The certificate should be downloaded in Base64 format, as should the certificate chain.

Using the text editor of your choice, create a new file. This file should contain the certificate, any intermediate certificates and the root certificate in the following order:

  • vRA certificate
  • Intermediate certificate
  • Root certificate

The easiest way to determine which is which is that the vRA certificate will be the largest, the intermediate the next largest and the root certificate the smallest.

Use the contents of this file during the deployment of vRA within SDDC Manager
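The order of the certificates in that file can also be derived from each certificate's issuer and subject instead of from file size. The script below is an added example, not part of the original post or of VMware's tooling. It uses only the Python standard library and assumes the CA encodes a name identically wherever it appears; it matches names only and does not verify signatures. The script and file names in the usage comment are hypothetical.

```python
import re
import ssl
import sys

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read the DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(pem):
    """Return the raw DER issuer and subject Names of one PEM certificate."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    _, pos, _ = _tlv(der, 0)        # Certificate ::= SEQUENCE
    _, pos, _ = _tlv(der, pos)      # TBSCertificate ::= SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                 # skip the optional [0] version field
        pos = end
    fields = []                     # serial, sigAlg, issuer, validity, subject
    for _field in range(5):
        _, _, end = _tlv(der, pos)
        fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def order_chain(bundle):
    """Return the PEM certificates in bundle ordered leaf, intermediate(s), root."""
    certs = PEM_RE.findall(bundle)
    names = {pem: issuer_and_subject(pem) for pem in certs}
    by_subject = {sub: pem for pem, (_, sub) in names.items()}
    issuers = {iss for iss, sub in names.values() if iss != sub}
    # The end-entity (vRA) certificate is the only one that issued nothing else.
    leaves = [pem for pem, (_, sub) in names.items() if sub not in issuers]
    if len(leaves) != 1:
        raise ValueError("expected exactly one end-entity certificate")
    chain = [leaves[0]]
    while names[chain[-1]][0] != names[chain[-1]][1]:   # stop at the self-signed root
        parent = by_subject.get(names[chain[-1]][0])
        if parent is None or parent in chain:
            raise ValueError("issuer of a certificate is missing from the bundle")
        chain.append(parent)
    if len(chain) != len(set(certs)):
        raise ValueError("bundle contains a certificate outside the chain")
    return chain

if __name__ == "__main__":
    # Usage (hypothetical file names): python order_chain.py downloaded.pem > vra_chain.pem
    with open(sys.argv[1]) as fh:
        print("\n".join(order_chain(fh.read())))
```

A ValueError means the downloaded files do not form a single chain up to a self-signed root, which is worth resolving before the contents are pasted into SDDC Manager.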