Hello,
I'm looking for some guidance on how to proceed with creating certificates for my vRA7 HA/distributed solution. I'm in the process of going through the installation wizard and I'm at the part where I need to deal with the vRA appliance certificates. I found a blog that provides a step-by-step installation of an enterprise deployment. He used a Windows CA and a vRealize Automation Identity appliance. He went through how to build a CA, get the templates set up and create the certs using OpenSSL. I've followed most of the instructions but I'm a little confused at this point.
Here is a link to the blog on creating the CA and issuing certs: http://open902.com/create-a-windows-enterprise-ca-and-issue-certificates-for-vra-and-other-vmware-products-with-examples…
Here is a link to the blog on deploying vRA7 enterprise: http://open902.com/vrealize-automation-7-enterprise-install/
I have a couple of questions:
1. Can I finish my deployment with self-signed certs, then replace the certs after the fact?
2. I like the idea of a single cert for all the components; the challenge is how I would achieve this in my deployment. The Identity appliance is built into vRA7 and (I think) I need to complete the installation wizard in order to use vIDM. So this leads me to believe I create self-signed certs (to complete the installation wizard deployment) and then replace all the certs using the procedures in the blog above.
3. Based on my deployment model below, I don't think I can follow the procedures listed above, and if I can, I'm really not sure how to pull this off.
Here is my deployment setup:
- Win-CA.domain.com (Windows CA Server)
- vra7-app01.domain.com (vRA7 appliance node 1)
- vra7-app02.domain.com (vRA7 appliance node 2)
- vra7-web-mgr01.domain.com (Windows, Web and Manager services node 1)
- vra7-web-mgr02.domain.com (Windows, Web and Manager services node 2)
- vra7-DEM01.domain.com (Windows, DEM services node 1)
- vra7-DEM02.domain.com (Windows, DEM services node 2)
- vra7-agent01.domain.com (Windows, Agents node 1)
- vra7-agent02.domain.com (Windows, Agents node 2)
- vra7-vro01.domain.com (Orchestrator appliance node 1)
- vra7-vro02.domain.com (Orchestrator appliance node 2)
- NSX Edge appliance configured as a load balancer
- vra7.domain.com (VIP for vRA7 appliances)
- web.domain.com (VIP for Web/Mgr servers)
- mgr.domain.com (VIP for Web/Mgr servers)
- vro.domain.com (VIP for Orchestrator appliances)
- windows workstation with OpenSSL installed
I'm probably overthinking this, but I'm reluctant to complete the deployment until I know for sure how to proceed with certificates.
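One way to prepare the "single cert for all components" from question 2, as an added example that is not part of the original post or the linked blog: generate one key and one CSR whose Subject Alternative Names cover every vRA7 node and load-balancer VIP listed above, then confirm the CSR really carries all of them before submitting it to the Windows CA. It assumes OpenSSL is on PATH and that a hypothetical output directory `./vra7-certs` is acceptable; every hostname is taken from the deployment list in the post.

```shell
#!/bin/sh
# Added example: one multi-SAN CSR for the whole vRA7 distributed deployment.
# Assumes OpenSSL on PATH; WORKDIR is a hypothetical output folder.
set -e

WORKDIR="${WORKDIR:-./vra7-certs}"
CN="vra7.domain.com"   # the vRA VIP, the name users actually browse to
# Every node FQDN and VIP from the deployment list (constructed from the post).
SAN_HOSTS="vra7.domain.com vra7-app01.domain.com vra7-app02.domain.com \
web.domain.com mgr.domain.com vra7-web-mgr01.domain.com vra7-web-mgr02.domain.com \
vra7-DEM01.domain.com vra7-DEM02.domain.com vra7-agent01.domain.com vra7-agent02.domain.com \
vro.domain.com vra7-vro01.domain.com vra7-vro02.domain.com"

# Write an OpenSSL request config with one DNS.n entry per host.
write_san_config() {
  cfg="$1"
  {
    printf '[req]\ndistinguished_name = dn\nreq_extensions = v3_req\nprompt = no\n'
    printf '[dn]\nCN = %s\n' "$CN"
    printf '[v3_req]\nkeyUsage = digitalSignature, keyEncipherment\n'
    printf 'extendedKeyUsage = serverAuth\nsubjectAltName = @alt_names\n'
    printf '[alt_names]\n'
    i=1
    for h in $SAN_HOSTS; do printf 'DNS.%d = %s\n' "$i" "$h"; i=$((i+1)); done
  } > "$cfg"
}

# Generate a 2048-bit RSA key plus CSR from that config; prints the CSR path.
make_csr() {
  mkdir -p "$WORKDIR"
  write_san_config "$WORKDIR/san.cnf"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORKDIR/vra7.key" -out "$WORKDIR/vra7.csr" \
    -config "$WORKDIR/san.cnf" 2>/dev/null
  echo "$WORKDIR/vra7.csr"
}

# Check: how many of the listed hosts appear as DNS SANs in the CSR?
# Submitting a CSR missing a VIP means a browser warning later, so verify now.
count_sans_in_csr() {
  csr="$1"; n=0
  sans=$(openssl req -in "$csr" -noout -text \
         | grep -A1 'Subject Alternative Name' | tail -n 1)
  for h in $SAN_HOSTS; do
    case "$sans" in *"DNS:$h"*) n=$((n+1));; esac
  done
  echo "$n"
}
```

Run `make_csr` and then `count_sans_in_csr ./vra7-certs/vra7.csr`; the count should equal the number of hosts in `SAN_HOSTS` (14) before you hand the CSR to the CA.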