
By Spas Kaloferov
In this post, we will take a look at how to change the Package Signing Certificate (PSC) in a vRealize Orchestrator appliance.
To change the PSC, let’s review a few steps first:
Issue a certificate to meet the company’s requirements. The certificate must have:
- Digital Signature and Key Encipherment Key Usage attributes
- Server Authentication Extended Key Usage attribute
- Assurance that the certificate has a private key
Use the keytool to:
- Create a new keystore; the keystore type must be JCEKS.
- Import the certificate into the keystore.
- Change the alias of the certificate to _dunesrsa_alias_.
- Generate a Security Key and place it in the keystore.
- Change the alias of the Security Key to _dunessk_alias_.
Use the Control Center interface to:
- Import the keystore you created.
- Restart the Orchestrator server.
Here is a screenshot of the original PSC certificate:

Changing the Package Signing Certificate
First, you must obtain a PFX Certificate Package (containing your PSC Certificate) issued from the Certificate Authority (CA).



Note that the certificate has the Digital Signature and Key Encipherment Key Usage attributes as shown above. It also has the Server Authentication Extended Key Usage attribute.
Copy the PFX certificate package to any Linux appliance.

Using the keytool utility, enter the following command to create a new keystore and import the PFX certificate package at the same time.
keytool -importkeystore -srckeystore "/etc/vco/app-server/security/rui.pfx" -srcstoretype pkcs12 -srcstorepass "dunesdunes" -deststoretype jceks -destkeystore "/etc/vco/app-server/security/psckeystore" -deststorepass "dunesdunes"

Enter the following command to change the alias of the certificate:
keytool -changealias -alias rui -destalias _dunesrsa_alias_ -keystore "/etc/vco/app-server/security/psckeystore" -storetype jceks -storepass "dunesdunes"
Next, enter this command to generate a security key:
keytool -genseckey -alias _dunessk_alias_ -keyalg DES -keysize 56 -keypass "dunesdunes" -storetype jceks -keystore "/etc/vco/app-server/security/psckeystore" -storepass "dunesdunes"
Notice I’ve used the DES algorithm and a key size of 56 in the above command, but you can also use the 3DES (DESede) algorithm and a key size of 168.
Enter the following command to list the contents of the store.
keytool -list -storetype jceks -keystore "/etc/vco/app-server/security/psckeystore"
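As an added example (not part of the original post), the following shell function checks the output of the list command above before you import the keystore: it confirms the store type is JCEKS and that both aliases exist with the expected entry types. The function names and the sample listing are constructed for illustration; the date and fingerprint in the sample are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: check `keytool -list` output
# for the entries the post's procedure is supposed to produce.
# Real use (path from the post; keytool prompts for the store password):
#   keytool -list -storetype jceks \
#     -keystore "/etc/vco/app-server/security/psckeystore" | check_psc_listing

# Reads a keytool listing on stdin. Returns 0 only when the store is JCEKS
# and holds both aliases with the expected entry types.
check_psc_listing() {
    listing=$(cat)
    rc=0
    if ! printf '%s\n' "$listing" | grep -qiE '^Keystore type:[[:space:]]*JCEKS[[:space:]]*$'; then
        echo "FAIL: keystore type is not JCEKS"; rc=1
    fi
    if ! printf '%s\n' "$listing" | grep -qE '^_dunesrsa_alias_,.*PrivateKeyEntry'; then
        echo "FAIL: _dunesrsa_alias_ is missing or is not a PrivateKeyEntry"; rc=1
    fi
    if ! printf '%s\n' "$listing" | grep -qE '^_dunessk_alias_,.*SecretKeyEntry'; then
        echo "FAIL: _dunessk_alias_ is missing or is not a SecretKeyEntry"; rc=1
    fi
    # Any other alias usually means the PFX alias (rui in the post) was never renamed.
    extra=$(printf '%s\n' "$listing" \
        | grep -E '(PrivateKeyEntry|SecretKeyEntry|trustedCertEntry),?[[:space:]]*$' \
        | cut -d, -f1 \
        | grep -vE '^(_dunesrsa_alias_|_dunessk_alias_)$' || true)
    if [ -n "$extra" ]; then echo "NOTE: other aliases present:" $extra; fi
    if [ "$rc" -eq 0 ]; then echo "OK: keystore listing matches the expected layout"; fi
    return "$rc"
}

# Constructed sample of a correct listing (date and fingerprint are placeholders).
sample_listing() {
    cat <<'EOF'
Keystore type: JCEKS
Keystore provider: SunJCE

Your keystore contains 2 entries

_dunessk_alias_, Feb 3, 2016, SecretKeyEntry,
_dunesrsa_alias_, Feb 3, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): 00:00:00:00 (constructed placeholder)
EOF
}

sample_listing | check_psc_listing
```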
Copy the keystore file to your Windows machine.
Open Control Center and navigate to Certificates > Package Signing Certificate.
Click Import > Import from JavaKeyStore file.
Browse the keystore file, and enter the password.

Click Import to import the certificate.
Go to Startup Options and restart the Orchestrator service.
Navigate back to Certificates > Package Signing Certificate.
You should now see the new certificate.

Open your vRealize Orchestrator appliance client, and navigate to Tools > Certificate Manager.

You should now see the certificate shown below. The common name can differ, but if you compare the thumbprints, the one shown here should match the private key entry in your keystore.

I hope this post was valuable in helping you learn how to change the Package Signing Certificate in a vRealize Orchestrator appliance. Stay tuned for my next post!
Spas Kaloferov is an acting Solutions Architect member of Professional Services Engineering (PSE) for the Software-Defined Datacenter (SDDC) – a part of the Global Technical & Professional Solutions (GTPS) team. Prior to VMware, Kaloferov focused on cloud computing solutions.