You can deploy the vCloud Director appliance with signed wildcard certificates. You can use these certificates to secure an unlimited number of servers that are subdomains of the domain name listed in the certificate.

By default, when deploying vCloud Director appliances, vCloud Director generates self-signed certificates and uses them to configure the vCloud Director cell for the HTTPS and console proxy communication.

When you successfully deploy a primary appliance, the appliance configuration logic copies the responses.properties file from the primary appliance to the common NFS shared transfer service storage at /opt/vmware/vcloud-director/data/transfer. Other appliances deployed for this vCloud Director server group use this file to configure themselves automatically. The responses.properties file includes the user.keystore.path property, which is the path to the SSL certificate keystore that holds the auto-generated self-signed certificates. By default, this path points to a keystore file that is local to each appliance.

After you deploy the primary appliance, you can reconfigure it to use signed certificates. For more information on creating the keystore with signed certificates, see Create and Import CA-Signed SSL Certificates to the vCloud Director Appliance.

If the signed certificates you use on the primary vCloud Director appliance are wildcard signed certificates, these certificates can apply to all other appliances in the vCloud Director server group, that is, standby cells and vCloud Director application cells. Because the keystore is shared through the transfer share, you can configure the additional cells with the same signed wildcard SSL certificates for HTTPS and console proxy communication when you deploy them.

Prerequisites

  • Verify that the keystore containing the signed wildcard SSL certificates for both HTTPS and console proxy aliases is available on the primary appliance, that is, /opt/vmware/vcloud-director/certificates.ks.
  • Verify that the password for the private keys within the keystore matches the password of the keystore. The keystore password must match the initial root password used when deploying all appliances. For example, to set the key password of an alias (replace http_or_consoleproxy with the HTTPS or console proxy alias) to the keystore password:
    /opt/vmware/vcloud-director/jre/bin/keytool -keypasswd -alias http_or_consoleproxy -keystore /opt/vmware/vcloud-director/certificates.ks -storetype jceks -storepass root-password

Procedure

  1. Copy the new certificates.ks file containing the CA-signed certificates from the primary appliance to the transfer share at /opt/vmware/vcloud-director/data/transfer/.
  2. Change the owner and the group of the keystore file to vcloud.
    chown vcloud.vcloud /opt/vmware/vcloud-director/data/transfer/certificates.ks
  3. Set the file permissions so that the owner has read and write access and users outside the vcloud group have no access.
    chmod 0750 /opt/vmware/vcloud-director/data/transfer/certificates.ks
  4. On the primary appliance, run the command to import the new signed certificates into the vCloud Director instance.

    This command also updates the responses.properties file in the transfer share, modifying the user.keystore.path variable to point to the keystore file in the transfer share.

    /opt/vmware/vcloud-director/bin/cell-management-tool certificates -j -p --keystore /opt/vmware/vcloud-director/data/transfer/certificates.ks --keystore-password root-password
  5. For the new signed certificates to take effect, restart the vmware-vcd service on the primary appliance.
    service vmware-vcd restart
  6. Deploy the standby cell and application cell appliances, using the initial root password that matches the keystore password.
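The following pre-flight script is an added example and is not part of the VMware documentation or product. It checks, before the import in step 4, that the keystore on the transfer share has the ownership and mode set in steps 2 and 3, and that each expected alias is a private-key entry whose key password equals the store password (the prerequisite above). The keytool and keystore paths are the ones named on this page; the alias names "http" and "consoleproxy" and the KS_PASSWORD environment variable are assumptions. The password is passed to keytool with its `:env` modifier so it does not appear in the process list.

```shell
#!/bin/sh
# Added example, not from the VMware documentation: pre-flight checks for the
# shared keystore before it is imported with cell-management-tool (step 4).
# Assumed values (override with environment variables): keytool and keystore
# paths as named on the page; aliases "http" and "consoleproxy"; the keystore
# password is taken from KS_PASSWORD rather than from the command line.

KEYTOOL="${KEYTOOL:-/opt/vmware/vcloud-director/jre/bin/keytool}"
KS="${KS:-/opt/vmware/vcloud-director/data/transfer/certificates.ks}"
ALIASES="${ALIASES:-http consoleproxy}"

# check_mode FILE: succeed only if the mode is 0750 or stricter, i.e. no
# group-write bit and no permission bits for "other". GNU stat prints the
# octal mode without a leading zero, so a plain file yields three digits.
check_mode() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        [0-7][0145]0) return 0 ;;
        *) return 1 ;;
    esac
}

# check_owner FILE USER: succeed only if FILE is owned by USER
# (the page requires the vcloud user on the transfer share).
check_owner() {
    owner=$(stat -c '%U' "$1" 2>/dev/null) || return 1
    [ "$owner" = "$2" ]
}

# check_alias ALIAS: succeed only if the keystore holds a private-key entry
# under ALIAS whose key password equals the store password. Generating a CSR
# to /dev/null exercises the key password without rewriting the keystore,
# unlike the -keypasswd command shown in the prerequisites.
check_alias() {
    "$KEYTOOL" -certreq -alias "$1" -keystore "$KS" -storetype jceks \
        -storepass:env KS_PASSWORD -keypass:env KS_PASSWORD \
        -file /dev/null >/dev/null 2>&1
}

# preflight: run every check and report each failure; returns non-zero if
# any check failed. The keytool checks are skipped when keytool is absent.
preflight() {
    rc=0
    check_mode "$KS" || { echo "FAIL: $KS is group-writable or world-accessible"; rc=1; }
    check_owner "$KS" vcloud || { echo "FAIL: $KS is not owned by vcloud"; rc=1; }
    if [ -x "$KEYTOOL" ]; then
        [ -n "${KS_PASSWORD:-}" ] || { echo "FAIL: KS_PASSWORD is not set"; return 1; }
        for a in $ALIASES; do
            check_alias "$a" || { echo "FAIL: alias '$a' missing, not a key entry, or key password differs from store password"; rc=1; }
        done
    else
        echo "SKIP: $KEYTOOL not found; alias and password checks not run"
    fi
    return $rc
}

# Run the checks only when invoked as "sh preflight.sh run", so the functions
# can also be sourced from another script.
if [ "${1:-}" = "run" ]; then
    preflight && echo "OK: keystore ready for cell-management-tool import"
fi
```

Run it on the primary appliance as `KS_PASSWORD='root-password' sh preflight.sh run` after step 3; a non-zero exit means at least one check failed and the import in step 4 should wait until it is fixed.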

Results

All newly deployed appliances that use the same NFS shared transfer service storage are configured with the same signed wildcard SSL certificates used by the primary appliance.