By default, the embedded PostgreSQL database and the VMware Cloud Director appliance management user interface share a set of self-signed SSL certificates. For increased security, you can replace the default self-signed certificates with certificate authority (CA) signed certificates.
When you deploy the VMware Cloud Director appliance, it generates self-signed certificates with a validity period of 365 days. The VMware Cloud Director appliance uses two sets of SSL certificates. The VMware Cloud Director service uses one set of certificates for HTTPS and the console proxy communications. The embedded PostgreSQL database and the VMware Cloud Director appliance management user interface share the other set of SSL certificates.
Note: The process of replacing the database and appliance management UI certificates does not affect the certificates for HTTPS and console proxy communications. Replacing one of the sets of certificates does not mean you must replace the other set.
Procedure
- Send the certificate signing request which is located at /opt/vmware/appliance/etc/ssl/vcd_ova.csr to the CA for signing.
- If you are replacing the certificate for the primary database, place all other nodes into maintenance mode to prevent the possibility of data loss.
- Replace the existing PEM-format certificate at /opt/vmware/appliance/etc/ssl/vcd_ova.crt with the signed certificate, obtained from your CA in Step 1.
- To pick up the new certificate, restart the vpostgres, nginx, and vcd_ova_ui services.
systemctl restart nginx.service && systemctl restart vcd_ova_ui.service
systemctl restart vpostgres.service
- If you are replacing the certificate for the primary database, take all other nodes out of maintenance mode.
Results
The new certificate is imported to the VMware Cloud Director truststore on other VMware Cloud Director cells the next time the appliance-sync function runs. The operation might take up to 60 seconds.