When you deploy the VMware Cloud Director appliance, it generates self-signed certificates with a validity period of 365 days. If there are expiring or expired certificates in your environment, you can generate new self-signed certificates. You must renew the certificates for each VMware Cloud Director cell individually.

The VMware Cloud Director appliance uses two sets of SSL certificates. The VMware Cloud Director service uses one set of certificates for HTTPS and console proxy communications. The embedded PostgreSQL database and the VMware Cloud Director appliance management user interface share the other set of SSL certificates.

You can change both sets of self-signed certificates. Alternatively, if you use CA-signed certificates for the HTTPS and console proxy communications of VMware Cloud Director, you can change only the embedded PostgreSQL database and appliance management UI certificate. CA-signed certificates include a complete trust chain rooted in a well-known public certificate authority.

Prerequisites

Procedure

  1. Log in directly or SSH to the OS of the VMware Cloud Director appliance as root.
  2. To stop the VMware Cloud Director services, run the following command. 
    /opt/vmware/vcloud-director/bin/cell-management-tool -u administrator cell --shutdown
  3. Generate new self-signed certificates for the database and appliance management UI or for the HTTPS and console proxy communication, the database, and appliance management UI.
    • Generate self-signed certificates only for the embedded PostgreSQL database and the VMware Cloud Director appliance management UI, run:
      /opt/vmware/appliance/bin/generate-certificates.sh <root-password> --skip-vcd-certs

      This command automatically puts into use the newly generated certificates for the embedded PostgreSQL database and the appliance management UI. The PostgreSQL and the Nginx servers restart.

    • Generate new self-signed certificates for HTTPS and console proxy communication of VMware Cloud Director in addition to certificates for the embedded PostgreSQL database and the appliance management UI.
      1. Run the following command:
        /opt/vmware/appliance/bin/generate-certificates.sh <root-password>
      2. If you are not using CA-signed certificates, run the commands to import the newly generated self-signed certificates to VMware Cloud Director.
        /opt/vmware/vcloud-director/bin/cell-management-tool certificates -j --cert /opt/vmware/vcloud-director/etc/user.http.pem --key /opt/vmware/vcloud-director/etc/user.http.key --key-password root_password
/opt/vmware/vcloud-director/bin/cell-management-tool certificates -p --cert /opt/vmware/vcloud-director/etc/user.consoleproxy.pem --key /opt/vmware/vcloud-director/etc/user.consoleproxy.key --key-password root_password
      3. Restart the VMware Cloud Director service. 
        service vmware-vcd start

      These commands automatically put into use the newly generated certificates for the embedded PostgreSQL database and the appliance management UI. The PostgreSQL and the Nginx servers restart. The commands generate new, self-signed SSL certificates /opt/vmware/vcloud-director/etc/user.http.pem and /opt/vmware/vcloud-director/etc/user.consoleproxy.pem with private keys /opt/vmware/vcloud-director/etc/user.http.key and /opt/vmware/vcloud-director/etc/user.consoleproxy.key, which are used in Step 1.

Results

The renewed self-signed certificates are visible in the VMware Cloud Director user interface.

The new PostgreSQL certificate is imported to the VMware Cloud Director truststore on other VMware Cloud Director cells the next time the appliance-sync function runs. The operation can take up to 60 seconds.

What to do next

If necessary, a self-signed certificate can be replaced with a certificate signed by an external or internal certificate authority.