You might need to replace the VMware Cloud Director appliance management key-certificate pair for security reasons, expiration of the certificate, upgrades or changes to the appliance, or compliance requirements.

Procedure

  1. Log in directly or SSH to the OS of the VMware Cloud Director appliance as root.
  2. Create backup copies of the original vcd_ova.crt and vcd_ova.key.
    cp /opt/vmware/appliance/etc/ssl/vcd_ova.crt /opt/vmware/appliance/etc/ssl/vcd_ova.crt.original
    cp /opt/vmware/appliance/etc/ssl/vcd_ova.key /opt/vmware/appliance/etc/ssl/vcd_ova.key.original
  3. Generate self-signed certificates only for the embedded PostgreSQL database and the VMware Cloud Director appliance management UI.
    /opt/vmware/appliance/bin/generate-certificates.sh <root-password> --skip-vcd-certs
    The command generates new certificates for the embedded PostgreSQL database and the appliance management UI and puts them into use. The PostgreSQL and Nginx servers restart.
  4. If you are using CA-signed certificates, obtain the CA-signed certificates, copy them and restart the services.
    1. Create a certificate signing request in the vcd_ova.csr file, using the key from step 2.
      openssl req -new -key /opt/vmware/appliance/etc/ssl/vcd_ova.key -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:vcd2.example.com,DNS:vcd2,IP:10.100.101.10\n")) -out vcd_ova.csr
      The DNS and IP entries in the subjectAltName list are examples. Replace them with the FQDN, the short host name and the IP address of your appliance.
    2. Send the certificate signing request to your certificate authority.
      If you must specify a web server type, use Jakarta Tomcat.
      The certificate authority returns the CA-signed certificate.
    3. Copy the CA-signed certificate into place as vcd_ova.crt. The example assumes the CA returned it as ca-signed-vcd_ova.pem.
      cp ca-signed-vcd_ova.pem /opt/vmware/appliance/etc/ssl/vcd_ova.crt
    4. Restart the nginx and postgres services.
      systemctl restart nginx.service
      systemctl restart vpostgres.service
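The procedure restarts nginx and PostgreSQL straight after copying the new certificate in. If the CA signed a CSR made with a different key, or the wrong file was copied over vcd_ova.crt, nginx will not come back up with the new pair. The script below is an added example, not part of the VMware documentation, that checks the certificate and key in the appliance paths named above before the restart in step 4.4: it verifies that the public key in the certificate belongs to vcd_ova.key, that the certificate is not about to expire, and prints the subjectAltName entries for comparison with the CSR. It assumes openssl is on the PATH (the procedure already uses it); the 30-day threshold and the script name check-vcd-cert.sh are arbitrary choices.

```shell
#!/bin/bash
# Added example, not part of the VMware documentation: pre-restart checks for
# the replaced appliance management certificate. Run it after step 4.3 (copying
# the CA-signed certificate) and before step 4.4 (restarting the services), so
# that a key/certificate mismatch is caught while the step 2 backups are at hand.
# Assumptions: openssl on PATH, the file locations named in the procedure, and
# an arbitrary 30-day expiry threshold.

SSL_DIR="${SSL_DIR:-/opt/vmware/appliance/etc/ssl}"
CRT="${CRT:-$SSL_DIR/vcd_ova.crt}"
KEY="${KEY:-$SSL_DIR/vcd_ova.key}"
MIN_SECONDS="${MIN_SECONDS:-2592000}"   # 30 days

# Return 0 when the public key embedded in the certificate is the public key of
# the private key file. Both openssl commands print the key as PEM
# SubjectPublicKeyInfo, so a plain string comparison is sufficient.
# Return 2 if either file is unreadable or not valid PEM.
cert_matches_key() {
  local crt="$1" key="$2"
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 2
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
  [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when the certificate stays valid for at least $2 seconds
# (openssl's -checkend exits non-zero if it expires inside that window).
cert_valid_for() {
  local crt="$1" seconds="${2:-$MIN_SECONDS}"
  openssl x509 -in "$crt" -noout -checkend "$seconds" >/dev/null 2>&1
}

# Print the subjectAltName line ("DNS:..., DNS:..., IP Address:...") so it can
# be compared with the SAN list that went into the CSR in step 4.1.
cert_sans() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^[[:space:]]*//'
}

# Run every check for one certificate/key pair. A non-zero exit means the
# services should not be restarted with this pair.
run_checks() {
  local crt="$1" key="$2" rc=0
  if cert_matches_key "$crt" "$key"; then
    echo "OK   $crt matches $key"
  else
    echo "FAIL $crt does not match $key (CSR made with another key, or wrong file copied)"
    rc=1
  fi
  if cert_valid_for "$crt" "$MIN_SECONDS"; then
    echo "OK   $crt valid for at least $((MIN_SECONDS / 86400)) more days"
  else
    echo "FAIL $crt expires within $((MIN_SECONDS / 86400)) days or cannot be parsed"
    rc=1
  fi
  echo "SAN  $(cert_sans "$crt")"
  return "$rc"
}

# Only touch the appliance paths when explicitly asked:
#   bash check-vcd-cert.sh --check
if [ "${1:-}" = "--check" ]; then
  run_checks "$CRT" "$KEY"
fi
```

Run it as root on the appliance with `bash check-vcd-cert.sh --check`; a FAIL line means restore the .original copies from step 2 rather than restarting. The public-key comparison is the important check: it is exactly what nginx needs to hold for vcd_ova.crt and vcd_ova.key, and it also catches a certificate that the CA issued for a CSR generated elsewhere. The script does not validate the chain or the nginx configuration, so it complements, rather than replaces, nginx's own `nginx -t` configuration test.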