Create and Import CA-Signed SSL Certificates to the VMware Cloud Director Appliance

Creating and importing certificates signed by a certificate authority (CA) provides the highest level of trust for SSL communications and helps you secure the connections within your cloud.

Each VMware Cloud Director server must support two different SSL endpoints, one for HTTPS and one for console proxy communications.

In the VMware Cloud Director appliance, these two endpoints share the same IP address or hostname, but use two distinct ports - 443 for HTTPS and 8443 for console proxy communications. You can use the same certificate for both endpoints, for example, by using a wildcard certificate.

Certificates for both endpoints must include an X.500 distinguished name and X.509 Subject Alternative Name extension.

If you already have your own private key and CA-signed certificate files, follow the procedure described in Import Private Keys and CA-Signed SSL Certificates to the VMware Cloud Director Appliance.

Important: Upon deployment, the VMware Cloud Director appliance generates self-signed certificates with a 2048-bit key size. You must evaluate your installation's security requirements before choosing an appropriate key size. Key sizes less than 1024 bits are no longer supported per NIST Special Publication 800-131A.

The private key password used in this procedure is the root user password, and it is represented as root_password.

Procedure

Log in directly or by using an SSH client to the VMware Cloud Director appliance console as root.
Depending on your environment needs, choose one of the following options.
When you deploy the VMware Cloud Director appliance, VMware Cloud Director automatically generates self-signed certificates with a 2048-bit key size for the HTTPS service and the console proxy service.
- If you want your Certificate Authority to sign the certificates that are generated upon deployment, skip to Step 5.
- If you want to generate new certificates with custom options, such as a greater key size, continue to Step 3.

Run the command to back up the existing certificate files.

cp /opt/vmware/vcloud-director/etc/user.http.pem /opt/vmware/vcloud-director/etc/user.http.pem.original
cp /opt/vmware/vcloud-director/etc/user.http.key /opt/vmware/vcloud-director/etc/user.http.key.original
cp /opt/vmware/vcloud-director/etc/user.consoleproxy.pem /opt/vmware/vcloud-director/etc/user.consoleproxy.pem.original
cp /opt/vmware/vcloud-director/etc/user.consoleproxy.key /opt/vmware/vcloud-director/etc/user.consoleproxy.key.original

Run the following commands to create public and private key pairs for the HTTPS service and for the console proxy service.
```
/opt/vmware/vcloud-director/bin/cell-management-tool generate-certs --cert /opt/vmware/vcloud-director/etc/user.http.pem --key /opt/vmware/vcloud-director/etc/user.http.key --key-password root-password
/opt/vmware/vcloud-director/bin/cell-management-tool generate-certs --cert /opt/vmware/vcloud-director/etc/user.consoleproxy.pem --key /opt/vmware/vcloud-director/etc/user.consoleproxy.key --key-password root-password
```
The commands create or overwrite the certificate file by using the default values, and create or overwrite the private key file with the specified passwords. Depending on the DNS configuration of your environment, the Issuer Common Name (CN) is set to either the IP address or the FQDN for each service. The certificate uses the default 2048-bit key length and expires one year after creation.

Important: Because of configuration restrictions in the VMware Cloud Director appliance, you must use the locations /opt/vmware/vcloud-director/etc/user.http.pem and /opt/vmware/vcloud-director/etc/user.http.key for the HTTPS certificate files and /opt/vmware/vcloud-director/etc/user.consoleproxy.pem and /opt/vmware/vcloud-director/etc/user.consoleproxy.key for the console proxy certificate files.

Note: You use the appliance root password as the key passwords.
Create certificate signing requests (CSR) for the HTTPS service and for the console proxy service.

Important: The VMware Cloud Director appliance shares the same IP address and hostname for both the HTTPS service and the console proxy service. Because of that, the CSR creation commands must have the same DNS and IPs for the Subject Alternative Name (SAN) extension argument.
1. Create a certificate signing request in the http.csr file.
```
openssl req -new -key /opt/vmware/vcloud-director/etc/user.http.key -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:vcd2.example.com,DNS:vcd2,IP:10.100.101.10\n")) -out http.csr
```
2. Create a certificate signing request in the consoleproxy.csr file.
```
openssl req -new -key /opt/vmware/vcloud-director/etc/user.consoleproxy.key -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:vcd2.example.com,DNS:vcd2,IP:10.100.101.10\n")) -out consoleproxy.csr
```
Send the certificate signing requests to your Certificate Authority.
If your certification authority requires you to specify a Web server type, use Jakarta Tomcat.

You obtain the CA-signed certificates.
Copy the the CA-signed certificates, the CA root certificate, and any intermediate certificates to the VMware Cloud Director appliance and run the commands to overwrite the existing certificates.
1. Run the command to overwrite the existing user.http.pem cert on the appliance with your CA-signed version.
```
cp ca-signed-http.pem /opt/vmware/vcloud-director/etc/user.http.pem
```
2. Run the command to overwrite the existing user.consoleproxy.pem on the appliance with your CA-signed version.
```
cp ca-signed-consoleproxy.pem /opt/vmware/vcloud-director/etc/user.consoleproxy.pem
```

Run the command to append the root CA-signed certificate and any intermediate certificates to the HTTP and console proxy certificate.

cat intermediate-certificate-file-1.cer intermediate-certificate-file-2.cer root-CA-certificate.cer >> /opt/vmware/vcloud-director/etc/user.http.pem
cat intermediate-certificate-file-1.cer intermediate-certificate-file-2.cer root-CA-certificate.cer >> /opt/vmware/vcloud-director/etc/user.consoleproxy.pem

Run the command to import the certificates into the VMware Cloud Director instance.

/opt/vmware/vcloud-director/bin/cell-management-tool certificates -j --cert /opt/vmware/vcloud-director/etc/user.http.pem --key /opt/vmware/vcloud-director/etc/user.http.key --key-password root_password
/opt/vmware/vcloud-director/bin/cell-management-tool certificates -p --cert /opt/vmware/vcloud-director/etc/user.consoleproxy.pem --key /opt/vmware/vcloud-director/etc/user.consoleproxy.key --key-password root_password

For the new signed certificates to take effect, restart the vmware-vcd service on the VMware Cloud Director appliance.
1. Run the command to stop the service.
```
/opt/vmware/vcloud-director/bin/cell-management-tool cell -i $(service vmware-vcd pid cell) -s
```
2. Run the command to start the service.
```
systemctl start vmware-vcd
```

What to do next

If you are using wildcard certificates, see Deploy the VMware Cloud Director Appliance with Signed Wildcard Certificates for HTTPS and Console Proxy Communication .
If you are not using wildcard certificates, repeat this procedure on all VMware Cloud Director servers in the server group.
For more information on replacing the certificates for the embedded PostgreSQL database and for the VMware Cloud Director appliance management user interface, see Replace a Self-Signed Embedded PostgreSQL and VMware Cloud Director Appliance Management UI Certificate.