Replacing Certificates for the HTTPS Endpoint

Use the certificates command of the cell management tool to replace SSL certificates for the HTTPS endpoint.

Starting with VMware Cloud Director 10.4, the console proxy uses the same endpoint as the REST API. VMware Cloud Director 10.4.1 and later do not support the legacy implementation of the console proxy feature. In VMware Cloud Director 10.4, you can enable the LegacyConsoleProxy feature from the Feature Flags settings menu under the Administration tab. If you enable the LegacyConsoleProxy feature, you can use the certificates command of the cell management tool to replace SSL certificates for the HTTPS and console proxy endpoints.

The certificates command of the cell management tool automates the process of replacing existing certificates with new ones stored in PEM format. Use the certificates command to replace self-signed certificates with signed ones or replace expiring certificates with new ones. To create signed certificates, see Create Self-Signed SSL Certificates for VMware Cloud Director on Linux.

To replace SSL certificates for one or both endpoints use a command with the following form:

cell-management-tool certificates options

Starting with VMware Cloud Director 10.4.1, --http and --consoleproxy are legacy flags. If you do not provide either of them, VMware Cloud Director reconfigures the HTTP certificates. You cannot import certificates by providing only --consoleproxy. You can import certificates by providing only --http. If you provide both --http and --consoleproxy, VMware Cloud Director ignores --consoleproxy and updates only the HTTP certificates.

Table 1. Cell Management Tool Options and Arguments, certificates Subcommand
Option	Argument	Description
--help (-h)	None	Provides a summary of available commands in this category.
--config (-c)	full pathname to the cell's global.properties file	Defaults to $VCLOUD_HOME/etc/global.properties.
--http (-j)	None	Replace the certificate file named certificates.pem and the private key file named certificates.key used by the HTTP endpoint.
--consoleproxy (-p)	None	For VMware Cloud Director 10.4, if LegacyConsoleProxy is enabled, replace the certificate file named proxycertificates.pem and the private key file named proxycertificates.key used by the console proxy endpoint.
--responses (-r)	full pathname to the cell's responses.properties file	Defaults to $VCLOUD_HOME/etc/responses.properties.
--cert	cert-pathname	Full pathname to a PEM-encoded X.509 certificate.
--key	key-pathname	Full pathname to a PEM-encoded PKCS #8 private key for the certificate referenced by the --cert argument.
--key-password	`key-password`	Password for the private key referenced by the --key option.

Replacing certificates

You can omit the --config and --responses options unless those files were moved from their default locations. In this example, the cell's existing HTTP endpoint certificate and private key are replaced with those found in /opt/vmware/vcloud-director/etc/user.http.pem and /opt/vmware/vcloud-director/etc/user.http.key, which is protected with the password kpw.

[root@cell1 /opt/vmware/vcloud–director/bin]# ./cell-management-tool certificates -j --cert /opt/vmware/vcloud-director/etc/user.http.pem --key /opt/vmware/vcloud-director/etc/user.http.key --key-password kpw
SSL configuration has been updated. You will need to restart the cell for changes to take effect.

Note: You must restart the cell after you replace the certificates.