When you deploy the VMware Cloud Director appliance, it generates self-signed certificates with a validity period of 365 days. If there are expiring or expired certificates in your environment, you can generate new self-signed certificates. You must renew the certificates for each VMware Cloud Director cell individually. The procedure for version 10.4 includes console proxy settings.

If you want to renew the VMware Cloud Director appliance certificates for version 10.4.1 or later, see Renew the VMware Cloud Director Appliance Certificates for Version 10.4.1 and Later.

Starting with VMware Cloud Director 10.4, the VMware Cloud Director service uses one certificate for HTTPS and console proxy communications. The embedded PostgreSQL database and the VMware Cloud Director appliance management user interface share another SSL certificate.

Note: VMware Cloud Director 10.4.1 and later do not support the legacy implementation of the console proxy feature.

For VMware Cloud Director 10.4, if you want to use the legacy implementation with a dedicated console proxy access point, you can enable the LegacyConsoleProxy feature from the Feature Flags settings menu under the Administration tab of the Service Provider Admin Portal. To enable the LegacyConsoleProxy feature, your installation or deployment must have console proxy settings configured in a previous version and transferred through a VMware Cloud Director upgrade. After enabling or deactivating the feature, you must restart the cells. If you enable the legacy console proxy implementation, the console proxy must have a separate certificate.

You can change all self-signed certificates. Alternatively, if you use a CA-signed certificate for the HTTPS and console proxy communications of VMware Cloud Director, you can change only the embedded PostgreSQL database and appliance management UI certificate. CA-signed certificates include a complete trust chain rooted in a well-known public certificate authority.

Prerequisites

Procedure

  1. Log in directly or SSH to the OS of the VMware Cloud Director appliance as root.
  2. To stop the VMware Cloud Director services, run the following command.
    /opt/vmware/vcloud-director/bin/cell-management-tool -u administrator cell --shutdown
  3. Generate new self-signed certificates, either only for the embedded PostgreSQL database and the appliance management UI, or for the HTTPS and console proxy communication as well as the database and the appliance management UI.
    • To generate self-signed certificates only for the embedded PostgreSQL database and the VMware Cloud Director appliance management UI, run:
      /opt/vmware/appliance/bin/generate-certificates.sh <root-password> --skip-vcd-certs

      This command automatically puts into use the newly generated certificates for the embedded PostgreSQL database and the appliance management UI. The PostgreSQL and the Nginx servers restart.

    • To generate new self-signed certificates for the HTTPS and console proxy communication of VMware Cloud Director in addition to the certificates for the embedded PostgreSQL database and the appliance management UI, follow these steps.
      1. Run the following command:
        /opt/vmware/appliance/bin/generate-certificates.sh <root-password>
      2. If you are not using CA-signed certificates, run the following commands to import the newly generated self-signed certificates into VMware Cloud Director. The private keys are protected with the appliance root password, so pass the same <root-password> as in the previous step.
        /opt/vmware/vcloud-director/bin/cell-management-tool certificates -j --cert /opt/vmware/vcloud-director/etc/user.http.pem --key /opt/vmware/vcloud-director/etc/user.http.key --key-password <root-password>
        /opt/vmware/vcloud-director/bin/cell-management-tool certificates -p --cert /opt/vmware/vcloud-director/etc/user.consoleproxy.pem --key /opt/vmware/vcloud-director/etc/user.consoleproxy.key --key-password <root-password>
      3. Restart the VMware Cloud Director service.
        service vmware-vcd start

      The generate-certificates.sh command in Step 1 automatically puts into use the newly generated certificates for the embedded PostgreSQL database and the appliance management UI, and the PostgreSQL and Nginx servers restart. The same command also generates the new self-signed SSL certificates /opt/vmware/vcloud-director/etc/user.http.pem and /opt/vmware/vcloud-director/etc/user.consoleproxy.pem with the private keys /opt/vmware/vcloud-director/etc/user.http.key and /opt/vmware/vcloud-director/etc/user.consoleproxy.key, which the import commands in Step 2 use.
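As an added example that is not part of the VMware documentation or the appliance tooling: a POSIX shell check, run on each cell before the procedure, that classifies the two certificate files the procedure renews as OK, expiring or expired, so you know which cells need attention before the 365-day validity runs out. It assumes only the openssl CLI on the appliance; the 30-day warning threshold and the file name vcd-cert-check.sh are assumptions.

```shell
#!/bin/sh
# Added example, not VMware tooling: classify the VMware Cloud Director
# certificate files that generate-certificates.sh renews as OK, EXPIRING or
# EXPIRED, so each cell can be checked before the renewal procedure is run.
# Assumes only the openssl CLI. Usage on a cell:
#   . ./vcd-cert-check.sh && check_all [WARN_DAYS]

# Certificate files from the procedure above (HTTPS and legacy console proxy).
VCD_CERT_FILES="/opt/vmware/vcloud-director/etc/user.http.pem
/opt/vmware/vcloud-director/etc/user.consoleproxy.pem"

# cert_status FILE [WARN_DAYS]: print a status line with the notAfter date and
# return 0 (OK), 1 (expires within WARN_DAYS, default 30), 2 (expired) or
# 3 (file missing or not a PEM certificate).
cert_status() {
  file=$1; warn_secs=$(( ${2:-30} * 86400 ))
  end=$(openssl x509 -in "$file" -noout -enddate 2>/dev/null) || {
    echo "UNREADABLE $file"; return 3; }
  end=${end#notAfter=}
  # "openssl x509 -checkend N" succeeds only if the certificate is still
  # valid N seconds from now, so no date parsing is needed.
  if ! openssl x509 -in "$file" -noout -checkend 0 >/dev/null; then
    echo "EXPIRED    $file (expired $end)"; return 2
  elif ! openssl x509 -in "$file" -noout -checkend "$warn_secs" >/dev/null; then
    echo "EXPIRING   $file (expires $end)"; return 1
  fi
  echo "OK         $file (expires $end)"; return 0
}

# check_all [WARN_DAYS]: run cert_status on every file and return the worst
# status, so a non-zero exit means at least one certificate needs renewal.
check_all() {
  worst=0
  for f in $VCD_CERT_FILES; do
    rc=0; cert_status "$f" "${1:-30}" || rc=$?
    [ "$rc" -gt "$worst" ] && worst=$rc
  done
  return "$worst"
}
```

Because the check reads only the local files, it must be run on every cell, matching the per-cell renewal the procedure requires.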

Results

The renewed self-signed certificates are visible in the VMware Cloud Director user interface.

The new PostgreSQL certificate is imported to the VMware Cloud Director truststore on other VMware Cloud Director cells the next time the appliance-sync function runs. The operation can take up to 60 seconds.

What to do next

If necessary, a self-signed certificate can be replaced with a certificate signed by an external or internal certificate authority.