Import Private Keys and CA-Signed SSL Certificates to the VMware Cloud Director Appliance 10.4

If you have your own private key and CA-signed certificate files, importing them into your VMware Cloud Director environment provides the highest level of trust for SSL communications and helps you secure the connections within your cloud infrastructure. The procedure for version 10.4 includes console proxy settings.

If you want to import private keys and CA-signed certificates to the VMware Cloud Director appliance 10.4.1 or later, see Import Private Keys and CA-Signed SSL Certificates to the VMware Cloud Director Appliance 10.4.1 and Later.

Starting with VMware Cloud Director 10.4, both the console proxy traffic and HTTPS communications go over the default 443 port. You do not need a separate certificate for the console proxy.

Note: VMware Cloud Director 10.4.1 and later do not support the legacy implementation of the console proxy feature.

If you want to use the legacy implementation with a dedicated console proxy access point in VMware Cloud Director 10.4, you can enable the LegacyConsoleProxy feature from the Feature Flags settings menu under the Administration tab of the Service Provider Admin Portal. To enable the LegacyConsoleProxy feature, your installation or deployment must have console proxy settings configured in a previous version and transferred through a VMware Cloud Director upgrade. After enabling or deactivating the feature you must restart the cells. If you enable the legacy console proxy implementation, the console proxy must have a separate certificate.

Prerequisites

To verify that this is the relevant procedure for your environment needs, familiarize yourself with SSL Certificate Creation and Management of the VMware Cloud Director Appliance.
Copy your intermediate certificates, root CA certificate, CA-signed HTTPS service certificate to the appliance.
If the legacy console proxy implementation is enabled, see the VMware Cloud Director version of this document.

Procedure

Back up the existing certificate files.

Option Description

Option	Description
If your environment was upgraded from VMware Cloud Director 10.2.	Make a note of the existing `http` and `consoleproxy` certificate file paths from /opt/vmware/vcloud-director/etc/global.properties using the properties of `user.http.pem`, `user.http.key`, `user.consoleproxy.pem`, and `user.consoleproxy.key`. To back up the existing certificate files, use the paths from step 2a to run the following commands. cp `path_to_the_user.http.pem` /opt/vmware/vcloud-director/etc/user.http.pem.original cp `path_to_the_user.http.key` /opt/vmware/vcloud-director/etc/user.http.key.original cp `path_to_the_user.consoleproxy.pem` /opt/vmware/vcloud-director/etc/user.consoleproxy.pem.original cp `path_to_the_user.consoleproxy.key` /opt/vmware/vcloud-director/etc/user.consoleproxy.key.original
If your environment was upgraded from VMware Cloud Director 10.3 or is a new deployment.	To back up the existing certificate files, run the following commands. cp /opt/vmware/vcloud-director/etc/user.http.pem /opt/vmware/vcloud-director/etc/user.http.pem.original cp /opt/vmware/vcloud-director/etc/user.http.key /opt/vmware/vcloud-director/etc/user.http.key.original cp /opt/vmware/vcloud-director/etc/user.consoleproxy.pem /opt/vmware/vcloud-director/etc/user.consoleproxy.pem.original cp /opt/vmware/vcloud-director/etc/user.consoleproxy.key /opt/vmware/vcloud-director/etc/user.consoleproxy.key.original

If your environment was upgraded from VMware Cloud Director 10.2.

Make a note of the existing http and consoleproxy certificate file paths from /opt/vmware/vcloud-director/etc/global.properties using the properties of user.http.pem, user.http.key, user.consoleproxy.pem, and user.consoleproxy.key.

To back up the existing certificate files, use the paths from step 2a to run the following commands.

cp path_to_the_user.http.pem /opt/vmware/vcloud-director/etc/user.http.pem.original
cp path_to_the_user.http.key /opt/vmware/vcloud-director/etc/user.http.key.original
cp path_to_the_user.consoleproxy.pem /opt/vmware/vcloud-director/etc/user.consoleproxy.pem.original
cp path_to_the_user.consoleproxy.key /opt/vmware/vcloud-director/etc/user.consoleproxy.key.original

If your environment was upgraded from VMware Cloud Director 10.3 or is a new deployment.

To back up the existing certificate files, run the following commands.

cp /opt/vmware/vcloud-director/etc/user.http.pem /opt/vmware/vcloud-director/etc/user.http.pem.original
cp /opt/vmware/vcloud-director/etc/user.http.key /opt/vmware/vcloud-director/etc/user.http.key.original
cp /opt/vmware/vcloud-director/etc/user.consoleproxy.pem /opt/vmware/vcloud-director/etc/user.consoleproxy.pem.original
cp /opt/vmware/vcloud-director/etc/user.consoleproxy.key /opt/vmware/vcloud-director/etc/user.consoleproxy.key.original

Copy and replace the key and certificate files that you must import at /opt/vmware/vcloud-director/etc/user.http.pem, /opt/vmware/vcloud-director/etc/user.http.key, /opt/vmware/vcloud-director/etc/user.consoleproxy.pem, and /opt/vmware/vcloud-director/etc/user.consoleproxy.key.
If you have intermediate certificates, to append the root CA-signed certificate and any intermediate certificates to the HTTP and console proxy certificates, run the following command.
```
cat intermediate-certificate-file-1.cer intermediate-certificate-file-2.cer root-CA-certificate.cer >> /opt/vmware/vcloud-director/etc/user.http.pem

cat intermediate-certificate-file-1.cer intermediate-certificate-file-2.cer root-CA-certificate.cer >> /opt/vmware/vcloud-director/etc/user.consoleproxy.pem
```
Where intermediate-certificate-file-1.cer and intermediate-certificate-file-2.cer are the names of intermediate certificates and root-CA-certificate.cer is the name of the root CA-signed certificate.

Run the command to import the signed certificates into the VMware Cloud Director instance.

/opt/vmware/vcloud-director/bin/cell-management-tool certificates -j --cert /opt/vmware/vcloud-director/etc/user.http.pem --key /opt/vmware/vcloud-director/etc/user.http.key --key-password imported_key_password
/opt/vmware/vcloud-director/bin/cell-management-tool certificates -p --cert /opt/vmware/vcloud-director/etc/user.consoleproxy.pem --key /opt/vmware/vcloud-director/etc/user.consoleproxy.key --key-password imported_key_password

For the CA-signed certificates to take effect, restart the vmware-vcd service on the VMware Cloud Director appliance.
1. Run the command to stop the service.
```
/opt/vmware/vcloud-director/bin/cell-management-tool cell -i $(service vmware-vcd pid cell) -s
```
2. Run the command to start the service.
```
systemctl start vmware-vcd
```

What to do next

If you are using wildcard certificates, see Deploy the VMware Cloud Director Appliance 10.4.1 and Later with a Signed Wildcard Certificate for HTTPS Communication.
If you are not using wildcard certificates, repeat this procedure on all VMware Cloud Director appliance cells in the server group.
For more information on replacing the certificates for the embedded PostgreSQL database and for the VMware Cloud Director appliance management user interface, see Replace a Self-Signed Embedded PostgreSQL and VMware Cloud Director Appliance Management UI Certificate.