Creating and importing certificates signed by a certificate authority (CA) provides the highest level of trust for SSL communications and helps you secure the connections within your cloud.
If you want to create and import CA-signed SSL certificates for VMware Cloud Director 10.4, see Create and Import CA-Signed SSL Certificates for VMware Cloud Director 10.4.
The private key password used in this procedure is the root user password, and it is represented as root_password.
Starting with VMware Cloud Director 10.4, both the console proxy traffic and HTTPS communications go over the default 443 port.
To verify that this is the relevant procedure for your environment needs, familiarize yourself with SSL Certificate Creation and Management of the VMware Cloud Director Appliance.
- Log in directly or by using an SSH client to the VMware Cloud Director appliance console as root.
- Depending on your environment needs, choose one of the following options.
When you deploy the VMware Cloud Director appliance, VMware Cloud Director automatically generates self-signed certificates with a 2048-bit key size for the HTTPS service and the console proxy service.
- Run the command to back up the existing certificate files.
cp /opt/vmware/vcloud-director/etc/user.http.pem /opt/vmware/vcloud-director/etc/user.http.pem.original
cp /opt/vmware/vcloud-director/etc/user.http.key /opt/vmware/vcloud-director/etc/user.http.key.original
- Run the following command to create a public and private key pair for the HTTPS service.
/opt/vmware/vcloud-director/bin/cell-management-tool generate-certs --cert /opt/vmware/vcloud-director/etc/user.http.pem --key /opt/vmware/vcloud-director/etc/user.http.key --key-password root_password
The command creates or overwrites the certificate file by using the default values, and creates or overwrites the private key file with the specified password. Depending on the DNS configuration of your environment, the Issuer Common Name (CN) is set to either the IP address or the FQDN for each service. The certificate uses the default 2048-bit key length and expires one year after creation.
Important: Because of configuration restrictions in the VMware Cloud Director appliance, you must use the locations /opt/vmware/vcloud-director/etc/user.http.pem and /opt/vmware/vcloud-director/etc/user.http.key for the HTTPS certificate files.
Note: You use the appliance root password as the key password.
- Create a certificate signing request (CSR) for the HTTPS service in the http.csr file.
openssl req -new -key /opt/vmware/vcloud-director/etc/user.http.key -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:vcd2.example.com,DNS:vcd2,IP:10.100.101.10\n")) -out http.csr
- Send the certificate signing request to your Certificate Authority.
If your certification authority requires you to specify a Web server type, use Jakarta Tomcat. You obtain the CA-signed certificates.
- Copy the CA-signed certificates, the CA root certificate, and any intermediate certificates to the VMware Cloud Director appliance and run the command to overwrite the existing user.http.pem cert on the appliance with your CA-signed version.
cp ca-signed-http.pem /opt/vmware/vcloud-director/etc/user.http.pem
- To append the root CA certificate and any intermediate certificates to the HTTPS and console proxy certificate, run the following command.
cat intermediate-certificate-file-1.cer intermediate-certificate-file-2.cer root-CA-certificate.cer >> /opt/vmware/vcloud-director/etc/user.http.pem
- To import the certificates into the VMware Cloud Director instance, run the following command.
/opt/vmware/vcloud-director/bin/cell-management-tool certificates -j --cert /opt/vmware/vcloud-director/etc/user.http.pem --key /opt/vmware/vcloud-director/etc/user.http.key --key-password root_password
- For the new signed certificates to take effect, restart the vmware-vcd service on the VMware Cloud Director appliance.
- Run the command to stop the service.
/opt/vmware/vcloud-director/bin/cell-management-tool cell -i $(service vmware-vcd pid cell) -s
- Run the command to start the service.
systemctl start vmware-vcd
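Before running the cell-management-tool import step above, it is worth checking that user.http.key actually opens with the root password, that it belongs to the first certificate in user.http.pem, and that the appended intermediates and root CA verify in the order the cp and cat >> steps produce. The following script is an added example, not VMware's tooling or part of the original procedure; make_demo_chain builds a throw-away CA hierarchy with placeholder names under a temporary directory only so the check can be exercised offline.

```shell
#!/bin/sh
# Added pre-import check (not VMware tooling) for the user.http.pem / user.http.key pair
# assembled above: CA-signed server cert first, then intermediates, then the root CA.
set -eu
# check_vcd_chain PEM KEY PASS: returns 0 if the pair is ready for cell-management-tool, else 1.
check_vcd_chain() {
  pem=$1 key=$2 pass=$3
  dir=$(mktemp -d)
  # Split the bundle into cert.1 .. cert.N (cert.1 = server cert, cert.N = root CA).
  awk -v d="$dir" '/BEGIN CERTIFICATE/{n++} n>0{print > (d "/cert." n)}' "$pem"
  n=$(grep -c 'BEGIN CERTIFICATE' "$pem" || true)
  [ "$n" -ge 2 ] || { echo "bundle holds $n certificate(s): CA chain was not appended"; return 1; }
  # 1. The key must open with the given password and belong to the first certificate (public keys compared in SubjectPublicKeyInfo form).
  k=$(openssl pkey -in "$key" -passin "pass:$pass" -pubout 2>/dev/null) ||
    { echo "cannot read private key: wrong --key-password?"; return 1; }
  c=$(openssl x509 -in "$dir/cert.1" -pubkey -noout 2>/dev/null) || { echo "first PEM block is not a certificate"; return 1; }
  [ "$k" = "$c" ] || { echo "private key does not match the first certificate"; return 1; }
  # 2. Certs 2..N-1 are untrusted intermediates; cert N is used as the trust anchor.
  : > "$dir/inter.pem"; i=2
  while [ "$i" -lt "$n" ]; do cat "$dir/cert.$i" >> "$dir/inter.pem"; i=$((i + 1)); done
  set -- "$dir/cert.1"
  [ -s "$dir/inter.pem" ] && set -- -untrusted "$dir/inter.pem" "$@"
  openssl verify -CAfile "$dir/cert.$n" "$@" >/dev/null 2>&1 ||
    { echo "server cert does not chain to the last cert: wrong order or missing CA?"; return 1; }
  rm -rf "$dir"
}

# make_demo_chain DIR PASS: constructed throw-away root -> issuing CA -> server hierarchy
# (placeholder names), so the check can be exercised offline without a real CA.
make_demo_chain() {
  d=$1 pass=$2
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 -extfile "$d/ca.ext" -out "$d/root.cer" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Issuing CA" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.cer" -CAkey "$d/root.key" -CAcreateserial -days 2 \
    -extfile "$d/ca.ext" -out "$d/int.cer" 2>/dev/null
  # The server key is password-protected, as user.http.key is on the appliance.
  openssl genrsa -aes256 -passout "pass:$pass" -out "$d/user.http.key" 2048 2>/dev/null
  openssl req -new -key "$d/user.http.key" -passin "pass:$pass" -subj "/CN=vcd2.example.com" -out "$d/http.csr" 2>/dev/null
  openssl x509 -req -in "$d/http.csr" -CA "$d/int.cer" -CAkey "$d/int.key" -CAcreateserial -days 2 \
    -out "$d/ca-signed-http.pem" 2>/dev/null
  # Same assembly order as the cp and cat >> steps above: server cert, intermediate, root.
  cat "$d/ca-signed-http.pem" "$d/int.cer" "$d/root.cer" > "$d/user.http.pem"
}
if [ "${1:-}" = demo ]; then   # usage: sh check-vcd-chain.sh demo
  work=$(mktemp -d); make_demo_chain "$work" root_password
  check_vcd_chain "$work/user.http.pem" "$work/user.http.key" root_password && echo "OK: ready to import"
fi
```

On the appliance, call check_vcd_chain with the real /opt/vmware/vcloud-director/etc paths and the root password; a non-zero exit with one of the messages above means the import would fail or the cell would serve an incomplete chain.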
What to do next
- If you are using wildcard certificates, follow the Deploy the VMware Cloud Director Appliance 10.4.1 and Later with a Signed Wildcard Certificate for HTTPS Communication procedure so that any future appliance instances that you add to the cluster use the same wildcard signed certificates.
- Repeat this procedure on all VMware Cloud Director appliance instances in the server group.
- For more information on replacing the certificates for the embedded PostgreSQL database and for the VMware Cloud Director appliance management user interface, see Replace a Self-Signed Embedded PostgreSQL and VMware Cloud Director Appliance Management UI Certificate.