Use the certificates command of the VMware Cloud Director cell management tool to replace SSL certificates for the HTTPS endpoint.

Important: Starting with VMware Cloud Director 10.5.1, you must manage a cell by using the Service Provider Admin Portal. See View and Manage Your VMware Cloud Director Cell Infrastructure. The certificates command appears to work correctly, but after a cell restart, the changes are not in effect because the cell no longer reads the certificate files from the files on-disk. In version 10.5.1 and later, VMware Cloud Director reads the certificates from the database.

The certificates command of the cell management tool automates the process of replacing existing certificates with new ones stored in PEM format. Use the certificates command to replace self-signed certificates with signed ones or replace expiring certificates with new ones. To create signed certificates, see Create Self-Signed SSL Certificates for Your VMware Cloud Director on Linux.

To replace SSL certificates for one or both endpoints use a command with the following form:
cell-management-tool certificates options

--http and --consoleproxy are legacy flags, and if you provide them, VMware Cloud Director ignores them. You can only configure the HTTP certificates.

Table 1. Cell Management Tool Options and Arguments, certificates Subcommand
Option Argument Description
--help (-h) None Provides a summary of available commands in this category.
--config (-c) full pathname to the cell's global.properties file Defaults to $VCLOUD_HOME/etc/global.properties.
--http (-j) None Replace the certificate file named certificates.pem and the private key file named certificates.key used by the HTTP endpoint.
--responses (-r) full pathname to the cell's responses.properties file Defaults to $VCLOUD_HOME/etc/responses.properties.
--cert cert-pathname Full pathname to a PEM-encoded X.509 certificate.
--key key-pathname Full pathname to a PEM-encoded PKCS #8 private key for the certificate referenced by the --cert argument.
--key-password key-password Password for the private key referenced by the --key option.

Replacing certificates

You can omit the --config and --responses options unless those files were moved from their default locations. In this example, the cell's existing HTTP endpoint certificate and private key are replaced with those found in /opt/vmware/vcloud-director/etc/user.http.pem and /opt/vmware/vcloud-director/etc/user.http.key, which is protected with the password kpw.
[root@cell1 /opt/vmware/vcloud–director/bin]# ./cell-management-tool certificates -j --cert /opt/vmware/vcloud-director/etc/user.http.pem --key /opt/vmware/vcloud-director/etc/user.http.key --key-password kpw
SSL configuration has been updated. You will need to restart the cell for changes to take effect.
Note: You must restart the cell after you replace the certificates.