Use the certificates command of the VMware Cloud Director cell management tool to replace SSL certificates for the HTTPS endpoint.
Important: Starting with VMware Cloud Director 10.5.1, you must manage a cell by using the Service Provider Admin Portal. See View and Manage Your VMware Cloud Director Cell Infrastructure. The certificates command appears to work correctly, but after a cell restart, the changes are not in effect because the cell no longer reads the certificate files from disk. In version 10.5.1 and later, VMware Cloud Director reads the certificates from the database.
The certificates command of the cell management tool automates the process of replacing existing certificates with new ones stored in PEM format. Use the certificates command to replace self-signed certificates with signed ones or replace expiring certificates with new ones. To create signed certificates, see Create Self-Signed SSL Certificates for Your VMware Cloud Director on Linux.
To replace SSL certificates for one or both endpoints, use a command with the following form:
cell-management-tool certificates options
--http and --consoleproxy are legacy flags, and if you provide them, VMware Cloud Director ignores them. You can only configure the HTTP certificates.
Option | Argument | Description |
---|---|---|
--help (-h) | None | Provides a summary of available commands in this category. |
--config (-c) | full pathname to the cell's global.properties file | Defaults to $VCLOUD_HOME/etc/global.properties. |
--http (-j) | None | Replace the certificate file named certificates.pem and the private key file named certificates.key used by the HTTP endpoint. |
--responses (-r) | full pathname to the cell's responses.properties file | Defaults to $VCLOUD_HOME/etc/responses.properties. |
--cert | cert-pathname | Full pathname to a PEM-encoded X.509 certificate. |
--key | key-pathname | Full pathname to a PEM-encoded PKCS #8 private key for the certificate referenced by the --cert argument. |
--key-password | key-password | Password for the private key referenced by the --key option. |
Replacing certificates
You can omit the --config and --responses options unless those files were moved from their default locations. In this example, the cell's existing HTTP endpoint certificate and private key are replaced with those found in /opt/vmware/vcloud-director/etc/user.http.pem and /opt/vmware/vcloud-director/etc/user.http.key, which is protected with the password kpw.
[root@cell1 /opt/vmware/vcloud-director/bin]# ./cell-management-tool certificates -j --cert /opt/vmware/vcloud-director/etc/user.http.pem --key /opt/vmware/vcloud-director/etc/user.http.key --key-password kpw
SSL configuration has been updated. You will need to restart the cell for changes to take effect.
Note: You must restart the cell after you replace the certificates.
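The following pre-flight check is an added example, not part of the VMware documentation or tooling. It confirms that the files intended for --cert and --key are a PEM X.509 certificate and a PEM PKCS #8 key and, going beyond what the page describes, that the two hold the same public key when openssl is installed. The function names and the KEY_PW environment variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example: pre-flight checks for the files passed to --cert and --key.
# Function names and the KEY_PW variable are hypothetical, not VMware's.

# Print the label of the first PEM block in a file, e.g. "CERTIFICATE".
pem_label() {
    sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1" | head -n 1
}

# Classify a key file against what --key expects (PEM-encoded PKCS #8).
# Prints one of: pkcs8-encrypted, pkcs8-plain, legacy, not-a-key.
key_format() {
    case "$(pem_label "$1")" in
        "ENCRYPTED PRIVATE KEY") echo pkcs8-encrypted ;;
        "PRIVATE KEY")           echo pkcs8-plain ;;
        *" PRIVATE KEY")         echo legacy ;;  # e.g. "RSA PRIVATE KEY" (PKCS #1)
        *)                       echo not-a-key ;;
    esac
}

# Return 0 when certificate $1 and key $2 carry the same public key.
# The key password, if any, is read from the KEY_PW environment variable.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout ${KEY_PW:+-passin env:KEY_PW}) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# usage: preflight CERT KEY
preflight() {
    if [ "$(pem_label "$1")" != "CERTIFICATE" ]; then
        echo "cert: first PEM block is not an X.509 certificate"; return 1
    fi
    case "$(key_format "$2")" in
        pkcs8-encrypted) echo "key: PKCS #8, encrypted" ;;
        pkcs8-plain)     echo "key: PKCS #8, unencrypted" ;;
        *)               echo "key: not PKCS #8 PEM"; return 1 ;;
    esac
    if command -v openssl >/dev/null 2>&1; then
        cert_matches_key "$1" "$2" || { echo "cert/key mismatch or unreadable"; return 1; }
    fi
    echo "ok"
}

if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```

Run it with the certificate and key paths as the two arguments before invoking cell-management-tool; a non-zero exit status means the pair should not be installed as is.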