By default, the embedded PostgreSQL database and the VMware Cloud Director appliance management user interface share a set of self-signed SSL certificates. For increased security, you can replace the default self-signed certificates with certificate authority (CA) signed certificates.

When you deploy the VMware Cloud Director appliance, it generates self-signed certificates with a validity period of 365 days. The VMware Cloud Director appliance uses two sets of SSL certificates. Starting with VMware Cloud Director 10.4, both the console proxy traffic and HTTPS communications go over the default 443 port and the VMware Cloud Director service uses one certificate for HTTPS communications that includes the console proxy communications. The embedded PostgreSQL database and the VMware Cloud Director appliance management user interface share the other set of SSL certificates.

Note: The process of replacing the database and appliance management UI certificates does not affect the certificate for HTTPS and console proxy communications. Replacing the HTTPS certificate does not mean you must replace the others.

Procedure

  1. Send the certificate signing request which is located at /opt/vmware/appliance/etc/ssl/vcd_ova.csr to the CA for signing.
  2. If you are replacing the certificate for the primary database, place all other nodes into maintenance mode to prevent the possibility of data loss.
  3. Replace the existing PEM-format certificate at /opt/vmware/appliance/etc/ssl/vcd_ova.crt with the signed certificate, obtained from your CA in Step 1.
  4. To pick up the new certificate, restart the vpostgres, nginx, and vcd_ova_ui services. 
    systemctl restart nginx.service && systemctl restart vcd_ova_ui.service
    systemctl restart vpostgres.service
  5. If you are replacing the certificate for the primary database, take all other nodes out of maintenance mode.
    See Managing a VMware Cloud Director Cell.

Results

The new certificate is imported to the VMware Cloud Director truststore on other VMware Cloud Director cells the next time the appliance-sync function runs. The operation might take up to 60 seconds.