When you deploy the VMware Cloud Director appliance, it generates self-signed certificates with a validity period of 365 days. If there are expiring or expired certificates in your environment, you can generate new self-signed certificates. You must renew the certificates for each VMware Cloud Director cell individually.
Important: In VMware Cloud Director 10.5.1 and later, the cell-management-tool certificates command appears to work correctly, but after a cell restart the changes are not in effect, because the cell no longer reads the certificate files from disk. Starting with version 10.5.1, VMware Cloud Director reads the certificates from the Certificates Library.
The VMware Cloud Director service uses one certificate for HTTPS and console proxy communications. The embedded PostgreSQL database and the VMware Cloud Director appliance management user interface share another SSL certificate.
You can change all self-signed certificates. Alternatively, if you already use a CA-signed certificate for the HTTPS communications of VMware Cloud Director, you can change only the certificate shared by the embedded PostgreSQL database and the appliance management UI. A CA-signed certificate includes a complete trust chain rooted in a certificate authority that your clients trust, either a well-known public CA or an internal one.
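Because a renewed certificate may not be the one a cell actually serves after a restart (see the note above), a practitioner wants a way to check both the remaining validity of a certificate file and the certificate that a running cell presents on its HTTPS and PostgreSQL ports. The following shell functions are an added example, not part of the VMware documentation or the product. They assume OpenSSL is on the PATH; the host name vcd-cell-01.example.com, the ports 443 (HTTPS) and 5432 (embedded PostgreSQL), and the file paths in the usage comments are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not VMware code: check how close a cell certificate is to
# expiry and confirm which certificate a running cell actually serves.
# Assumes openssl is on PATH. Host names, ports (443 HTTPS, 5432 embedded
# PostgreSQL) and file paths are assumptions for illustration.

# Print "ok" if the PEM certificate in $1 stays valid for more than $2 days,
# "EXPIRING" if it expires within $2 days or has already expired.
cert_expiry_status() {
    pem="$1"
    days="$2"
    if openssl x509 -noout -checkend "$(( days * 86400 ))" -in "$pem" >/dev/null 2>&1; then
        echo ok
    else
        echo EXPIRING
    fi
}

# notAfter of the PEM certificate in $1, as OpenSSL prints it
# (for example "Jun  1 12:00:00 2025 GMT").
cert_not_after() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# SHA-256 fingerprint of the PEM certificate in $1, without the
# "sha256 Fingerprint=" prefix, so two certificates can be compared.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^[^=]*=//'
}

# Fetch the leaf certificate served on $1:$2 as PEM. Pass "postgres" as $3
# for the embedded database, which negotiates TLS only after a
# STARTTLS-style request, hence -starttls postgres.
served_cert() {
    host="$1"
    port="$2"
    if [ "${3:-}" = postgres ]; then
        openssl s_client -connect "$host:$port" -starttls postgres </dev/null 2>/dev/null | openssl x509
    else
        openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null | openssl x509
    fi
}

# Compare the certificate a cell serves with the one you expect (for example
# the renewed certificate exported from the Certificates Library). Prints
# MATCH or MISMATCH, so a cell that silently kept its old certificate after
# a restart stands out.
verify_served() {
    host="$1"; port="$2"; expected_pem="$3"; proto="${4:-}"
    tmp="$(mktemp)"
    served_cert "$host" "$port" "$proto" > "$tmp"
    if [ "$(cert_fingerprint "$tmp")" = "$(cert_fingerprint "$expected_pem")" ]; then
        echo MATCH
    else
        echo MISMATCH
    fi
    rm -f "$tmp"
}

# Offline demo with a constructed self-signed certificate (no real cell
# needed): the 365-day validity mirrors what the appliance generates.
demo() {
    dir="$(mktemp -d)"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj '/CN=vcd-cell-01.example.com' \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    echo "notAfter:     $(cert_not_after "$dir/cert.pem")"
    echo "30-day check: $(cert_expiry_status "$dir/cert.pem" 30)"
    echo "fingerprint:  $(cert_fingerprint "$dir/cert.pem")"
    rm -rf "$dir"
}

# Usage against a real appliance (assumed host name and paths):
#   verify_served vcd-cell-01.example.com 443  /path/to/renewed-https.pem
#   verify_served vcd-cell-01.example.com 5432 /path/to/renewed-postgres.pem postgres
if [ "${1:-}" = --demo ]; then
    demo
fi
```

Run the script with `--demo` for the offline check. Against a real cell, run `verify_served` once per port after the restart and again once the appliance-sync function has run on the other cells; a MISMATCH on the HTTPS port after a restart of a 10.5.1 or later cell is the symptom described in the note above.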
Prerequisites
- Important: This procedure is different in VMware Cloud Director 10.5.1 and later. See Certificate Management in the VMware Cloud Director Appliance 10.5.1 and Later. Verify that you are reading the documentation for the correct product version.
- To verify that this is the relevant procedure for your environment, familiarize yourself with SSL Certificate Creation and Management of Your VMware Cloud Director Appliance.
- If you are renewing the certificate for the primary node in a database high availability cluster, run the /opt/vmware/vcloud-director/bin/cell-management-tool cell -m command of the cell management tool on all other nodes to place them in maintenance mode and to prevent data loss. See Managing a VMware Cloud Director Cell.
- If FIPS mode is enabled, the root password of the appliance must contain 14 or more characters. See Change the Root Password of Your VMware Cloud Director Appliance.
Procedure
Results
The renewed self-signed certificates are visible in the VMware Cloud Director user interface.
The new PostgreSQL certificate is imported to the VMware Cloud Director truststore on other VMware Cloud Director cells the next time the appliance-sync function runs. The operation can take up to 60 seconds.
What to do next
If necessary, a self-signed certificate can be replaced with a certificate signed by an external or internal certificate authority.