Renew Your VMware Cloud Director 10.5.0 Appliance Certificates

When you deploy the VMware Cloud Director appliance, it generates self-signed certificates with a validity period of 365 days. If there are expiring or expired certificates in your environment, you can generate new self-signed certificates. You must renew the certificates for each VMware Cloud Director cell individually.

Important: For certificates documentation for VMware Cloud Director 10.5.1 and later, see Certificate Management in the VMware Cloud Director Appliance 10.5.1 and Later. Starting with VMware Cloud Director 10.5.1, the certificates command of the cell management tool is deprecated. The certificates command appears to work correctly, but after a cell restart, the changes are not in effect because the cell no longer reads the certificate files from the files on-disk. In version 10.5.1 and later, VMware Cloud Director reads the certificates from the Certificates Library.

The VMware Cloud Director service uses one certificate for HTTPS and console proxy communications. The embedded PostgreSQL database and the VMware Cloud Director appliance management user interface share another SSL certificate.

Note: VMware Cloud Director 10.4.1 and later do not support the legacy implementation of the console proxy feature.

You can change all self-signed certificates. Alternatively, if you use a CA-signed certificate for the HTTPS communications of VMware Cloud Director, you can change only the embedded PostgreSQL database and appliance management UI certificate. CA-signed certificates include a complete trust chain rooted in a well-known public certificate authority.

Prerequisites

Important: This procedure is different in VMware Cloud Director 10.5.1 and later. See Certificate Management in the VMware Cloud Director Appliance 10.5.1 and Later.
Verify that you are reading the documentation for the correct product version.
To verify that this is the relevant procedure for your environment needs, familiarize yourself with SSL Certificate Creation and Management of Your VMware Cloud Director Appliance.
If you are renewing the certificate for the primary node in a database high availability cluster, run the opt/vmware/vcloud-director/bin/cell-management-tool cell -m command of the cell management tool place all other nodes in maintenance mode and to prevent data loss. See Managing a VMware Cloud Director Cell.
If FIPS mode is enabled, the root password of the appliance must contain 14 or more characters. See Change the Root Password of Your VMware Cloud Director Appliance.

Procedure

To stop the VMware Cloud Director services, run the following command.

/opt/vmware/vcloud-director/bin/cell-management-tool -u administrator cell --shutdown

Generate new self-signed certificates for the database and appliance management UI or for the HTTPS communication, the database, and appliance management UI.
Starting with VMware Cloud Director appliance 10.5.1, the self-signed certificates you generate include the SubjectKeyIdentifier and AuthorityKeyIdentifier certificate extensions. Every time you run the generate-certificates.sh script, the VMware Cloud Director appliance recreates the vcd_ova.{key, csr} files.
- Generate self-signed certificates only for the embedded PostgreSQL database and the VMware Cloud Director appliance management UI.
  1. Run the following command:
```
/opt/vmware/appliance/bin/generate-certificates.sh <root-password> --skip-vcd-certs
```
  2. Restart the VMware Cloud Director service.
```
service vmware-vcd start
```
  This command automatically puts into use the newly generated certificates for the embedded PostgreSQL database and the appliance management UI. The PostgreSQL and the Nginx servers restart.
- Generate new self-signed certificates for HTTPS communication of VMware Cloud Director in addition to certificates for the embedded PostgreSQL database and the appliance management UI.
  1. Run the following command:
```
/opt/vmware/appliance/bin/generate-certificates.sh <root-password>
```
  2. If you are not using CA-signed certificates, run the commands to import the newly generated self-signed certificates to VMware Cloud Director.
```
/opt/vmware/vcloud-director/bin/cell-management-tool certificates -j --cert /opt/vmware/vcloud-director/etc/user.http.pem --key /opt/vmware/vcloud-director/etc/user.http.key --key-password root_password
```
  3. Restart the VMware Cloud Director service.
```
service vmware-vcd start
```
  These commands automatically put into use the newly generated certificates for the embedded PostgreSQL database and the appliance management UI. The PostgreSQL and the Nginx servers restart. The commands generate a new, self-signed SSL certificate /opt/vmware/vcloud-director/etc/user.http.pem with private key /opt/vmware/vcloud-director/etc/user.http.key, which are used in Step 1.

Results

The renewed self-signed certificates are visible in the VMware Cloud Director user interface.

The new PostgreSQL certificate is imported to the VMware Cloud Director truststore on other VMware Cloud Director cells the next time the appliance-sync function runs. The operation can take up to 60 seconds.

What to do next

If necessary, a self-signed certificate can be replaced with a certificate signed by an external or internal certificate authority.