You might need to replace the VMware Cloud Director appliance management key-certificate pair for security reasons, expiration of the certificate, upgrades or changes to the appliance, or compliance requirements.

Important: For certificate documentation for VMware Cloud Director 10.5.1 and later, see Certificate Management in the VMware Cloud Director Appliance 10.5.1 and Later. Starting with VMware Cloud Director 10.5.1, the certificates command of the cell management tool is deprecated. The certificates command appears to work correctly, but after a cell restart the changes are not in effect, because the cell no longer reads the certificates from the files on disk. In version 10.5.1 and later, VMware Cloud Director reads the certificates from the Certificates Library.

Prerequisites

Important: This procedure is different in VMware Cloud Director 10.5.1 and later. See Certificate Management in the VMware Cloud Director Appliance 10.5.1 and Later.
Verify that you are reading the documentation for the correct product version.

Procedure

  1. Log in directly or SSH to the OS of the VMware Cloud Director appliance as root.
  2. Create backup copies of the original vcd_ova.crt and vcd_ova.key files.
    cp /opt/vmware/appliance/etc/ssl/vcd_ova.crt /opt/vmware/appliance/etc/ssl/vcd_ova.crt.original
    cp /opt/vmware/appliance/etc/ssl/vcd_ova.key /opt/vmware/appliance/etc/ssl/vcd_ova.key.original
  3. Stop the VMware Cloud Director service on all cells in the cluster.
    /opt/vmware/vcloud-director/bin/cell-management-tool -u <administrator_username> cell --shutdown
    systemctl stop vmware-vcd
  4. Generate self-signed certificates only for the embedded PostgreSQL database and the VMware Cloud Director appliance management UI.
    /opt/vmware/appliance/bin/generate-certificates.sh <root-password> --skip-vcd-certs
    The command puts the newly generated certificates for the embedded PostgreSQL database and the appliance management UI into use. The PostgreSQL and Nginx servers restart.
  5. If you are using CA-signed certificates, obtain the CA-signed certificates, copy them and restart the services.
    1. Create a certificate signing request in the vcd_ova.csr file.
      openssl req -new -key /opt/vmware/appliance/etc/ssl/vcd_ova.key -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:vcd2.example.com,DNS:vcd2,IP:10.100.101.10\n")) -out vcd_ova.csr
    2. Send the certificate signing request to your certificate authority.
      If you must specify a web server type, use Jakarta Tomcat.
      You obtain the CA-signed certificate.
    3. Copy the CA-signed certificate.
      cp ca-signed-vcd_ova.pem /opt/vmware/appliance/etc/ssl/vcd_ova.crt
    4. Restart the nginx and postgres services.
      systemctl restart nginx.service
      systemctl restart vpostgres.service
  6. Restart the VMware Cloud Director service on all cells.
    systemctl start vmware-vcd
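The following pre-checks are an added example and not part of the VMware documentation. Before the cp in step 5.3 overwrites vcd_ova.crt, they verify that the CA-signed certificate actually belongs to the private key the CSR was generated from, that it carries the expected subjectAltName entry, and that it is not about to expire. They assume openssl is on the PATH; SSL_DIR defaults to the appliance's certificate directory, and vcd2.example.com is the hostname used in the CSR example above.

```shell
#!/bin/sh
# Added example, not part of the VMware documentation: pre-checks to run on a
# CA-signed certificate before copying it over vcd_ova.crt in step 5.3.
# Assumes openssl is on PATH; SSL_DIR defaults to the appliance's directory.
SSL_DIR=${SSL_DIR:-/opt/vmware/appliance/etc/ssl}

# 0 if the certificate's public key is the one derived from the private key.
vcd_cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# 0 if the certificate's subjectAltName lists DNS:<name> (exact entry match).
vcd_cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | tr -d '[:blank:]' | grep -qxF "DNS:$2"
}

# 0 if the certificate is still valid $2 seconds from now (default: 30 days).
vcd_cert_not_expiring() {
    openssl x509 -in "$1" -noout -checkend "${2:-2592000}" >/dev/null 2>&1
}

# Run all checks for <cert> <key> <hostname>; print one line per check and
# return 1 if any check fails, so a deployment script can stop before the cp.
vcd_precheck() {
    cert=$1; key=$2; host=$3; rc=0
    if vcd_cert_matches_key "$cert" "$key"; then echo "OK   $cert matches $key"
    else echo "FAIL $cert does not match $key"; rc=1; fi
    if vcd_cert_has_san "$cert" "$host"; then echo "OK   SAN contains DNS:$host"
    else echo "FAIL SAN lacks DNS:$host"; rc=1; fi
    if vcd_cert_not_expiring "$cert"; then echo "OK   valid for at least 30 days"
    else echo "FAIL expires within 30 days"; rc=1; fi
    return $rc
}

# Usage on the appliance, with the CA-signed certificate still in /tmp:
#   vcd_precheck /tmp/ca-signed-vcd_ova.pem "$SSL_DIR/vcd_ova.key" vcd2.example.com
```

A non-zero return from vcd_precheck means the certificate the CA returned does not pair with the key the CSR was built from (or lacks the SAN Nginx will be contacted on), and copying it would leave the management UI and PostgreSQL with a broken TLS configuration after the restart in step 5.4.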