Starting with VMware Cloud Director 10.5.1, you manage the cell HTTP certificate through the Service Provider Admin Portal, and the cell management tool's certificates command is deprecated. As a result, certificate management in 10.5.1 and later differs significantly from earlier versions.

By default, when deploying VMware Cloud Director appliance instances, VMware Cloud Director generates self-signed certificates and uses them to configure the VMware Cloud Director cell for secure communication. After you deploy an appliance, you can reconfigure the cell to use signed certificates.

When upgrading from version 10.5.0 or earlier to version 10.5.1 or later, VMware Cloud Director migrates the existing HTTP certificate of each cell from disk into the Certificate Library of the System organization. If the on-disk HTTP certificate was previously shared by every cell in the server group, for example, a wildcard certificate, VMware Cloud Director adds only one copy to the Certificate Library and each cell becomes a consumer of that library item.

Starting with VMware Cloud Director 10.5.1, in addition to the certificate that VMware Cloud Director uses for the HTTPS communication of the cell, VMware Cloud Director also uses a second certificate to secure Java Management Extensions (JMX) communication. JMX is used for cell-to-cell communication: with JMX, each cell can remotely invoke operations on other cells in the server group. The first time a VMware Cloud Director 10.5.1 cell starts, VMware Cloud Director automatically generates a JMX certificate and adds it to both the Certificate Library and the Trusted Certificates of the System organization.

Replace or Renew the Certificates of the VMware Cloud Director Cell

You might want to replace or renew the HTTP or JMX certificates of the VMware Cloud Director cell when they are about to expire, or to replace the self-signed certificates with CA-signed certificates.

Prerequisites

  • After deployment, the VMware Cloud Director appliance generates self-signed certificates with a 2048-bit key size. Evaluate the security requirements for your installation before choosing an appropriate key size. VMware Cloud Director does not support key sizes of less than 1024 bits, per NIST Special Publication 800-131A. Note that NIST SP 800-131A Rev. 2 disallows RSA keys shorter than 2048 bits for generating digital signatures, so treat 2048 bits as the practical minimum for new keys.

    If you need to generate new certificates for your Certificate Authority (CA) to sign, see Generating Self-Signed Certificates for the VMware Cloud Director HTTPS Endpoint.

  • Important: VMware Cloud Director no longer accepts certificates whose signature algorithms use SHA-1.
    Verify that none of the certificates in the certificate chain use SHA-1 as their signature algorithm, for example, sha1WithRSAEncryption.
  • Before you upload the HTTP material to the Certificates Library, you must prepare the certificate chain that will be served by the cell.

    If you have intermediate certificates, for example, intermediate-certificate-file-{1-n}.cer, append them to your HTTPS certificate.

    cat intermediate-certificate-file-1.cer intermediate-certificate-file-2.cer >> your-http-certificate.pem

    Where intermediate-certificate-file-1.cer and intermediate-certificate-file-2.cer are the names of intermediate certificates.

    The file must contain a sequence of certificates that starts with your certificate followed by the intermediate certificates, and lastly, the root certificate, if needed. You must order all certificates so that each certificate is immediately followed by its issuer's certificate.

    Note: In rare cases, you might also append the root certificate root-CA-certificate.cer. This is not common, and generally, it is not applicable if your CA is one of the well-known certificate authorities whose root certificate is already distributed in modern browser and operating-system trust stores. Consult with your CA to determine whether you must append your root certificate.
  • Verify that the certificate is in the PEM-encoded X.509 format and its associated private key is in the PEM-encoded PKCS #8 format. You can upload only these formats to the Certificates Library.
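The following script is an added example, not part of the VMware documentation, that automates the pre-upload checks listed in these prerequisites: the bundle starts with the server certificate, each certificate is immediately followed by its issuer, no signature uses SHA-1, every public key meets the minimum size, and the private key is unencrypted PEM PKCS #8 that matches the first certificate. It assumes RSA keys, a 2048-bit minimum (MIN_BITS, an assumption; set it to your own requirement) and openssl on the PATH. The three-tier PKI it builds (Example Root CA, Example Issuing CA, vcd.example.com) is constructed test data, as are the file names good-chain.pem and wrong-order.pem.

```shell
#!/bin/sh
# Added example (not part of the VMware documentation): pre-flight checks for the
# HTTP certificate bundle and key before they go into the Certificates Library.
# Assumptions: RSA keys, openssl on PATH, a minimum key size of MIN_BITS.
# All certificates below are generated as constructed test data.
MIN_BITS=2048

# split_bundle BUNDLE DIR: write each certificate in BUNDLE to DIR/cert1.pem, cert2.pem, ...
split_bundle() {
  awk -v dir="$2" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (dir "/cert" n ".pem")}' "$1"
}

# check_chain BUNDLE: returns 0 when the first certificate is the server certificate (not a CA),
# every certificate is immediately followed by its issuer, no signature uses SHA-1
# and every public key has at least MIN_BITS bits. Each finding is printed.
check_chain() {
  bundle=$1
  dir=$(mktemp -d)
  split_bundle "$bundle" "$dir"
  rc=0
  i=1
  while [ -f "$dir/cert$i.pem" ]; do
    cert="$dir/cert$i.pem"
    text=$(openssl x509 -noout -text -in "$cert")
    # The first "Signature Algorithm:" line is the algorithm the issuer signed with.
    sigalg=$(printf '%s\n' "$text" | awk '/Signature Algorithm:/{print $3; exit}')
    # "Public-Key: (2048 bit)" (OpenSSL 3.x) or "RSA Public-Key: (2048 bit)" (1.1.1): keep the number.
    bits=$(printf '%s\n' "$text" | awk '/Public-Key:/{v=$(NF-1); gsub(/[^0-9]/,"",v); print v; exit}')
    case "$sigalg" in
      *sha1*|*SHA1*) echo "cert $i: SHA-1 signature ($sigalg)"; rc=1 ;;
    esac
    [ "${bits:-0}" -ge "$MIN_BITS" ] || { echo "cert $i: key is only ${bits:-?} bits"; rc=1; }
    if [ "$i" -eq 1 ] && printf '%s\n' "$text" | grep -q 'CA:TRUE'; then
      echo "cert 1 is a CA certificate; the bundle must start with the server certificate"
      rc=1
    fi
    next="$dir/cert$((i + 1)).pem"
    if [ -f "$next" ]; then
      issuer=$(openssl x509 -noout -issuer -in "$cert")
      subject=$(openssl x509 -noout -subject -in "$next")
      [ "${issuer#issuer=}" = "${subject#subject=}" ] ||
        { echo "cert $i is not followed by its issuer (${issuer#issuer=})"; rc=1; }
    fi
    i=$((i + 1))
  done
  rm -rf "$dir"
  [ "$i" -gt 1 ] || { echo "no certificates found in $bundle"; rc=1; }
  return $rc
}

# check_key KEY BUNDLE: KEY must be unencrypted PEM PKCS #8 ("BEGIN PRIVATE KEY",
# not the PKCS #1 "BEGIN RSA PRIVATE KEY") and must belong to the first certificate.
check_key() {
  if ! grep -q -- '-----BEGIN PRIVATE KEY-----' "$1"; then
    echo "$1 is not unencrypted PEM PKCS #8 (convert with: openssl pkcs8 -topk8 -nocrypt -in KEY)"
    return 1
  fi
  [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -pubkey -noout)" ] ||
    { echo "$1 does not match the first certificate in $2"; return 1; }
}

# make_fixtures DIR: constructed test PKI, Example Root CA -> Example Issuing CA -> vcd.example.com.
make_fixtures() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 -subj "/CN=Example Root CA" \
    -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Issuing CA" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
    -days 1825 -sha256 -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:vcd.example.com\n' > "$d/leaf.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=vcd.example.com" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" -CAcreateserial \
    -days 397 -sha256 -extfile "$d/leaf.ext" -out "$d/leaf.crt" 2>/dev/null
  cat "$d/leaf.crt" "$d/int.crt" > "$d/good-chain.pem"   # server cert, then its issuer
  cat "$d/int.crt" "$d/leaf.crt" > "$d/wrong-order.pem"  # common mistake: issuer first
}

FIX=$(mktemp -d)
make_fixtures "$FIX"
check_chain "$FIX/good-chain.pem" && check_key "$FIX/leaf.key" "$FIX/good-chain.pem" && echo "good-chain.pem: OK"
check_chain "$FIX/wrong-order.pem" || echo "wrong-order.pem: rejected"
rm -rf "$FIX"
```

Run `check_chain your-http-certificate.pem && check_key your-key.pem your-http-certificate.pem` on the real material before importing it. The issuer test compares the printed issuer and subject names, which is enough to catch an out-of-order bundle; it does not replace `openssl verify`, which you can still run against your CA bundle for a full path validation.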
Procedure
  1. Import the certificate and its associated private key into the certificate library of the System organization. See Import Certificates to the Certificates Library Using Your VMware Cloud Director Service Provider Admin Portal.
  2. Change the Certificates of a Cell.
  3. Repeat steps 1 and 2 for each appliance in the cluster. If the cells share one certificate, for example a wildcard certificate, import it once and repeat only step 2 for each cell.

Replace or Renew the VMware Cloud Director Appliance Management Certificates

  1. Log in directly or SSH to the OS of the VMware Cloud Director appliance as root.
  2. To stop the VMware Cloud Director services, run the following command.
    /opt/vmware/vcloud-director/bin/cell-management-tool -u administrator cell --shutdown
  3. For VMware Cloud Director 10.5.1.1 and later, generate self-signed certificates for the embedded PostgreSQL database and the VMware Cloud Director appliance management UI by running the following command.
    /opt/vmware/appliance/bin/generate-appliance-certificates.sh
    Note: Starting with VMware Cloud Director 10.5.1.1, the generate-certificates.sh script is renamed to generate-appliance-certificates.sh and the script renews only the VMware Cloud Director appliance certificates. The VMware Cloud Director certificate renewal and replacement is no longer part of the script.

    This command automatically puts into use the newly generated certificates for the embedded PostgreSQL database and the appliance management UI. The PostgreSQL and the Nginx servers restart.

  4. For VMware Cloud Director 10.5.1, generate self-signed certificates for the embedded PostgreSQL database and the VMware Cloud Director appliance management UI by running the following command.
    /opt/vmware/appliance/bin/generate-certificates.sh <root-password> --skip-vcd-certs
    Note: Because the root password is passed as a command-line argument, it can be recorded in the shell history and is visible in process listings while the script runs. Remove the entry from the history afterwards.

    This command automatically puts into use the newly generated certificates for the embedded PostgreSQL database and the appliance management UI. The PostgreSQL and the Nginx servers restart.

  5. (Optional) If you want to have a CA sign the newly generated certificates, obtain the CA-signed certificates, copy them, and restart the services.
    1. Create a certificate signing request in the vcd_ova.csr file. The command below uses the appliance's existing private key and adds a Subject Alternative Name (SAN) extension with the FQDN, the short host name and the management IP address of the appliance; the <( ) process substitution requires bash.
      openssl req -new -key /opt/vmware/appliance/etc/ssl/vcd_ova.key -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:vcd2.example.com,DNS:vcd2,IP:10.100.101.10\n")) -out vcd_ova.csr
    2. Send the certificate signing request to your CA. If you must specify a web server type, use Jakarta Tomcat.
    3. When you obtain the CA-signed certificate, keep a copy of the original vcd_ova.crt, then copy the CA-signed certificate over it.
      cp ca-signed-vcd_ova.pem /opt/vmware/appliance/etc/ssl/vcd_ova.crt
    4. Restart the nginx and postgres services.
      systemctl restart nginx.service
      systemctl restart vpostgres.service
  6. Restart the VMware Cloud Director service.
    service vmware-vcd start
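The script below is an added example, not part of the VMware documentation, covering step 5 of this procedure. It builds the CSR from an OpenSSL config file (so it runs under /bin/sh, without bash process substitution), prints the SANs that actually ended up in the CSR, and installs the signed certificate only after confirming it was issued for the key in place, keeping a timestamped backup of the file it overwrites. The host names and address are the ones used in the procedure; the key and the self-signing step are constructed stand-ins for the appliance key and your CA, and install_cert, make_csr, csr_sans and self_sign are names chosen here.

```shell
#!/bin/sh
# Added example (not part of the VMware documentation): CSR with SANs from a config
# file, SAN verification, and a guarded install of the CA-signed certificate.
# The key is generated here as constructed test data; on the appliance it is
# /opt/vmware/appliance/etc/ssl/vcd_ova.key and the destination is vcd_ova.crt.

# make_csr KEY OUT FQDN SHORTNAME IP: write OUT.cnf and create the CSR with a SAN
# extension carrying the FQDN, the short host name and the management IP address.
make_csr() {
  key=$1; out=$2; fqdn=$3; short=$4; ip=$5
  cat > "$out.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = san
[dn]
CN = $fqdn
[san]
subjectAltName = DNS:$fqdn,DNS:$short,IP:$ip
EOF
  openssl req -new -key "$key" -config "$out.cnf" -out "$out" 2>/dev/null
}

# csr_sans CSR: print the SAN line of the CSR, for example
# "DNS:vcd2.example.com, DNS:vcd2, IP Address:10.100.101.10" (openssl renders IP as "IP Address").
csr_sans() {
  openssl req -noout -text -in "$1" | awk '/Subject Alternative Name/{getline; sub(/^ +/,""); print; exit}'
}

# self_sign CSR KEY CNF OUT: stand-in for the CA. A real CA signs the CSR and normally
# keeps the requested SAN; here the [san] section of CNF is copied into the certificate.
self_sign() {
  openssl x509 -req -in "$1" -signkey "$2" -days 365 -sha256 -extfile "$3" -extensions san -out "$4" 2>/dev/null
}

# install_cert NEWCERT KEY DEST: refuse to overwrite DEST unless NEWCERT was issued for
# KEY; keep a timestamped backup of the current DEST so rollback is a single cp.
install_cert() {
  new=$1; key=$2; dest=$3
  [ "$(openssl x509 -in "$new" -pubkey -noout)" = "$(openssl pkey -in "$key" -pubout)" ] ||
    { echo "$new does not match $key; not installing" >&2; return 1; }
  if [ -f "$dest" ]; then
    cp -p "$dest" "$dest.bak.$(date +%Y%m%d%H%M%S)"
  fi
  cp "$new" "$dest"
}

# Demo on a constructed key in a scratch directory.
W=$(mktemp -d)
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$W/vcd_ova.key" 2>/dev/null
make_csr "$W/vcd_ova.key" "$W/vcd_ova.csr" vcd2.example.com vcd2 10.100.101.10
echo "CSR SANs: $(csr_sans "$W/vcd_ova.csr")"
self_sign "$W/vcd_ova.csr" "$W/vcd_ova.key" "$W/vcd_ova.csr.cnf" "$W/ca-signed-vcd_ova.pem"
install_cert "$W/ca-signed-vcd_ova.pem" "$W/vcd_ova.key" "$W/vcd_ova.crt" && echo "installed $W/vcd_ova.crt"
rm -rf "$W"
```

On the appliance, call make_csr with the real key path, send the resulting CSR to your CA, and then run install_cert with the returned certificate and /opt/vmware/appliance/etc/ssl/vcd_ova.crt as the destination before restarting nginx and vpostgres. If the CA stripped the SAN, the mismatch shows up in `openssl x509 -noout -text` before anything is overwritten.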