By default, the embedded PostgreSQL database and the vCloud Director appliance management user interface share a set of self-signed SSL certificates. For increased security, you can replace the default self-signed certificates with certificate authority (CA) signed certificates.

When you deploy the vCloud Director appliance, it generates self-signed certificates with a validity period of 365 days. The vCloud Director appliance uses two sets of SSL certificates. The vCloud Director service uses one set of certificates for HTTPS and the console proxy communications. The embedded PostgreSQL database and the vCloud Director appliance management user interface share the other set of SSL certificates.

Note: The process of replacing the database and appliance management UI certificates does not affect the certificates for HTTPS and console proxy communications. Replacing one of the sets of certificates does not mean you must replace the other set.

Procedure

  1. Send the certificate signing request (CSR) located at /opt/vmware/appliance/etc/ssl/vcd_ova.csr to the CA for signing.
  2. If you are replacing the certificate for the primary database, place all other nodes into maintenance mode to prevent the possibility of data loss.
  3. Replace the existing PEM-format certificate at /opt/vmware/appliance/etc/ssl/vcd_ova.crt with the signed certificate, obtained from your CA in Step 1.
  4. To pick up the new certificate, restart the vpostgres and vcd_ova_ui services.
    systemctl restart vcd_ova_ui.service
    systemctl restart vpostgres.service
  5. If you are replacing the certificate for the primary database, take all other nodes out of maintenance mode.
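The following script is an added example and is not part of the vCloud Director appliance or its documentation. It wraps Steps 3 and 4 with the checks an administrator would want before overwriting the live certificate: that the file returned by the CA is PEM-encoded, that it is not expired, and that its public key matches the key behind the vcd_ova.csr that was sent in Step 1 (a certificate issued against a different key would be accepted by the copy but rejected by the services). It backs up the current vcd_ova.crt before replacing it and only restarts vcd_ova_ui.service and vpostgres.service when the checks pass. The default paths and service names are the ones named on this page; the CSR_PATH, CRT_PATH and NEW_CERT environment variables and the RUN_CERT_REPLACE guard are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight checks and replacement of the appliance
# database/management UI certificate. Not VMware's own tooling.
# Paths default to the locations named in the procedure above.
CSR_PATH="${CSR_PATH:-/opt/vmware/appliance/etc/ssl/vcd_ova.csr}"
CRT_PATH="${CRT_PATH:-/opt/vmware/appliance/etc/ssl/vcd_ova.crt}"
NEW_CERT="${NEW_CERT:-/root/vcd_ova_signed.crt}"   # assumed: where the CA-signed cert was copied

# verify_signed_cert CSR CRT
# Returns 0 when CRT is a PEM certificate, is currently valid, and carries
# the same public key as the CSR that was sent to the CA; otherwise 1.
verify_signed_cert() {
    csr="$1"; crt="$2"
    # openssl defaults to PEM input; a DER or otherwise malformed file fails here
    if ! openssl x509 -in "$crt" -noout >/dev/null 2>&1; then
        echo "ERROR: $crt is not a PEM-encoded certificate" >&2
        return 1
    fi
    # -checkend 0 exits non-zero if the certificate has already expired
    if ! openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1; then
        echo "ERROR: $crt is expired" >&2
        return 1
    fi
    # The CA must have signed the key pair the appliance generated: compare
    # the public key embedded in the CSR with the one in the returned cert
    csr_pub=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    if [ -z "$csr_pub" ] || [ "$csr_pub" != "$crt_pub" ]; then
        echo "ERROR: public key in $crt does not match the key behind $csr" >&2
        return 1
    fi
    return 0
}

# install_signed_cert NEW DEST
# Keeps a timestamped backup of DEST and writes NEW over it in place, so the
# ownership and mode of the existing certificate file are preserved.
install_signed_cert() {
    new="$1"; dest="$2"
    backup="$dest.bak.$(date +%Y%m%d%H%M%S)"
    if [ -f "$dest" ]; then
        cp -p "$dest" "$backup" || return 1
    fi
    cat "$new" > "$dest" || return 1
    echo "installed $new as $dest (backup: $backup)"
    return 0
}

# restart_services: Step 4 of the procedure, run only after the checks pass
restart_services() {
    systemctl restart vcd_ova_ui.service && systemctl restart vpostgres.service
}

# Top-level run is guarded so the functions can be sourced without side effects.
if [ "${RUN_CERT_REPLACE:-0}" = "1" ]; then
    verify_signed_cert "$CSR_PATH" "$NEW_CERT" || exit 1
    install_signed_cert "$NEW_CERT" "$CRT_PATH" || exit 1
    restart_services
fi
```

Run it on the appliance as RUN_CERT_REPLACE=1 NEW_CERT=/path/to/signed.crt sh replace_cert.sh after placing the other nodes into maintenance mode (Step 2); the backup file lets you restore the previous certificate and restart the same two services if the new one is rejected.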

Results

The new certificate is imported to the vCloud Director truststore on other vCloud Director cells the next time the appliance-sync function runs. The operation might take up to 60 seconds.