Use the certificates command of the cell management tool to replace the cell's SSL certificates.

The certificates command of the cell management tool automates the process of replacing a cell's existing certificates with new ones stored in a JCEKS keystore. The certificates command helps you replace self-signed certificates with signed ones. To create a JCEKS keystore containing signed certificates, see Create a Self-Signed SSL Certificate in the vCloud Director Installation and Upgrade Guide.

To replace the cell's SSL certificates, use a command with the following form:

cell-management-tool certificates options

Table 1. Cell Management Tool Options and Arguments, certificates Subcommand

| Option | Argument | Description |
|---|---|---|
| --help (-h) | None | Provides a summary of available commands in this category. |
| --config (-c) | full pathname to the cell's global.properties file | Defaults to $VCLOUD_HOME/etc/global.properties. |
| --httpks (-j) | None | Replace the keystore file named certificates used by the http endpoint. |
| --consoleproxyks (-p) | None | Replace the keystore file named proxycertificates used by the console proxy endpoint. |
| --responses (-r) | full pathname to the cell's responses.properties file | Defaults to $VCLOUD_HOME/etc/responses.properties. |
| --keystore (-k) | keystore-pathname | Full pathname to a JCEKS keystore containing the signed certificates. Deprecated -s short form replaced by -k. |
| --keystore-password (-w) | keystore-password | Password for the JCEKS keystore referenced by the --keystore option. Replaces deprecated -kspassword and --keystorepwd options. |

Replacing Certificates

You can omit the --config and --responses options unless those files were moved from their default locations. In this example, a keystore at /tmp/my-new-certs.ks has the password kspw. This example replaces the cell's existing http endpoint certificate with the one found in /tmp/my-new-certs.ks.

[root@cell1 /opt/vmware/vcloud-director/bin]# ./cell-management-tool certificates -j -k /tmp/my-new-certs.ks -w kspw
Certificate replaced by user specified keystore at /tmp/new.ks.
You will need to restart the cell for changes to take effect.

Note:

You must restart the cell after you replace the certificates.
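
The following is an added example, not part of the original documentation or VMware's tooling: a pre-flight wrapper that checks the keystore before running the replacement shown above. The function names and the KS_PW and CMT variables are hypothetical, and it assumes GNU stat and a keytool binary on the PATH.

```shell
#!/bin/sh
# Added example, not VMware code. Function names, KS_PW and CMT are hypothetical.

# Succeed only if the keystore is a regular file (not a symlink), owned by the
# invoking user, with no group/other permission bits set.
keystore_perms_ok() {
    ks=$1
    if [ ! -f "$ks" ] || [ -L "$ks" ]; then
        echo "not a regular file: $ks" >&2; return 1
    fi
    if [ "$(stat -c '%u' "$ks")" != "$(id -u)" ]; then   # GNU stat
        echo "not owned by the invoking user: $ks" >&2; return 1
    fi
    mode=$(stat -c '%a' "$ks")                            # e.g. 600
    case $mode in
        *00) return 0 ;;
        *)   echo "mode $mode is too open; chmod 600 $ks" >&2; return 1 ;;
    esac
}

# Check the keystore, confirm it opens as JCEKS, then replace the http endpoint
# certificate (-j) with the options from the page's example.
replace_http_cert() {
    ks=$1
    [ -n "${KS_PW:-}" ] || { echo "set KS_PW to the keystore password" >&2; return 1; }
    export KS_PW
    keystore_perms_ok "$ks" || return 1
    # keytool reads the password from the environment here, not from argv.
    keytool -list -storetype JCEKS -keystore "$ks" -storepass:env KS_PW >/dev/null || {
        echo "cannot open $ks as JCEKS with the given password" >&2; return 1
    }
    # -w puts the password on the command line, as in the page's example.
    "${CMT:-/opt/vmware/vcloud-director/bin/cell-management-tool}" \
        certificates -j -k "$ks" -w "$KS_PW"
}

# Usage: KS_PW=... replace_http_cert /tmp/my-new-certs.ks   (then restart the cell)
```

A keystore staged in a shared directory such as /tmp holds private keys, so the wrapper refuses files that other local users can read or that are reached through a symlink.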