Use the generate-certs command of the cell management tool to generate new self-signed SSL certificates for the cell.

The generate-certs command of the cell management tool automates the Create a Self-Signed SSL Certificate procedure shown in the vCloud Director Installation and Upgrade Guide.

To generate new self-signed SSL certificates and add them to a new or existing keystore, use a command line with the following form:

cell-management-tool generate-certs options

Table 1. Cell Management Tool Options and Arguments, generate-certs Subcommand

Option: --help (-h)
Argument: None
Description: Provides a summary of available commands in this category.

Option: --expiration (-x)
Argument: days-until-expiration
Description: Number of days until the certificates expire. Defaults to 365.

Option: --issuer (-i)
Argument: name=value [, name=value, ...]
Description: X.509 distinguished name of the certificate issuer. Defaults to CN=FQDN, where FQDN is the fully qualified domain name of the cell, or its IP address if no fully qualified domain name is available. If you specify multiple attribute and value pairs, separate them with commas and enclose the entire argument in quotation marks.

Option: --httpcert (-j)
Argument: None
Description: Generate a certificate for the HTTP endpoint.

Option: --key-size (-s)
Argument: key-size
Description: Size of the key pair, expressed as an integer number of bits. Defaults to 2048. Key sizes smaller than 1024 bits are no longer supported, per NIST Special Publication 800-131A. That publication also disallows RSA keys shorter than 2048 bits for signature generation, so keep the default or choose a larger size.

Option: --keystore-pwd (-w)
Argument: keystore-password
Description: Password for the keystore on this host. Because it is passed on the command line, it is visible in the process list while the tool runs and is recorded in the shell history unless you take steps to prevent that.

Option: --out (-o)
Argument: keystore-pathname
Description: Full pathname to the keystore on this host.

Option: --consoleproxycert (-p)
Argument: None
Description: Generate a certificate for the console proxy endpoint.

Note:

To maintain compatibility with previous releases of this subcommand, omitting both -j and -p has the same result as supplying both -j and -p.

Creating Self-Signed Certificates

Both of these examples assume a keystore at /tmp/cell.ks that has the password kspw. This keystore is created if it does not already exist.

This example creates new certificates for both endpoints using the defaults. The issuer name defaults to CN=FQDN, where FQDN is the fully qualified domain name of the cell. The certificates use the default 2048-bit key length and expire one year (365 days) after creation.

[root@cell1 /opt/vmware/vcloud-director/bin]# ./cell-management-tool generate-certs -j -p -o /tmp/cell.ks -w kspw
New keystore created and written to /tmp/cell.ks.

This example creates a new certificate for the HTTP endpoint only. It also specifies custom values for the key size and issuer name. The issuer name is set to CN=Test, L=London, C=GB; because the distinguished name contains commas, the whole argument is enclosed in quotation marks. The new certificate for the HTTP connection has a 4096-bit key and expires 90 days after creation. The existing certificate for the console proxy endpoint is unaffected.

[root@cell1 /opt/vmware/vcloud-director/bin]# ./cell-management-tool generate-certs -j -o /tmp/cell.ks -w kspw \
 -i "CN=Test, L=London, C=GB" -s 4096 -x 90
New keystore created and written to /tmp/cell.ks.
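The following script is an added example and is not part of the vCloud Director documentation or of the cell management tool. It wraps the generate-certs procedure described above: it rejects key sizes below 2048 bits (the tool itself only refuses sizes below 1024) and non-positive expirations before the tool runs, passes the issuer DN as a single argument so that commas inside it are handled the way the quotation marks in the table intend, and after generation checks the keystore file mode and lists the resulting entries. It assumes the tool is at /opt/vmware/vcloud-director/bin/cell-management-tool (override with the CMT environment variable), that the keystore password is supplied in the KS_PWD environment variable, that a JDK keytool is installed, and that the keystore is of type JCEKS, the store type used in the vCloud Director installation guide; none of these assumptions come from the text above.

```shell
#!/usr/bin/env bash
# Added example, not part of the vCloud Director documentation or tool:
# a wrapper around "cell-management-tool generate-certs" that validates
# the arguments first and inspects the keystore afterwards.
#
# Assumptions (not stated on the page):
#   CMT     path to cell-management-tool; overridable from the environment
#   KS_PWD  keystore password, read from the environment so it does not land
#           in shell history (it is still visible in the process list while
#           the tool runs, because -w takes it on the command line)
#   keytool from a JDK is installed, and the keystore is JCEKS.
set -u

CMT=${CMT:-/opt/vmware/vcloud-director/bin/cell-management-tool}

# The tool refuses keys below 1024 bits; refuse anything below 2048, since
# NIST SP 800-131A disallows RSA moduli shorter than 2048 bits for new
# signatures.
validate_key_size() {
    case "$1" in
        ''|*[!0-9]*) echo "key size must be an integer, got '$1'" >&2; return 1 ;;
    esac
    if [ "$1" -lt 2048 ]; then
        echo "key size $1 is below 2048 bits (NIST SP 800-131A)" >&2
        return 1
    fi
}

# Expiration must be a positive whole number of days.
validate_expiration() {
    case "$1" in
        ''|*[!0-9]*|0) echo "expiration must be a positive number of days, got '$1'" >&2; return 1 ;;
    esac
}

# run_generate_certs <http|consoleproxy|both> <keystore> <key-size> <days> [issuer-dn]
# Builds the option list with "set --" so the issuer DN stays one argument
# even when it contains commas and spaces, then invokes the tool.
run_generate_certs() {
    local endpoint=$1 keystore=$2 size=$3 days=$4 issuer=${5:-}
    : "${KS_PWD:?set KS_PWD to the keystore password}"
    validate_key_size "$size" || return 1
    validate_expiration "$days" || return 1
    case "$endpoint" in
        http)         set -- -j ;;
        consoleproxy) set -- -p ;;
        both)         set -- -j -p ;;
        *) echo "endpoint must be http, consoleproxy or both, got '$endpoint'" >&2; return 1 ;;
    esac
    set -- "$@" -o "$keystore" -s "$size" -x "$days"
    if [ -n "$issuer" ]; then
        set -- "$@" -i "$issuer"
    fi
    "$CMT" generate-certs "$@" -w "$KS_PWD"
}

# After generation: warn if group or others can read the keystore, then print
# each entry's alias, validity window and signature algorithm for review.
check_keystore() {
    local keystore=$1 mode
    mode=$(stat -c %a "$keystore") || return 1
    case "$mode" in
        *00) ;;
        *) echo "warning: $keystore has mode $mode; private keys should not be group/world readable" >&2 ;;
    esac
    keytool -list -v -storetype JCEKS -keystore "$keystore" -storepass "$KS_PWD" \
        | grep -E '^(Alias name|Valid from|Signature algorithm name):'
}

# Usage: KS_PWD=... ./gen-cell-certs.sh http /tmp/cell.ks 4096 90 "CN=Test, L=London, C=GB"
if [ "$#" -ge 4 ]; then
    run_generate_certs "$@" && check_keystore "$2"
fi
```

Setting CMT to a harmless command such as echo turns the script into a dry run that prints the exact option list the tool would receive, which is a quick way to confirm the quoting of the issuer DN before touching a production keystore.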