Use the certificates command of the cell management tool to replace SSL certificates for the HTTP and Console Proxy endpoints.

The certificates command of the cell management tool automates the process of replacing existing certificates with new ones stored in a JCEKS keystore. Use the certificates command to replace self-signed certificates with signed ones or replace expiring certificates with new ones. To create a JCEKS keystore containing signed certificates, see Create a Self-Signed SSL Certificate in the vCloud Director Installation and Upgrade Guide.

To replace SSL certificates for one or both endpoints, use a command with the following form:

cell-management-tool certificates options

Table 1. Cell Management Tool Options and Arguments, certificates Subcommand

| Option | Argument | Description |
|---|---|---|
| --help (-h) | None | Provides a summary of available commands in this category. |
| --config (-c) | full pathname to the cell's global.properties file | Defaults to $VCLOUD_HOME/etc/global.properties. |
| --httpks (-j) | None | Replace the keystore file named certificates used by the http endpoint. |
| --consoleproxyks (-p) | None | Replace the keystore file named proxycertificates used by the console proxy endpoint. |
| --responses (-r) | full pathname to the cell's responses.properties file | Defaults to $VCLOUD_HOME/etc/responses.properties. |
| --keystore (-k) | keystore-pathname | Full pathname to a JCEKS keystore containing the signed certificates. Deprecated -s short form replaced by -k. |
| --keystore-password (-w) | keystore-password | Password for the JCEKS keystore referenced by the --keystore option. Replaces deprecated -kspassword and --keystorepwd options. |

Replacing Certificates

You can omit the --config and --responses options unless those files were moved from their default locations. In this example, a keystore at /tmp/my-new-certs.ks has the password kspw. The command replaces the cell's existing http endpoint certificate with the one found in /tmp/my-new-certs.ks.

[root@cell1 /opt/vmware/vcloud-director/bin]# ./cell-management-tool certificates -j -k /tmp/my-new-certs.ks -w kspw
Certificate replaced by user specified keystore at /tmp/new.ks.
You will need to restart the cell for changes to take effect.

Note:

You must restart the cell after you replace the certificates.
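
A pre-flight check for the keystore passed to --keystore, added here as an example and not taken from the original documentation. It assumes the endpoint key pairs use the aliases http and consoleproxy (not stated on this page), GNU stat, and keytool on the PATH; the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Pre-flight checks to run before:
#   cell-management-tool certificates -j -p -k <keystore> -w <password>
# Assumption (not stated on this page): the endpoint key pairs are stored
# under the aliases "http" and "consoleproxy".

# Succeed only if the keystore is a regular file (not a symlink) with no
# group/other permission bits, e.g. mode 600 rather than a default 644 in /tmp.
keystore_perms_ok() {
    local ks=$1 mode
    [ -f "$ks" ] && [ ! -L "$ks" ] || return 1
    mode=$(stat -c '%a' "$ks") || return 1      # GNU stat prints octal mode
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Read `keytool -list` output on stdin; succeed if alias $1 is a
# PrivateKeyEntry. A trustedCertEntry has no private key and cannot serve TLS.
has_private_key_alias() {
    awk -F', *' -v a="$1" \
        '$1 == a && /PrivateKeyEntry/ { found = 1 } END { exit !found }'
}

# Constructed sample listing: "http" is usable, "consoleproxy" was imported
# as a certificate only.
SAMPLE_LISTING='Keystore type: JCEKS
Keystore provider: SunJCE

Your keystore contains 2 entries

consoleproxy, Jan 10, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): 00:11:22:33
http, Jan 10, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 44:55:66:77'

# Check a real keystore. -storepass is omitted so keytool prompts for the
# password instead of taking it from the command line.
preflight() {
    local ks=$1 listing alias
    keystore_perms_ok "$ks" ||
        { echo "FAIL: $ks is missing, a symlink, or accessible to group/other" >&2; return 1; }
    listing=$(keytool -list -storetype JCEKS -keystore "$ks") || return 1
    for alias in http consoleproxy; do
        printf '%s\n' "$listing" | has_private_key_alias "$alias" ||
            { echo "FAIL: no private key entry for alias '$alias'" >&2; return 1; }
    done
    echo "OK: $ks is ready for cell-management-tool certificates"
}

# Run the check only when a keystore path is given as the first argument.
[ $# -eq 0 ] || preflight "$1"
```

The -w option in the example above puts the keystore password on the command line, where it is recorded in shell history and visible in the process list while the command runs.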