How to renew vCloud Director Certificates

  1. Purchase public SSL certificates for your management and console proxy URLs.

  2. Create the CA bundle from root and intermediate CA certificates:

cat CA2.cer CA1.cer RootCA.cer > ca-bundle.crt

  3. Name the files as follows:
  • http.crt - certificate file for control
  • consoleproxy.crt - certificate file for console
  • ca-bundle.crt - CA bundle file
  • http.key - private key for control
  • consoleproxy.key - private key for console
  4. Upload the certificates, key files and CA bundle via SFTP to the vCloud Director cell.
  5. SSH into the vCloud Director cell and go to the directory where the files have been uploaded.
  6. Combine console and control certificates into PFX bundles:

openssl pkcs12 -export -in http.crt -inkey http.key -certfile ca-bundle.crt -out http.pfx -name "http"

openssl pkcs12 -export -in consoleproxy.crt -inkey consoleproxy.key -certfile ca-bundle.crt -out consoleproxy.pfx -name "consoleproxy"

  7. Import all certificates into a new keystore called certificates.ks (or pick another name):

/opt/vmware/vcloud-director/jre/bin/keytool -importkeystore -deststorepass [PASSWORD OF CHOICE] -destkeystore certificates.ks -deststoretype JCEKS -srckeystore http.pfx -srcstoretype PKCS12 -srcstorepass [PFX PASSWORD]

/opt/vmware/vcloud-director/jre/bin/keytool -importkeystore -deststorepass [PASSWORD OF CHOICE] -destkeystore certificates.ks -deststoretype JCEKS -srckeystore consoleproxy.pfx -srcstoretype PKCS12 -srcstorepass [PFX PASSWORD]

  8. Check that the certificates have been imported correctly:

/opt/vmware/vcloud-director/jre/bin/keytool -storetype JCEKS -storepass [PASSWORD OF CHOICE AS ABOVE] -keystore certificates.ks -list

  9. Stop the vCD cell, update the certificate keystore and start the vCD cell back up:

cd /opt/vmware/vcloud-director/bin
service vmware-vcd stop
./cell-management-tool certificates -j -p -k [PATH TO KS FILE]/certificates.ks -w [KEYSTORE PASSWORD]
service vmware-vcd restart
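
Before building the PFX bundles, it is worth confirming that each private key matches its certificate, that ca-bundle.crt completes the chain, and that the uploaded certificate is the renewed one rather than the expiring one. The script below is an added example, not part of the original post; the function names and the 30-day threshold are assumptions, and it expects openssl on the PATH and key files without a passphrase.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for the files
# named in the steps above. Assumes openssl is on PATH and the private keys
# are not passphrase-protected. Function names are illustrative.

# key_matches_cert CERT KEY: true if KEY is the private key for CERT
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# chain_verifies BUNDLE CERT: true if CERT verifies with BUNDLE as the CA file
# (openssl may also consult the system trust store, depending on the build)
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# valid_for_days CERT DAYS: true if CERT is still valid DAYS from now
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# preflight DIR: run every check on both certificate/key pairs in DIR
preflight() {
    rc=0
    for name in http consoleproxy; do
        key_matches_cert "$1/$name.crt" "$1/$name.key" ||
            { echo "$name: private key does not match certificate"; rc=1; }
        chain_verifies "$1/ca-bundle.crt" "$1/$name.crt" ||
            { echo "$name: chain does not verify against ca-bundle.crt"; rc=1; }
        valid_for_days "$1/$name.crt" 30 ||
            { echo "$name: certificate expires within 30 days"; rc=1; }
    done
    return "$rc"
}

# Run from the upload directory; does nothing when the files are absent.
if [ -f ./http.crt ]; then preflight .; fi
```

A non-zero exit from preflight means at least one file is wrong, and it is easier to fix that before the cell is stopped than after.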