I currently have some self signed certificates on my vCloud Director 8 installation and want to update them with new certificates. Here are the simplified steps to get this accomplished:
Firstly you need to create 2 certificates for each member of the group (cell) and import the certificates into host keystores. Each vCD has 2 IP address which allows support for 2 different SSL endpoints(http and consoleproxy). Each endpoint requires its own SSL certificate.
Requirements for cert include an X.500 distinguished name, while Subject Alternative Name is not necessary.
Replace certificate using vCD configuration script:
this process will also validate the db connection and prompt for SSL certificate and skips all other.
- SSH to vCD cell
- Stop the vCD services
- service vmware-vcd stop
- Run the configuration
- Specify full path to java keystore that holds the new certificates
- Provide keystore and certificate password
This will replace the certificates and restart the vCD services.
Certificates command of the cell management tool automates process replace certificates in JCEKS keystore.
- # cd /opt/vmware/vcloud-director/bin
- # ./cell-management-tool certificates -j -p -k /tmp/.ks -w kspw
- Restart the cell for changes to take affect.
- # service vmware-vcd restart
One thought on “vCloud Director 8: Replace certificates”
might want to add a -p to handle the console proxy as well.
/opt/vmware/vcloud-director/bin/cell-management-tool certificates -j -p -k /tmp/.ks -w kspw