When you deploy the VMware Cloud Director appliance, it generates self-signed certificates with a validity period of 365 days. If there are expiring or expired certificates in your environment, you can generate new self-signed certificates. You must renew the certificates for each VMware Cloud Director cell individually.
Appliance Certificates
If you are renewing the certificate for the primary node in a database high availability cluster, first run the following cell management tool command to place all other nodes in maintenance mode and prevent data loss.
/opt/vmware/vcloud-director/bin/cell-management-tool -u administrator cell -m true
1. Log in directly or SSH to the OS of the VMware Cloud Director appliance as root.
2. Stop the VMware Cloud Director services by running the following command.
/opt/vmware/vcloud-director/bin/cell-management-tool -u administrator cell --shutdown
3. Generate self-signed certificates only for the embedded PostgreSQL database and the VMware Cloud Director appliance management UI.
/opt/vmware/appliance/bin/generate-appliance-certificates.sh <root password> --skip-vcd-certs
4. Restart the VMware Cloud Director service. This command automatically puts into use the newly generated certificates for the embedded PostgreSQL database and the appliance management UI. The PostgreSQL and the Nginx servers restart.
service vmware-vcd start
5. Take the nodes out of maintenance mode.
/opt/vmware/vcloud-director/bin/cell-management-tool -u administrator cell -m false
Wildcard Certificate for HTTPS Communication
You can deploy the VMware Cloud Director appliance with signed wildcard certificates. You can use these certificates to secure an unlimited number of servers that are subdomains of the domain name listed in the certificate.
Cloud Director version before 10.5.1
Upload the full-chain .pem certificate and the private key to the transfer share at /opt/vmware/vcloud-director/data/transfer/.
1. Change the owner and the group of the certificate files to vcloud.
chown vcloud.vcloud /opt/vmware/vcloud-director/data/transfer/user.http.pem
chown vcloud.vcloud /opt/vmware/vcloud-director/data/transfer/user.http.key
2. Make sure the owner of the certificate files has read and write permissions by setting the file mode.
chmod 0750 /opt/vmware/vcloud-director/data/transfer/user.http.pem
chmod 0750 /opt/vmware/vcloud-director/data/transfer/user.http.key
3. Run the command to import the new signed certificates into the VMware Cloud Director instance.
/opt/vmware/vcloud-director/bin/cell-management-tool certificates -j --cert /opt/vmware/vcloud-director/data/transfer/user.http.pem --key /opt/vmware/vcloud-director/data/transfer/user.http.key --key-password <root-password>
4. For the new signed certificates to take effect, restart the vmware-vcd service on the appliance.
/opt/vmware/vcloud-director/bin/cell-management-tool cell -i $(service vmware-vcd pid cell) -s
5. Run the command to start the service.
systemctl start vmware-vcd
Cloud Director version 10.5.1 and later
Starting with VMware Cloud Director 10.5.1, you can manage the cell HTTP certificate using the Service Provider Admin Portal and the cell management tool’s certificates command is deprecated. For these reasons, certificate management for 10.5.1 and later versions differs significantly from earlier versions.
When upgrading from version 10.5.0 and earlier to version 10.5.1 and later, VMware Cloud Director migrates the existing HTTP certificate of each cell from on-disk into the Certificate Library of the System organization.
Starting with VMware Cloud Director 10.5.1, in addition to the certificate that VMware Cloud Director uses for the HTTPS communication of the cell, VMware Cloud Director also uses a second certificate to secure Java Management Extensions (JMX) communication.
Before you upload the HTTP material to the Certificates Library, you must prepare the certificate chain that will be served by the cell. The file must contain a sequence of certificates that starts with your certificate followed by the intermediate certificates, and lastly, the root certificate.
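Before importing the bundle (either with the cell-management-tool command in the pre-10.5.1 steps above or through the Certificates Library), it is worth checking that the chain really is ordered leaf, intermediates, root and that the key belongs to the leaf. The following check script is an added example, not part of the original post or of VMware's tooling; it assumes openssl is installed, and the CHAIN and KEY paths passed to it are placeholders.

```shell
#!/bin/sh
# Added example (not VMware's code): verify a PEM chain file before importing it.
# Assumes the openssl CLI is available on the appliance.

# Print the Nth certificate block (1-based) from a PEM bundle.
pem_cert_n() {
    awk -v n="$2" '/-----BEGIN CERTIFICATE-----/{c++} c==n{print} /-----END CERTIFICATE-----/{if(c==n)exit}' "$1"
}

# Count the certificate blocks in a PEM bundle.
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# check_chain_file CHAIN.pem KEY.key
# Succeeds only when every certificate's issuer is the subject of the next one
# (leaf first, root last), the last certificate is self-signed, and the private
# key matches the leaf certificate's public key.
check_chain_file() {
    chain="$1"; key="$2"
    n=$(pem_cert_count "$chain")
    [ "$n" -ge 1 ] || { echo "no certificates found in $chain"; return 1; }
    i=1
    while [ "$i" -le "$n" ]; do
        subj=$(pem_cert_n "$chain" "$i" | openssl x509 -noout -subject)
        issuer=$(pem_cert_n "$chain" "$i" | openssl x509 -noout -issuer)
        if [ "$i" -lt "$n" ]; then
            next_subj=$(pem_cert_n "$chain" $((i+1)) | openssl x509 -noout -subject)
            [ "${issuer#issuer=}" = "${next_subj#subject=}" ] \
                || { echo "certificate $i is not issued by certificate $((i+1)): chain order is wrong"; return 1; }
        else
            [ "${issuer#issuer=}" = "${subj#subject=}" ] \
                || { echo "last certificate is not a self-signed root"; return 1; }
        fi
        i=$((i+1))
    done
    # Compare the leaf's public key with the public key derived from the private key.
    leaf_pub=$(pem_cert_n "$chain" 1 | openssl x509 -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ "$leaf_pub" = "$key_pub" ] || { echo "private key does not match the leaf certificate"; return 1; }
    echo "chain order and key match OK ($n certificates)"
}
```

Run it as `check_chain_file /opt/vmware/vcloud-director/data/transfer/user.http.pem /opt/vmware/vcloud-director/data/transfer/user.http.key` and import only when it reports OK.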
1. Import the certificate and its associated private key into the certificate library of the System organization.

The imported certificate appears in the list of available certificates during the creation of entities that you must secure.
2. Change the certificates of a cell. Put the cells you want to edit in maintenance mode. On the Cloud Cells page, click the name of the cell of which you want to change the certificate.

3. Click Endpoints Configuration, and click Edit.

4. In the Edit Endpoint Configuration dialog box, click the edit icon next to the web server SSL certificate. Select a certificate from the VMware Cloud Director certificate library. Click Use Certificate, and click Edit.

VMware Cloud Director stops all existing cell connections and changes the certificate. The VMware Cloud Director connection server restarts with the new certificate.
Repeat the steps above for each appliance in the cluster.
Customize the Public Addresses
To fulfill the load balancer or proxy requirements, you can change the default endpoint Web addresses for the VMware Cloud Director Web Portal and VMware Cloud Director API.