NOTE: This process is for vCD 10.1; do not use it for 10.3. For 10.3, use this article instead.

Summary

For this article we are using the same certificate for http, consoleproxy, and the VAMI. You do not have to replace the self-signed certificate that runs on the VAMI (port 5480), also known as the VMware Cloud Director Appliance Management UI, unless you specifically need to. For most compliance work it is recommended to have proper certificates in place, so this article is written with that intention.

Official VMware documentation

VMware has an official process for creating and importing SSL certificates within vCloud Director 10.3. That information is located at the link Renew the VMware Cloud Director Appliance Certificates.

My procedure

My procedure is very similar to the information shown above but has a few changes. For example, in my company I am not able to generate and submit my own CSR; instead I am simply provided with a key file and a certificate file. I have to take these two files and also locate and download the certificate authority (CA) bundle. I then upload these raw text files to the VCD appliance, create a PEM (raw text certificate) file from them, and convert it to a PFX file to import into vCloud Director.

Prerequisites

NOTE: This portion of the work is non-disruptive if followed precisely.

  1. Create the following as part of the backout/rollback plan:
    1. Create a clone of the VCD VM.
    2. Create a snapshot of the VCD VM.

Create the certificate files and generate appropriate files

  1. SSH into the VCD VM and gain ‘shell’ access. We need to create three new files: one each for the certificate, the key, and the root CA bundle. This will result in a PEM file for each object. You can either use ‘touch’ to create the file and ‘echo’ each line into it (note that ‘>>’ appends, so start from an empty file), or use your favorite text editor and copy/paste the information into the new files.
  2. Create the ‘key’ PEM file; this is the actual private key needed to make the certificate usable.
    touch /home/cert-2022.key
    echo '-----BEGIN RSA PRIVATE KEY-----' >> /home/cert-2022.key
    echo 'INSERT-PRIVATE-KEY-HERE' >> /home/cert-2022.key
    ...(additional lines removed for article)
    echo 'INSERT-PRIVATE-KEY-HERE' >> /home/cert-2022.key
    echo '-----END RSA PRIVATE KEY-----' >> /home/cert-2022.key
    
  3. Create the ‘certificate’ PEM file; this is the actual certificate that was obtained from the CA.
    touch /home/cert-2022.crt
    echo '-----BEGIN CERTIFICATE-----' >> /home/cert-2022.crt
    echo 'INSERT-CERTIFICATE-HERE' >> /home/cert-2022.crt
    ...(additional lines removed for article)
    echo 'INSERT-CERTIFICATE-HERE' >> /home/cert-2022.crt
    echo '-----END CERTIFICATE-----' >> /home/cert-2022.crt
    
  4. Create the certificate authority bundle. If your CA has an intermediate certificate, then you will also need to add it to this file.
    touch /home/cabundle-2022.ca
    echo '-----BEGIN CERTIFICATE-----' >> /home/cabundle-2022.ca
    echo 'INSERT-CERTIFICATE-HERE' >> /home/cabundle-2022.ca
    ...(additional lines removed for article)
    echo 'INSERT-CERTIFICATE-HERE' >> /home/cabundle-2022.ca
    echo '-----END CERTIFICATE-----' >> /home/cabundle-2022.ca
    
  5. Since VCD is not able to use PEM files directly, we need to create a PFX (PKCS#12) file. You will be prompted for an export passphrase; it is recommended that you save it in a password utility tool. The resulting file will be called ‘ssl-2022.pfx’.
    openssl pkcs12 -export -out /home/ssl-2022.pfx -inkey /home/cert-2022.key -in /home/cert-2022.crt -certfile /home/cabundle-2022.ca
    

Apply the new certificate to VCD primary portal

  1. We want to work on a temporary copy of the certificate store; this allows the Cloud Director services to remain online for as long as possible.
    cp /opt/vmware/vcloud-director/certificates.ks /opt/vmware/vcloud-director/certificates-2022.ks
    
  2. Change directory to where keytool is located.
    cd /opt/vmware/vcloud-director/jre/bin/
    
  3. Now let's replace the https certificate. NOTE: Replace P@SSWORD with the appropriate passphrase.
    1. Use keytool to import the pfx file into the certificate store.
      ./keytool -trustcacerts -storetype JCEKS -storepass P@SSWORD -importkeystore -srckeystore /home/ssl-2022.pfx -destkeystore /opt/vmware/vcloud-director/certificates-2022.ks -srcstoretype pkcs12
      
    2. The alias Cloud Director uses for the HTTPS service is http, so first we need to remove the old http alias.
      ./keytool -delete -alias http -keystore /opt/vmware/vcloud-director/certificates-2022.ks -storetype JCEKS -storepass P@SSWORD
      
    3. Now we rename alias 1 (the entry imported from the PFX) to http.
      ./keytool -storetype JCEKS -storepass P@SSWORD -changealias -alias 1 -destalias http -keystore /opt/vmware/vcloud-director/certificates-2022.ks
      
    4. List all aliases to ensure the new entry replaced the old http one. Check the dates to confirm it was indeed updated.
      ./keytool -storetype JCEKS -storepass P@SSWORD -keystore /opt/vmware/vcloud-director/certificates-2022.ks -list
      
  4. Now let's replace the console proxy certificate. NOTE: Replace P@SSWORD with the appropriate password found in passwordsafe/CORE.
    1. Use keytool to import the pfx file into the certificate store again (the previous alias 1 was renamed to http, so this import creates a new alias 1).
      ./keytool -trustcacerts -storetype JCEKS -storepass P@SSWORD -importkeystore -srckeystore /home/ssl-2022.pfx -destkeystore /opt/vmware/vcloud-director/certificates-2022.ks -srcstoretype pkcs12
      
    2. The alias Cloud Director uses for the console is consoleproxy, so first we need to remove the old consoleproxy alias.
      ./keytool -delete -alias consoleproxy -keystore /opt/vmware/vcloud-director/certificates-2022.ks -storetype JCEKS -storepass P@SSWORD
      
    3. Now we rename alias 1 to consoleproxy.
      ./keytool -storetype JCEKS -storepass P@SSWORD -changealias -alias 1 -destalias consoleproxy -keystore /opt/vmware/vcloud-director/certificates-2022.ks
      
    4. List all aliases to ensure the new entry replaced the old consoleproxy one. Check the dates to confirm it was indeed updated.
      ./keytool -storetype JCEKS -storepass P@SSWORD -keystore /opt/vmware/vcloud-director/certificates-2022.ks -list
      
  5. In case something goes wrong, let's create a backup of the original certificates.ks.
    cp /opt/vmware/vcloud-director/certificates.ks /opt/vmware/vcloud-director/certificates-2021.bak
    
  6. Now quiesce the Cloud Director Cell. NOTE: You will need to provide the password for your VCD cell.
    /opt/vmware/vcloud-director/bin/cell-management-tool -u administrator cell -q true
    
  7. Now shutdown the Cloud Director Cell.
    /opt/vmware/vcloud-director/bin/cell-management-tool -u administrator cell -shutdown
    

    NOTE: From this point forward this work is disruptive.

  8. Move the newly created certificate store into place.
    mv /opt/vmware/vcloud-director/certificates-2022.ks /opt/vmware/vcloud-director/certificates.ks
    
  9. Update the owner of the certificates.ks to Cloud Director.
    chown vcloud:vcloud /opt/vmware/vcloud-director/certificates.ks
    
  10. Reconfigure Cloud Director to use the new certificate store. Answer “Y” when asked if you want to start services.
    /opt/vmware/vcloud-director/bin/configure
    
  11. Wait a few minutes (probably 2-5 minutes) for all services to start, then browse to the standard URL for Cloud Director and confirm the new certificate is working.

Apply the new certificate to the VAMI

NOTE: This process assumes you used the above method to create a certificate for the primary provider and tenant portals. If you used another method, then you will need to modify some of these steps slightly.

REF: Replace a Self-Signed Embedded PostgreSQL and VMware Cloud Director Appliance Management UI Certificate

  1. Change directory to where the PostgreSQL and VAMI certificates are kept.
    cd /opt/vmware/appliance/etc/ssl
    
  2. Rename the current self-signed certificate files; we keep them as a backup in case there is a problem.
    mv vcd_ova.crt vcd_ova.crt.org
    mv vcd_ova.csr vcd_ova.csr.org
    mv vcd_ova.key vcd_ova.key.org
    
  3. Since we already have a valid certificate, we will re-use those PEM files for the cert and key. First we combine the crt and then the root CA bundle (order is important here: server certificate first, then the bundle) to create the new crt file.
    cat /home/cert-2022.crt /home/cabundle-2022.ca > /opt/vmware/appliance/etc/ssl/vcd_ova.crt
    
  4. Next we will copy over (and rename while doing so) the key file.
    cp /home/cert-2022.key /opt/vmware/appliance/etc/ssl/vcd_ova.key
    
  5. Now we need to change the owner and group of the files.
    chown root:users vcd_ova.crt
    chown root:users vcd_ova.key
    
  6. Now we must restrict the permissions of the files (640: owner read/write, group read, no access for others, so the private key is not world-readable).
    chmod 640 vcd_ova.crt
    chmod 640 vcd_ova.key
    
  7. Finally we restart the appropriate services.
    systemctl restart nginx.service && systemctl restart vcd_ova_ui.service
    systemctl restart vpostgres.service
    
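The cat in step 3 above and the CA bundle built earlier both depend on certificate order (server certificate, then intermediate, then root). The following is an added example, not code from the original article, that checks that order in a PEM file using only the Python standard library by comparing each certificate's issuer with the next certificate's subject; the sample certificates are constructed, unsigned stand-ins, and the DER walker assumes definite-length encoding, which real certificates use.

```python
import base64, re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_ders(text):
    """Split a PEM bundle (e.g. vcd_ova.crt) into DER blobs, in file order."""
    return [base64.b64decode(m) for m in PEM_RE.findall(text)]

def tlv_iter(buf):
    """Yield (tag, value) for each DER element in buf (definite lengths only)."""
    i = 0
    while i < len(buf):
        tag, n = buf[i], buf[i + 1]
        i += 2
        if n & 0x80:                                   # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        yield tag, buf[i:i + n]
        i += n

def cert_names(der):
    """Return (issuer DER, subject DER, notAfter) from one X.509 certificate."""
    tbs = next(tlv_iter(next(tlv_iter(der))[1]))[1]    # Certificate -> tbsCertificate
    fields = list(tlv_iter(tbs))
    if fields[0][0] == 0xA0:                           # optional explicit [0] version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    issuer, validity, subject = fields[2][1], fields[3][1], fields[4][1]
    return issuer, subject, list(tlv_iter(validity))[1][1].decode()

def chain_in_order(pem_text):
    """True if cert[i] is issued by cert[i+1] all the way down, i.e. leaf first."""
    names = [cert_names(d) for d in pem_to_ders(pem_text)]
    return bool(names) and all(names[i][0] == names[i + 1][1] for i in range(len(names) - 1))

# Constructed sample data: unsigned, minimal X.509 structure, not real certificates.
def _tlv(tag, body):
    return bytes([tag, len(body)]) + body              # short-form lengths only (< 128)

def sample_cert(subject, issuer):
    def name(cn):  # Name ::= SEQUENCE { SET { SEQUENCE { OID 2.5.4.3 (CN), UTF8String } } }
        return _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn.encode()))))
    validity = _tlv(0x30, _tlv(0x17, b"220101000000Z") + _tlv(0x17, b"230101000000Z"))
    tbs = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x30, b"") + name(issuer) + validity + name(subject) + _tlv(0x30, b""))
    der = _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"

LEAF = sample_cert("vcd.example.test", "Example Issuing CA")
INTERMEDIATE = sample_cert("Example Issuing CA", "Example Root CA")
ROOT = sample_cert("Example Root CA", "Example Root CA")
```

Read /opt/vmware/appliance/etc/ssl/vcd_ova.crt (or /home/cabundle-2022.ca) into chain_in_order to check the file you just built. This checks ordering and names only, not signatures or trust, which is what openssl verify is for.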

Final Steps

  1. Test all endpoints to ensure the new certificate is working as expected. If it is, then proceed to the next steps.
  2. Delete the snapshot on the VM after 2 business days.
  3. Keep the clone for a week, then delete it.