Summary

For this article we are using the same certificate for HTTP, the console proxy, and the VAMI. You do not have to replace the self-signed certificate that runs on the VAMI (port 5480), also known as the VMware Cloud Director Appliance Management UI, unless you specifically need to. For most compliance work it is recommended to have proper certificates in place, so this article is written with that intention.

Official VMware documentation

Import Private Keys and CA-Signed SSL Certificates to the VMware Cloud Director Appliance.

Replace a Self-Signed Embedded PostgreSQL and VMware Cloud Director Appliance Management UI Certificate.

My procedure

My procedure is very similar to the official steps linked above but has a few changes. For example, in my company I am not able to generate and submit my own CSR; instead I am simply provided with a key file and a certificate file. I take these two files and also locate and download the certificate authority (CA) bundle. I then upload these raw text files to the VCD appliance, create a PEM file (a raw text certificate file) from them, and then convert it to a PFX file to import into vCloud Director.

Update the vCD HTTP and console proxy SSL certificate.

  1. We need to confirm the existing location of our certificates.
    cat /opt/vmware/vcloud-director/etc/global.properties
    
  2. Look for the following four file paths, as we will be replacing these files with new ones. If your paths differ from those below, update the commands in this document accordingly.
    user.certificate.path = /opt/vmware/vcloud-director/user.http.pem
    user.key.path = /opt/vmware/vcloud-director/user.http.key
    user.consoleproxy.certificate.path = /opt/vmware/vcloud-director/user.consoleproxy.pem
    user.consoleproxy.key.path = /opt/vmware/vcloud-director/user.consoleproxy.key
    
  3. Rename the old files.
    mv /opt/vmware/vcloud-director/user.http.pem /opt/vmware/vcloud-director/user.http.pem.2022
    mv /opt/vmware/vcloud-director/user.http.key /opt/vmware/vcloud-director/user.http.key.2022
    mv /opt/vmware/vcloud-director/user.consoleproxy.pem /opt/vmware/vcloud-director/user.consoleproxy.pem.2022
    mv /opt/vmware/vcloud-director/user.consoleproxy.key /opt/vmware/vcloud-director/user.consoleproxy.key.2022
    

    Now we will create a new PEM file containing the certificate itself plus any intermediate and root CA certificates needed. The order within this file is extremely important and is consistent across the industry: each certificate is signed by a parent certificate, and each parent must be provided in turn until we reach the top of the chain, the root CA. The layout in the file should be certificate → intermediate certificate → (any other intermediate certificates in the chain) → root CA certificate. Edit the file and paste in the certificate + intermediate + root CA.

    vi /opt/vmware/vcloud-director/user.http.pem
    
  4. Create the new key file.
    vi /opt/vmware/vcloud-director/user.http.key
    
  5. Since the same certificate is used for the console proxy as for HTTP, we simply copy the files we just created over to the console proxy paths.
    cp /opt/vmware/vcloud-director/user.http.key /opt/vmware/vcloud-director/user.consoleproxy.key
    cp /opt/vmware/vcloud-director/user.http.pem /opt/vmware/vcloud-director/user.consoleproxy.pem
    
  6. Change ownership of the files.
    chown vcloud:vcloud /opt/vmware/vcloud-director/user.http.key 
    chown vcloud:vcloud /opt/vmware/vcloud-director/user.http.pem 
    chown vcloud:vcloud /opt/vmware/vcloud-director/user.consoleproxy.key
    chown vcloud:vcloud /opt/vmware/vcloud-director/user.consoleproxy.pem
    
  7. Import these new items (replace P@ssword with your keystore password).
    /opt/vmware/vcloud-director/bin/cell-management-tool certificates -j --cert /opt/vmware/vcloud-director/user.http.pem --key /opt/vmware/vcloud-director/user.http.key --key-password P@ssword
    /opt/vmware/vcloud-director/bin/cell-management-tool certificates -p --cert /opt/vmware/vcloud-director/user.consoleproxy.pem --key /opt/vmware/vcloud-director/user.consoleproxy.key --key-password P@ssword
    
  8. Now quiesce the Cloud Director cell. You will be prompted for the administrator password.
    /opt/vmware/vcloud-director/bin/cell-management-tool -u administrator cell -q true
    
  9. Now shut down the Cloud Director cell. You will be prompted for the administrator password.
    /opt/vmware/vcloud-director/bin/cell-management-tool -u administrator cell --shutdown
    
  10. Finally we restart the appropriate services.
    systemctl restart vmware-vcd.service
    
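Before running the import in step 7, it is worth confirming that the bundle pasted in steps 3 and 4 contains only certificate blocks, is ordered leaf → intermediate → root, and that the key really belongs to the leaf certificate; cell-management-tool gives little feedback when the order is wrong. The script below is an added example written for this article, not code from the original post or from VMware. It assumes openssl is present on the cell and takes the certificate and key paths as arguments (the paths in the usage comment are the article's and are only assumptions about your appliance).

```shell
#!/usr/bin/env bash
# Added example (not from the article or from VMware's tooling): validate the
# user.http.pem / user.http.key pair built in steps 3-4 before importing it.
# Assumes openssl is available on the cell; paths come from the article and
# are only assumptions about your appliance.

# Print the label of every PEM block in FILE, in file order (no openssl needed).
pem_block_types() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# Succeed only if FILE holds certificates and nothing else: a private key
# pasted into the .pem file is a common mistake.
pem_cert_file_ok() {
    local n_total n_cert
    n_total=$(pem_block_types "$1" | wc -l)
    n_cert=$(pem_block_types "$1" | grep -c '^CERTIFICATE$' || true)
    [ "$n_total" -gt 0 ] && [ "$n_total" -eq "$n_cert" ]
}

# Split FILE into one temporary file per certificate (001.pem, 002.pem, ...)
# and print the directory. Stray CR characters are dropped so a bundle pasted
# from Windows still splits cleanly.
pem_split() {
    local dir
    dir=$(mktemp -d)
    awk -v dir="$dir" '
        { sub(/\r$/, "") }
        /^-----BEGIN CERTIFICATE-----$/ { n++; out = sprintf("%s/%03d.pem", dir, n); inblock = 1 }
        inblock { print > out }
        /^-----END CERTIFICATE-----$/ { inblock = 0; close(out) }
    ' "$1"
    echo "$dir"
}

# Succeed if every certificate in FILE was issued by the one that follows it,
# i.e. leaf -> intermediate(s) -> root, the order the article asks for.
pem_chain_ordered() {
    local dir f subject issuer prev_issuer="" rc=0
    dir=$(pem_split "$1")
    for f in "$dir"/*.pem; do
        [ -f "$f" ] || { rc=1; break; }   # no certificate blocks at all
        subject=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject=//')
        issuer=$(openssl x509 -in "$f" -noout -issuer | sed 's/^issuer=//')
        if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subject" ]; then
            echo "chain break before '$subject': previous cert was issued by '$prev_issuer'" >&2
            rc=1
        fi
        prev_issuer=$issuer
    done
    rm -rf "$dir"
    return $rc
}

# Succeed if KEY_FILE is the private key for the first (leaf) certificate in
# CERT_FILE. Both sides are compared as SPKI public-key PEM, so this works for
# RSA and EC keys alike. PASSWORD is only needed if the key file is encrypted.
pem_key_matches() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout -passin "pass:${3:-}" 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Run all checks; exit status is non-zero on the first failure.
main() {
    local cert=$1 key=$2 pass=${3:-}
    echo "PEM blocks in $cert:"; pem_block_types "$cert"
    pem_cert_file_ok "$cert"  || { echo "FAIL: $cert must contain only CERTIFICATE blocks" >&2; return 1; }
    pem_chain_ordered "$cert" || { echo "FAIL: chain in $cert is not leaf -> intermediate -> root" >&2; return 1; }
    pem_key_matches "$cert" "$key" "$pass" || { echo "FAIL: $key is not the key for the leaf certificate" >&2; return 1; }
    echo "OK: $cert is ordered correctly and matches $key"
}

# Usage: vcd_pem_check.sh /opt/vmware/vcloud-director/user.http.pem /opt/vmware/vcloud-director/user.http.key [key-password]
if [ $# -ge 2 ]; then
    main "$@"
fi
```

Run it before step 7; a non-zero exit means the files need fixing before the import. It only reads the files, so it is safe to rerun after each edit, and because it compares public keys rather than RSA moduli it also works for EC keys.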

Update the vCD VAMI and PostgreSQL SSL certificate.

This process assumes you used the method above to create a certificate for the primary provider and tenant portals. If you used another method, you will need to modify some of these steps slightly.

  1. Change directory to where the PostgreSQL and VAMI certificate and key are kept.
    cd /opt/vmware/appliance/etc/ssl
    
  2. Rename the current self-signed certificate and key; we keep them as a backup in case there is a problem.
    mv vcd_ova.crt vcd_ova.crt.bak-2022
    mv vcd_ova.key vcd_ova.key.bak-2022
    
  3. Since we already have a valid certificate, we reuse those PEM files for the certificate and key.
    cp /opt/vmware/vcloud-director/user.http.pem /opt/vmware/appliance/etc/ssl/vcd_ova.crt
    cp /opt/vmware/vcloud-director/user.http.key /opt/vmware/appliance/etc/ssl/vcd_ova.key
    
  4. Now we need to change the owner and group of the files.
    chown root:users vcd_ova.crt
    chown root:users vcd_ova.key
    
  5. Now we must change the permissions of the files.
    chmod 640 vcd_ova.crt
    chmod 640 vcd_ova.key
    
  6. Finally we restart the appropriate services.
    systemctl restart nginx.service && systemctl restart vcd_ova_ui.service
    systemctl restart vpostgres.service
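After both procedures have finished and the services are back, the thing to confirm is not that the files are in place but that the appliance actually presents the new certificate on 443 (provider and tenant portals) and 5480 (VAMI), and that none of the private key files ended up world-readable. The script below is an added example written for this article, not code from the original post or from VMware; it uses the article's paths and owners, assumes GNU stat (which the Photon OS based appliance has) and openssl, and takes the appliance hostname as an argument since the article names none.

```shell
#!/usr/bin/env bash
# Added example (not from the article or from VMware's tooling): after the
# restarts in both procedures, verify ownership/permissions and that 443 and
# 5480 serve the certificate in user.http.pem. Hostname is an assumption.
# stat -c is GNU coreutils syntax (Linux); the paths are the article's.

# Succeed if FILE is owned by OWNER:GROUP (e.g. vcloud:vcloud).
check_owner() {
    [ "$(stat -c '%U:%G' "$1" 2>/dev/null)" = "$2" ]
}

# Succeed if FILE has exactly the octal MODE (e.g. 640).
check_mode() {
    [ "$(stat -c '%a' "$1" 2>/dev/null)" = "$2" ]
}

# Succeed if "other" has no read bit on FILE: a private key must never be
# world-readable, whatever else its mode says. Missing file counts as failure.
key_not_world_readable() {
    local mode
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    case "$mode" in
        *[4567]) return 1 ;;
    esac
    return 0
}

# Print subject, issuer, validity, SHA-256 fingerprint and the verify result of
# the certificate HOST:PORT serves right now (needs network access to HOST).
served_cert_summary() {
    local out
    out=$(openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null) || return 1
    printf '%s\n' "$out" | openssl x509 -noout -subject -issuer -dates -fingerprint -sha256
    printf '%s\n' "$out" | grep -m1 'Verify return code' || echo "verify result not reported"
}

# Succeed if the certificate served by HOST:PORT has the same SHA-256
# fingerprint as the leaf certificate in LOCAL_PEM.
served_matches_file() {
    local remote local_fp
    remote=$(openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
             | openssl x509 -noout -fingerprint -sha256 2>/dev/null) || return 2
    local_fp=$(openssl x509 -in "$3" -noout -fingerprint -sha256 2>/dev/null) || return 2
    [ -n "$remote" ] && [ "$remote" = "$local_fp" ]
}

# Run every check, report each problem, and return non-zero if any failed.
main() {
    local host=$1 rc=0 f port
    local vcd=/opt/vmware/vcloud-director ova=/opt/vmware/appliance/etc/ssl
    for f in user.http.pem user.http.key user.consoleproxy.pem user.consoleproxy.key; do
        check_owner "$vcd/$f" vcloud:vcloud || { echo "WRONG OWNER: $vcd/$f" >&2; rc=1; }
    done
    for f in vcd_ova.crt vcd_ova.key; do
        check_owner "$ova/$f" root:users && check_mode "$ova/$f" 640 \
            || { echo "WRONG OWNER/MODE: $ova/$f" >&2; rc=1; }
    done
    for f in "$vcd/user.http.key" "$vcd/user.consoleproxy.key" "$ova/vcd_ova.key"; do
        key_not_world_readable "$f" || { echo "WORLD-READABLE KEY: $f" >&2; rc=1; }
    done
    for port in 443 5480; do
        echo "== $host:$port"
        served_cert_summary "$host" "$port" || { echo "NO TLS RESPONSE: $host:$port" >&2; rc=1; }
        served_matches_file "$host" "$port" "$vcd/user.http.pem" \
            || { echo "SERVED CERT ON $port IS NOT $vcd/user.http.pem" >&2; rc=1; }
    done
    return $rc
}

# Usage: vcd_cert_verify.sh vcd.example.com   (hostname is a placeholder)
if [ $# -ge 1 ]; then
    main "$@"
fi
```

Run it on the appliance once the services are up; the "Verify return code" line from s_client tells you whether the appliance's own trust store accepts the chain you installed, which is the same check a browser or API client will make.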