Instructions on how to replace certificates for VMware Cloud Director 10.5.1 and above via the provider UI
VMware Cloud Director 10.5.1 and above
Self-signed:
Create a Private key and a CSR:
openssl genrsa -out example.com.key 2048; openssl req -new -key example.com.key -out example.com.csr
Create the SAN config file v3.ext, then add the following lines to it:
touch v3.ext
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:TRUE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign
subjectAltName = DNS:example.com, DNS:*.example.com, DNS:node1.example.com, DNS:Node2.example.com, DNS:Node3.example.com
issuerAltName = issuer:copy
Generate the self-signed certificate:
openssl x509 -req -in example.com.csr -signkey example.com.key -out example.com.crt -days 360 -sha256 -extfile v3.ext
CA/Enterprise CA or a signed certificate authority (Digi etc.)
Create a Private key and a CSR:
openssl genrsa -out example.com.key 2048; openssl req -new -key example.com.key -out example.com.csr
Share the CSR with the certificate authority and ensure the CA adds the SAN when signing the certificate.
Preparing the certificate
Note: For a self-signed certificate, you will have only the certificate (no intermediate/root).
Note: Ensure the certificate chain does not contain a certificate that uses the SHA-1 algorithm.
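The two requirements stated above (the CA must include the SAN, and no certificate in the chain may use SHA-1) can be checked with a script before the import. The following is an added example, not part of the original article or of VMware tooling; the function names, the chain file name and the SAN names passed to it are assumptions.

```shell
#!/bin/sh
# Added example: pre-import checks on a PEM chain file (leaf certificate first).
# Function names and the chain/SAN arguments are assumptions, not VCD tooling.

# weak_sig: stdin is `openssl x509 -noout -text` output.
# Succeeds if the certificate was signed with a SHA-1 based algorithm.
weak_sig() {
    grep -i 'Signature Algorithm:' | grep -qi 'sha1'
}

# has_san NAME: stdin is the same text output.
# Succeeds if NAME appears as a DNS entry in the SAN extension (case-insensitive).
has_san() {
    awk '/X509v3 Subject Alternative Name/ { getline; print }' |
        tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        grep -Fqix "DNS:$1"
}

# check_chain CHAIN.pem NAME...: returns 0 if no certificate in the file uses
# SHA-1 and the leaf lists every NAME; 1 on a finding; 2 if the file is unusable.
check_chain() {
    chain=$1; shift
    tmp=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate: 1.pem, 2.pem, ...
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
                     n { print > (d "/" n ".pem") }' "$chain"
    rc=0; i=1
    [ -f "$tmp/1.pem" ] || rc=2
    while [ -f "$tmp/$i.pem" ]; do
        text=$(openssl x509 -in "$tmp/$i.pem" -noout -text) || { rc=2; break; }
        if printf '%s\n' "$text" | weak_sig; then
            echo "certificate $i: SHA-1 signature algorithm" >&2; rc=1
        fi
        if [ "$i" -eq 1 ]; then
            for name in "$@"; do
                printf '%s\n' "$text" | has_san "$name" ||
                    { echo "leaf: SAN missing DNS:$name" >&2; rc=1; }
            done
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return "$rc"
}

# Usage: sh check_chain.sh chain.pem example.com node1.example.com
if [ "$#" -gt 0 ]; then check_chain "$@"; fi
```

For a self-signed certificate the chain file contains only the one certificate, so it is checked both as the leaf and for SHA-1.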
Import the certificate to VMware Cloud Director
Apply Certificate to cell nodes
openssl s_client -showcerts -connect node1.example.com:443
Updating certificates via the provider UI is available only in VCD 10.5.1 and above.
Note: For Multi-cell / Load-balanced environment