Replace VMware Cloud Director Public/https Certificate

Article ID: 379244

Products

VMware Cloud Director

Issue/Introduction

Instructions on how to replace the public/HTTPS certificate of VMware Cloud Director 10.5.1 and above via the provider UI.

Environment

VMware Cloud Director 10.5.1 and above

Resolution

Self-signed certificate:

  1. Create a private key and a CSR:

    • openssl genrsa -out example.com.key 2048; openssl req -new -key example.com.key -out example.com.csr
  2. Create the SAN config file:

    • touch v3.ext
    • Populate it with the contents below. Replace *.example.com and example.com with the actual DNS names; if there are additional SAN entries, add an extra ", DNS:FQDN" for every host name that should show up in the SAN.
    • subjectKeyIdentifier   = hash
      authorityKeyIdentifier = keyid:always,issuer:always
      basicConstraints       = CA:TRUE
      keyUsage               = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign
      subjectAltName         = DNS:example.com, DNS:*.example.com, DNS:node1.example.com, DNS:node2.example.com, DNS:node3.example.com
      issuerAltName          = issuer:copy
  3. Generate the self-signed certificate:

    • openssl x509 -req -in example.com.csr -signkey example.com.key -out example.com.crt -days 360 -sha256 -extfile v3.ext
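The three self-signed steps above, as an added example script (not part of the article): the SAN line of v3.ext is generated from a list of host names so that no entry is mistyped, the remaining v3.ext fields are copied from the article unchanged, and the issued certificate is read back to confirm every name actually landed in its SAN. The script name and the argument layout are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the KB article: self-signed certificate with a
# generated SAN list. Other v3.ext fields are copied verbatim from the article.

# Write v3.ext: $1 = output file, remaining arguments = every DNS name that
# must appear in the SAN (exact names and wildcards such as *.example.com).
write_san_ext() {
    out="$1"; shift
    [ $# -gt 0 ] || { echo "at least one DNS name is required" >&2; return 1; }
    san=""
    for name in "$@"; do
        san="${san:+$san, }DNS:$name"      # join as "DNS:a, DNS:b, ..."
    done
    cat > "$out" <<EOF
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints       = CA:TRUE
keyUsage               = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign
subjectAltName         = $san
issuerAltName          = issuer:copy
EOF
}

# Steps 1 and 3 of the article: $1 = base file name (example.com),
# $2 = v3.ext file, $3 = subject CN. Produces $1.key, $1.csr and $1.crt.
make_self_signed() {
    openssl genrsa -out "$1.key" 2048 &&
    openssl req -new -key "$1.key" -out "$1.csr" -subj "/CN=$3" &&
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -out "$1.crt" -days 360 -sha256 -extfile "$2"
}

# Print the DNS names present in the issued certificate's SAN, one per line,
# so the result can be compared with the list that was requested.
cert_san_names() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
        | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# Usage (hypothetical script name): sh self_signed.sh example.com example.com '*.example.com' node1.example.com
if [ $# -ge 2 ]; then
    base="$1"; shift
    write_san_ext v3.ext "$@" && make_self_signed "$base" v3.ext "$1" && cert_san_names "$base.crt"
fi
```

Quote the wildcard argument so the shell does not expand it, and run the script from the directory where the key must end up; the key file never leaves that directory and is the one imported together with the certificate later.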

CA-signed certificate (Enterprise CA or a public certificate authority, e.g. Digi):

  1. Create a private key and a CSR:

    • openssl genrsa -out example.com.key 2048; openssl req -new -key example.com.key -out example.com.csr
  2. Share the CSR with the certificate authority and ensure the CA adds the SAN entries when signing the certificate.
    Example of a CA provider's request form: (screenshot not reproduced)

Preparing the certificate

  1. Create a PEM file and dump the contents of the certificates into it in the following order:
    1. Signed certificate
    2. Intermediate
    3. Root

Note: For a self-signed certificate you will only have the certificate itself (no intermediate/root).
Note: Ensure that no certificate in the chain is signed with the SHA-1 algorithm.

Example of the combined PEM file: (screenshot not reproduced)
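Assembling the PEM file by hand is where most import failures start (wrong order, a missing intermediate, a key that does not belong to the certificate, or a SHA-1 link in the chain). The following added example (not the article's own code) builds the bundle in the required order and checks those four points with openssl before anything is imported; the script name and argument layout are assumptions.

```shell
#!/bin/sh
# Added example, not from the KB article: assemble the PEM bundle in the
# order the article requires (signed certificate, intermediate, root) and
# sanity-check it before importing into the VCD certificate library.

# Concatenate certificate files into $1 in the order given; for a self-signed
# certificate only the leaf is passed. awk '1' guarantees every file ends with
# a newline, so two PEM blocks never run together on one line.
build_chain_pem() {
    out="$1"; shift
    : > "$out"
    for f in "$@"; do
        [ -s "$f" ] || { echo "missing or empty certificate file: $f" >&2; return 1; }
        awk '1' "$f" >> "$out"
    done
}

# Split a bundle into $2/cert-01.pem, cert-02.pem, ... because openssl x509
# only ever reads the first PEM block of a file.
split_pem() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%02d.pem", dir, n) }
        f { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }' "$1"
}

# Number of certificates in the bundle (1 self-signed, 3 for leaf+intermediate+root).
pem_cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# Each certificate's issuer must be the subject of the certificate that
# follows it; otherwise the order is wrong or a link of the chain is missing.
chain_order_ok() {
    dir=$(mktemp -d); split_pem "$1" "$dir"; rc=0; want=""
    for c in "$dir"/cert-*.pem; do
        subj=$(openssl x509 -in "$c" -noout -subject); subj=${subj#*=}
        if [ -n "$want" ] && [ "$want" != "$subj" ]; then
            echo "chain order broken at $c: expected '$want', found '$subj'" >&2; rc=1; break
        fi
        want=$(openssl x509 -in "$c" -noout -issuer); want=${want#*=}
    done
    rm -rf "$dir"; return $rc
}

# The article requires that no certificate in the chain is SHA-1 signed.
chain_free_of_sha1() {
    dir=$(mktemp -d); split_pem "$1" "$dir"; rc=0
    for c in "$dir"/cert-*.pem; do
        alg=$(openssl x509 -in "$c" -noout -text | grep 'Signature Algorithm' | head -n 1 | awk '{print $NF}')
        case "$alg" in
            *sha1*|*SHA1*) echo "SHA-1 signature on $c ($alg)" >&2; rc=1 ;;
        esac
    done
    rm -rf "$dir"; return $rc
}

# The private key from step 1 must belong to the signed certificate:
# compare the public key derived from each.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# Usage (hypothetical name): sh prepare_chain.sh example.com.key bundle.pem leaf.crt [intermediate.crt [root.crt]]
if [ $# -ge 3 ]; then
    key="$1"; bundle="$2"; shift 2
    build_chain_pem "$bundle" "$@" &&
    echo "$(pem_cert_count "$bundle") certificate(s) in $bundle" &&
    chain_order_ok "$bundle" && chain_free_of_sha1 "$bundle" &&
    key_matches_cert "$key" "$1" && echo "bundle is ready for import"
fi
```

A bundle that passes these checks can still be rejected if the CA's intermediate was downloaded in DER rather than PEM form; convert with openssl x509 -inform DER first, since the splitter above only recognises PEM markers.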

Import the certificate to VMware Cloud Director

  1. Log in to the VMware Cloud Director provider portal > Administration > Certificate Management > Certificate Library > Import, and import the certificate.

Apply the certificate to cell nodes

  1. In the provider UI, navigate to Resources > Cloud Cells and click on a cloud cell (one at a time).

  2. Click on Endpoint Configuration > Edit.

  3. Click on the pencil icon next to the "Web server" "SSL certificate" entry to edit it.

  4. Select the certificate that was imported in the previous step and then click on "Use Certificate".

  5. Wait 3-5 minutes for the web service to restart, then connect to the node directly (using openssl to validate that the node is presenting the new certificate):
    openssl s_client -connect node1.example.com:443 -servername node1.example.com -showcerts

  6. Repeat "Apply the certificate to cell nodes" on the other cells.
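Reading the s_client output by eye does not scale across several cells and a VIP. The added example below (not the article's own code) automates step 5: it fetches the leaf certificate each node presents, compares its SHA-256 fingerprint with the certificate that was imported, confirms the node's own FQDN is covered by the SAN (exact or wildcard entry), and reports how many certificates the server sends. Port 443, the script name and the host names are assumptions.

```shell
#!/bin/sh
# Added example, not from the KB article: after the web service restart in
# step 5, confirm each cell (and, behind a load balancer, the VIP) presents
# the imported certificate rather than the old one.

# SHA-256 fingerprint of a PEM certificate file, e.g. "AB:CD:...".
cert_sha256_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Does the certificate in $1 cover the FQDN $2 through its SAN list?
# Matches exact entries and single-label wildcards (*.example.com), case-insensitively.
leaf_covers_name() {
    fqdn=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    for san in $(openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
                 | grep -o 'DNS:[^, ]*' | sed 's/^DNS://' | tr 'A-Z' 'a-z'); do
        case "$san" in
            "$fqdn") return 0 ;;
            \*.*) [ "${fqdn#*.}" = "${san#\*.}" ] && return 0 ;;
        esac
    done
    return 1
}

# Fetch the leaf certificate presented at host:port (SNI set to the host)
# into file $3. Connecting to a cell directly bypasses the load balancer.
presented_leaf() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null | openssl x509 -out "$3" 2>/dev/null
}

# Number of certificates the server sends; 1 for a CA-signed certificate means
# the intermediate was not bundled and some clients will fail to build the chain.
presented_chain_length() {
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | grep -c -- '-----BEGIN CERTIFICATE-----'
}

# Compare what a node presents with the certificate that was imported.
check_node() {  # $1 host, $2 port, $3 expected PEM certificate file
    tmp=$(mktemp)
    if ! presented_leaf "$1" "$2" "$tmp"; then
        echo "$1:$2: no certificate received (service still restarting?)" >&2; rm -f "$tmp"; return 1
    fi
    got=$(cert_sha256_fingerprint "$tmp"); want=$(cert_sha256_fingerprint "$3")
    if [ "$got" != "$want" ]; then
        echo "$1:$2: presents $got, expected $want (old certificate still active)" >&2; rm -f "$tmp"; return 1
    fi
    if ! leaf_covers_name "$tmp" "$1"; then
        echo "$1:$2: certificate has no SAN entry matching $1" >&2; rm -f "$tmp"; return 1
    fi
    echo "$1:$2: OK $want, chain length $(presented_chain_length "$1" "$2")"
    rm -f "$tmp"
}

# Usage (hypothetical name): sh check_cells.sh example.com.crt node1.example.com node2.example.com vcd.example.com
if [ $# -ge 2 ]; then
    expected="$1"; shift; rc=0
    for host in "$@"; do check_node "$host" 443 "$expected" || rc=1; done
    exit $rc
fi
```

Run it once per cell directly after step 5 and once more against the VIP after the load balancer has been handled as described under Additional Information; a VIP that still reports the old fingerprint while every cell passes is the SSL-terminated case where the certificate on the load balancer itself has to be replaced.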

Additional Information

Updating certificates via the provider UI is only available starting with VCD 10.5.1 and above.

Note: For multi-cell / load-balanced environments

  • If the SSL configuration on the load balancer is set to SSL termination, you also need to update the certificate on the respective virtual server of the load balancer, because the public/web certificate presented on the VIP is the one held by the load balancer.
  • If the SSL configuration on the load balancer is set to SSL passthrough, no certificate update on the load balancer is required; the VIP presents whatever certificate the cells hold.