VAMI interface displays expired certificate

Article ID: 426718

Products

VMware Cloud Director

Issue/Introduction

In VMware Cloud Director (VCD) Appliance environments, the VAMI interface (port 5480) may display an expired certificate even after the cell's HTTP and Console Proxy certificates have been updated.

Symptoms:

  • Browsing to https://<VCD_FQDN>:5480 shows a certificate warning.

  • Checking /opt/vmware/appliance/etc/ssl shows timestamps/expiry dates for certificates that do not match the updated environment certificates.

Environment

10.3.3

Cause

The VAMI (Appliance Management) service reads its SSL certificates from its own local directory, which is not always updated automatically when the cell certificates are changed with the cell-management-tool or by manually updating the certificate paths in the cell's global.properties.

Resolution

  1. Log in to the VCD Appliance as root via SSH.

  2. Locate the current, valid certificates. (Refer to the paths defined in /opt/vmware/vcloud-director/etc/global.properties).

  3. Back up the existing VAMI certificates:

    cp /opt/vmware/appliance/etc/ssl/vami.crt /opt/vmware/appliance/etc/ssl/vami.crt.bak
    cp /opt/vmware/appliance/etc/ssl/vami.key /opt/vmware/appliance/etc/ssl/vami.key.bak

  4. Copy the new certificates into the VAMI directory:

    cp /path/to/new_cert.crt /opt/vmware/appliance/etc/ssl/vami.crt
    cp /path/to/new_key.key /opt/vmware/appliance/etc/ssl/vami.key

  5. Restart the appliance services:

    systemctl restart vcloud-vami-proxy
    service vmware-vcd restart

  6. Repeat these steps on the remaining cells.

Additional Information

The permissions for these files are 640. Copying a file over the existing target should not change the permissions on the target.
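
A post-change check for the Resolution steps and the permissions note above, as an added example that is not part of the original article: it confirms that vami.crt and vami.key are still mode 640, that the certificate has not expired, that the key belongs to the certificate, and optionally that port 5480 serves the on-disk certificate. The function names and the script name vami_check.sh are assumptions, and it relies on openssl and GNU stat being available on the appliance.

```shell
#!/bin/sh
# Added example: post-change checks for the VAMI certificate pair.
# Function names are illustrative; the paths and mode 640 come from the article.

# Succeeds if the file mode is exactly 640.
check_mode() {
    [ "$(stat -c '%a' "$1")" = "640" ]
}

# Succeeds if the certificate is still valid $2 seconds from now (default: now).
check_not_expired() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null
}

# Succeeds if the private key belongs to the certificate (same public key).
check_pair() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# SHA-256 fingerprint of the PEM certificate read from stdin.
fingerprint() {
    openssl x509 -noout -fingerprint -sha256
}

# Usage: verify_vami_certs DIR [HOST]
# With HOST, also compares the on-disk certificate with the one served on 5480.
verify_vami_certs() {
    dir=$1; host=${2:-}; rc=0
    for f in vami.crt vami.key; do
        check_mode "$dir/$f" || { echo "FAIL: $f mode is not 640"; rc=1; }
    done
    check_not_expired "$dir/vami.crt" || { echo "FAIL: vami.crt has expired"; rc=1; }
    check_pair "$dir/vami.crt" "$dir/vami.key" || { echo "FAIL: key/cert mismatch"; rc=1; }
    if [ -n "$host" ]; then
        served=$(openssl s_client -connect "$host:5480" </dev/null 2>/dev/null | fingerprint)
        [ "$served" = "$(fingerprint < "$dir/vami.crt")" ] ||
            { echo "FAIL: port 5480 still serves a different certificate"; rc=1; }
    fi
    return "$rc"
}

# Run when called with arguments, e.g.:
#   sh vami_check.sh /opt/vmware/appliance/etc/ssl <VCD_FQDN>
if [ "$#" -gt 0 ]; then verify_vami_certs "$@"; fi
```

Run it on each cell after the service restart; a non-zero exit status means at least one check failed.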