Replace expired SSL certificates in VMware Cloud Director 10.3.x

Article ID: 437212

Products

VMware Cloud Director, VMware Telco Cloud Infrastructure

Issue/Introduction

The SSL certificates for the VMware Cloud Director (VCD) HTTP and Console Proxy endpoints have expired or are nearing expiration. The certificates must be replaced to ensure uninterrupted secure access to the VCD portal and tenant consoles.

Environment

VCD: 10.3.3

TCI: 2.2

Cause

Standard SSL certificate lifecycle expiration.

Resolution

VMware Cloud Director 10.3 and later use PEM-format certificates and private keys directly; the use of JCEKS keystores is deprecated.

Prerequisites:

  1. A valid, unencrypted Private Key in PEM format (e.g., key.pem).

  2. A valid, full Certificate Chain in PEM format (e.g., cert.pem). The chain must include the server certificate, intermediate CA certificate(s), and the root CA certificate, in that order.
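
The two prerequisites above can be checked before the files are imported. The following script is an added example, not part of the original article or of Cloud Director; the function name check_vcd_pem is hypothetical, and it assumes the openssl command-line tool is available where the files are checked.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check of the cert.pem / key.pem prerequisites.
# check_vcd_pem is a hypothetical helper name, not part of Cloud Director.
check_vcd_pem() {
    local chain="$1" key="$2" tmp n i next cpub kpub rc=0
    tmp=$(mktemp -d) || return 2

    # Prerequisite 1: the private key must be unencrypted PEM.
    if grep -q 'ENCRYPTED' "$key"; then
        echo "FAIL: private key is encrypted"; rc=1
    fi

    # Split the chain into one file per certificate, keeping file order.
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ {n++}
                     n {print > (d "/" n ".pem")}' "$chain"
    n=$(grep -c 'BEGIN CERTIFICATE' "$chain" || true)

    # The first certificate must be the server certificate for this key.
    cpub=$(openssl x509 -in "$tmp/1.pem" -noout -pubkey 2>/dev/null)
    kpub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null)
    if [ -z "$cpub" ] || [ "$cpub" != "$kpub" ]; then
        echo "FAIL: key does not match the first certificate"; rc=1
    fi

    # Prerequisite 2: server, intermediate(s), root, in that order. This
    # compares issuer and subject names only; it verifies no signatures.
    for i in $(seq 1 "${n:-0}"); do
        openssl x509 -in "$tmp/$i.pem" -noout -checkend 0 >/dev/null 2>&1 ||
            { echo "FAIL: certificate $i has expired"; rc=1; }
        next=$i
        [ "$i" -lt "$n" ] && next=$((i + 1))   # the last one must be self-signed
        if [ "$(openssl x509 -in "$tmp/$i.pem" -noout -issuer_hash)" != \
             "$(openssl x509 -in "$tmp/$next.pem" -noout -subject_hash)" ]; then
            echo "FAIL: certificate $i is not issued by certificate $next"; rc=1
        fi
    done
    [ "${n:-0}" -ge 1 ] || { echo "FAIL: no certificates found"; rc=1; }

    rm -rf "$tmp"
    return "$rc"
}

# Run against the files named on the command line, if any.
if [ "$#" -eq 2 ]; then check_vcd_pem "$1" "$2" && echo "OK"; fi
```

A non-zero exit status means at least one prerequisite is not met; each failed check is printed on its own line.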

Execution Steps: Perform the following steps on each cell in the VMware Cloud Director server group.

  1. Transfer the cert.pem and key.pem files to the VCD cell (e.g., to the /tmp directory).

  2. Log in to the VCD cell appliance via SSH as the root user.

  3. Modify the ownership and permissions of the certificate and key files to ensure the vcloud user can read them:

    chown vcloud:vcloud /tmp/cert.pem /tmp/key.pem
    chmod 0750 /tmp/cert.pem /tmp/key.pem
    
  4. Run the Cell Management Tool to replace the HTTP endpoint certificate:

    /opt/vmware/vcloud-director/bin/cell-management-tool certificates -j --cert /tmp/cert.pem --key /tmp/key.pem
    
  5. Run the Cell Management Tool to replace the Console Proxy endpoint certificate (if sharing the same certificate, use the same files; if using a different certificate, point to the respective files):

    /opt/vmware/vcloud-director/bin/cell-management-tool certificates -p --cert /tmp/cert.pem --key /tmp/key.pem
    
  6. Restart the VMware Cloud Director service to apply the new certificates:

    systemctl restart vmware-vcd
    
  7. Monitor the cell.log to confirm the service starts successfully:

    tail -f /opt/vmware/vcloud-director/logs/cell.log
    

     Wait for the log to display: Application Initialization: 'com.vmware.vcloud.ui.vcloud-ui' ... 100%, indicating startup completion.