How to Replace the Public/HTTPS Certificate in VMware Cloud Director

Article ID: 379244

Products

VMware Cloud Director

Issue/Introduction

This article provides instructions on how to replace certificates for VMware Cloud Director using the Provider UI.

Environment

VMware Cloud Director 10.5.1

VMware Cloud Director 10.6.x

Resolution

Generating a self-signed certificate:

  1. Create a private key and a CSR:

    openssl genrsa -out example.com.key 2048; openssl req -new -key example.com.key -out example.com.csr

  2. Create the SAN config file:

    touch v3.ext

  3. Populate it with the contents below. Replace example.com and *.example.com with the actual DNS names; if there are additional SANs, add an extra ", DNS:FQDN" entry for every host name that should appear in the SAN list.

    subjectKeyIdentifier   = hash
    authorityKeyIdentifier = keyid:always,issuer:always
    basicConstraints       = CA:TRUE
    keyUsage               = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign
    subjectAltName         = DNS:example.com, DNS:*.example.com, DNS:node1.example.com, DNS:node2.example.com, DNS:node3.example.com
    issuerAltName          = issuer:copy

  4. Generate the self-signed certificate:

    openssl x509 -req -in example.com.csr -signkey example.com.key -out example.com.crt -days 360 -sha256 -extfile v3.ext

Generating a certificate signed by a Certificate Authority (enterprise CA or public CA, Digi etc.):

  1. Create a private key and a CSR:

    openssl genrsa -out example.com.key 2048; openssl req -new -key example.com.key -out example.com.csr

  2. Share the CSR with the Certificate Authority and ensure the CA includes the SAN entries when signing the certificate.

  3. Example of a CA provider:

Preparing the certificate

  1. Create a PEM file and paste the contents of the certificates into it in the following order:
    1. Signed server certificate
    2. Intermediate certificate
    3. Root CA certificate

        Note: For a self-signed certificate there is only the server certificate itself (no intermediate or root).
        Note: Ensure that no certificate in the chain uses a SHA-1 signature algorithm.

Example:

Import the certificate to VMware Cloud Director 

  1. Log in to the VMware Cloud Director Provider portal, then navigate to Administration → Certificate Management → Certificate Library → Import, and proceed to import the certificate.
  2. Fill in the Certificate Name, select the file, enter the passphrase if one is configured, and click Import.

Apply Certificate to VCD cells:

  1. From the provider UI, go to Resources → Cloud Cells, and select each cloud cell one at a time.

  2. Open Endpoint Configuration and click Edit.

  3. Click the pencil (edit) icon next to Web Server → SSL Certificate to modify it.

  4. Select the certificate that was imported in the previous step, then click "Use Certificate".

  5. Wait 3-5 minutes for the web service to restart, then connect to the node directly with openssl to validate that it presents the new certificate:

    openssl s_client -connect node1.example.com:443 -showcerts

  6. Repeat "Apply Certificate to VCD cells" on the other cells.

    Updating certificates via the provider UI is only available in VCD 10.5.1 and later.

    Note: For multi-cell / load-balanced environments
    • If the Load Balancer is configured for SSL termination, update the certificate on the corresponding virtual server so that the VIP presents the correct public/web certificate.
    • If the Load Balancer is configured for SSL passthrough, no certificate update is required on the Load Balancer.

Additional Information

Notes in case of failure when renewing certificates

  1. VMware Cloud Director does not accept certificates whose signature algorithms use SHA-1, for example sha1WithRSAEncryption.
  2. In rare cases, you might also need to append the root certificate, root-CA-certificate.cer. This is not common, and generally it is not applicable if your CA is one of the well-known certificate authorities whose certificate is distributed with modern browsers. Consult your CA for more information and to determine whether you must append your root certificate. See also: SSL Certificate Creation and Management of Your VMware Cloud Director Appliance.
    cat intermediate-certificate-file-1.cer intermediate-certificate-file-2.cer >> your-http-certificate.pem
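Added example (not from this article or from VMware): a standard-library-only Python pre-check for the PEM bundle assembled in "Preparing the certificate" and by the cat command above. It parses each certificate's DER just far enough to confirm the blocks are in the required order (each certificate is the issuer of the one before it) and that none is signed with SHA-1, which VCD rejects. The sample bundles are constructed, unsigned placeholder certificates rather than real ones, and `check_bundle`, `parse_cert`, `fake_cert` and the CA names are this example's own.

```python
import base64, re
# DER content octets of signature-algorithm OIDs. VCD rejects the SHA-1 ones; SHA-2 variants pass.
SHA1_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05"        # sha1WithRSAEncryption   1.2.840.113549.1.1.5
SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"      # sha256WithRSAEncryption 1.2.840.113549.1.1.11
SHA1_SIG_OIDS = {SHA1_RSA: "sha1WithRSAEncryption", b"\x2a\x86\x48\xce\x3d\x04\x01": "ecdsa-with-SHA1"}

def _tlv(buf, pos):  # read one DER TLV at pos -> (tag, value, next_pos); handles long-form lengths
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # low 7 bits = number of length octets that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_cert(der):
    """Return (issuer_der, subject_der, signature_oid_der) for one X.509 certificate in DER."""
    _, cert, _ = _tlv(der, 0)                          # Certificate ::= SEQUENCE { tbs, sigAlg, signature }
    _, tbs, pos = _tlv(cert, 0)
    _, alg, _ = _tlv(cert, pos)                        # AlgorithmIdentifier ::= SEQUENCE { OID, parameters }
    tag, _, p = _tlv(tbs, 0)                           # tbs opens with optional [0] version, else serialNumber
    if tag == 0xA0:
        _, _, p = _tlv(tbs, p)                         # serialNumber
    _, _, p = _tlv(tbs, p)                             # inner signature AlgorithmIdentifier
    _, issuer, p = _tlv(tbs, p)                        # issuer Name (raw DER, compared byte-for-byte below)
    _, _, p = _tlv(tbs, p)                             # validity
    _, subject, _ = _tlv(tbs, p)                       # subject Name
    return issuer, subject, _tlv(alg, 0)[1]

def check_bundle(pem_text):
    """Lint a PEM bundle in VCD's order (server cert, then each issuer up to the root). Returns problems."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    certs = [parse_cert(base64.b64decode("".join(b.split()))) for b in blocks]
    problems = [] if certs else ["no CERTIFICATE blocks found"]
    for i, (issuer, _, oid) in enumerate(certs):
        if oid in SHA1_SIG_OIDS:
            problems.append(f"cert #{i + 1} is signed with {SHA1_SIG_OIDS[oid]}; VCD rejects SHA-1")
        if i + 1 < len(certs) and issuer != certs[i + 1][1]:
            problems.append(f"cert #{i + 2} is not the issuer of cert #{i + 1}: chain is out of order")
    return problems

def _der(tag, payload):  # encode one DER TLV (short form, or 0x81 long form for payloads under 256 bytes)
    return bytes([tag]) + (bytes([len(payload)]) if len(payload) < 0x80 else bytes([0x81, len(payload)])) + payload
def fake_cert(subject, issuer, sig_oid=SHA256_RSA):  # CONSTRUCTED sample: well-formed but unsigned shell
    name = lambda cn: _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn))))  # CN=cn
    alg = _der(0x30, _der(0x06, sig_oid) + _der(0x05, b""))
    tbs = _der(0x30, _der(0x02, b"\x01") + alg + name(issuer) + _der(0x30, b"") + name(subject))
    der = _der(0x30, tbs + alg + _der(0x03, b"\x00"))
    return f"-----BEGIN CERTIFICATE-----\n{base64.b64encode(der).decode()}\n-----END CERTIFICATE-----\n"
# Constructed bundles: correct order (server, intermediate, root) vs. missing intermediate plus a SHA-1 root.
GOOD_BUNDLE = fake_cert(b"node1.example.com", b"Example Intermediate CA") + fake_cert(b"Example Intermediate CA", b"Example Root CA") + fake_cert(b"Example Root CA", b"Example Root CA")
BAD_BUNDLE = fake_cert(b"node1.example.com", b"Example Intermediate CA") + fake_cert(b"Example Root CA", b"Example Root CA", SHA1_RSA)
```

Run `check_bundle(open("your-http-certificate.pem").read())` against the real bundle before importing it; an empty list means order and signature algorithms are acceptable.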