Since my last article on how to update Cloud Director SSL certificates, there has been a major change. No more binary java truststore – jaaay.
Cloud Director has changed over too, what I think, is a better and more normal way of storing the private and public keys, which is in PEM format. From release notes, the change actually happened in 10.2, but the certificate path changed again in 10.3. If you are in doubt of where the certificate path is then look inside global.properties
VMware’s own documentation state that we can now just swap the .pem files, use the cell-management tool to import and restart the cell.
What we will do and what is needed
- Get a new public signed certificate
- Either in PEM format as .key and .pem(certificate including intermediate)
- Or in PFX so it can be exported
- Backup existing certificates
- Replace existing certificates with your new certificate
- Run VCD tool to import and define the private key encryption password
- Restart cell(s)
If you have a pfx you can use this article to extract the key and cert. If you already have the two files, .key end .pem then you can proceed.
We will follow VMware documentation and create a backup of the existing files.
cp /opt/vmware/vcloud-director/etc/user.http.pem /opt/vmware/vcloud-director/etc/user.http.pem.original
cp /opt/vmware/vcloud-director/etc/user.http.key /opt/vmware/vcloud-director/etc/user.http.key.original
cp /opt/vmware/vcloud-director/etc/user.consoleproxy.pem /opt/vmware/vcloud-director/etc/user.consoleproxy.pem.original
cp /opt/vmware/vcloud-director/etc/user.consoleproxy.key /opt/vmware/vcloud-director/etc/user.consoleproxy.key.original
Now we can wither SCP in our key and certificate or edit and replace the content of the files on the server by copying and pasting in content from the files you have. Whatever you find to be the easiest.
Forgot your root password for the Cloud Director appliance, off cause not. But anyway, here is a link to reset it....
After the “user.http.pem/key” and “user.consoleproxy.pem/key” files have been updated with the new certificate data we can tell Cloud Dictor to update its config with the commands below. This is done to update the encryption password for the private key.
If you don’t care about security you can also update without –key-password, then off cause your private key will need to be in an unencrypted format in the .key files.
/opt/vmware/vcloud-director/bin/cell-management-tool certificates -j --cert /opt/vmware/vcloud-director/etc/user.consoleproxy.pem --key /opt/vmware/vcloud-director/etc/user.consoleproxy.key --key-password PASSWD
/opt/vmware/vcloud-director/bin/cell-management-tool certificates -p --cert /opt/vmware/vcloud-director/etc/user.http.pem --key /opt/vmware/vcloud-director/etc/user.http.key --key-password PASSWD
If everything works out it will tell you the certificates have been updated and you need to restart VCD for it to take effect.
SSL configuration has been updated. You will need to restart the cell for changes to take effect.
Now safely shut down your cell(s) with the command below. this will ensure that VCD is the first shutdown when all tasks are done.
/opt/vmware/vcloud-director/bin/cell-management-tool cell -i $(service vmware-vcd pid cell) -s
Start again with the command below
systemctl start vmware-vcd
VMware has made it much easier to change a certificate in Cloud Director. The new way of storing certificates is a warm welcome change.
I did see a few different placements for the .key and .pem files depending on versions or if the cells have been created with raw Linux or an appliance, but you can always look in the conflig file placed in the same folder as the certificates.