Replacing Certificates in vCloud Director 9.5

As a vCloud Director admin, changing certificates has always been an interesting topic, and there are many different methods out there to do it. I thought I would share another way to replace a self-signed or expired SSL certificate with a newly purchased certificate using a program called Portecle. You can find a link to download the application here.

Before you start, it's always a good idea to take a snapshot of the vCloud cells and a backup of the database!

Step 1 – Stop the services on each cell by running service vmware-vcd stop. Then export the certificates.ks file from the vCloud Director cell. In a multi-cell environment it will be located on the transfer store. You can use WinSCP to copy the file from the cell, or complete the work directly from the Red Hat or CentOS desktop.

The path is /opt/vmware/vcloud-director/data/transfer/certificates.ks

Step 2 – Launch Portecle, then select File, then Open Keystore File, and select certificates.ks.

Step 3 – Enter the password for the Keystore file and click Ok

You will then see the http and console proxy certs in the keystore that you are looking to replace.

Step 4 – Delete the existing http entry and click Tools, then Import Key Pair.

Step 5 – Select your pfx certificate and enter the password.

Step 6 – It should then display the key pair for import, click Ok.

Step 7 – Enter an alias for the key pair, type in http and click Ok.

Step 8 – Enter a Password for the key pair and click Ok.

Step 9 – Delete the existing consoleproxy entry and click Tools, then Import Key Pair.

Step 10 – Select your pfx certificate and enter the password.

Step 11 – It should then display the key pair for import, click Ok.

Step 12 – Enter an alias for the key pair, type in consoleproxy and click Ok.

Step 13 – Enter a Password for the key pair and click Ok.

Step 14 – Save the certificates.ks file.

Step 15 – Copy certificates.ks back to the vCloud Director cell and place it in the same location it was copied from. Because ours is a multi-cell environment, it is located on the shared transfer store.

In our case: /opt/vmware/vcloud-director/data/transfer/certificates.ks

Step 16 – Run the following command from the vCloud Director bin directory to update the http cert:

./cell-management-tool certificates -j -k /opt/vmware/vcloud-director/data/transfer/certificates.ks -w password

Substitute your own keystore file name for certificates.ks and your keystore password for password.

Step 17 – Then run the following command from the vCloud Director bin directory to update the consoleproxy cert:

./cell-management-tool certificates -p -k /opt/vmware/vcloud-director/data/transfer/certificates.ks -w password

Again, substitute your own keystore file name for certificates.ks and your keystore password for password.

Step 18 – Complete these steps on both cells, then start the services using service vmware-vcd start.

Step 19 – Log back into the vCloud Director Portal (https://vclouddirectorurl/cloud) and go to Administration, then Public Addresses. Update the certificate chain for the API, Tenant Portal and Web Console. The easiest way is to convert your existing certificate to a PEM file, open it with WordPad and remove the private key. Then paste the remaining chain into the 3 locations listed above.
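The chain for step 19 can also be produced without ever opening the private key in an editor. The script below is an added example, not part of the original post: it assumes the openssl CLI is installed, and the function names and the sample PEM are constructed for illustration.

```shell
#!/bin/sh
# Print only the CERTIFICATE blocks from PEM text on stdin. Private key blocks
# and the "Bag Attributes" / subject lines that openssl emits are dropped.
extract_chain() {
  awk '
    /^-----BEGIN CERTIFICATE-----/ { keep = 1 }
    keep { print }
    /^-----END CERTIFICATE-----/   { keep = 0 }
  '
}

# Exit 0 if PEM text on stdin holds any private key block
# (PKCS#8, ENCRYPTED, RSA or EC headers all match).
has_private_key() {
  grep -Eq -- '-----BEGIN ([A-Z]+ )*PRIVATE KEY-----'
}

# Usage: pfx_to_chain cert.pfx chain.pem
# Assumes the openssl CLI is installed. -nokeys leaves the key out of the
# output, and openssl prompts for the PFX password rather than taking it
# as a command-line argument.
pfx_to_chain() {
  openssl pkcs12 -in "$1" -nokeys | extract_chain > "$2"
  if [ ! -s "$2" ] || has_private_key < "$2"; then
    echo "refusing to use $2: empty or still contains a private key" >&2
    rm -f "$2"
    return 1
  fi
}

# Constructed sample shaped like a full PFX-to-PEM dump (fake base64 bodies).
SAMPLE_PEM='Bag Attributes
    friendlyName: http
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQgS0VZ
-----END PRIVATE KEY-----
subject=CN = vcd.example.test
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgTEVBRg==
-----END CERTIFICATE-----
subject=CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgQ0E=
-----END CERTIFICATE-----'

# Demo on the constructed sample: only the two certificate blocks remain.
CHAIN="$(printf '%s\n' "$SAMPLE_PEM" | extract_chain)"
printf '%s\n' "$CHAIN"
```

Running pfx_to_chain against your own pfx file writes a chain-only PEM whose contents can be pasted into the three Public Addresses fields.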

I hope this helps some of you out there when it comes time to swap out your vCloud certs!
