Firstly you need to create 2 certificates for each member of the group (cell) and import the certificates into host keystores. Each vCD has 2 IP address which allows support for 2 different SSL endpoints(http and consoleproxy). Each endpoint requires its own SSL certificate.
Requirements for cert include an X.500 distinguished name, while Subject Alternative Name is not necessary.
Replace certificate using vCD configuration script: (this does not work in 8.10 anymore)
this process will also validate the db connection and prompt for SSL certificate and skips all other.
Before doing any work, take a snapshot of your VCD Cells and backup your database.
- SSH to vCD cell
- Stop the vCD services
- service vmware-vcd stop
- Run the configuration
- Specify full path to java keystore that holds the new certificates
- Provide keystore and certificate password
This will replace the certificates and restart the vCD services.
Certificates command of the cell management tool automates process replace certificates in JCEKS keystore.
- # cd /opt/vmware/vcloud-director/bin
- # ./cell-management-tool certificates -j -k /tmp/<certificate-file-name>.ks -w keystorepassword
- Restart the cell for changes to take affect.
- # service vmware-vcd restart