
Renew SSL Certificate for vCloud Director 10.4

Hello There,

I would like to give credit for this article to my colleague Muhannad S. Aljaghthami, who worked on this task and gave us full insight into how to do it.

Now let's talk about replacing an expired (or about-to-expire) SSL certificate for a vCloud Director instance that is hosted on the internet.

Prerequisites:

  • DigiCert Certificate Utility for Windows.
  • PuTTY/MobaXterm for SSH access to the vCD cells.
  • WinSCP to transfer files to the vCD cells.
  • SSH access validated on all vCD cells.
  • A backup tool to take a backup of the vCD cells before you start.

Versions & products used while writing this article:

  • vCloud Director 10.4
  • NSX AVI 22.1.1

Step by step procedure:

  • Initiated a CSR using the DigiCert utility for Windows and shared the CSR with the team that manages the SSL certificates.
  • After submitting the CSR, we received the root and SSL certificates for our vCloud Director URL.
  • Using the DigiCert utility, we exported the pfx file and the key file (sample screenshot below).
 

Note: We exported the pfx and key files on the same machine where we generated the CSR (the private key only exists there). There may be other ways to do this, but it was a matter of choice.

  • Once we had the pfx and key files for the vCD certificate, we were ready to start the real game of replacing the certificates.
  • Logged into the vCD cell and created a folder using WinSCP.
  • Uploaded the pfx file to the newly created folder on the vCD cell.
  • Extract the private key from the pfx (PKCS12) file using the command below:
      openssl pkcs12 -in name.pfx -nocerts -out user.http.key
      Note: Use the name of the pfx file you have.
  • Now extract the server certificate, which we will use to build the certificate chain:
      openssl pkcs12 -in name.pfx -clcerts -nokeys -out user.http.pem
      Note: Use the name of the pfx file you have.
  • Now concatenate the user.http.pem file from /opt/vmware/vcloud-director/etc and certificate.crt (concatenating is preferred and recommended).
  • Navigate to /opt/vmware/vcloud-director/etc using WinSCP and take a backup of user.http.pem and user.http.key to your local machine.
  • Now delete the existing user.http.pem and user.http.key files from /opt/vmware/vcloud-director/etc and upload the new user.http.key and the concatenated user.http.pem to the same location.
  • Update the owner of the key and pem files to vcloud by opening the properties of the files in WinSCP.
  • Once done, run the command below (it imports the new HTTP certificate and key into the cell):
      /opt/vmware/vcloud-director/bin/cell-management-tool certificates -j --cert /opt/vmware/vcloud-director/etc/user.http.pem --key /opt/vmware/vcloud-director/etc/user.http.key --key-password password-here
  • Copy the same files (pem and key) from cell01 to the other two cells and run the above command on each of them.
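Before the old user.http.pem and user.http.key are deleted, it is worth confirming that the files you are about to install actually belong together and that the chain is in the right order. The script below is an added example (not from the original post or from VMware): it wraps the two openssl extraction commands above, builds the concatenated pem, and then checks that the key matches the first certificate in the chain, that the chain validates against the CA certificate, and that the certificate is not about to expire. It assumes openssl is installed on the machine where you run it; all file names and the password are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes openssl is on PATH.
# Arguments such as name.pfx, certificate.crt and the password are placeholders.
set -eu

# extract_key PFX PASS OUT: write the (password-protected) private key,
# the same openssl invocation the post uses for user.http.key.
extract_key() {
  openssl pkcs12 -in "$1" -nocerts -passin "pass:$2" -passout "pass:$2" -out "$3"
}

# extract_leaf PFX PASS OUT: write only the server (leaf) certificate,
# the same invocation the post uses for user.http.pem.
extract_leaf() {
  openssl pkcs12 -in "$1" -clcerts -nokeys -passin "pass:$2" -out "$3"
}

# build_chain LEAF CA OUT: leaf certificate first, then the CA certificate(s).
build_chain() {
  cat "$1" "$2" > "$3"
}

# key_matches_cert KEY PASS CHAIN: succeed only if the public key derived from
# KEY equals the public key of the FIRST certificate in CHAIN. This also fails
# when the chain was concatenated in the wrong order (CA before leaf).
key_matches_cert() {
  k=$(openssl pkey -in "$1" -passin "pass:$2" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$3" -noout -pubkey 2>/dev/null | openssl sha256)
  [ "$k" = "$c" ]
}

# chain_verifies CA CHAIN: succeed if the first certificate in CHAIN validates
# against CA (the intermediate/root certificate you received).
chain_verifies() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_valid_for CHAIN SECONDS: succeed if the first certificate in CHAIN is
# still valid SECONDS from now (e.g. 86400 for one more day).
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Typical use with the file names from the post (placeholders):
#   extract_key  name.pfx 'password-here' user.http.key
#   extract_leaf name.pfx 'password-here' leaf.pem
#   build_chain  leaf.pem certificate.crt user.http.pem
#   key_matches_cert user.http.key 'password-here' user.http.pem && \
#   chain_verifies certificate.crt user.http.pem && \
#   cert_valid_for user.http.pem 2592000 && echo "ready to install"
```

If key_matches_cert fails, either the wrong pfx was used or the pem was concatenated CA-first; if chain_verifies fails, certificate.crt does not contain the issuing CA of the new certificate. Either way, stop before touching /opt/vmware/vcloud-director/etc.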
vCloud UI :

Now that we have concluded the certificate replacement on the vCD cells, our next phase is updating the certificate on the vCloud Director Provider.

Here, we need to replace the certificate file with the user.http.pem we used on the cells.

If you are not using NSX AVI, you can ask your WAF team to replace the certificate if they hold a wildcard certificate, or you can share the vCD certificate with them.

If you have NSX AVI in place:

Log in to NSX AVI.

Click Create and then choose Application.

Once created, provide a name, select the type as Import, and then click Validate to validate the certificate.




Once done with the above steps, run the commands below in sequence on all the cells, but one cell at a time. The first command quiesces the running cell and shuts it down gracefully; the second starts it again.

    /opt/vmware/vcloud-director/bin/cell-management-tool cell -i $(service vmware-vcd pid cell) -s

    systemctl start vmware-vcd

To check the status of vCD, you can run the command below.

    systemctl status vmware-vcd

 

***** That's it, we have finished replacing the certificate on the VMware infrastructure layer. *****
 
 
 
