If you're running vCloud Director with self-signed certificates, the validity of the certificates is 90 days by default. After 90 days you have to refresh your certificates, and it is probably also a good idea to extend their validity while you're at it.
You can refresh your certificates by recreating the certificates in your existing keystore, or by creating a new keystore and linking that new keystore to your vCloud Director installation.
I prefer the first option, which is explained in this article. For all certificate-related actions, use the keytool application that was installed with vCloud Director. It can be found in /opt/vmware/vcloud-director/jre/bin. Let's start by listing the certificates currently in the keystore. Note: I'm running the command from the /opt/vmware/vcloud-director/jre/bin directory:
./keytool -keystore certificates.ks -storetype JCEKS -storepass p@ssword -list
Note: It's better to leave "-storepass p@ssword" out of this command, because the password will otherwise show up in your command-line history; keytool will simply prompt for the keystore password instead. Another option is to run "history -c" afterwards to clear your command-line history.
Refreshing your self-signed certificates means removing the old ones and generating new ones. First remove the old certificates:
./keytool -keystore certificates.ks -storetype JCEKS -delete -alias http
./keytool -keystore certificates.ks -storetype JCEKS -delete -alias consoleproxy
And now generate new ones:
./keytool -keystore certificates.ks -storetype JCEKS -genkey -keyalg RSA -alias http -validity 365
./keytool -keystore certificates.ks -storetype JCEKS -genkey -keyalg RSA -alias consoleproxy -validity 365
Now we have new certificates in the keystore. The validity of these new certificates is 365 days because of the -validity switch :). The next step is to inform vCloud Director about the new certificates. The way to do this is:
- Stop the vCloud Director cell (How? Check this article)
- Reconfigure your vCloud Director installation
- Start the vCloud Director cell, using the new certificate
After stopping the vCloud Director cell, the next step is to reconfigure the cell so vCloud Director will pick up the new certificates. It's important that the keystore (containing the new certificates) is in the same location as during the original installation; if it isn't, the configure script will ask for the new location of your keystore. We're using the responses.properties file for the reconfiguration, which preserves the original configuration (the only change is the new certificates). The magic here is:
/opt/vmware/vcloud-director/bin/configure -r ../etc/responses.properties
The next step is to start vCD again with "service vmware-vcd start" or "/etc/init.d/vmware-vcd start".
You can monitor the startup process (which will take a while) with:
tail -f /opt/vmware/vcloud-director/logs/cell.log
That’s it! Everything should be working. Check your browser to confirm that you’re using new certificates!
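As an added example (not part of the original article): a small Python check that parses the keytool -list -v listing for the http and consoleproxy aliases and reports how many days each certificate has left, so the refresh above can be scheduled before the 90-day default runs out. It assumes certificates.ks sits next to keytool, and that keytool reads the keystore password from stdin when prompted (which keeps it out of the shell history, as noted above); the listing used for the offline check is constructed, not captured from a real cell.

```python
import getpass
import re
import subprocess
from datetime import datetime, timezone

KEYTOOL = "/opt/vmware/vcloud-director/jre/bin/keytool"          # path given in the article
KEYSTORE = "/opt/vmware/vcloud-director/jre/bin/certificates.ks"  # assumption: keystore sits next to keytool
ALIASES = ("http", "consoleproxy")                                # the two aliases the article recreates

# keytool -list -v prints one "Alias name:" block per entry, each containing a line like
# "Valid from: Mon Jan 08 10:00:00 CET 2024 until: Sun Apr 07 10:00:00 CEST 2024"
_ENTRY_RE = re.compile(r"Alias name: (?P<alias>\S+).*?until: (?P<until>[^\n]+)", re.S)
_DATE_FMT = "%a %b %d %H:%M:%S %Y"


def parse_expiry(listing: str) -> dict:
    """Map each alias in a keytool -list -v listing to its expiry (zone abbreviation dropped, taken as UTC)."""
    expiry = {}
    for m in _ENTRY_RE.finditer(listing):
        parts = m.group("until").split()
        stamp = " ".join(parts[:4] + parts[5:])  # strptime cannot parse arbitrary zone names such as CEST
        expiry[m.group("alias")] = datetime.strptime(stamp, _DATE_FMT).replace(tzinfo=timezone.utc)
    return expiry


def days_remaining(listing: str, now_iso: str) -> dict:
    """Days left per alias at the given ISO-8601 instant; negative once a certificate has expired."""
    now = datetime.fromisoformat(now_iso)
    return {alias: (until - now).days for alias, until in parse_expiry(listing).items()}


def check_keystore(warn_days: int = 14) -> dict:
    """List the live keystore; the password is prompted and passed on stdin, so it never reaches shell history."""
    password = getpass.getpass("Keystore password: ")
    proc = subprocess.run([KEYTOOL, "-keystore", KEYSTORE, "-storetype", "JCEKS", "-list", "-v"],
                          input=password + "\n", capture_output=True, text=True, check=True)
    remaining = days_remaining(proc.stdout, datetime.now(timezone.utc).isoformat())
    for alias in ALIASES:
        days = remaining.get(alias)
        if days is None:
            print(f"{alias}: not present in keystore")
        else:
            print(f"{alias}: {days} days left" + (", refresh it soon" if days < warn_days else ""))
    return remaining


# Constructed sample listing: http still has the 90-day default validity, consoleproxy already got -validity 365
SAMPLE_LISTING = """\
Alias name: http
Valid from: Mon Jan 08 10:00:00 CET 2024 until: Sun Apr 07 10:00:00 CEST 2024
Alias name: consoleproxy
Valid from: Mon Jan 08 10:00:00 CET 2024 until: Tue Jan 07 10:00:00 CET 2025
"""
```

Run check_keystore() on the cell itself; the offline functions can be exercised against SAMPLE_LISTING without a keystore.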
More information about generating certificates is available in VMware KB article 1026309.