vCloud Director 8.10 – Renew SSL Certificates A-Z

Today I had to renew SSL certificates for a vCD 8.10 cell which had expired.

I could not find a comprehensive guide explaining the exact steps so this post covers everything required to replace expiring / expired certificates with new ones.


  • Replace anything in BOLD CAPS with your custom configuration
  • Some directories listed in the commands are default, you may have to change them for your environment
  • Test the commands before using them in production
  • Copy and paste the commands into notepad before pasting into vCD to remove any formatting


  • Take a snapshot of your vCD solution to ensure that you have a good rollback option
  • Copy your existing keystore to a new file
    • cp /opt/vmware/vcloud-director/jre/bin/certificates.ks /opt/vmware/vcloud-director/jre/bin/certificates-new.ks
  • List the certificates in the keystore
    • /opt/vmware/vcloud-director/jre/bin/keytool -storetype JCEKS -storepass PASSWORD -keystore /opt/vmware/vcloud-director/jre/bin/certificates-new.ks -list
  • Delete the expired http and consoleproxy certificates from the new keystore. Note that the root and intermediate certificates may not have expired so you can leave these in place
    • /opt/vmware/vcloud-director/jre/bin/keytool -delete -alias http -keystore /opt/vmware/vcloud-director/jre/bin/certificates-new.ks -storetype JCEKS -storepass PASSWORD
    • /opt/vmware/vcloud-director/jre/bin/keytool -delete -alias consoleproxy -keystore /opt/vmware/vcloud-director/jre/bin/certificates-new.ks -storetype JCEKS -storepass PASSWORD
  • Generate new unsigned certificates for both http and consoleproxy
    • /opt/vmware/vcloud-director/jre/bin/keytool -keystore /opt/vmware/vcloud-director/jre/bin/certificates-new.ks -alias http -storepass PASSWORD -keypass PASSWORD -storetype JCEKS -genkeypair -keyalg RSA -keysize 2048 -validity 365  -dname “CN=XYZ, OU=XYZ, O=XYZ, L=XYZ, S=XYZ, C=XYZ” -ext “san=ip:XYZ
    • /opt/vmware/vcloud-director/jre/bin/keytool -keystore /opt/vmware/vcloud-director/jre/bin/certificates-new.ks -alias consoleproxy-storepass PASSWORD -keypass PASSWORD -storetype JCEKS -genkeypair -keyalg RSA -keysize 2048 -validity 365  -dname “CN=XYZ, OU=XYZ, O=XYZ, L=XYZ, S=XYZ, C=XYZ” -ext “san=ip:XYZ
  • Now generate the CSRs (Certificate Signing Requests)
    • /opt/vmware/vcloud-director/jre/bin/keytool -keystore /opt/vmware/vcloud-director/jre/bin/certificates-new.ks -storetype JCEKS -storepass PASSWORD -certreq -alias http -file http.csr
    • /opt/vmware/vcloud-director/jre/bin/keytool -keystore /opt/vmware/vcloud-director/jre/bin/certificates-new.ks -storetype JCEKS -storepass PASSWORD -certreq -alias consoleproxy -file consoleproxy.csr
  • Download the CSRs from vCD to your machine with winscp or similar and upload the certificates to your certificate authority and have them signed. Use Tomcat if you have an option to sign for a certain webserver type
  • Download the signed certificated in .cer format and upload to the vCD cell with winscp or similar
  • Load the new certificates into the keystore
    • /opt/vmware/vcloud-director/jre/bin/keytool -storetype JCEKS -storepass PASSWORD -keystore /opt/vmware/vcloud-director/jre/bin/certificates-new.ks -import -alias http -file http.cer
    • /opt/vmware/vcloud-director/jre/bin/keytool -storetype JCEKS -storepass PASSWORD -keystore /opt/vmware/vcloud-director/jre/bin/certificates-new.ks -import -alias consoleproxy -file consoleproxy.cer
  • List the certificates in the keystore to ensure they are all loaded correctly. Ensure that the root and intermediate certificates are there too if required
  • /opt/vmware/vcloud-director/jre/bin/keytool -storetype JCEKS -storepass PASSWORD -keystore /opt/vmware/vcloud-director/jre/bin/certificates-new.ks -list

Now for the disruptive part

  • Stop the vcd instance
    • service vmware-vcd stop
  • Take a backup of the existing keystore
    • cp /opt/vmware/vcloud-director/jre/bin/certificates.ks /opt/vmware/vcloud-director/jre/bin/certificates-backup-DATE.ks
  • Overwrite the existing keystore with the one we loaded the new certificates into earlier
    • cp /opt/vmware/vcloud-director/jre/bin/certificates-new.ks /opt/vmware/vcloud-director/jre/bin/certificates.ks
  • Remove the temporary keystore we created earlier
    • rm /opt/vmware/vcloud-director/jre/bin/certificates-new.ks
  • Run the configure command. There should be no configuration required
    • /opt/vmware/vcloud-director/bin/configure
  • If the vCD serices do not start, start them now
    • service vmware-vcd start
  • Wait a couple of minutes and launch the vCD URL in your web browser.
  • The certificate listed should be the new one
  • Once you have confirmed normal working order, remove the snapshot created earlier


Should you need to rollback to the old certificates:

  • Stop the vCD services
  • Copy the keystore back to the original location
  • Run the configure utility
  • Start the vCD services


Leave a Response

This site uses Akismet to reduce spam. Learn how your comment data is processed.