Renew SSL Certificates in vCloud Director

Firstly you wil need to renew your certificates via your chosen CA. I will not delve into the instructions in the post but essentially you will need to create a .csr (my.csr) using a private key (myprivate.key) and password. 

You should receive the root & intermediate files along with the certificate (my.crt). Copy these to the /home directory

1) Copy keystore for editing

# cp /etc/certificates.ks /home/certificate.ks

2) Create wildcard certificates

# openssl pkcs12 -export -in my.crt -inkey myprivate.key -name http -passout pass:{certificate password} -out http.pfx
# openssl pkcs12 -export -in my.crt -inkey myprivate.key -name consoleproxy -passout pass:{certificate password} -out consoleproxy.pfx

3) Import CA Chain

# /opt/vmware/vcloud-director/jre/bin/keytool -storetype JCEKS -keystore /home/certificate.ks -importcert -alias root -file root.cer
# /opt/vmware/vcloud-director/jre/bin/keytool -storetype JCEKS -keystore /home/certificate.ks -importcert -alias intermediate -file intermediate.cer


4) Import end user certificates into keystore

# /opt/vmware/vcloud-director/jre/bin/keytool -importkeystore -srckeystore http.pfx -srcstoretype PKCS12 -destkeystore /home/certificate.ks -deststoretype JCEKS -deststorepass {keystore password} -srcalias http -destalias http 
# /opt/vmware/vcloud-director/jre/bin/keytool -importkeystore -srckeystore consoleproxy.pfx -srcstoretype PKCS12 -destkeystore /home/certificate.ks -deststoretype JCEKS -deststorepass {keystore password} -srcalias consoleproxy -destalias consoleproxy

Note: you should get an option to overwrite current certificates


5) Check certificates in keystore

# /opt/vmware/vcloud-director/jre/bin/keytool -storetype JCEKS -list -v -keystore /home/certificate.ks

6) Copy keystore back to original location

# cp /home/certificate.ks /etc/certificates.ks

7) Shutdown cell

# /opt/vmware/vcloud-director/bin/cell-management-tool cell -u administrator --shutdown

8) Re-configure VCD cell & start VCD process

# /opt/vmware/vcloud-director/bin/configure



Welcome to the vCloud Director configuration utility.

You will be prompted to enter a number of parameters that are necessary to
configure and start the vCloud Director service.
The HTTP service and remote console proxy IP addresses have already been set, skipping.
Connecting to the database: jdbc:oracle:thin:@
DB credentials read successfully.
Database configuration complete.
vCloud Director configuration is now complete.
Once the vCloud Director server has been started you will be able to
access the first-time setup wizard at this URL:


Would you like to start the vCloud Director service now? If you choose not
to start it now, you can manually start it at any time using this command:
service vmware-vcd start


Start it now? [y/n] y


Starting vmware-vcd-watchdog:                              [  OK  ]
Starting vmware-vcd-cell                                   [  OK  ]
The vCD service will be started automatically on boot.  To disable this,
use the following command: chkconfig –del vmware-vcd

10) Copy /home/certificate.ks to other cell and follow same process from 6) downwards