Extending The Life of Your VMware vCloud Director Appliance and Changing Certificates

vCloudDirectorVMware is distributing a limited usage vCloud Director virtual appliance to facilitate and support evaluation of the product.  I wanted to stand it up in my lab as a test-bed and to get to know the product better, but after checking into it, it’s not just the eval licenses that will expire.  The http certificates will also expire within 60 days of the certificates being generated since it uses the Java ‘keytool’ utility and it’s configured to.  As a VMware partner and I have access to licenses to extend the life of the appliance but due to my environment, I cannot work with expired certificates.

First things first, make sure you have your updated license keys.  At a minimum, you need the license keys for vCloud Director and vShield Manager for vCloud Director.  The licenses given with the evaluation download are 60 day licenses.  Please also read the Evaluation Guide (attached here for v. 1.5: VMware vCloud™ Director Evaluator’s Guide).  The Eval Guide contains everything you need to know including all of the default passwords.

1. Update vShield Manager license: Using the vCenter Licensing interface, you can update / change out your vShield Manager license.

vCenter License Screen

You can do this by selecting “Manage vSphere Licenses”.

2. Update vCloud Director license.  Within vCloud Director’s web interface, go to Administration > License, and update your license there.

vCD Licensing Screen

3. Update SSL Certificates.  You can also use this to change the CN or Common Name of the certificates that vCloud Director is using vs. using the localhost.localdom hostname.  This will help get rid of warnings that browsers continually prompt you with.

Log into the vCloud Director VM using the VMs console or SSH in.  This will allow you to use the JDK that is installed as part of the vCD install.  Navigate to “/opt/vmware/vcloud-director/jre/bin” and use the following commands to generate new certificates:

./keytool –keystore /certificatesNew.ks –storetype JCEKS –storepass [insert password here] –genkey –keyalg RSA –alias http –validity 1800


./keytool –keystore /certificatesNew.ks –storetype JCEKS –storepass [insert password here] –genkey –keyalg RSA –alias consoleproxy –validity 1800

In each case, after entering the command, you’ll be presented with a screen that asks you for information.  When asked for ‘first and last name’, that will be the CN for the certificate that you want to issue, i.e. vcd.yourdomain.local or vcdproxy.yourdomain.local.

The validity tag sets the certificates to expire in 5 years (1800 days).  Of course by then, we’ll be on a new version, but why deal with certificate expiration if you don’t have to.

If you’re in the directory, attempting to use keytool and keep receiving ‘command not found’, make sure that you use ‘./’ in front of the command.

You can also use a browser like Firefox to download and install a copy of the certificates into the Trusted CA store on your local machine or a firewall such as Microsoft Forefront Threat Management Gateway (TMG) so that you do not receive warnings and can forward https requests.

Next you’ll have to stop the vCloud Director service and configure vCD to use the new certificates.  Use the following commands to stop the service and enter the vCloud Director configuration screen respectively:

service vmware-vcd stop

When in the configuration screen, point to the new keystore (‘/certificatesNew.ks’)and type in your password.  The service should check the keystore, reconnect to the database, and restart the vmware-vcd service for you.

Hope this helps someone out.  What an amazing product.  Thanks VMware!

[ad#Google Adsense-1]


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s