With VMware Cloud Director 10.3, the SSL certificates of the HTTP and the console proxy endpoints are not stored in a PKCS12/JCEKS formatted keystore anymore, but in PEM format only.
So the simplified process is as follows (after creating a backup of the old certificate and key files):
/opt/vmware/vcloud-director/bin/cell-management-tool certificates -j --cert /opt/vmware/vcloud-director/data/transfer/user.http.pem --key /opt/vmware/vcloud-director/data/transfer/user.http.key
/opt/vmware/vcloud-director/bin/cell-management-tool certificates -p --cert /opt/vmware/vcloud-director/data/transfer/user.consoleproxy.pem --key /opt/vmware/vcloud-director/data/transfer/user.consoleproxy.key
Afterwards the cell must be restarted, e.g. using service vmware-vcd restart. The procedure must be performed on all available cells in a cell group.
To customize the VMware Cloud Director URLs we must also edit the Web Portal endpoints in the Service Provider Admin Portal under Administration > Settings > Public Addresses.
There we enter our VMware Cloud Director public URL for HTTPS (secure) connections and click Replace Certificate File to upload the certificates that establish the trust chain for that endpoint. The certificate chain must match the certificate used by the service endpoint, which is the certificate we’ve uploaded to each VMware Cloud Director cell before.
Pro tip: The key must be provided in a separate file, not included in the certificate PEM file. The certificate file must have the following schema:
-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate: DomainName.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate: CA.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Root certificate: TrustedRoot.crt)
-----END CERTIFICATE-----