Cloud VMware

Installing Wildcard Signed SSL certificates in vCloud Director 9.1

This article provides procedures to import a wildcard certificate to VMware vCloud Director.

Each vCloud Director server requires two SSL certificates, one for the HTTP service and one for the console proxy service, in a Java keystore file. You can use certificates signed by a trusted certification authority, or self-signed certificates. Signed certificates provide the highest level of trust.

Certificates for both endpoints must include an X.500 distinguished name. Many certificate authorities recommend including an X.509 Subject Alternative Name extension in certificates they grant. vCloud Director does not require certificates to include a Subject Alternative Name.

Note:
Remember to take snapshot of vCD cell and backup DB case you need to roll back changes
Procedure
  • Upload wildcard certificate bundle to vCD Cell
    To import wildcard signed SSL certificates into vCloud Director, you must convert the certificate to a PKCS12 file (if not already in this format) and then update the vCloud Director cell.
#openssl pkcs12 -export -out Filenametocreate.pfx -inkey uploaded_cert.key -in uploaded_wildcard_cert.crt -certfile uploaded_wildcard_rootcert.cabundle
Note:Enter disired password when requested
  • Change to vcloud directory where keytool is deployed to use provided keytool version
#cd /opt/vmware/vcloud-director/jre/bin
  • Import the first combined key and cert file to the keystore file.
#keytool -trustcacerts -storetype JCEKS -importkeystore -srckeystore Bundlecertificate.pfx -destkeystore certificates.ks -srcstoretype pkcs12
Note:Enter password when requested
  • Obtain the alias name by listing the contents within the keystore.
#keytool -keystore certificates.ks -storetype JCEKS –list
Note:By default alias will be 1
  • Change alias to http
#keytool -storetype JCEKS -changealias -alias 1 -destalias http -keystore certificates.ks
  • Import the first combined key and cert file to the keystore file.
#keytool -trustcacerts -storetype JCEKS -importkeystore -srckeystore Bundlecertificate.pfx -destkeystore certificates.ks -srcstoretype pkcs12
Note:Enter password when requested
  • Obtain the alias name by listing the contents within the keystore.
#keytool -keystore certificates.ks -storetype JCEKS –list
Note:By default alias will be 1
  • Change alias to consoleproxy.
#keytool -storetype JCEKS -changealias -alias 1 -destalias consoleproxy -keystore certificates.ks
  • Replace certificate in vCloud Director cell for each endpoint. After each command line is run the cell management tool should return message below

    “Certificate replaced by user specified keystore at /opt/vmware/vcloud-director/etc/certificates.ks. You will need to restart the cell for changes to take effect.”

Certificates tool usage

usage: cell-management-tool certificates [options]

-c,--config <arg>                  path to global.properties resource file

-h,--help                          print this message

-j,--httpks                        replace the keystore file named

'certificates' for use by the http server

-k,--keystore <arg>                SSL certificate keystore

-kspassword,--keystorepwd <arg>    SSL certificate keystore password (This

option is deprecated in favor of

--keystore-password.)

-p,--consoleproxyks                replace the keystore file named 'proxycertificates' for use by the console proxy

-r,--responses <arg>               path responses file

-s <arg>                           SSL certificate keystore (This option is deprecated in favor of --keystore.)

-w,--keystore-password <arg>       SSL certificate keystore password
  • For http endpoint
#./cell-management-tool certificates -j -k certificates.ks -w 'kspassword'
  • For consoleproxy endpoint
#./cell-management-tool certificates -p -k certificates.ks -w 'kspassword'
  • Stop vCloud Director services
#./cell-management-tool cell -u username -s
  • Start vCloud Director cell
#service vmware-vcd start
  • Monitor cell inicialization
#tail -f /opt/vmware/vcloud-director/logs/cell.log
Key messages to look:
Successfully configured HTTP SSL Connector from certificate store: /opt/vmware/vcloud-director/etc/certificates
Successfully configured Console Proxy SSL Connector from certificate store: /opt/vmware/vcloud-director/etc/proxycertificate

Successfully initialized system cryptography
Cell startup completed in 1m 45s
  • Browse your vCloud Director URL and check certificates are trusted