VMware vCloud Director – Change SSL certificates
Overview
The following procedure is a self-reminder of how to replace the certificates of a VMware vCloud Director deployment.
Prepare information
Here is a configuration sample for a single-cell deployment; change the settings according to your needs.
If you are using a multi-cell deployment, I strongly recommend extending the
-ext "san=dns:..."
parameter of the certificate creation to include, at least, each cell's DNS name and IP address and the VIP FQDN.
DOMAIN="lri.lcl"

# API and HTTP host info
HTTP_HOSTNAME='vuptime-vcd'
HTTP_IP='10.10.110.3'
HTTP_FQDN="$HTTP_HOSTNAME.$DOMAIN"

# Console proxy host info
CONSOLE_PROXY_HOSTNAME='vuptime-vcd-vmrc'
CONSOLE_PROXY_IP='10.10.110.4'
CONSOLE_PROXY_FQDN="$CONSOLE_PROXY_HOSTNAME.$DOMAIN"

# Other certificate information
VALIDITY=365
CERT_DNAME_INFO="OU=vUptime-IO, O=Example Corp, L=Rennes, S=Britain, C=FR"
CA_CERT_PATH="/tmp/ca-root.cert"

# Keytool information
KEYTOOL_BIN="$VCLOUD_JAVA_HOME/bin/keytool"
KS_PATH="$VCLOUD_HOME/data/transfer/certificates.ks"
KS_PASSWORD='VMware1!'
Create key pairs with self-signed certificates
# HTTP service key pair
$KEYTOOL_BIN \
 -keystore $KS_PATH \
 -alias http \
 -storepass $KS_PASSWORD \
 -keypass $KS_PASSWORD \
 -storetype JCEKS \
 -genkeypair \
 -keyalg RSA \
 -keysize 2048 \
 -validity $VALIDITY \
 -dname "CN=$HTTP_FQDN, $CERT_DNAME_INFO" \
 -ext "san=dns:$HTTP_FQDN,dns:$HTTP_HOSTNAME,ip:$HTTP_IP"

# Console proxy key pair
$KEYTOOL_BIN \
 -keystore $KS_PATH \
 -alias consoleproxy \
 -storepass $KS_PASSWORD \
 -keypass $KS_PASSWORD \
 -storetype JCEKS \
 -keyalg RSA \
 -genkeypair \
 -keysize 2048 \
 -validity $VALIDITY \
 -dname "CN=$CONSOLE_PROXY_FQDN, $CERT_DNAME_INFO" \
 -ext "san=dns:$CONSOLE_PROXY_FQDN,dns:$CONSOLE_PROXY_HOSTNAME,ip:$CONSOLE_PROXY_IP"
Create certificate requests for CA signing
# CSR for the HTTP service (the SAN extension is carried into the request)
$KEYTOOL_BIN \
 -keystore $KS_PATH \
 -storetype JCEKS \
 -storepass $KS_PASSWORD \
 -certreq \
 -alias http \
 -file $HTTP_FQDN.csr \
 -ext "san=dns:$HTTP_FQDN,dns:$HTTP_HOSTNAME,ip:$HTTP_IP"

# CSR for the console proxy
$KEYTOOL_BIN \
 -keystore $KS_PATH \
 -storetype JCEKS \
 -storepass $KS_PASSWORD \
 -certreq \
 -alias consoleproxy \
 -file $CONSOLE_PROXY_FQDN.csr \
 -ext "san=dns:$CONSOLE_PROXY_FQDN,dns:$CONSOLE_PROXY_HOSTNAME,ip:$CONSOLE_PROXY_IP"
Send the CSR files to your (internal or external) CA for signing, and copy the results to the cell:
ca-root.crt: the CA certificate (copy it to the path set in CA_CERT_PATH)
vuptime-vcd.lri.lcl.crt: the HTTP certificate ($HTTP_FQDN.crt)
vuptime-vcd-vmrc.lri.lcl.crt: the console proxy certificate ($CONSOLE_PROXY_FQDN.crt)
Import the signed certificates into the keystore
First, we import the CA certificate:
$KEYTOOL_BIN \
 -keystore $KS_PATH \
 -storetype JCEKS \
 -storepass $KS_PASSWORD \
 -import \
 -alias root \
 -file $CA_CERT_PATH
Then the two application certificates (importing the CA reply under the existing alias replaces the self-signed certificate of that key pair):
$KEYTOOL_BIN \
 -keystore $KS_PATH \
 -storetype JCEKS \
 -storepass $KS_PASSWORD \
 -import \
 -alias http \
 -file $HTTP_FQDN.crt

$KEYTOOL_BIN \
 -keystore $KS_PATH \
 -storetype JCEKS \
 -storepass $KS_PASSWORD \
 -import \
 -alias consoleproxy \
 -file $CONSOLE_PROXY_FQDN.crt
Check the keystore contents (the root, http and consoleproxy entries should be listed):
$KEYTOOL_BIN \
 -storetype JCEKS \
 -storepass $KS_PASSWORD \
 -keystore $KS_PATH \
 -list
Apply certificates to the services
chown vcloud: $KS_PATH # Set owner of the keystore to vcloud user
$VCLOUD_HOME/bin/cell-management-tool certificates -j -k $KS_PATH -w $KS_PASSWORD
service vmware-vcd restart
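A check worth running before the import step above, added here as an example and not part of the original procedure: some CAs drop or rewrite the extensions carried in a CSR, so the signed certificate you get back may no longer contain the SAN entries (cell names, IPs, VIP FQDN for multi-cell deployments) that you requested. The script compares the subjectAltName printed by openssl with the keytool-style list you expect; the SAN sample, the VIP name vcd-vip.lri.lcl and the use of openssl 1.1.1+ (for "x509 -ext") are assumptions.

```sh
#!/bin/sh
# Added example: verify that a CA-signed certificate still carries the SAN
# entries requested in the CSR. Assumes openssl >= 1.1.1 when reading a file.

# Print the subjectAltName text of a certificate file on one line.
cert_san_text() {
  openssl x509 -in "$1" -noout -ext subjectAltName | sed '1d' | tr -d '\n'
}

# san_missing SAN_TEXT ENTRY...: print the expected entries (keytool style,
# e.g. dns:host ip:10.0.0.1) that are absent from openssl's SAN text.
# Prints an empty line when nothing is missing.
san_missing() {
  san_text="$1"; shift
  # Normalise "DNS:x, IP Address:y" into lowercase keytool-style tokens, one per line.
  have=$(printf '%s\n' "$san_text" | tr ',' '\n' | tr 'A-Z' 'a-z' \
         | sed -e 's/^[[:space:]]*//' -e 's/^ip address:/ip:/')
  missing=""
  for want in "$@"; do
    w=$(printf '%s' "$want" | tr 'A-Z' 'a-z')
    printf '%s\n' "$have" | grep -qxF -- "$w" || missing="$missing $want"
  done
  printf '%s\n' "${missing# }"
}

# Constructed sample: what openssl would print for a CA reply that kept the
# host names but dropped the IP entry and the (multi-cell) VIP name.
SAMPLE_SAN='DNS:vuptime-vcd.lri.lcl, DNS:vuptime-vcd'

# Usage: ./check-san.sh [cert.crt]; without a file the constructed sample is used.
if [ -n "${1:-}" ]; then
  SAN_TEXT=$(cert_san_text "$1")
else
  SAN_TEXT=$SAMPLE_SAN
fi
missing=$(san_missing "$SAN_TEXT" \
  dns:vuptime-vcd.lri.lcl dns:vuptime-vcd ip:10.10.110.3 dns:vcd-vip.lri.lcl)
if [ -n "$missing" ]; then
  echo "SAN entries missing from certificate: $missing" >&2
else
  echo "all expected SAN entries present"
fi
```

If anything is reported missing, ask the CA to reissue the certificate rather than importing it, otherwise clients connecting through the missing name or the VIP will get a hostname mismatch.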