VMware vCloud Director – Change SSL certificates
Overview
The following procedure is a self-reminder of How-To replace the certificates of a VMware vCloud Director deployment.
Prepare informations
Here is a configuration sample for a single cell deployment. Change settings according to your needs:
If you are using multi-cells deployment, I stronlgy recommend you to extend informations in the
-ext "san=dns:..."parameter of the certificate creation to include each cell DNS and IP and the VIP FQDN at least.
1DOMAIN="lri.lcl"
2
3# API and HTTP host info
4HTTP_HOSTNAME='vuptime-vcd'
5HTTP_IP='10.10.110.3'
6HTTP_FQDN="$HTTP_HOSTNAME.$DOMAIN"
7
8# Console proxy host info
9CONSOLE_PROXY_HOSTNAME='vuptime-vcd-vmrc'
10CONSOLE_PROXY_IP='10.10.110.4'
11CONSOLE_PROXY_FQDN="$CONSOLE_PROXY_HOSTNAME.$DOMAIN"
12
13# Others certificates information
14VALIDITY=365
15CERT_DNAME_INFO="OU=vUptime-IO, O=Example Corp, L=Rennes, S=Britain, C=FR"
16CA_CERT_PATH="/tmp/ca-root.cert"
17
18# Keytool informations
19KEYTOOL_BIN="$VCLOUD_JAVA_HOME/bin/keytool"
20KS_PATH="$VCLOUD_HOME/data/transfer/certificates.ks"
21KS_PASSWORD='VMware1!'
Create unsigned certificates
1$KEYTOOL_BIN \
2 -keystore $KS_PATH \
3 -alias http \
4 -storepass $KS_PASSWORD \
5 -keypass $KS_PASSWORD \
6 -storetype JCEKS \
7 -genkeypair \
8 -keyalg RSA \
9 -keysize 2048 \
10 -validity $VALIDITY \
11 -dname "CN=$HTTP_FQDN, $CERT_DNAME_INFO" \
12 -ext "san=dns:$HTTP_FQDN,dns:$HTTP_HOSTNAME,ip:$HTTP_IP"
13
14$KEYTOOL_BIN \
15 -keystore $KS_PATH \
16 -alias consoleproxy \
17 -storepass $KS_PASSWORD \
18 -keypass $KS_PASSWORD \
19 -storetype JCEKS \
20 -keyalg RSA \
21 -genkeypair \
22 -keysize 2048 \
23 -validity $VALIDITY \
24 -dname "CN=$CONSOLE_PROXY_FQDN, $CERT_DNAME_INFO" \
25 -ext "san=dns:$CONSOLE_PROXY_FQDN,dns:$CONSOLE_PROXY_HOSTNAME,ip:$CONSOLE_PROXY_IP"
Create certificate requests for CA-signing
1$KEYTOOL_BIN \
2 -keystore $KS_PATH \
3 -storetype JCEKS \
4 -storepass $KS_PASSWORD \
5 -certreq \
6 -alias http \
7 -file $HTTP_FQDN.csr \
8 -ext "san=dns:$HTTP_FQDN,dns:$HTTP_HOSTNAME,ip:$HTTP_IP"
9
10$KEYTOOL_BIN \
11 -keystore $KS_PATH \
12 -storetype JCEKS \
13 -storepass $KS_PASSWORD \
14 -certreq \
15 -alias consoleproxy \
16 -file $CONSOLE_PROXY_FQDN.csr \
17 -ext "san=dns:$CONSOLE_PROXY_FQDN,dns:$CONSOLE_PROXY_HOSTNAME,ip:$CONSOLE_PROXY_IP"
Send CSR files to your (internal/external) CA for signing, and copy them to cell:
ca-root.crt: the CA certificatevuptime-vcd.lri.lcl.crt: HTTP certificatevuptime-vcd-vmrc.lri.lcl.crt: ConsoleProxy certificate
Import signed certificates in the keystore
First, we import the CA certificate:
1$KEYTOOL_BIN \
2 -keystore $KS_PATH \
3 -storetype JCEKS \
4 -storepass $KS_PASSWORD \
5 -import \
6 -alias root \
7 -file $CA_CERT_PATH
Then the 2 applications certificates:
1$KEYTOOL_BIN \
2 -keystore $KS_PATH \
3 -storetype JCEKS \
4 -storepass $KS_PASSWORD \
5 -import \
6 -alias http \
7 -file $HTTP_FQDN.crt
8
9$KEYTOOL_BIN \
10 -keystore $KS_PATH \
11 -storetype JCEKS \
12 -storepass $KS_PASSWORD \
13 -import \
14 -alias consoleproxy \
15 -file $CONSOLE_PROXY_FQDN.crt
1$KEYTOOL_BIN \
2 -storetype JCEKS \
3 -storepass $KS_PASSWORD \
4 -keystore $KS_PATH \
5 -list
Apply certificates to the services
1chown vcloud: $KS_PATH # Set owner of the keystore to vcloud user
2$VCLOUD_HOME/bin/cell-management-tool certificates -j -k $KS_PATH -w $KS_PASSWORD
3service vmware-vcd restart
comments powered by Disqus