Generating SSL certificates for VMware vCloud Director 1.x / 5.x

VMware vCloud requires one SSL certificate for each network interface on the host. Each server host in a VMware vCloud Director cluster must have two IP addresses (one for the HTTP service and one for the console proxy service) and must be capable of establishing an SSL connection at each.

Notes:

  • You can use signed certificates (signed by a trusted certification authority) or self-signed certificates.
  • To create the SSL certificates, use the keytool shipped with the VMware vCloud Director software. By default, for version 1.0.x it is located in the /opt/vmware/cloud-director/jre/bin/ directory, and for version 1.5.x and above in the /opt/vmware/vcloud-director/jre/bin/ directory. Run it from that directory with the command ./keytool.
  • Use Java version 1.6. To confirm the version of Java, run the command:
    # java -version
    If the output indicates you are using a version other than 1.6, run the Java binaries (including keytool) from the /opt/vmware/cloud-director/jre/bin/ or /opt/vmware/vcloud-director/jre/bin/ folder instead of the system Java.

Creating and importing signed SSL certificates

To create and import signed SSL certificates:

  1. Create the certificates and signing requests.
    • To create an untrusted certificate for the HTTP service host, run the command:
      ./keytool -keystore certificates.ks -storetype JCEKS -storepass passwd -genkey -keyalg RSA -keysize 2048 -alias http
    • To create a certificate signing request for the HTTP service, run the command:
      ./keytool -keystore certificates.ks -storetype JCEKS -storepass passwd -certreq -alias http -file http.csr -keysize 2048
      Note: This command creates a certificate signing request in the file http.csr.
    • To create an untrusted certificate for the console proxy service host, run the command:
      ./keytool -keystore certificates.ks -storetype JCEKS -storepass passwd -genkey -keyalg RSA -keysize 2048 -alias consoleproxy
    • To create a certificate signing request for the console proxy service, run the command:
      ./keytool -keystore certificates.ks -storetype JCEKS -storepass passwd -certreq -alias consoleproxy -file consoleproxy.csr -keysize 2048
      Note: This command creates a certificate signing request in the file consoleproxy.csr.
  2. Send the certificate signing requests to your Certification Authority. You receive the signed SSL certificates by email.
  3. When you receive the signed certificates, import them into the keystore.
    • To import the Certification Authority's root certificate into the keystore file, run the command:
      ./keytool -storetype JCEKS -storepass passwd -keystore certificates.ks -importcert -alias root -file root.cer
    • To import the Certification Authority's intermediate certificates into the keystore file, run the command:
      ./keytool -storetype JCEKS -storepass passwd -keystore certificates.ks -importcert -alias intermediate -file intermediate.cer
    • To import the host-specific certificate for the HTTP service, run the command (the alias must match the alias used at -genkey so that the signed certificate replaces the key pair's untrusted certificate):
      ./keytool -storetype JCEKS -storepass passwd -keystore certificates.ks -importcert -alias http -file http.cer
    • To import the host-specific certificate for the console proxy service, run the command:
      ./keytool -storetype JCEKS -storepass passwd -keystore certificates.ks -importcert -alias consoleproxy -file consoleproxy.cer
  4. To verify that all the certificates have been imported, list the contents of the keystore file with the command:
    ./keytool -storetype JCEKS -storepass passwd -keystore certificates.ks -list

Creating and importing self-signed SSL certificates

To create and import self-signed SSL certificates:

  1. Create an untrusted certificate for the HTTP service host with the command:
    ./keytool -keystore certificates.ks -storetype JCEKS -storepass passwd -genkey -keyalg RSA -keysize 2048 -alias http
  2. Enter the fully qualified domain name of the HTTP service host when prompted for your first name and last name.
  3. Create an untrusted certificate for the console proxy service host with the command:
    ./keytool -keystore certificates.ks -storetype JCEKS -storepass passwd -genkey -keyalg RSA -keysize 2048 -alias consoleproxy
  4. To verify that all the certificates have been created, list the contents of the keystore file with the command:
    ./keytool -storetype JCEKS -storepass passwd -keystore certificates.ks -list

Notes:

  • By default, certificates are valid only for 3 months. To increase the duration, add the switch -validity number_of_days to the -genkey command when creating your certificate.
  • After creating the certificates, you must run the /opt/vmware/vcloud-director/bin/configure script. This script prompts you for the SSL certificates. After you enter the required passwords, the vCloud Director service starts.
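Step 4 of each procedure lists the keystore but leaves reading the listing to the operator. The following Python script is an added example, not part of the VMware KB or the vCloud Director software: it parses the more detailed output of ./keytool -storetype JCEKS -storepass passwd -keystore certificates.ks -list -v and checks what the configure script will depend on: that the http and consoleproxy aliases exist as PrivateKeyEntry entries, that each subject CN matches the fully qualified domain name entered at -genkey time, that a CA reply was actually imported under the key pair's own alias (otherwise the entry still carries the self-signed certificate from -genkey), and that the certificate is not about to expire under the short default validity described in the note above. The embedded listing, the host names vcd.example.com and vcd-console.example.com, and the date used as "now" are constructed sample data.

```python
import re
from datetime import datetime

# Constructed sample of "keytool -list -v" output (not captured from a real host;
# names are placeholders, and chain certificates 2 and 3 of the http entry are
# omitted). The http key pair has had its CA reply imported (chain length 3); the
# consoleproxy entry is still the self-signed key pair produced by -genkey, with
# keytool's default 90-day validity.
SAMPLE_LISTING = """\
Keystore type: JCEKS
Keystore provider: SunJCE

Your keystore contains 3 entries

Alias name: http
Creation date: Jan 2, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=vcd.example.com, OU=Cloud, O=Example Corp, C=US
Issuer: CN=Example Issuing CA, O=Example Corp, C=US
Valid from: Wed Jan 02 10:00:00 UTC 2013 until: Thu Jan 02 10:00:00 UTC 2014
*******************************************
*******************************************

Alias name: consoleproxy
Creation date: Jan 2, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=vcd-console.example.com, OU=Cloud, O=Example Corp, C=US
Issuer: CN=vcd-console.example.com, OU=Cloud, O=Example Corp, C=US
Valid from: Wed Jan 02 10:05:00 UTC 2013 until: Tue Apr 02 10:05:00 UTC 2013
*******************************************
*******************************************

Alias name: root
Creation date: Jan 2, 2013
Entry type: trustedCertEntry
Owner: CN=Example Root CA, O=Example Corp, C=US
Issuer: CN=Example Root CA, O=Example Corp, C=US
Valid from: Tue Jan 01 00:00:00 UTC 2008 until: Mon Jan 01 00:00:00 UTC 2018
*******************************************
*******************************************
"""

# Assumed host names (one per service) and the reference date for the sample.
SAMPLE_HOSTS = {"http": "vcd.example.com", "consoleproxy": "vcd-console.example.com"}
SAMPLE_NOW = datetime(2013, 3, 15, 12, 0, 0)

# One keystore entry as keytool -list -v prints it; only the first (end-entity)
# certificate of a chain is captured. Optional groups cover trustedCertEntry.
ENTRY_RE = re.compile(
    r"^Alias name: (?P<alias>\S+)\n"
    r"Creation date: .*\n"
    r"Entry type: (?P<etype>\w+)\n"
    r"(?:Certificate chain length: (?P<chainlen>\d+)\n)?"
    r"(?:Certificate\[1\]:\n)?"
    r"Owner: (?P<owner>.*)\n"
    r"Issuer: (?P<issuer>.*)\n"
    r"(?:Serial number: .*\n)?"
    r"Valid from: (?P<notbefore>.*?) until: (?P<notafter>.*)$",
    re.MULTILINE,
)


def parse_listing(listing):
    """Map alias -> fields of that entry's end-entity certificate."""
    return {m.group("alias"): m.groupdict() for m in ENTRY_RE.finditer(listing)}


def parse_keytool_date(text):
    """keytool prints java.util.Date.toString(), e.g. 'Thu Jan 02 10:00:00 UTC 2014'.
    The zone token (index 4) is dropped because strptime's %Z knows few zone names."""
    parts = text.split()
    return datetime.strptime(" ".join(parts[:4] + parts[5:]), "%a %b %d %H:%M:%S %Y")


def cn_of(dn):
    m = re.search(r"CN=([^,]+)", dn)
    return m.group(1).strip() if m else None


def check_keystore(listing, expected_fqdns, now, expect_ca_signed=True, min_days_left=30):
    """Return a list of problems (empty means the keystore looks right).
    expected_fqdns maps each required alias to the FQDN entered at -genkey time."""
    entries = parse_listing(listing)
    problems = []
    for alias, fqdn in expected_fqdns.items():
        e = entries.get(alias)
        if e is None:
            problems.append(f"{alias}: no entry in keystore")
            continue
        if e["etype"] != "PrivateKeyEntry":
            # A signed cert imported under a fresh alias becomes a trustedCertEntry
            # and the private key keeps its untrusted certificate.
            problems.append(f"{alias}: entry type is {e['etype']}, expected PrivateKeyEntry")
            continue
        if cn_of(e["owner"]) != fqdn:
            problems.append(f"{alias}: subject CN is {cn_of(e['owner'])!r}, expected {fqdn!r}")
        chain_len = int(e["chainlen"] or 1)
        if expect_ca_signed and (chain_len < 2 or e["owner"] == e["issuer"]):
            problems.append(f"{alias}: certificate is still self-signed (chain length "
                            f"{chain_len}); the CA reply was not imported under this alias")
        days_left = (parse_keytool_date(e["notafter"]) - now).days
        if days_left < min_days_left:
            problems.append(f"{alias}: certificate expires in {days_left} days")
    return problems


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:          # path to a saved "keytool -list -v" output
        with open(sys.argv[1]) as f:
            text = f.read()
    else:
        text = SAMPLE_LISTING
    for p in check_keystore(text, SAMPLE_HOSTS, datetime.now()) or ["no problems found"]:
        print(p)
```

Save the verbose listing to a file and pass its path as the only argument; with no argument the script checks the embedded sample, where it reports the consoleproxy entry as still self-signed and as expiring in 17 days, which is exactly the state a keystore is in after the self-signed procedure without a -validity switch. Pass expect_ca_signed=False to check_keystore when self-signed certificates are intended.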

Source: VMware KB