Replacing vCD SSL Certificates in a Multi Cell Environment

After a long wait I finally got chance to work on vCloud Director ssl certificates. This was the only component in my lab which was still using self-signed certs and that encouraged me to do something new in lab.

A note on vCD SSL certificates

vCloud Director like any other VMware product needs a certificate to be installed on the device that it uses for communication with the other products. By default vCD uses a self-signed certificate. If you have a certificate authority in your environment then you can get the certs created in advance before installing vCloud director and save your self from pain of messing with certificates at later stages.

vCD has 2 IP address which allows support for 2 different SSL endpoints (http and consoleproxy). Each endpoint requires its own SSL certificate. vCloud Director uses a java keystore to read its SSL certificates from.  In a Multi-cell environment you need to create 2 certificates for each cell and import the certificates into vcd java keystore.

There are 2 options for SSL certificates, self-signed and CA signed.

In my lab I am running 2 cells for vCloud Director high-availability and also I have my own CA server. So I am going to use CA signed certificates.

VMware KB-1026309 details the steps of creating certificates and replacing them.

High level steps for replacing vCD certificates can be summarized as below:

  • Create untrusted certificates with JAVA keytool command.
  • Send certificates to your Certificate Authority and obtain signed certificates.
  • Import the Certificate Authority root certificate.
  • Import httpd and consoleproxy signed certificates.
  • Stop vCD Cell service
  • Invoke vCD configuration script

Lets jump into lab and perform this

Location of keytool command is : /opt/vmware/vcloud-director/jre/bin

1: Generate Self-Signed Certs

[root@vcd-a bin]#./keytool -keystore vcd.ks -storetype JCEKS -storepass XXXXX -genkey -keyalg RSA -keysize 2048 -alias http

Provide the necessary info as shown below:

Repeat the step for generating console proxy certificate

[root@vcd-a bin]#./keytool -keystore vcd.ks -storetype JCEKS -storepass XXXXX -genkey -keyalg RSA -keysize 2048 -alias consoleproxy

2: Generate CSR’s

[root@vcd-a bin]#./keytool -keystore vcd.ks -storetype JCEKS -storepass XXXXXXXXX -certreq -alias http -file http.csr -keysize 2048 -validity 9999

[root@vcd-a bin]#./keytool -keystore vcd.ks -storetype JCEKS -storepass XXXXXXXXX -certreq -alias consoleproxy -file consoleproxy.csr -keysize 2048 -validity 9999

3: Verify Certs fingerprint 

[root@vcd-a bin]#./keytool -storetype JCEKS -storepass XXXXX -keystore vcd.ks -list

Now there will be two csr files created in the bin directory. Send these csr’s to your CA and obtain the signed certificates in .cer format. Also you need your CA root certificate. Once you have obtained the needed certificate files proceed with next steps.

4: Import certificates

[root@vcd-a bin]# ./keytool -alias root -storetype JCEKS -storepass XXXXXXXXX -keystore vcd.ks -importcert -file Root64.cer

On firing above command, you wills see output as below

[root@vcd-a bin]# ./keytool -storetype JCEKS -storepass XXXXXXXXX -keystore vcd.ks -importcert -alias http -file http.cer
Certificate reply was installed in keystore

[root@vcd-a bin]# ./keytool -storetype JCEKS -storepass XXXXXXXXX -keystore vcd.ks -importcert -alias consoleproxy -file consoleproxy.cer
Certificate reply was installed in keystore

Move the existing keystore file to some other location and copy the latest keystore file from bin directory (as we created our files here) to the /opt/vmware/vcloud-director folder

[root@vcd-a bin]# mv /opt/vmware/vcloud-director/vcd.ks /root/

[root@vcd-a bin]# cp vcd.ks /opt/vmware/vcloud-director

5: Stop vCD Cell service

[root@vcd-a bin]# service vmware-vcd stop

Stopping vmware-vcd-watchdog: [ OK ]
Stopping vmware-vcd-cell: [ OK ]

6: Invoke vCD configuration script

[root@vcd-a bin]# /opt/vmware/vcloud-director/bin/configure

And that it. Now logout all existing vCD web session and re-open vCD URL and you will no longer see the annoying untrusted certificate warning message.

Now for first cell job is done. For other cell repeat step 1-5. The only difference is there in step 6 where you invoke configuration script as shown below:

[root@vcd-b bin]# /opt/vmware/vcloud-director/bin/configure -r /opt/vmware/vcloud-director/responses.properties

After running through above steps, I verified that my second cell also have signed certs

I hope you enjoyed reading this post. Feel free to share this on social media if it is worth sharing. Be sociable

Leave a ReplyCancel reply