After a long wait I finally got a chance to work on vCloud Director SSL certificates. This was the only component in my lab that was still using self-signed certs, and that encouraged me to do something new in the lab.
A note on vCD SSL certificates
vCloud Director, like any other VMware product, needs a certificate installed on the appliance that it uses for communication with other products. By default vCD uses a self-signed certificate. If you have a certificate authority in your environment, you can get the certs created in advance, before installing vCloud Director, and save yourself the pain of messing with certificates at a later stage.
vCD has 2 IP addresses, which allow it to expose 2 different SSL endpoints (http and consoleproxy). Each endpoint requires its own SSL certificate. vCloud Director reads its SSL certificates from a Java keystore. In a multi-cell environment you need to create 2 certificates for each cell and import them into that cell's vCD Java keystore.
There are 2 options for SSL certificates, self-signed and CA signed.
In my lab I am running 2 cells for vCloud Director high availability, and I also have my own CA server, so I am going to use CA-signed certificates.
VMware KB-1026309 details the steps of creating certificates and replacing them.
The high-level steps for replacing vCD certificates can be summarized as below:
- Create untrusted (self-signed) certificates with the Java keytool command.
- Send certificates to your Certificate Authority and obtain signed certificates.
- Import the Certificate Authority root certificate.
- Import httpd and consoleproxy signed certificates.
- Stop vCD Cell service
- Invoke vCD configuration script
Let's jump into the lab and perform this.
The keytool command is located in /opt/vmware/vcloud-director/jre/bin
1: Generate Self-Signed Certs
[root@vcd-a bin]# ./keytool -keystore vcd.ks -storetype JCEKS -storepass XXXXX -genkey -keyalg RSA -keysize 2048 -alias http
Provide the necessary info as shown below:
What is your first and last name?
  [Unknown]:  vcd-b.alex.local
What is the name of your organizational unit?
  [Unknown]:  Cloud
What is the name of your organization?
  [Unknown]:  Alex.Co
What is the name of your City or Locality?
  [Unknown]:  Bangalore
What is the name of your State or Province?
  [Unknown]:  Karnataka
What is the two-letter country code for this unit?
  [Unknown]:  IN
Is CN=vcd-b.alex.local, OU=Cloud, O=Alex.Co, L=Bangalore, ST=Karnataka, C=IN correct?
  [no]:  yes
Enter key password for <consoleproxy>
        (RETURN if same as keystore password):
Repeat the step to generate the console proxy certificate:
[root@vcd-a bin]# ./keytool -keystore vcd.ks -storetype JCEKS -storepass XXXXX -genkey -keyalg RSA -keysize 2048 -alias consoleproxy
2: Generate CSRs
[root@vcd-a bin]# ./keytool -keystore vcd.ks -storetype JCEKS -storepass XXXXXXXXX -certreq -alias http -file http.csr -keysize 2048 -validity 9999
[root@vcd-a bin]# ./keytool -keystore vcd.ks -storetype JCEKS -storepass XXXXXXXXX -certreq -alias consoleproxy -file consoleproxy.csr -keysize 2048 -validity 9999
3: Verify cert fingerprints
[root@vcd-a bin]# ./keytool -storetype JCEKS -storepass XXXXX -keystore vcd.ks -list
Keystore type: JCEKS
Keystore provider: SunJCE

Your keystore contains 3 entries

consoleproxy, Jun 20, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): 01:5A:86:9B:B9:F7:CB:3F:36:60:09:FA:ED:04:3E:65:58:C5:08:8E
root, Jun 20, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): 84:7B:5C:2D:65:0A:C8:3E:76:AD:96:23:42:9B:E3:D7:4C:83:6B:CB
http, Jun 20, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): 49:82:81:22:E5:F2:BA:B6:CB:CA:1A:35:8A:29:A3:F5:5A:D0:4D:7A
There will now be two CSR files in the bin directory. Send these CSRs to your CA and obtain the signed certificates in .cer format. You also need your CA root certificate. Once you have obtained the needed certificate files, proceed with the next steps.
4: Import certificates
[root@vcd-a bin]# ./keytool -alias root -storetype JCEKS -storepass XXXXXXXXX -keystore vcd.ks -importcert -file Root64.cer
On running the above command, you will see output as below:
Owner: CN=CASRV01-CA, DC=alex, DC=local
Issuer: CN=CASRV01-CA, DC=alex, DC=local
Serial number: 379322e692faa1af4dd54387d6400ff1
Valid from: Mon Jun 13 15:00:41 IST 2016 until: Sun Jun 13 15:10:38 IST 2021
Certificate fingerprints:
         MD5:  7E:63:CB:3E:A0:4F:93:A9:8F:EF:D4:1E:18:84:CA:48
         SHA1: 84:7B:5C:2D:65:0A:C8:3E:76:AD:96:23:42:9B:E3:D7:4C:83:6B:CB
         SHA256: B0:4C:20:88:09:99:DB:27:85:17:53:07:B6:58:35:3B:7B:D2:A0:3C:CA:5F:74:F9:7C:0F:42:AD:13:95:F7:BE
Signature algorithm name: SHA256withRSA
Version: 3

Extensions:

#1: ObjectId: 1.3.6.1.4.1.311.21.1 Criticality=false
0000: 02 01 00                                           ...

#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  DigitalSignature
  Key_CertSign
  Crl_Sign
]

#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 80 B8 5E 71 89 EA 13 6E   07 62 B9 C5 E4 4C E3 8C  ..^q...n.b...L..
0010: 07 48 9D 74                                        .H.t
]
]

Trust this certificate? [no]:  yes
Certificate was added to keystore
[root@vcd-a bin]# ./keytool -storetype JCEKS -storepass XXXXXXXXX -keystore vcd.ks -importcert -alias http -file http.cer
Certificate reply was installed in keystore
[root@vcd-a bin]# ./keytool -storetype JCEKS -storepass XXXXXXXXX -keystore vcd.ks -importcert -alias consoleproxy -file consoleproxy.cer
Certificate reply was installed in keystore
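Before swapping the keystore into place it is worth confirming that the trustedCertEntry named root really is the CA you intended: the SHA1 fingerprint keytool prints for the root alias in the keystore listing should be identical to the SHA1 of the CA's own root certificate (the value keytool showed when the root was imported, or the one your CA administrator gives you). The following script is an added example and is not part of the original post or of vCloud Director; it parses a keystore listing (the sample listing below is constructed from the output shown earlier) and compares the fingerprint of a chosen alias against an expected value, failing on a mismatch or a missing alias.

```shell
#!/bin/sh
# Added example (not from the original post): compare the SHA1 fingerprint of an
# alias in a `keytool -list` listing against an expected fingerprint.

# Constructed sample: what `keytool -storetype JCEKS -keystore vcd.ks -list` printed
# for the keystore built in this post.
SAMPLE_LISTING='Keystore type: JCEKS
Keystore provider: SunJCE

Your keystore contains 3 entries

consoleproxy, Jun 20, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): 01:5A:86:9B:B9:F7:CB:3F:36:60:09:FA:ED:04:3E:65:58:C5:08:8E
root, Jun 20, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): 84:7B:5C:2D:65:0A:C8:3E:76:AD:96:23:42:9B:E3:D7:4C:83:6B:CB
http, Jun 20, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): 49:82:81:22:E5:F2:BA:B6:CB:CA:1A:35:8A:29:A3:F5:5A:D0:4D:7A'

# Expected SHA1 of the CA root certificate, taken from the keytool import output above.
# In practice obtain it out of band (from the CA administrator, or with
# `openssl x509 -in Root64.cer -noout -fingerprint -sha1`).
EXPECTED_ROOT_SHA1='84:7B:5C:2D:65:0A:C8:3E:76:AD:96:23:42:9B:E3:D7:4C:83:6B:CB'

# fingerprint_of ALIAS: read a keytool listing on stdin and print the SHA1
# fingerprint of ALIAS. keytool prints "alias, date, type," on one line and the
# fingerprint on the next, so awk remembers whether the previous line was our alias.
fingerprint_of() {
    awk -v alias="$1" '
        /^Certificate fingerprint \(SHA1\):/ { if (want) { print $NF; exit } }
        { want = (index($0, alias ",") == 1) }
    '
}

# check_alias ALIAS EXPECTED LISTING: return 0 if ALIAS is present and its
# fingerprint equals EXPECTED (case-insensitive), 1 otherwise.
check_alias() {
    actual=$(printf '%s\n' "$3" | fingerprint_of "$1")
    if [ -z "$actual" ]; then
        echo "alias '$1' not found in keystore listing" >&2
        return 1
    fi
    actual_uc=$(printf '%s' "$actual" | tr 'a-f' 'A-F')
    expected_uc=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    if [ "$actual_uc" = "$expected_uc" ]; then
        echo "OK: $1 fingerprint matches ($actual)"
        return 0
    fi
    echo "MISMATCH: $1 has $actual, expected $2" >&2
    return 1
}

# Against a live keystore (not run here; needs keytool on the cell):
#   LISTING=$(/opt/vmware/vcloud-director/jre/bin/keytool -storetype JCEKS \
#             -storepass "$STOREPASS" -keystore vcd.ks -list)
#   check_alias root "$EXPECTED_ROOT_SHA1" "$LISTING"
check_alias root "$EXPECTED_ROOT_SHA1" "$SAMPLE_LISTING"
```

Run it on each cell after importing the root; a non-zero exit from check_alias means the keystore is trusting something other than the CA you meant, and the http and consoleproxy replies imported against it should not be deployed until that is sorted out.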
Move the existing keystore file to some other location and copy the new keystore file from the bin directory (where we created our files) to the /opt/vmware/vcloud-director folder:
[root@vcd-a bin]# mv /opt/vmware/vcloud-director/vcd.ks /root/
[root@vcd-a bin]# cp vcd.ks /opt/vmware/vcloud-director
5: Stop vCD Cell service
[root@vcd-a bin]# service vmware-vcd stop
Stopping vmware-vcd-watchdog: [ OK ]
Stopping vmware-vcd-cell: [ OK ]
6: Invoke vCD configuration script
[root@vcd-a bin]# /opt/vmware/vcloud-director/bin/configure
And that's it. Now log out of all existing vCD web sessions and re-open the vCD URL, and you will no longer see the annoying untrusted certificate warning.
The first cell is now done. For the other cell, repeat steps 1-5. The only difference is in step 6, where you invoke the configuration script with the responses file, as shown below:
[root@vcd-b bin]# /opt/vmware/vcloud-director/bin/configure -r /opt/vmware/vcloud-director/responses.properties
After running through the above steps, I verified that my second cell also has signed certs.
I hope you enjoyed reading this post. Feel free to share this on social media if it is worth sharing.