After a long wait I finally got chance to work on vCloud Director ssl certificates. This was the only component in my lab which was still using self-signed certs and that encouraged me to do something new in lab.
A note on vCD SSL certificates
vCloud Director like any other VMware product needs a certificate to be installed on the device that it uses for communication with the other products. By default vCD uses a self-signed certificate. If you have a certificate authority in your environment then you can get the certs created in advance before installing vCloud director and save your self from pain of messing with certificates at later stages.
vCD has 2 IP address which allows support for 2 different SSL endpoints (http and consoleproxy). Each endpoint requires its own SSL certificate. vCloud Director uses a java keystore to read its SSL certificates from. In a Multi-cell environment you need to create 2 certificates for each cell and import the certificates into vcd java keystore.
There are 2 options for SSL certificates, self-signed and CA signed.
In my lab I am running 2 cells for vCloud Director high-availability and also I have my own CA server. So I am going to use CA signed certificates.
VMware KB-1026309 details the steps of creating certificates and replacing them.
High level steps for replacing vCD certificates can be summarized as below:
- Create untrusted certificates with JAVA keytool command.
- Send certificates to your Certificate Authority and obtain signed certificates.
- Import the Certificate Authority root certificate.
- Import httpd and consoleproxy signed certificates.
- Stop vCD Cell service
- Invoke vCD configuration script
Lets jump into lab and perform this
Location of keytool command is : /opt/vmware/vcloud-director/jre/bin
1: Generate Self-Signed Certs
[root@vcd-a bin]#./keytool -keystore vcd.ks -storetype JCEKS -storepass XXXXXXXXX -genkey -keyalg RSA -keysize 2048 -alias http
The above command will aks you info like below. Provide the necessary info:
What is your first and last name?
What is the name of your organizational unit?
What is the name of your organization?
What is the name of your City or Locality?
What is the name of your State or Province?
What is the two-letter country code for this unit?
Is CN=vcd-b.alex.local, OU=Cloud, O=Alex.Co, L=Bangalore, ST=Karnataka, C=IN correct?
Enter key password for <consoleproxy>
(RETURN if same as keystore password):
[root@vcd-a bin]#./keytool -keystore vcd.ks -storetype JCEKS -storepass XXXXXXXXX -genkey -keyalg RSA -keysize 2048 -alias consoleproxy
2: Generate CSR’s
[root@vcd-a bin]#./keytool -keystore vcd.ks -storetype JCEKS -storepass XXXXXXXXX -certreq -alias http -file http.csr -keysize 2048 -validity 9999
[root@vcd-a bin]#./keytool -keystore vcd.ks -storetype JCEKS -storepass XXXXXXXXX -certreq -alias consoleproxy -file consoleproxy.csr -keysize 2048 -validity 9999
3: Verify Certs fingerprint
[root@vcd-a bin]#./keytool -storetype JCEKS -storepass XXXXXXXXX -keystore vcd.ks -list
Keystore type: JCEKS
Keystore provider: SunJCE
Your keystore contains 3 entries
consoleproxy, Jun 20, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): 01:5A:86:9B:B9:F7:CB:3F:36:60:09:FA:ED:04:3E:65:58:C5:08:8E
root, Jun 20, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): 84:7B:5C:2D:65:0A:C8:3E:76:AD:96:23:42:9B:E3:D7:4C:83:6B:CB
http, Jun 20, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): 49:82:81:22:E5:F2:BA:B6:CB:CA:1A:35:8A:29:A3:F5:5A:D0:4D:7A
Now there will be two csr files created in the bin directory. Send these csr’s to your CA and obtain the signed certificates in .cer format. Also you need your CA root certificate. Once you have obtained the needed certificate files proceed with next steps.
4: Import certificates
[root@vcd-a bin]# ./keytool -alias root -storetype JCEKS -storepass XXXXXXXXX -keystore vcd.ks -importcert -file Root64.cer
On firing above comamnd, you wills see output as below
Owner: CN=CASRV01-CA, DC=alex, DC=local
Issuer: CN=CASRV01-CA, DC=alex, DC=local
Serial number: 379322e692faa1af4dd54387d6400ff1
Valid from: Mon Jun 13 15:00:41 IST 2016 until: Sun Jun 13 15:10:38 IST 2021
Signature algorithm name: SHA256withRSA
#1: ObjectId: 220.127.116.11.4.1.311.21.1 Criticality=false
0000: 02 01 00 …
#2: ObjectId: 18.104.22.168 Criticality=true
#3: ObjectId: 22.214.171.124 Criticality=false
#4: ObjectId: 126.96.36.199 Criticality=false
0000: 80 B8 5E 71 89 EA 13 6E 07 62 B9 C5 E4 4C E3 8C ..^q…n.b…L..
0010: 07 48 9D 74 .H.t
Trust this certificate? [no]: yes
Certificate was added to keystore
[root@vcd-a bin]# ./keytool -storetype JCEKS -storepass XXXXXXXXX -keystore vcd.ks -importcert -alias http -file http.cer
Certificate reply was installed in keystore
[root@vcd-a bin]# ./keytool -storetype JCEKS -storepass XXXXXXXXX -keystore vcd.ks -importcert -alias consoleproxy -file consoleproxy.cer
Certificate reply was installed in keystore
Move the existing keystore file to some other location and copy the lastest keystore file from bin directory (as we created our files here) to the /opt/vmware/vcloud-director folder
[root@vcd-a bin]# mv /opt/vmware/vcloud-director/vcd.ks /root/
[root@vcd-a bin]# cp vcd.ks /opt/vmware/vcloud-director
5: Stop vCD Cell service
[root@vcd-a bin]# service vmware-vcd stop
Stopping vmware-vcd-watchdog: [ OK ]
Stopping vmware-vcd-cell: [ OK ]
6: Invoke vCD configuration script
[root@vcd-a bin]# /opt/vmware/vcloud-director/bin/configure
And thats it. Now logout all existing vCD web session and re-open vCD URL and you will no longer see the annoying untrusted certificate warning message.
Now for first cell job is done. For other cell repeat step 1-5. The only difference is there in step 6 where you invoke configuration script as shown below:
[root@vcd-b bin]# /opt/vmware/vcloud-director/bin/configure -r /opt/vmware/vcloud-director/responses.properties
After running through above steps, I verified that my second cell also have signed certs
I hope you enjoyed reading this post. Feel free to share this on social media if it is worth sharing. Be sociable