Replacing vCD SSL Certificates in a Multi Cell Environment

After a long wait I finally got the chance to work on vCloud Director SSL certificates. This was the only component in my lab that was still using self-signed certs, and that encouraged me to do something new in the lab.

A note on vCD SSL certificates

vCloud Director, like any other VMware product, needs a certificate installed on the appliance that it uses for communication with other products. By default vCD uses a self-signed certificate. If you have a certificate authority in your environment, you can get the certs created in advance, before installing vCloud Director, and save yourself the pain of messing with certificates at a later stage.

vCD has 2 IP addresses, which allow it to expose 2 different SSL endpoints (http and consoleproxy). Each endpoint requires its own SSL certificate. vCloud Director reads its SSL certificates from a Java keystore. In a multi-cell environment you need to create 2 certificates for each cell and import those certificates into that cell's vCD Java keystore.

There are 2 options for SSL certificates, self-signed and CA signed.

In my lab I am running 2 cells for vCloud Director high-availability and also I have my own CA server. So I am going to use CA signed certificates.

VMware KB-1026309 details the steps of creating certificates and replacing them.

High level steps for replacing vCD certificates can be summarized as below:

  • Create self-signed (untrusted) certificates with the Java keytool command.
  • Send the certificate signing requests to your Certificate Authority and obtain signed certificates.
  • Import the Certificate Authority root certificate.
  • Import the signed http and consoleproxy certificates.
  • Stop the vCD cell service.
  • Invoke the vCD configuration script.

Let's jump into the lab and perform this.

The keytool command is located at: /opt/vmware/vcloud-director/jre/bin

1: Generate Self-Signed Certs

[root@vcd-a bin]#./keytool -keystore vcd.ks -storetype JCEKS -storepass XXXXXXXXX -genkey -keyalg RSA -keysize 2048 -alias http

The above command will ask you for information like the prompts below. Provide the necessary details:

What is your first and last name?
[Unknown]: vcd-b.alex.local
What is the name of your organizational unit?
[Unknown]: Cloud
What is the name of your organization?
[Unknown]: Alex.Co
What is the name of your City or Locality?
[Unknown]: Bangalore
What is the name of your State or Province?
[Unknown]: Karnataka
What is the two-letter country code for this unit?
[Unknown]: IN
Is CN=vcd-b.alex.local, OU=Cloud, O=Alex.Co, L=Bangalore, ST=Karnataka, C=IN correct?
[no]: yes

Enter key password for <consoleproxy>
(RETURN if same as keystore password):

[root@vcd-a bin]#./keytool -keystore vcd.ks -storetype JCEKS -storepass XXXXXXXXX -genkey -keyalg RSA -keysize 2048 -alias consoleproxy

2: Generate CSR’s

[root@vcd-a bin]#./keytool -keystore vcd.ks -storetype JCEKS -storepass XXXXXXXXX -certreq -alias http -file http.csr -keysize 2048 -validity 9999

[root@vcd-a bin]#./keytool -keystore vcd.ks -storetype JCEKS -storepass XXXXXXXXX -certreq -alias consoleproxy -file consoleproxy.csr -keysize 2048 -validity 9999

3: Verify Certs fingerprint

[root@vcd-a bin]#./keytool -storetype JCEKS -storepass XXXXXXXXX -keystore vcd.ks -list

Keystore type: JCEKS
Keystore provider: SunJCE

Your keystore contains 3 entries

consoleproxy, Jun 20, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): 01:5A:86:9B:B9:F7:CB:3F:36:60:09:FA:ED:04:3E:65:58:C5:08:8E

root, Jun 20, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): 84:7B:5C:2D:65:0A:C8:3E:76:AD:96:23:42:9B:E3:D7:4C:83:6B:CB

http, Jun 20, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): 49:82:81:22:E5:F2:BA:B6:CB:CA:1A:35:8A:29:A3:F5:5A:D0:4D:7A

There will now be two CSR files in the bin directory. Send these CSRs to your CA and obtain the signed certificates in .cer format. You also need your CA root certificate. Once you have obtained the needed certificate files, proceed with the next steps.

4: Import certificates

[root@vcd-a bin]# ./keytool -alias root -storetype JCEKS -storepass XXXXXXXXX -keystore vcd.ks -importcert -file Root64.cer

On running the above command, you will see output like the following:

Owner: CN=CASRV01-CA, DC=alex, DC=local
Issuer: CN=CASRV01-CA, DC=alex, DC=local
Serial number: 379322e692faa1af4dd54387d6400ff1
Valid from: Mon Jun 13 15:00:41 IST 2016 until: Sun Jun 13 15:10:38 IST 2021
Certificate fingerprints:
MD5: 7E:63:CB:3E:A0:4F:93:A9:8F:EF:D4:1E:18:84:CA:48
SHA1: 84:7B:5C:2D:65:0A:C8:3E:76:AD:96:23:42:9B:E3:D7:4C:83:6B:CB
SHA256: B0:4C:20:88:09:99:DB:27:85:17:53:07:B6:58:35:3B:7B:D2:A0:3C:CA:5F:74:F9:7C:0F:42:AD:13:95:F7:BE
Signature algorithm name: SHA256withRSA
Version: 3

Extensions:

#1: ObjectId: 1.3.6.1.4.1.311.21.1 Criticality=false
0000: 02 01 00 …

#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]

#3: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]

#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 80 B8 5E 71 89 EA 13 6E 07 62 B9 C5 E4 4C E3 8C ..^q…n.b…L..
0010: 07 48 9D 74 .H.t
]
]

Trust this certificate? [no]: yes
Certificate was added to keystore

[root@vcd-a bin]# ./keytool -storetype JCEKS -storepass XXXXXXXXX -keystore vcd.ks -importcert -alias http -file http.cer
Certificate reply was installed in keystore

[root@vcd-a bin]# ./keytool -storetype JCEKS -storepass XXXXXXXXX -keystore vcd.ks -importcert -alias consoleproxy -file consoleproxy.cer
Certificate reply was installed in keystore

Move the existing keystore file to some other location and copy the latest keystore file from the bin directory (where we created our files) to the /opt/vmware/vcloud-director folder:

[root@vcd-a bin]# mv /opt/vmware/vcloud-director/vcd.ks /root/

[root@vcd-a bin]# cp vcd.ks /opt/vmware/vcloud-director

5: Stop vCD Cell service

[root@vcd-a bin]# service vmware-vcd stop

Stopping vmware-vcd-watchdog: [ OK ]
Stopping vmware-vcd-cell: [ OK ]

6: Invoke vCD configuration script

[root@vcd-a bin]# /opt/vmware/vcloud-director/bin/configure

And that's it. Now log out of all existing vCD web sessions and re-open the vCD URL; you will no longer see the annoying untrusted certificate warning.
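Two checks I find worth scripting around this procedure, as an added example that is not part of the original post: after step 4, confirm that vcd.ks really holds the http and consoleproxy private keys plus the trusted root before the keystore is swapped in, and after step 6, confirm that the certificate each cell serves is the one in the keystore. The sample listing is constructed to mirror the keytool -list output shown above; the alias names, the STOREPASS variable and the KEYTOOL path are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-flight and post-configure
# checks for the vCD keystore swap. Assumes the aliases used in the post
# (http, consoleproxy, root), STOREPASS holding the keystore password, and
# KEYTOOL pointing at the vCD JRE's keytool.
KEYTOOL=${KEYTOOL:-/opt/vmware/vcloud-director/jre/bin/keytool}

# Reduce a "keytool -list" listing (on stdin) to "alias,EntryType" lines.
parse_listing() {
  sed -n 's/^\([A-Za-z0-9_-]*\), .*, \([A-Za-z]*Entry\),.*$/\1,\2/p'
}

# Succeed only if both endpoint keys and the CA root are present with the
# expected entry types; a missing or mistyped alias is reported on stderr.
check_entries() {
  entries=$(parse_listing)
  for want in http,PrivateKeyEntry consoleproxy,PrivateKeyEntry root,trustedCertEntry; do
    echo "$entries" | grep -qx "$want" || { echo "keystore lacks $want" >&2; return 1; }
  done
}

# Print the SHA1 fingerprint recorded for alias $1 in a listing read from stdin.
fingerprint_of() {
  awk -v a="$1" '$1 == a "," { found = 1; next }
                 found && /fingerprint \(SHA1\)/ { print $NF; exit }'
}

# SHA1 fingerprint of the certificate a live TLS endpoint ($1 = host:port) serves.
live_fingerprint() {
  echo | openssl s_client -connect "$1" -servername "${1%%:*}" 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha1 | sed 's/.*=//'
}

# Compare what the cell serves with what the keystore holds for that alias.
endpoint_matches_keystore() {   # $1 alias, $2 host:port, $3 listing file
  ks=$(fingerprint_of "$1" < "$3"); live=$(live_fingerprint "$2")
  [ -n "$ks" ] && [ "$ks" = "$live" ]
}

# Constructed sample listing, shaped like the keytool -list output in the post.
SAMPLE_LISTING='consoleproxy, Jun 20, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): 01:5A:86:9B:B9:F7:CB:3F:36:60:09:FA:ED:04:3E:65:58:C5:08:8E

root, Jun 20, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): 84:7B:5C:2D:65:0A:C8:3E:76:AD:96:23:42:9B:E3:D7:4C:83:6B:CB

http, Jun 20, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): 49:82:81:22:E5:F2:BA:B6:CB:CA:1A:35:8A:29:A3:F5:5A:D0:4D:7A'

# Real use on a cell (not run here): list the keystore, then check it and the endpoint.
# "$KEYTOOL" -storetype JCEKS -storepass "$STOREPASS" -keystore vcd.ks -list > listing.txt
# check_entries < listing.txt && endpoint_matches_keystore http vcd-a.alex.local:443 listing.txt
```

Run the consoleproxy comparison against the second IP of the cell as well, since that endpoint serves its own certificate.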

[Screenshot: vcd-a.PNG]

The first cell is now done. For the other cell, repeat steps 1 to 5. The only difference is in step 6, where you invoke the configuration script as shown below:

[root@vcd-b bin]# /opt/vmware/vcloud-director/bin/configure -r /opt/vmware/vcloud-director/responses.properties

After running through the above steps, I verified that my second cell also has signed certs.

[Screenshot: vcd-b.PNG]

I hope you enjoyed reading this post. Feel free to share this on social media if it is worth sharing. Be sociable :)