Thursday, February 14

vCloud Director 5.1.1 properly signed certificates - step-by-step

First, have your own root certificate :) - see my old post on this.
Then, generate a batch of new certs with signing requests on the vCloud Director.
The trick is: there are at least 2 "keytool" commands on a vCD server, one from the OS default JRE (God knows what version) and one from the vCD installation, which is the one we should use. Please note that the keytool version changes with vCD versions (as the bundled JRE version changes with it too), and of course the command syntax changes too...
So, generate 2 key pairs (self-signed certificates) and their signing requests on the vCD node:
  • /etc/init.d/vmware-vcd stop
  • cd /opt/vmware/vcloud-director
  • jre/bin/keytool -keystore certificates.ks -storetype JCEKS -storepass mypasswd -genkey -keyalg RSA -alias http -validity 3650
  • jre/bin/keytool -certreq -keystore certificates.ks -storetype JCEKS -storepass mypasswd -alias http -file http.csr
  • jre/bin/keytool -keystore certificates.ks -storetype JCEKS -storepass mypasswd -genkey -keyalg RSA -alias consoleproxy -validity 3650
  • jre/bin/keytool -certreq -keystore certificates.ks -storetype JCEKS -storepass mypasswd -alias consoleproxy -file consoleproxy.csr
The alias names "http" and "consoleproxy" are mandatory: they belong to the 2 vCD IPs (HTTP and console proxy). When keytool asks "What is your first and last name?", the answer should be the FQDN that resolves to the given IP address - 2 different FQDNs for the 2 IPs.
Now, copy the 2 .csr files over to your signing machine, where the root certificate AND its key file reside.
Sign the 2 signing requests, thus generating the signed certificates:
  • openssl x509 -req -in http.csr -CA myroot.crt -CAkey rui.key -CAcreateserial -out http.crt -days 3650
  • openssl x509 -req -in consoleproxy.csr -CA myroot.crt -CAkey rui.key -CAcreateserial -out consoleproxy.crt -days 3650
Now, copy the 2 newly generated certificates and the root certificate (not its key!) over to the vCD node.
Then, import the root certificate and the 2 signed certificates into the keystore:
  • cd /opt/vmware/vcloud-director
  • jre/bin/keytool -importcert -storetype JCEKS -storepass mypasswd -keystore certificates.ks -file myroot.crt -alias root
  • jre/bin/keytool -importcert -storetype JCEKS -storepass mypasswd -keystore certificates.ks -file http.crt -alias http
  • jre/bin/keytool -importcert -storetype JCEKS -storepass mypasswd -keystore certificates.ks -file consoleproxy.crt -alias consoleproxy
  • You can check if the keystore is all right (it should be) with: jre/bin/keytool -storetype JCEKS -storepass mypasswd -keystore certificates.ks -list
  • Then, reconfigure vCD: /opt/vmware/vcloud-director/bin/configure - the keystore path to give is now /opt/vmware/vcloud-director/certificates.ks
  • And finally, start the service: /etc/init.d/vmware-vcd start
This should be all!
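The same procedure wrapped into shell functions, as an added example that is not from the original post: it pins the vCD-bundled keytool, generates both CSRs non-interactively, imports the root first, and finally checks a `keytool -list` dump for the entry types vCD needs (`http` and `consoleproxy` must remain key entries, i.e. the signed cert replaced the self-signed one instead of landing as a separate trusted cert; `root` must be a trusted cert entry). `VCD_HOME`, `STOREPASS` and the `-dname` shortcut are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): the post's keytool steps as
# functions plus a post-import sanity check. Paths and password are assumptions.
set -eu

VCD_HOME="${VCD_HOME:-/opt/vmware/vcloud-director}"
STOREPASS="${STOREPASS:-mypasswd}"     # assumption: same password as in the post
KS="$VCD_HOME/certificates.ks"

# Always use the keytool bundled with vCD, never the OS default one.
vcd_keytool() {
  kt="$VCD_HOME/jre/bin/keytool"
  [ -x "$kt" ] || { echo "bundled keytool not found at $kt" >&2; return 1; }
  echo "$kt"
}

# Key pair + CSR for one alias; the CN must be the FQDN of that vCD IP.
gen_csr() {        # usage: gen_csr <alias> <fqdn>
  "$(vcd_keytool)" -keystore "$KS" -storetype JCEKS -storepass "$STOREPASS" \
      -genkey -keyalg RSA -alias "$1" -validity 3650 -dname "CN=$2"
  "$(vcd_keytool)" -certreq -keystore "$KS" -storetype JCEKS -storepass "$STOREPASS" \
      -alias "$1" -file "$1.csr"
}

# Import root first so keytool can verify the chain of the two CA replies.
import_signed() {  # usage: import_signed <root.crt>  (http.crt/consoleproxy.crt in cwd)
  kt="$(vcd_keytool)"
  "$kt" -importcert -noprompt -storetype JCEKS -storepass "$STOREPASS" \
      -keystore "$KS" -file "$1" -alias root
  for a in http consoleproxy; do
    "$kt" -importcert -storetype JCEKS -storepass "$STOREPASS" \
        -keystore "$KS" -file "$a.crt" -alias "$a"
  done
}

# Read a `keytool -list` dump on stdin; fail on the first wrong/missing entry.
# Accepts both the Java 6 ("keyEntry") and Java 7 ("PrivateKeyEntry") spellings.
check_keystore_list() {
  input="$(cat)"
  for a in http consoleproxy; do
    printf '%s\n' "$input" | grep -Eiq "^$a,.*keyentry" \
      || { echo "alias '$a' is not a key entry" >&2; return 1; }
  done
  printf '%s\n' "$input" | grep -Eiq "^root,.*trustedcertentry" \
    || { echo "alias 'root' is not a trusted cert entry" >&2; return 1; }
}
```

Run the check as `"$(vcd_keytool)" -storetype JCEKS -storepass "$STOREPASS" -keystore "$KS" -list | check_keystore_list` before running `bin/configure`.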

2 comments:

  1. Hi

    Good article. Curious around the format of the certificate created by your CA. I have a .cer file that has been provided, but not 100% sure how I can convert this to .crt so I can import into my cell server.

    Cheers
    David

  2. Hi

    File formats around the wrong way in my question. I have .crt files, but cannot seem to import them into vCD. When I import I get the error "keytool error: java.security.cert.CertificateException: java.io.EOFException: Detect premature EOF".

    I have imported the root.ca and intermediate root file with no issues also.

    Any suggestions?

    Thanks
    David
