First, have your own root certificate :) - see my old post on this.
Then, generate a branch of new certs with signing requests on the vCloud Director.
The trick is that there are at least 2 "keytool" commands on a vCD server: the OS default one (God knows what version) and the one bundled with the vCD installation, which is the one we should use. Please note that the bundled keytool version changes with vCD versions (as the JRE version changes with it), and of course the command syntax changes too...
So, generate 2 certificates and their signing requests on the vCD node:
- /etc/init.d/vmware-vcd stop
- cd /opt/vmware/vcloud-director
- jre/bin/keytool -keystore certificates.ks -storetype JCEKS -storepass mypasswd -genkey -keyalg RSA -alias http -validity 3650
- jre/bin/keytool -certreq -keystore certificates.ks -storetype JCEKS -storepass mypasswd -alias http -file http.csr
- jre/bin/keytool -keystore certificates.ks -storetype JCEKS -storepass mypasswd -genkey -keyalg RSA -alias consoleproxy -validity 3650
- jre/bin/keytool -certreq -keystore certificates.ks -storetype JCEKS -storepass mypasswd -alias consoleproxy -file consoleproxy.csr
The "alias" names (http and consoleproxy) are mandatory; they correspond to the 2 vCD IPs. When keytool asks "What is your first and last name?" the answer should be the FQDN that resolves to the respective IP address - 2 different FQDNs for the 2 IPs.
Now, copy the 2 .csr files over to your signing machine, where the root certificate AND its key file reside.
Sign the 2 signing requests, thus generating the signed certificates:
- openssl x509 -req -in http.csr -CA myroot.crt -CAkey rui.key -CAcreateserial -out http.crt -days 3650
- openssl x509 -req -in consoleproxy.csr -CA myroot.crt -CAkey rui.key -CAcreateserial -out consoleproxy.crt -days 3650
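Before copying the signed certificates back, it is worth checking on the signing machine that each one really chains to the root and carries the FQDN you typed into keytool as its CN (a wrong CN is the usual reason the browser later complains). The script below is an added example, not from the original post: it wraps the same openssl signing command and adds both checks; the throwaway root CA, the two CSRs and the `*.vcd.example.test` hostnames are constructed fixtures standing in for myroot.crt, rui.key and the CSRs from the vCD node, and only openssl is assumed to be installed.

```shell
#!/bin/sh
# Added example: sign a CSR as in the post, then verify the result before it
# goes to the vCD node. Requires only openssl.
set -e

# sign_and_verify CSR ROOT_CRT ROOT_KEY OUT_CRT EXPECTED_FQDN
# Signs CSR with the root CA (same openssl invocation as in the post), then
# checks that OUT_CRT chains to ROOT_CRT and has EXPECTED_FQDN as subject CN.
# Returns 0 on success, 1 on any mismatch.
sign_and_verify() {
    csr=$1; ca=$2; cakey=$3; out=$4; fqdn=$5
    openssl x509 -req -in "$csr" -CA "$ca" -CAkey "$cakey" -CAcreateserial \
        -out "$out" -days 3650 2>/dev/null
    # Chain check: the certificate must have been issued by our root.
    openssl verify -CAfile "$ca" "$out" >/dev/null 2>&1 \
        || { echo "$out: does not chain to $ca" >&2; return 1; }
    # Subject check: the CN must be the FQDN given to keytool.
    cn=$(openssl x509 -in "$out" -noout -subject -nameopt RFC2253 \
         | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$fqdn" ] \
        || { echo "$out: CN '$cn' does not match '$fqdn'" >&2; return 1; }
    echo "$out: OK, CN=$cn, chains to $ca"
}

# Constructed fixtures in a temp dir: a throwaway root CA (stand-in for
# myroot.crt / rui.key) and two CSRs standing in for the http.csr and
# consoleproxy.csr that keytool produced on the vCD node. Prints the dir.
make_fixtures() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/rui.key" \
        -out "$dir/myroot.crt" -days 3650 -subj "/CN=My Root CA" 2>/dev/null
    for a in http consoleproxy; do
        openssl req -newkey rsa:2048 -nodes -keyout "$dir/$a.key" \
            -out "$dir/$a.csr" -subj "/CN=$a.vcd.example.test" 2>/dev/null
    done
    echo "$dir"
}
```

Run it with real files as `sign_and_verify http.csr myroot.crt rui.key http.crt <http FQDN>` and again for consoleproxy; a non-zero exit means the certificate should not be imported yet.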
Now, copy the 2 newly generated certificates and the root certificate (not its key!) over to the vCD node.
Then, we should import the root certificate and the 2 signed certificates into the keystore:
- cd /opt/vmware/vcloud-director
- jre/bin/keytool -importcert -storetype JCEKS -storepass mypasswd -keystore certificates.ks -file myroot.crt -alias root
- jre/bin/keytool -importcert -storetype JCEKS -storepass mypasswd -keystore certificates.ks -file http.crt -alias http
- jre/bin/keytool -importcert -storetype JCEKS -storepass mypasswd -keystore certificates.ks -file consoleproxy.crt -alias consoleproxy
- You can check that the keystore is all right (it should be) with: jre/bin/keytool -storetype JCEKS -storepass mypasswd -keystore certificates.ks -list
- Then, reconfigure vCD: /opt/vmware/vcloud-director/bin/configure - the keystore path should now be /opt/vmware/vcloud-director/certificates.ks
- And finally, start the service: /etc/init.d/vmware-vcd start
This should be all!