Create and replace the vCloud director with self-signed certificates

vCloud director looks for 2 certificates within the configured keystore. One for http and the other is consoleproxy.

The below keytool create commands create a keystore with the certificate for specified alias, keystore type, keystore name, keystore password, validity, Org information and SAN field details.

Keytool location

Step 0 : cd /opt/vmware/vcloud-director/jre/bin

Step 1 : Command to create certificate for http : 

./keytool -keystore /opt/vmware/certificates.ks -alias http -storepass passwd -keypass passwd -storetype JCEKS -genkeypair -keyalg RSA -keysize 2048 -validity 730 -dname "CN=vcd91.vCloud.local, OU=GSS, O=VMware, L=Bengaluru, S=Karnataka, C=IN" -ext "san=dns:vcd91.vCenter.local,dns:vcd91,ip:"

  • Here the command creates the keystore named certificates.ks in the /opt/vmware directory 
  • The alias is http 
  • Validity of 2 years 
  • password is passwd 

Step 2 : Command to create certificate for consoleproxy : 

./keytool -keystore /opt/vmware/certificates.ks -alias consoleproxy -storepass passwd -keypass passwd -storetype JCEKS -genkeypair -keyalg RSA -keysize 2048 -validity 730 -dname "CN=vcd91-con.vCloud.local, OU=GSS, O=VMware, L=Bengaluru, S=Karnataka, C=IN" -ext "san=dns:vcd91-con.vCenter.local,dns:vcd91-con,ip:"

  • Since the certifiates.ks already exists, it just imports the certificate but this time for consoleproxy. As you can see that the alias parameter has consoleproxy as the input 
  • the SAN field and dname would be the console IP & fqdn information 

Step 3 (Optional) : To check the certificates in the newly created keystore : 

After the above commands, you can use the below command to check whats loaded into the keystore.

./keytool --storetype JCEKS --storepass passwd --keystore /opt/vmware/certificates.ks --list

Step 4 : Configure the cell to use the new certificates in the keystore : 
./cell-management-tool certificates -j -p -k /opt/vmware/certificates.ks -w passwd

-j :   Replace the keystore file named certificates used by the http endpoint.
-p :   Replace the keystore file named proxycertificates used by the console proxy endpoint.
-k :   Full pathname to a JCEKS keystore containing the signed certificates. Deprecated -sshort form                replaced by -k.
-w :  Password for the JCEKS keystore referenced by the --keystore option. Replaces deprecated -                  kspassword and --keystorepwd options.

Reference article :

The certificate will look like this 

Hope this helps :) 


Popular posts from this blog

vCloud director 9.7 appliance deployment step by step guide

How to Install and Uninstall Guest agent for vRA Windows machines

VM console fails to connect - vCloud director 9.7