Create self-signed certificates and replace the vCloud Director certificates with them
vCloud Director looks for two certificates in the configured keystore: one under the alias http (the HTTP endpoint that serves the UI and API) and one under the alias consoleproxy (the console proxy endpoint).
The keytool commands below create a JCEKS keystore and generate a self-signed key pair in it for each alias; the keystore name and password, the validity, the organisation details (dname) and the SAN entries are all given on the command line.
Step 0 : cd /opt/vmware/vcloud-director/jre/bin
Step 1 : Command to create certificate for http :
./keytool -keystore /opt/vmware/certificates.ks -alias http -storepass passwd -keypass passwd -storetype JCEKS -genkeypair -keyalg RSA -keysize 2048 -validity 730 -dname "CN=vcd91.vCloud.local, OU=GSS, O=VMware, L=Bengaluru, S=Karnataka, C=IN" -ext "san=dns:vcd91.vCenter.local,dns:vcd91,ip:10.109.28.100"
- The command creates the keystore certificates.ks in /opt/vmware (keytool creates the file if it does not exist yet)
- The alias is http
- Validity is 730 days (2 years)
- Both the keystore password (-storepass) and the key password (-keypass) are passwd. Keep the two identical: cell-management-tool takes a single keystore password (-w) and has no way to supply a different key password. If you leave out -storepass and -keypass, keytool prompts for them instead of leaving the password in your shell history
- The SAN must contain the FQDN (and the IP address, if anyone connects by IP) that users and API clients actually use to reach the cell; modern browsers validate the SAN and ignore the CN. Note that the command above uses vCloud.local in the CN but vCenter.local in the SAN; use the one correct domain in both places
Step 2 : Command to create certificate for consoleproxy :
./keytool -keystore /opt/vmware/certificates.ks -alias consoleproxy -storepass passwd -keypass passwd -storetype JCEKS -genkeypair -keyalg RSA -keysize 2048 -validity 730 -dname "CN=vcd91-con.vCloud.local, OU=GSS, O=VMware, L=Bengaluru, S=Karnataka, C=IN" -ext "san=dns:vcd91-con.vCenter.local,dns:vcd91-con,ip:10.109.28.101"
- Because certificates.ks already exists, keytool does not create a new keystore but adds a second key pair to it, this time under the alias consoleproxy, as the -alias parameter shows
- The dname and SAN carry the console proxy's own FQDN and IP address, which are different from the HTTP endpoint's (the same CN/SAN domain remark as above applies here)
Step 3 (Optional) : Check the certificates in the newly created keystore :
After the above commands, the following lists what is loaded into the keystore; add -v to also see the owner, validity and SAN of each entry, which is the quickest way to catch a wrong host name before the keystore goes live.
./keytool -list -storetype JCEKS -storepass passwd -keystore /opt/vmware/certificates.ks
Step 4 : Configure the cell to use the new certificates in the keystore, then restart the vmware-vcd service so that both endpoints pick up the new keystore :
./cell-management-tool certificates -j -p -k /opt/vmware/certificates.ks -w passwd
-j : Replace the keystore used by the http endpoint.
-p : Replace the keystore used by the console proxy endpoint.
-k : Full pathname to a JCEKS keystore containing the signed certificates. Deprecated short form replaced by .
-w : Password for the JCEKS keystore referenced by the option. Replaces deprecated and options.
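Steps 1 to 3 as one script, added here as an example; it is not code from the original article or from VMware. It assumes the cell's JRE path, keystore path and password used above, uses the domain vCloud.local (the article's CN value) for both CN and SAN, and adds a check, run over the text that keytool -list -v prints, that each alias exists as a key pair whose SAN carries the expected FQDN. The sample listing inside the script is constructed, not captured from a cell.

```shell
#!/bin/sh
# Added example, not code from the original article or from VMware: generate the
# two self-signed key pairs for a vCloud Director cell in one JCEKS keystore, then
# verify the keystore contents before handing it to cell-management-tool.
# Paths, password and host names default to the article's values; the domain
# vCloud.local is assumed for both CN and SAN. Override through the environment.

KEYTOOL="${KEYTOOL:-/opt/vmware/vcloud-director/jre/bin/keytool}"
KS="${KS:-/opt/vmware/certificates.ks}"
# storepass and keypass are kept identical: cell-management-tool takes one password (-w).
PASS="${PASS:-passwd}"

# gen_keypair ALIAS FQDN IP
# One self-signed RSA-2048 key pair, valid 730 days, whose SAN carries the same
# FQDN as the CN plus the short host name and the IP address.
gen_keypair() {
    alias_="$1"; fqdn="$2"; ip="$3"
    short="${fqdn%%.*}"
    "$KEYTOOL" -genkeypair -keystore "$KS" -storetype JCEKS \
        -storepass "$PASS" -keypass "$PASS" -alias "$alias_" \
        -keyalg RSA -keysize 2048 -validity 730 \
        -dname "CN=$fqdn, OU=GSS, O=VMware, L=Bengaluru, S=Karnataka, C=IN" \
        -ext "san=dns:$fqdn,dns:$short,ip:$ip"
}

# check_alias LISTING ALIAS FQDN
# Parses the text of `keytool -list -v` and succeeds only if ALIAS exists, is a
# PrivateKeyEntry (a key pair, not a trusted certificate) and its
# SubjectAlternativeName contains DNSName FQDN. Clients match the SAN, not the
# CN, so this is the field worth checking before the keystore goes live.
check_alias() {
    printf '%s\n' "$1" | awk -v want="$2" -v fqdn="$3" '
        /^Alias name: /  { cur = substr($0, 13); found[cur] = 1 }
        /^Entry type: /  { etype[cur] = substr($0, 13) }
        /^ *DNSName: /   { if ($2 == fqdn) san[cur] = 1 }
        END {
            if (!(want in found)) { print "missing alias " want; exit 1 }
            if (etype[want] != "PrivateKeyEntry") { print want ": not a PrivateKeyEntry"; exit 1 }
            if (!(want in san)) { print want ": SAN lacks DNSName " fqdn; exit 1 }
            print want ": OK"
        }'
}

# Constructed, abridged sample of what `keytool -list -v` prints for the two
# entries (not captured from a real cell), used when keytool is not available.
SAMPLE_LISTING='Keystore type: JCEKS
Keystore provider: SunJCE

Your keystore contains 2 entries

Alias name: http
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=vcd91.vCloud.local, OU=GSS, O=VMware, L=Bengaluru, ST=Karnataka, C=IN
Issuer: CN=vcd91.vCloud.local, OU=GSS, O=VMware, L=Bengaluru, ST=Karnataka, C=IN
#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: vcd91.vCloud.local
  DNSName: vcd91
  IPAddress: 10.109.28.100
]

Alias name: consoleproxy
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=vcd91-con.vCloud.local, OU=GSS, O=VMware, L=Bengaluru, ST=Karnataka, C=IN
#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: vcd91-con.vCloud.local
  DNSName: vcd91-con
  IPAddress: 10.109.28.101
]'

# On a cell (keytool present) build the keystore and list it for real;
# elsewhere exercise the check against the constructed sample.
if [ -x "$KEYTOOL" ]; then
    gen_keypair http         vcd91.vCloud.local     10.109.28.100 || exit 1
    gen_keypair consoleproxy vcd91-con.vCloud.local 10.109.28.101 || exit 1
    listing=$("$KEYTOOL" -list -v -keystore "$KS" -storetype JCEKS -storepass "$PASS")
else
    listing="$SAMPLE_LISTING"
fi
check_alias "$listing" http         vcd91.vCloud.local
check_alias "$listing" consoleproxy vcd91-con.vCloud.local
```

On a cell, run it with the JRE keytool path shown in Step 0 (or set KEYTOOL); it creates the keystore and checks the real listing. Anywhere else it only runs the check against the constructed listing. Once it prints http: OK and consoleproxy: OK, hand the keystore to cell-management-tool as in Step 4; a "SAN lacks DNSName" result means a client connecting to that FQDN would get a certificate name mismatch.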
Hope this helps :)