Create self-signed certificates and replace the vCloud Director certificates with them
vCloud Director looks for two certificates within the configured keystore: one for the http endpoint and one for the consoleproxy endpoint.
The keytool commands below create a keystore holding a certificate for the specified alias, keystore type, keystore name, keystore password, validity, Org information and SAN field details.
Keytool location
/opt/vmware/vcloud-director/jre/bin
Step 0 : cd /opt/vmware/vcloud-director/jre/bin
Step 1 : Command to create certificate for http :
./keytool -keystore /opt/vmware/certificates.ks -alias http -storepass passwd -keypass passwd -storetype JCEKS -genkeypair -keyalg RSA -keysize 2048 -validity 730 -dname "CN=vcd91.vCloud.local, OU=GSS, O=VMware, L=Bengaluru, S=Karnataka, C=IN" -ext "san=dns:vcd91.vCenter.local,dns:vcd91,ip:10.109.28.100"
- The command creates the keystore named certificates.ks (type JCEKS) in the /opt/vmware directory
- The alias is http
- Validity is 2 years (730 days)
- The keystore and key password is passwd
Step 2 : Command to create certificate for consoleproxy :
./keytool -keystore /opt/vmware/certificates.ks -alias consoleproxy -storepass passwd -keypass passwd -storetype JCEKS -genkeypair -keyalg RSA -keysize 2048 -validity 730 -dname "CN=vcd91-con.vCloud.local, OU=GSS, O=VMware, L=Bengaluru, S=Karnataka, C=IN" -ext "san=dns:vcd91-con.vCenter.local,dns:vcd91-con,ip:10.109.28.101"
- Since certificates.ks already exists, this command adds a second key pair to the same keystore, this time under the alias consoleproxy. Note that the -alias parameter now has consoleproxy as its input.
- The SAN field and dname hold the console proxy IP and FQDN information; clients validate the host name against the SAN, so it must list the exact FQDN and IP they use to reach the console proxy.
Step 3 (Optional) : To check the certificates in the newly created keystore :
After the above commands, you can use the command below to check what is loaded into the keystore.
./keytool -list -storetype JCEKS -storepass passwd -keystore /opt/vmware/certificates.ks
Step 4 : Configure the cell to use the new certificates in the keystore :
./cell-management-tool certificates -j -p -k /opt/vmware/certificates.ks -w passwd
Here:
-j : Replace the keystore file named certificates used by the http endpoint.
-p : Replace the keystore file named proxycertificates used by the console proxy endpoint.
-k : Full pathname to a JCEKS keystore containing the signed certificates. The deprecated short form -s is replaced by -k.
-w : Password for the JCEKS keystore referenced by the --keystore option. Replaces the deprecated -kspassword and --keystorepwd options.
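Before handing the keystore to cell-management-tool in Step 4, it is worth checking that both aliases hold a private key, that the SAN covers the name clients actually connect with (TLS clients match the SAN, not the CN), and that the certificate is not about to expire. The script below is an added example, not from the original post or from VMware: it parses saved `keytool -list -v` output, here a constructed, abbreviated sample using the alias names, host names and IPs from the commands above.

```python
import re
from datetime import date, datetime

# Constructed, abbreviated `keytool -list -v` output (not captured from a real cell).
SAMPLE_LISTING = """\
Alias name: http
Entry type: PrivateKeyEntry
Valid from: Thu Jan 10 10:00:00 IST 2019 until: Sat Jan 09 10:00:00 IST 2021
SubjectAlternativeName [
  DNSName: vcd91.vCenter.local
  DNSName: vcd91
  IPAddress: 10.109.28.100
]
Alias name: consoleproxy
Entry type: PrivateKeyEntry
Valid from: Thu Jan 10 10:00:00 IST 2019 until: Sat Jan 09 10:00:00 IST 2021
SubjectAlternativeName [
  DNSName: vcd91-con.vCenter.local
  DNSName: vcd91-con
  IPAddress: 10.109.28.101
]
"""

def parse_listing(text):
    """Map each alias to its entry type, expiry date (Java Date format) and SAN values."""
    entries = {}
    for block in re.split(r"(?m)^Alias name: ", text)[1:]:
        until = re.search(r"until: \w{3} (\w{3} \d{2}) \S+ \S+ (\d{4})", block)
        entries[block.split("\n", 1)[0].strip()] = {
            "type": re.search(r"Entry type: (\S+)", block).group(1),
            "not_after": datetime.strptime(" ".join(until.groups()), "%b %d %Y").date(),
            "sans": re.findall(r"(?:DNSName|IPAddress): (\S+)", block),
        }
    return entries

def check_keystore(text, expected, today_iso):
    """Return problems found; expected = {alias: name clients connect with}."""
    entries, problems, today = parse_listing(text), [], date.fromisoformat(today_iso)
    for alias, name in expected.items():
        e = entries.get(alias)
        if e is None:
            problems.append(f"{alias}: missing from keystore")
            continue
        if e["type"] != "PrivateKeyEntry":
            problems.append(f"{alias}: no private key behind this alias ({e['type']})")
        if name not in e["sans"]:  # TLS clients match the SAN, not the CN
            problems.append(f"{alias}: SAN {e['sans']} lacks {name}")
        if (e["not_after"] - today).days < 30:
            problems.append(f"{alias}: expires {e['not_after']}")
    return problems
```

Run `./keytool -list -v -storetype JCEKS -storepass passwd -keystore /opt/vmware/certificates.ks > listing.txt` on the cell and feed the file to check_keystore with the FQDNs your users type; an empty result means the keystore is ready for Step 4.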
Reference article :
https://docs.vmware.com/en/vCloud-Director/9.5/com.vmware.vcloud.admin.doc/GUID-349882AE-1864-4BCE-BECA-F9EAF785AA06.html
The certificate will look like this
Hope this helps :)