Create and install self-signed certificates for vCloud Director

vCloud Director looks for two certificates in the configured keystore: one stored under the alias http (used by the HTTPS endpoint) and one under the alias consoleproxy (used by the console proxy endpoint).

The keytool commands below create a keystore holding a self-signed certificate for the given alias, with the keystore type, keystore file name, keystore password, validity period, organisation (dname) fields and SAN entries all specified on the command line.

Keytool location

Step 0 : cd /opt/vmware/vcloud-director/jre/bin

Step 1 : Command to create certificate for http : 

./keytool -keystore /opt/vmware/certificates.ks -alias http -storepass passwd -keypass passwd -storetype JCEKS -genkeypair -keyalg RSA -keysize 2048 -validity 730 -dname "CN=vcd91.vCloud.local, OU=GSS, O=VMware, L=Bengaluru, S=Karnataka, C=IN" -ext "san=dns:vcd91.vCenter.local,dns:vcd91,ip:"

  • The command creates the keystore certificates.ks in the /opt/vmware directory and generates a new RSA key pair plus self-signed certificate inside it 
  • The alias is http 
  • Validity is 730 days (2 years) 
  • The keystore and key password is passwd; replace it with your own. Passwords given with -storepass/-keypass end up in the shell history, so you can omit those options and let keytool prompt for them instead 
  • The trailing ip: in the SAN is a placeholder: put the cell's IP address after it or remove the entry entirely, because keytool rejects an empty ip value. The DNS names in the SAN must match the FQDN clients use to reach the cell, otherwise browsers and API clients will reject the certificate 

Step 2 : Command to create certificate for consoleproxy : 

./keytool -keystore /opt/vmware/certificates.ks -alias consoleproxy -storepass passwd -keypass passwd -storetype JCEKS -genkeypair -keyalg RSA -keysize 2048 -validity 730 -dname "CN=vcd91-con.vCloud.local, OU=GSS, O=VMware, L=Bengaluru, S=Karnataka, C=IN" -ext "san=dns:vcd91-con.vCenter.local,dns:vcd91-con,ip:"

  • Because certificates.ks already exists, keytool does not create a new keystore; it adds a second key pair and certificate to the existing one. As you can see, the alias parameter is now consoleproxy 
  • The dname and SAN fields carry the console proxy's FQDN and IP address. As in Step 1, replace the empty ip: with the console proxy address or drop the entry 

Step 3 (Optional) : To check the certificates in the newly created keystore : 

After the above commands, you can use the command below to check what is loaded into the keystore. Add -v to the command to also print the SAN, key size and validity period of each entry.

./keytool -storetype JCEKS -storepass passwd -keystore /opt/vmware/certificates.ks -list

Step 4 : Configure the cell to use the new certificates in the keystore : 

cell-management-tool lives in /opt/vmware/vcloud-director/bin (not in the jre/bin directory from Step 0), so run it with its full path:

/opt/vmware/vcloud-director/bin/cell-management-tool certificates -j -p -k /opt/vmware/certificates.ks -w passwd

-j : Replace the keystore file named certificates used by the http endpoint.
-p : Replace the keystore file named proxycertificates used by the console proxy endpoint.
-k : Full pathname to a JCEKS keystore containing the signed certificates. Replaces the deprecated -s short form.
-w : Password for the JCEKS keystore referenced by the --keystore (-k) option. Replaces the deprecated --kspassword and --keystorepwd options.

The new certificates are only served after the cell is restarted (restart the vmware-vcd service).
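As an added check on the listing from Step 3 (this script is not part of the original post or of vCloud Director), the following parses `keytool -list -v` output and reports aliases that are missing, entries that carry no private key, keys weaker than 2048-bit RSA, certificates whose SAN does not cover the FQDN clients will use, and expired certificates. The keytool output embedded below is constructed and abbreviated; the hostnames and the alias-to-FQDN mapping are assumptions taken from the commands above.

```python
import re
from datetime import date, datetime
# Constructed, abbreviated `keytool -list -v` output for a keystore built as in Step 1 only.
SAMPLE = """\
Alias name: http
Entry type: PrivateKeyEntry
Valid from: Fri Jan 10 10:00:00 IST 2020 until: Sun Jan 09 10:00:00 IST 2022
Subject Public Key Algorithm: 2048-bit RSA key
SubjectAlternativeName [
  DNSName: vcd91.vCenter.local
]
"""

def parse_keytool_list(text):
    """Map each alias in `keytool -list -v` output to entry type, key size, expiry and SAN DNS names."""
    entries = {}
    for block in re.split(r"\n(?=Alias name: )", text):
        alias = re.match(r"Alias name: (\S+)", block)
        if not alias:
            continue  # header lines before the first alias
        etype = re.search(r"Entry type: (\S+)", block)
        key = re.search(r"Subject Public Key Algorithm: (\d+)-bit (\w+)", block)
        until = re.search(r"until: \w{3} (\w{3} \d{1,2}) \S+ \S+ (\d{4})", block)
        entries[alias.group(1)] = {
            "type": etype.group(1) if etype else "?",
            "bits": int(key.group(1)) if key else 0,
            "keyalg": key.group(2) if key else "?",
            "not_after": datetime.strptime(" ".join(until.groups()), "%b %d %Y").date() if until else None,
            "dns": [d.lower() for d in re.findall(r"DNSName: (\S+)", block)],
        }
    return entries

def audit(text, expected, today=None):
    """Check each alias in `expected` ({alias: fqdn}); returns findings, [] when everything passes."""
    today = date.fromisoformat(today) if today else date.today()  # ISO string, e.g. "2021-06-01"
    entries, findings = parse_keytool_list(text), []
    for alias, fqdn in expected.items():
        e = entries.get(alias)
        if e is None:
            findings.append(f"{alias}: alias not present in keystore")
            continue
        checks = [
            (e["type"] != "PrivateKeyEntry", f"entry type {e['type']} carries no private key"),
            (e["keyalg"] != "RSA" or e["bits"] < 2048, f"{e['bits']}-bit {e['keyalg']} key, want 2048-bit RSA or better"),
            (fqdn.lower() not in e["dns"], f"SAN {e['dns']} lacks {fqdn}, so clients will reject the certificate for that name"),
            (e["not_after"] is None or e["not_after"] < today, "certificate expired or validity not parsed"),
        ]
        findings += [f"{alias}: {msg}" for bad, msg in checks if bad]
    return findings
```

Run `audit(output, {"http": "<http fqdn>", "consoleproxy": "<console fqdn>"})` on the real listing from each cell; with the sample above it reports that the http SAN does not cover vcd91.vCloud.local and that the consoleproxy alias is missing.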

Reference article :

The certificate will look like this 

Hope this helps :) 

