VCD Cell SSL Certificates
The communication between the end-user and vCloud Director cell (either GUI or API) is encrypted and by default self-signed certificates are used. The certificate replacement procedure is explained in the documentation in a few simple steps. The problem I have encountered during big vCloud deployments is that enterprise security teams have specific procedures how to create and distribute certificates which is different from those described in the documentation.
The default procedure is following:
- create untrusted certificates (private and public key) with JAVA keytool command (this must be done for vCloud Director GUI and console proxy)
- create certificate signing requests
- send the certificate signing requests to your Certification Authority
- import the Certificate Authority root certificate
- import signed certificates
In my case the certificates were created for me by the security team and I have received the private key in a .key file. On top of that the Certification Authority which signed the certificates was intermediate and was signed by two others. The chain was following: public Root CA -> intermediate CA1 -> intermediate CA2 -> VCD certificate.
vCloud Director JAVA keytool command does not allow private key import. Also the whole trusted chain for the certificate must be built so all the intermediate certificates are presented to the client browsers and the vCloud Director certificate can be validated. This has been achieved with the following procedure:
- Concatenate all CA certificates to create the whole chain:
cat CA2.cer CA1.cer RootCA.cer > chain.crt - With openssl create PKCS12 keystore with the private key, certificate chain and proper alias (first for the GUI):
openssl.exe pkcs12 -export -in http.crt -inkey http.key -CAfile chain.crt -name http -passout pass:<password> -out http.pfx -chain - Repeat for the console proxy:
openssl.exe pkcs12 -export -in consoleproxy.crt -inkey consoleproxy.key -CAfile chain.crt -name consoleproxy -passout pass:<password> -out consoleproxy.pfx –chain - Now we can import the two PKCS12 keystores into JAVA JCKS keystore with keytool:
/opt/vmware/vcloud-director/jre/bin/keytool -importkeystore -deststorepass <password> -destkeystore certificates.ks -deststoretype JCEKS -srckeystore http.pfx -srcstoretype PKCS12 -srcstorepass <password>
/opt/vmware/vcloud-director/jre/bin/keytool -importkeystore -deststorepass <password> -destkeystore certificates.ks -deststoretype JCEKS -srckeystore consoleproxy.pfx -srcstoretype PKCS12 -srcstorepass <password>
- We can check if the import was successful:
/opt/vmware/vcloud-director/jre/bin/keytool -storetype JCEKS -storepass <password> -keystore certificates.ks –list - Now we can import the new certificates to the vCloud Director cell. To do that we need first to stop it:
service vmware-vcd stop
Note this will interrupt all running VCD jobs. In order to do graceful shutdown followhttp://kb.vmware.com/kb/1033575
- Rerun configuration tool and point to the certificates.ks keystore created in steps 2 and 3. This will import the certificates.
/opt/vmware/vcloud-director/bin/configure
- Repeat for the other VCD cells
Special Thanks to Tom Fojta for this blog post.