Table of Contents
Official VMware documentation
VMware has an official process for creating and importing SSL certificates within vCloud Director 9.0. That information is located at the link below, this documentation holds true for 9.0/9.5 and should still be relevant for 9.7. https://docs.vmware.com/en/vCloud-Director/9.0/com.vmware.vcloud.install.doc/GUID-89437328-EE0A-40D3-A939-EB8DD70DC1E3.html
My procedure.
My procedure follows very similar to the information shown above but has a few changes. For example, in my company I’m not able to generate and submit my CSR and instead I am simply provided with a key and certificate file. I have to take these two files, also locate and download the certificate authority (CA) bundle, and then convert it to a PFX file to import into vCloud Director.
- Create a snapshot of the vCloud Director VM before proceeding, you can also create a clone of the VM for a completely backup if you have the space.
NOTE This portion of this work is non-disruptive if followed precisely.
- If you were provided a PFX file with full CA bundle then you can skip this step. However, if you were provided only the key and certificate then you will need to create a pfx file. PFX file contains the certificate key (cert.key) the certificate itself (cert.crt) and the root ca bundle (cabundle.ca). You will be asked to provide a passphrase, this information should be noted and saved within a password vault for future use.
- Log into the vCloud Director VM as root.
- Using your favorite text editor create a new file for the key, certificate and CA bundle.
vi /home/cert.key
Paste in the key that was generated.
vi /home/cert.kart
Paste in the certificate that was generated.
vi /home/cabundle.ca
Paste in the CA bundle that you were provided or downloaded from your certificate authority.
- Now we need to assemble a pfx file from these three files we just created. NOTE: This assumes openssl tool is already installed, if it is not then run either yum install openssl or apt-get install openssl so similar depending on your OS and dependencies.
openssl pkcs12 -export -out /home/cert-new.pfx -inkey /home/cert.key -in /home/cert.crt -certfile /home/cabundle.ca
- We want to create a temporary working file for the certificates, this will allow for vCloud services to remain online for as long as possible.
cp /opt/vmware/vcloud-director/certificates.ks /opt/vmware/vcloud-director/certificates-new.ks
- Now we want to use the keytool to import the pfx file into the certificates store. You will want to change “PASSWORD” for the appropriate password of your keystore.
keytool -trustcacerts -storetype JCEKS -storepass PASSWORD -importkeystore -srckeystore /home/cert-new.pfx -destkeystore /opt/vmware/vcloud-director/certificates-new.ks -srcstoretype pkcs12
- Now we want to list out to ensure this new object is listed. We are specifically looking for the line showing http, typically it be shown as “1” in the list.
keytool -storetype JCEKS -storepass PASSWORD -keystore /opt/vmware/vcloud-director/certificates-new.ks -list
- The actual alias of the service for the URL is http, so first we need to remove the old http alias.
keytool -delete -alias http -keystore /opt/vmware/vcloud-director/certificates-new.ks -storetype JCEKS -storepass PASSWORD
- Now we want to rename alias 1 to http.
keytool -storetype JCEKS -storepass PASSWORD -changealias -alias 1 -destalias http -keystore /opt/vmware/vcloud-director/certificates-new.ks
- Once again list out all alias to ensure our new one replaced the old http. Compare the dates with the previous output to confirm it was indeed updated.
keytool -storetype JCEKS -storepass PASSWORD -keystore /opt/vmware/vcloud-director/certificates-new.ks -list
- In case there is a failure, lets create a backup of the original certificates.ks
cp /opt/vmware/vcloud-director/certificates.ks /opt/vmware/vcloud-director/certificates.bak
- Now quiesce the vCloud Director Cell.
NOTE: From this point forward this work is disruptive.
/opt/vmware/vcloud-director/bin/cell-management-tool -u administrator -p PASSWORD cell -q true
- Check the status of the vCloud Director Cell. Job count show read 0 and both services should be ‘false’.
/opt/vmware/vcloud-director/bin/cell-management-tool -u administrator -p PASSWORD cell -status
- Now shutdown the vCloud Director Cell.
/opt/vmware/vcloud-director/bin/cell-management-tool -u administrator -p PASSWORD cell -shutdown
- Move the newly created certificate store into place.
mv /opt/vmware/vcloud-director/certificates-new.ks /opt/vmware/vcloud-director/certificates.ks
- Reconifgure vCloud Director to use the new certificate store. Answer “Y” when asked if you want to start services.
/opt/vmware/vcloud-director/bin/configure
- Wait a few minutes for all services to start, probably 2-5 minutes. You can verify they have fully started by running the following.
/opt/vmware/vcloud-director/bin/cell-management-tool -u administrator -p PASSWORD cell -status
- Browse to the standard URL for vCloud Director and confirm the new certificate is working. If the process failed please look at the Rollback Process below.
- Delete the snapshot on the VM.
- Allow the clone to exist for a week, if all is working well then delete the clone.
Rollback Options
Due to the way we worked our process we actually have mutliple rollback options, Rollback option 1 is no more disruptive than what you have already done and as we get further down the list it gets more disruptive in nature. Fortunately if the process is followed correctly then one of these options should be completed successfully.
Rollback option 1
- Check the current status of VCD services on your machine:
/opt/vmware/vcloud-director/bin/cell-management-tool -u administrator -p PASSWORD cell -status
- Hault VCD from executing futher commands and complete any current changes in its queue: NOTE: This might take a while to complete.
/opt/vmware/vcloud-director/bin/cell-management-tool -u administrator -p PASSWORD cell -quiesce true
- Check the status of VCD “Is Active” status, after the -quiesce command runs it should be ‘false’
/opt/vmware/vcloud-director/bin/cell-management-tool -u administrator -p PASSWORD cell -status
- Shutdown the VCD services:
/opt/vmware/vcloud-director/bin/cell-management-tool -u administrator -p PASSWORD cell -shutdown
- Move the modified keystore back to ‘new’ file.
mv /opt/vmware/vcloud-director/certificates.ks /opt/vmware/vcloud-director/certificates-new.ks
- Restore the original keystore
cp /opt/vmware/vcloud-director/certificates.bak /opt/vmware/vcloud-director/certificates.ks
- Running the configure command to configure the new certificate.
/opt/vmware/vcloud-director/bin/configure
- If the vCD serices do not start, start them now
service vmware-vcd start
- Allow the services to fully come online and then browse to your vCloud Director GUI and confirm the https certificate is the new one.
Rollback option 2
- Assuming option 1 did not work then restore the snapshot created at the beginning of this exercise.
Rollback option 3
- Assuming option 2 did not work then restore the clone that was created at the beginning of this exercise.