vCloud Director uses a java keystore to read its SSL certificates from. This makes it a bit more complicated to use an existing certificate and private key set. Took me a while to figure out, so I’m sharing.

In this example I created /opt/vmware/keystore for the certificate files. The ssl-key.pem and ssl-cert.pem are the existing certificate files. Furthermore, I used ‘passed’ as the keystore and alias password. (needed for the vCD configuration)

Firstly, we need to convert the key and certificate to a DER format:

[[email protected] keystore]# export PATH=$PATH:/opt/vmware/vcloud-director/jre/bin
[[email protected] keystore]# openssl pkcs8 -topk8 -nocrypt -in ssl-key.pem -inform PEM -out ssl-key.der -outform DER
[[email protected] keystore]# openssl x509 -in ssl-cert.pem -inform PEM -out ssl-cert.der -outform DER

Credits go out to http://www.agentbob.info/agentbob/79-AB.html for the next part, the following combines the key and certificate into a new keystore:

[[email protected] keystore]# wget http://lostdomain.org/etc/ImportKey.class
[[email protected] keystore]# java ImportKey ssl-key.der ssl-cert.der
Using keystore-file : /root/keystore.ImportKey
One certificate, no chain.
Key and certificate stored.
Alias:importkey  Password:importkey

We’ve now created a new keystore with an existing private key and certificate. Check to verify!

[[email protected] ~]# keytool -storetype JCEKS -storepass importkey -keystore keystore.ImportKey -list

Keystore type: JCEKS
Keystore provider: SunJCE

Your keystore contains 1 entry

importkey, Aug 24, 2011, PrivateKeyEntry,
Certificate fingerprint (MD5): C0:5E:7B:B8:AB:30:89:5B:4A:7D:5F:2F:F4:00:CD:F4

Ok, now we copy the importkey alias to the required aliases for vCD:

[[email protected] ~]# keytool -keyclone -storetype JCEKS -storepass importkey -alias importkey -dest consoleproxy -keystore keystore.ImportKey
Enter key password for
(RETURN if same as for )
Re-enter new password:
[[email protected] ~]# keytool -keyclone -storetype JCEKS -storepass importkey -alias importkey -dest http -keystore keystore.ImportKey
Enter key password for
(RETURN if same as for )
Re-enter new password:

Get rid of the ‘importkey’ alias and change the keystore password:

[[email protected] ~]# keytool -delete -storetype JCEKS -storepass importkey -alias importkey -keystore keystore.ImportKey
[[email protected] ~]# keytool -storepasswd -new passwd -keystore keystore.ImportKey

Now check to verify the aliases inside the keystore:

[[email protected] ~]# keytool -storetype JCEKS -storepass importkey -keystore keystore.ImportKey -list   

Keystore type: JCEKS
Keystore provider: SunJCE

Your keystore contains 2 entries

consoleproxy, Aug 24, 2011, PrivateKeyEntry,
Certificate fingerprint (MD5): C0:5E:7B:B8:AB:30:89:5B:4A:7D:5F:2F:F4:00:CD:F4
http, Aug 24, 2011, PrivateKeyEntry,
Certificate fingerprint (MD5): C0:5E:7B:B8:AB:30:89:5B:4A:7D:5F:2F:F4:00:CD:F4

Ok, so now we have a keystore file with our key and certificate in it. Now to update vCD:

[[email protected] ~]# /etc/init.d/vmware-vcd stop
Stopping vmware-vcd-watchdog:                              [  OK  ]
Stopping vmware-vcd-cell:                             [  OK  ]
[[email protected] ~]# mv keystore.ImportKey certificates.ks
[[email protected] ~]# /opt/vmware/vcloud-director/bin/configure
Welcome to the vCloud Director configuration utility.

..snip..

Please enter the path to the Java keystore containing your SSL certificates and
private keys: /opt/vmware/keystore/certificates.ks
Please enter the password for the keystore:

..snap..

Would you like to start the vCloud Director service now? If you choose not
to start it now, you can manually start it at any time using this command:
service vmware-vcd start

Start it now? [y/n] y

Starting vmware-vcd-watchdog:                              [  OK  ]
Starting vmware-vcd-cell                                   [  OK  ]

The vCD service will be started automatically on boot.  To disable this,
use the following command: chkconfig --del vmware-vcd

[[email protected] ~]#

And peaches.



Share the wealth!