MONDAY, FEBRUARY 06, 2012
vCloud Director reads its SSL certificates from a Java keystore. This makes it a bit more complicated to use an existing certificate and private key set. Took me a while to figure out, so I’m sharing.
In this example I created /opt/vmware/keystore for the certificate files. The ssl-key.pem and ssl-cert.pem are the existing certificate files. Furthermore, I used ‘passwd’ as the keystore and alias password (needed for the vCD configuration).
Firstly, we need to convert the key and certificate to DER format:
[root@vcd.lostdomain.org keystore]# export PATH=$PATH:/opt/vmware/vcloud-director/jre/bin
[root@vcd.lostdomain.org keystore]# openssl pkcs8 -topk8 -nocrypt -in ssl-key.pem -inform PEM -out ssl-key.der -outform DER
[root@vcd.lostdomain.org keystore]# openssl x509 -in ssl-cert.pem -inform PEM -out ssl-cert.der -outform DER
Credits go out to http://www.agentbob.info/agentbob/79-AB.html for the next part. The following combines the key and certificate into a new keystore:
[root@vcd.lostdomain.org keystore]# wget http://lostdomain.org/etc/ImportKey.class
[root@vcd.lostdomain.org keystore]# java ImportKey ssl-key.der ssl-cert.der
Using keystore-file : /root/keystore.ImportKey
One certificate, no chain.
Key and certificate stored.
Alias:importkey  Password:importkey
We’ve now created a new keystore with an existing private key and certificate. Check to verify!
[root@vcd.lostdomain.org ~]# keytool -storetype JCEKS -storepass importkey -keystore keystore.ImportKey -list

Keystore type: JCEKS
Keystore provider: SunJCE

Your keystore contains 1 entry

importkey, Aug 24, 2011, PrivateKeyEntry,
Certificate fingerprint (MD5): C0:5E:7B:B8:AB:30:89:5B:4A:7D:5F:2F:F4:00:CD:F4
Ok, now we copy the importkey alias to the required aliases for vCD:
[root@vcd.lostdomain.org ~]# keytool -keyclone -storetype JCEKS -storepass importkey -alias importkey -dest consoleproxy -keystore keystore.ImportKey
Enter key password for <consoleproxy>
(RETURN if same as for <importkey>)
Re-enter new password:
[root@vcd.lostdomain.org ~]# keytool -keyclone -storetype JCEKS -storepass importkey -alias importkey -dest http -keystore keystore.ImportKey
Enter key password for <http>
(RETURN if same as for <importkey>)
Re-enter new password:
Get rid of the ‘importkey’ alias and change the keystore password:
[root@vcd.lostdomain.org ~]# keytool -delete -storetype JCEKS -storepass importkey -alias importkey -keystore keystore.ImportKey
[root@vcd.lostdomain.org ~]# keytool -storepasswd -storetype JCEKS -new passwd -keystore keystore.ImportKey
Now check to verify the aliases inside the keystore:
[root@vcd.lostdomain.org ~]# keytool -storetype JCEKS -storepass passwd -keystore keystore.ImportKey -list

Keystore type: JCEKS
Keystore provider: SunJCE

Your keystore contains 2 entries

consoleproxy, Aug 24, 2011, PrivateKeyEntry,
Certificate fingerprint (MD5): C0:5E:7B:B8:AB:30:89:5B:4A:7D:5F:2F:F4:00:CD:F4
http, Aug 24, 2011, PrivateKeyEntry,
Certificate fingerprint (MD5): C0:5E:7B:B8:AB:30:89:5B:4A:7D:5F:2F:F4:00:CD:F4
Ok, so now we have a keystore file with our key and certificate in it. Now to update vCD:
[root@vcd.lostdomain.org ~]# /etc/init.d/vmware-vcd stop
Stopping vmware-vcd-watchdog:                              [  OK  ]
Stopping vmware-vcd-cell:                             [  OK  ]
[root@vcd.lostdomain.org ~]# mv keystore.ImportKey /opt/vmware/keystore/certificates.ks
[root@vcd.lostdomain.org ~]# /opt/vmware/vcloud-director/bin/configure
Welcome to the vCloud Director configuration utility.

..snip..

Please enter the path to the Java keystore containing your SSL certificates and
private keys: /opt/vmware/keystore/certificates.ks
Please enter the password for the keystore:

..snap..

Would you like to start the vCloud Director service now? If you choose not
to start it now, you can manually start it at any time using this command:
service vmware-vcd start

Start it now? [y/n] y

Starting vmware-vcd-watchdog:                              [  OK  ]
Starting vmware-vcd-cell                                   [  OK  ]

The vCD service will be started automatically on boot.  To disable this,
use the following command: chkconfig --del vmware-vcd

[root@vcd.lostdomain.org ~]#
And peaches.
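The same keystore can be built with only openssl and the JRE's keytool, without the extra ImportKey class, and the listing can be checked by script before running configure. The following is an added example, not code from the original post; the function names build_vcd_keystore and check_vcd_aliases and the PKCS#12 friendly name vcd are assumptions.

```sh
#!/bin/sh
# Added example, not part of the original post. The function names and the
# PKCS#12 friendly name "vcd" are assumptions made for this example.

# Build a JCEKS keystore with the http and consoleproxy aliases from a PEM key
# and certificate. openssl and keytool prompt for the passwords, which keeps
# them out of argv and shell history. Enter the same password at every prompt:
# without -destkeypass each key keeps the PKCS#12 password.
build_vcd_keystore() {   # usage: build_vcd_keystore ssl-key.pem ssl-cert.pem certificates.ks
    p12=$(mktemp) || return 1          # created with mode 0600
    openssl pkcs12 -export -inkey "$1" -in "$2" -name vcd -out "$p12" \
        || { rm -f "$p12"; return 1; }
    for dest in http consoleproxy; do
        keytool -importkeystore \
            -srckeystore "$p12" -srcstoretype PKCS12 -srcalias vcd \
            -destkeystore "$3" -deststoretype JCEKS -destalias "$dest" \
            || { rm -f "$p12"; return 1; }
    done
    rm -f "$p12"                       # the bundle contains the private key
}

# Read `keytool -list` output on stdin. Succeed only if http and consoleproxy
# are both PrivateKeyEntry (a trustedCertEntry has no private key) and both
# carry the expected certificate fingerprint.
check_vcd_aliases() {    # usage: keytool -list ... | check_vcd_aliases FINGERPRINT
    awk -v want="$1" '
        BEGIN { want = toupper(want); bad = 0 }
        /Entry,/ {                     # e.g. "http, Aug 24, 2011, PrivateKeyEntry,"
            alias = $0; sub(/,.*/, "", alias)
            kind[alias] = ($0 ~ /PrivateKeyEntry/) ? "key" : "other"; next
        }
        /^Certificate fingerprint/ && alias != "" {
            fp = $0; sub(/^[^:]*: */, "", fp); gsub(/[ \t\r]+$/, "", fp)
            got[alias] = toupper(fp); alias = ""
        }
        END {
            n = split("http consoleproxy", need, " ")
            for (i = 1; i <= n; i++) {
                a = need[i]
                if (kind[a] != "key") { print a ": missing or not a PrivateKeyEntry"; bad = 1 }
                else if (got[a] != want) { print a ": fingerprint mismatch"; bad = 1 }
            }
            exit bad
        }'
}
```

To compare against the certificate itself, pass the value after the = sign printed by openssl x509 -in ssl-cert.pem -noout -fingerprint -md5, using the same digest that keytool prints.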
WhatPulse really benefited from the WSI (WhatPulse Signature Images) services, which I kinda missed when it went down. I’ve been working on a replacement tied directly to WhatPulse the last few weeks, and it’s ready for a beta. Check: http://forums.whatpulse.org/showthread.php?t=5254
Another Snow Leopard issue; Juniper’s Network Connect application (from the great Secure Access series) wouldn’t work anymore. It started, but when connecting, it gave the very descriptive error: “Cannot connect!” Hidden away in the Juniper forums I found the solution:
sudo chmod 755 /usr/local/juniper/nc/6.4.0/
sudo mkdir '/Applications/Network Connect.app/Contents/Frameworks'
6.4.0 being your local version.
I’ve enjoyed the new release of Snow Leopard for a while now, but just attached my iPod nano for the first time. Darn thing didn’t seem to want to show up in iTunes. It did in Finder, so there wasn’t anything wrong with a cable or the iPod itself. Google/Apple’s support site didn’t say quite a lot about it, but I found the solution: Pop your Snow Leopard DVD back in your player and start the ‘Optional’ installer. You can select ‘iPod Support’ in there. Once the installer is done, restart iTunes and reattach the iPod. It is now back in iTunes.
