MONDAY, MAY 21, 2012

If you’re like me, you just go ahead and install stuff without taking the time to check whether the software you’re installing can be upgraded later. Dive head first. ;-)

Often with beta software, an upgrade path to a release build is lacking or problematic. Same goes for vCloud Director 1.5 beta to the release build of 1.5. When I upgraded to the release build, I did so without ‘Unpreparing’ the ESXi hosts that were being used by vCloud Director. That causes some problems when you want to link a new vCloud Director to these ESXi hosts, as the vCloud Agent is still on the hosts. You have to remove that agent manually before you can link them with the new vCloud Director again. Here’s how:

ESXi 5.0:
esxcli software vib remove -n vcloud-agent
ESXi/ESX 4.x:
/opt/vmware/uninstallers/vslad-uninstall.sh

For some reason a Cisco ME3400 doesn’t have both IPv4 and IPv6 routing enabled. Still wondering why, but this is how you enable it:
conf t
sdm prefer dual-ipv4-and-ipv6 routing
exit
wr mem
reload

vCloud Director reads its SSL certificates from a Java keystore, which makes it a bit more complicated to use an existing certificate and private key. Took me a while to figure out, so I’m sharing.

In this example I created /opt/vmware/keystore for the certificate files. The ssl-key.pem and ssl-cert.pem are the existing certificate files. Furthermore, I used ‘passwd’ as the keystore and alias password (needed for the vCD configuration).

Firstly, we need to convert the key and certificate to DER format:
[root@vcd.lostdomain.org keystore]# export PATH=$PATH:/opt/vmware/vcloud-director/jre/bin
[root@vcd.lostdomain.org keystore]# openssl pkcs8 -topk8 -nocrypt -in ssl-key.pem -inform PEM -out ssl-key.der -outform DER
[root@vcd.lostdomain.org keystore]# openssl x509 -in ssl-cert.pem -inform PEM -out ssl-cert.der -outform DER
Credits go out to http://www.agentbob.info/agentbob/79-AB.html for the next part. The following combines the key and certificate into a new keystore:
[root@vcd.lostdomain.org keystore]# wget http://lostdomain.org/etc/ImportKey.class
[root@vcd.lostdomain.org keystore]# java ImportKey ssl-key.der ssl-cert.der
Using keystore-file : /root/keystore.ImportKey
One certificate, no chain.
Key and certificate stored.
Alias:importkey  Password:importkey
We’ve now created a new keystore with an existing private key and certificate. Check to verify!
[root@vcd.lostdomain.org ~]# keytool -storetype JCEKS -storepass importkey -keystore keystore.ImportKey -list

Keystore type: JCEKS
Keystore provider: SunJCE

Your keystore contains 1 entry

importkey, Aug 24, 2011, PrivateKeyEntry,
Certificate fingerprint (MD5): C0:5E:7B:B8:AB:30:89:5B:4A:7D:5F:2F:F4:00:CD:F4
Ok, now we copy the importkey alias to the required aliases for vCD:
[root@vcd.lostdomain.org ~]# keytool -keyclone -storetype JCEKS -storepass importkey -alias importkey -dest consoleproxy -keystore keystore.ImportKey
Enter key password for <consoleproxy>
        (RETURN if same as for <importkey>)
Re-enter new password:
[root@vcd.lostdomain.org ~]# keytool -keyclone -storetype JCEKS -storepass importkey -alias importkey -dest http -keystore keystore.ImportKey
Enter key password for <http>
        (RETURN if same as for <importkey>)
Re-enter new password:
Get rid of the ‘importkey’ alias and change the keystore password:
[root@vcd.lostdomain.org ~]# keytool -delete -storetype JCEKS -storepass importkey -alias importkey -keystore keystore.ImportKey
[root@vcd.lostdomain.org ~]# keytool -storepasswd -storetype JCEKS -storepass importkey -new passwd -keystore keystore.ImportKey
Now check to verify the aliases inside the keystore:
[root@vcd.lostdomain.org ~]# keytool -storetype JCEKS -storepass passwd -keystore keystore.ImportKey -list

Keystore type: JCEKS
Keystore provider: SunJCE

Your keystore contains 2 entries

consoleproxy, Aug 24, 2011, PrivateKeyEntry,
Certificate fingerprint (MD5): C0:5E:7B:B8:AB:30:89:5B:4A:7D:5F:2F:F4:00:CD:F4
http, Aug 24, 2011, PrivateKeyEntry,
Certificate fingerprint (MD5): C0:5E:7B:B8:AB:30:89:5B:4A:7D:5F:2F:F4:00:CD:F4
Ok, so now we have a keystore file with our key and certificate in it. Now to update vCD:
[root@vcd.lostdomain.org ~]# /etc/init.d/vmware-vcd stop
Stopping vmware-vcd-watchdog:                              [  OK  ]
Stopping vmware-vcd-cell:                             [  OK  ]
[root@vcd.lostdomain.org ~]# mv keystore.ImportKey /opt/vmware/keystore/certificates.ks
[root@vcd.lostdomain.org ~]# /opt/vmware/vcloud-director/bin/configure
Welcome to the vCloud Director configuration utility.

..snip..

Please enter the path to the Java keystore containing your SSL certificates and
private keys: /opt/vmware/keystore/certificates.ks
Please enter the password for the keystore:

..snap..

Would you like to start the vCloud Director service now? If you choose not
to start it now, you can manually start it at any time using this command:
service vmware-vcd start

Start it now? [y/n] y

Starting vmware-vcd-watchdog:                              [  OK  ]
Starting vmware-vcd-cell                                   [  OK  ]

The vCD service will be started automatically on boot.  To disable this,
use the following command: chkconfig --del vmware-vcd

[root@vcd.lostdomain.org ~]#
And peaches.
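
An alternative route to the same keystore, as an added example that is not part of the original post: openssl and keytool can do the import themselves via PKCS#12, so no ImportKey.class has to be fetched over plain HTTP and run as root, and the key is checked against the certificate first. The function names and the temporary .p12 file names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Function names are hypothetical.

# Print the SHA-256 of the public key inside a PEM private key or certificate.
pubkey_sha256() {   # $1 = key|cert, $2 = PEM file
    local pub
    if [ "$1" = key ]; then
        pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    else
        pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    fi
    printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeed only if the private key belongs to the certificate.
key_matches_cert() {
    local k c
    k=$(pubkey_sha256 key "$1") && c=$(pubkey_sha256 cert "$2") && [ "$k" = "$c" ]
}

# Create a JCEKS keystore holding the pair under the two aliases vCD needs.
# $1 = key PEM, $2 = cert PEM, $3 = keystore path, $4 = password (>= 6 chars)
build_vcd_keystore() {
    local key=$1 cert=$2 ks=$3 pass=$4 alias p12 rc
    key_matches_cert "$key" "$cert" || {
        echo "private key does not match certificate" >&2; return 1; }
    for alias in http consoleproxy; do
        p12="$ks.$alias.p12"
        # The bundle holds the private key, so create it owner-only.
        # Assumption to check: an old JRE may not read the PKCS#12
        # encryption that a newer openssl writes by default.
        ( umask 077; openssl pkcs12 -export -inkey "$key" -in "$cert" \
            -name "$alias" -out "$p12" -passout "pass:$pass" ) || return 1
        keytool -importkeystore -noprompt \
            -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$pass" \
            -destkeystore "$ks" -deststoretype JCEKS -deststorepass "$pass"
        rc=$?; rm -f "$p12"; [ "$rc" -eq 0 ] || return 1
    done
}

# Usage, with the file names from the post:
# build_vcd_keystore ssl-key.pem ssl-cert.pem /opt/vmware/keystore/certificates.ks "$KS_PASS"
```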

WhatPulse really benefited from the WSI (WhatPulse Signature Images) services, which I kinda missed when it went down. I’ve been working on a replacement tied directly to WhatPulse the last few weeks, and it’s ready for a beta. Check: http://forums.whatpulse.org/showthread.php?t=5254

Another Snow Leopard issue; Juniper’s Network Connect application (from the great Secure Access series) wouldn’t work anymore. It started, but when connecting, it gave the very descriptive error: “Cannot connect!” Hidden away in the Juniper forums I found the solution:
sudo chmod 755 /usr/local/juniper/nc/6.4.0/
sudo mkdir '/Applications/Network Connect.app/Contents/Frameworks'
6.4.0 being your local version.
