vCloud Director reads its SSL certificates from a Java keystore, which makes using an existing certificate and private key pair a bit more involved. It took me a while to figure out, so I'm sharing.
In this example I created /opt/vmware/keystore for the certificate files. ssl-key.pem and ssl-cert.pem are the existing private key and certificate. Furthermore, I used 'passwd' as the keystore and alias password (needed for the vCD configuration).
First, convert the key and the certificate to DER format:
[[email protected] keystore]# export PATH=$PATH:/opt/vmware/vcloud-director/jre/bin
[[email protected] keystore]# openssl pkcs8 -topk8 -nocrypt -in ssl-key.pem -inform PEM -out ssl-key.der -outform DER
[[email protected] keystore]# openssl x509 -in ssl-cert.pem -inform PEM -out ssl-cert.der -outform DER
Credits go out to for the next part. The ImportKey class combines the DER key and certificate into a new keystore:
[[email protected] keystore]# wget
[[email protected] keystore]# java ImportKey ssl-key.der ssl-cert.der
Using keystore-file : /root/keystore.ImportKey
One certificate, no chain.
Key and certificate stored.
Alias:importkey  Password:importkey
We've now created a new keystore containing the existing private key and certificate. List it to verify:
[[email protected] ~]# keytool -storetype JCEKS -storepass importkey -keystore keystore.ImportKey -list
Keystore type: JCEKS
Keystore provider: SunJCE

Your keystore contains 1 entry

importkey, Aug 24, 2011, PrivateKeyEntry,
Certificate fingerprint (MD5): C0:5E:7B:B8:AB:30:89:5B:4A:7D:5F:2F:F4:00:CD:F4
Now clone the importkey entry to the two aliases vCD requires, consoleproxy and http:
[[email protected] ~]# keytool -keyclone -storetype JCEKS -storepass importkey -alias importkey -dest consoleproxy -keystore keystore.ImportKey
Enter key password for (RETURN if same as for )
Re-enter new password:
[[email protected] ~]# keytool -keyclone -storetype JCEKS -storepass importkey -alias importkey -dest http -keystore keystore.ImportKey
Enter key password for (RETURN if same as for )
Re-enter new password:
Remove the 'importkey' alias and change the keystore password:
[[email protected] ~]# keytool -delete -storetype JCEKS -storepass importkey -alias importkey -keystore keystore.ImportKey
[[email protected] ~]# keytool -storepasswd -new passwd -keystore keystore.ImportKey
Now list the keystore again to verify the aliases. Note that keytool -storepasswd changes only the keystore password, not the key password of each entry (that was set when the alias was cloned); use keytool -keypasswd if those need changing too:
[[email protected] ~]# keytool -storetype JCEKS -storepass importkey -keystore keystore.ImportKey -list
Keystore type: JCEKS
Keystore provider: SunJCE

Your keystore contains 2 entries

consoleproxy, Aug 24, 2011, PrivateKeyEntry,
Certificate fingerprint (MD5): C0:5E:7B:B8:AB:30:89:5B:4A:7D:5F:2F:F4:00:CD:F4
http, Aug 24, 2011, PrivateKeyEntry,
Certificate fingerprint (MD5): C0:5E:7B:B8:AB:30:89:5B:4A:7D:5F:2F:F4:00:CD:F4
We now have a keystore file with our key and certificate in it. Next, point vCD at it:
[[email protected] ~]# /etc/init.d/vmware-vcd stop
Stopping vmware-vcd-watchdog: [ OK ]
Stopping vmware-vcd-cell: [ OK ]
[[email protected] ~]# mv keystore.ImportKey certificates.ks
[[email protected] ~]# /opt/vmware/vcloud-director/bin/configure
Welcome to the vCloud Director configuration utility.
..snip..
Please enter the path to the Java keystore containing your SSL certificates and private keys:
/opt/vmware/keystore/certificates.ks
Please enter the password for the keystore:
..snap..
Would you like to start the vCloud Director service now? If you choose not to start it now, you can manually start it at any time using this command: service vmware-vcd start
Start it now? [y/n] y
Starting vmware-vcd-watchdog: [ OK ]
Starting vmware-vcd-cell [ OK ]
The vCD service will be started automatically on boot. To disable this, use the following command: chkconfig --del vmware-vcd
[[email protected] ~]#
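As an added example that is not part of the original post, the script below wraps the conversion step above with the two checks I would want before handing files to ImportKey: that the PEM key and certificate actually belong together, and what MD5 fingerprint keytool -list should then show for every alias. The function names (key_matches_cert, cert_md5_fingerprint, prepare_pair) are hypothetical.

```sh
#!/bin/sh
# Added example, not code from the original post. Helper names are hypothetical.
set -eu

# Return 0 only when the private key and the certificate carry the same public
# key, i.e. they are a real pair. A mismatch would otherwise surface only as a
# failed TLS handshake after vCD has been reconfigured and restarted.
# Works for RSA and EC keys, since it compares the PEM-encoded public keys.
key_matches_cert() {
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    cpub=$(openssl x509 -in "$2" -noout -pubkey)
    if [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]; then
        return 0
    fi
    return 1
}

# Print the certificate's MD5 fingerprint in the colon-separated form that
# `keytool -list` prints, so the two can be compared by eye or by script.
cert_md5_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -md5 | sed 's/^.*=//'
}

# Verify the pair, write ssl-key.der and ssl-cert.der into $3 exactly as the
# openssl commands in the post do, and print the fingerprint to expect later.
prepare_pair() {
    key="$1"; cert="$2"; out="$3"
    key_matches_cert "$key" "$cert" || {
        echo "private key and certificate do not match, refusing to convert" >&2
        return 1
    }
    openssl pkcs8 -topk8 -nocrypt -in "$key" -inform PEM -out "$out/ssl-key.der" -outform DER
    openssl x509 -in "$cert" -inform PEM -out "$out/ssl-cert.der" -outform DER
    cert_md5_fingerprint "$cert"
}
```

Run `prepare_pair ssl-key.pem ssl-cert.pem /opt/vmware/keystore` from the keystore directory; the fingerprint it prints must match the one keytool reports for both consoleproxy and http.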
And peaches.