During a vCloud Director (vCD) version 5.5 implementation the other week, we started out using self-signed certificates for the vCD cells and a company-external (purchased) wildcard certificate for the internet-facing load balancer.
I have used this setup (though not with wildcard certificates) quite a few times, e.g. for vCD versions 1.5 and 5.1, and basically the customer decides which certificates to use. I can only advise my customers to use non-self-signed certificates.
However, since vCD 5.5 the firewall/load balancer certificate and the vCD cell certificates must match. If they don't, you will get an SSL fingerprint mismatch error when trying to upload a file to vCD (to the transfer area).
To avoid this, you have to configure the same certificate (the purchased wildcard one in my case) on the vCD cell(s) and on the load balancer.
Below are the steps I took to configure the vCD cells to use the purchased certificate. I used the keytool binary found in /usr/java/jre1.6.0_31/bin/ on the CentOS virtual machine (VM) where the vCD cell is installed.
1. Get the private key from the certificate.pfx file:
- openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes
- Copy the private key from the certificate.cer file to a new file called private.key
2. Create PFX files with the aliases http and consoleproxy:
- openssl pkcs12 -export -in certificate.cer -inkey private.key -name http -passout pass:passwd -out http.pfx
- openssl pkcs12 -export -in certificate.cer -inkey private.key -name consoleproxy -passout pass:passwd -out consoleproxy.pfx
3. Import the two PFX files created above into the keystore (the same password, passwd, is used for both stores throughout):
- ./keytool -importkeystore -srckeystore /opt/certificates/http.pfx -srcstoretype PKCS12 -destkeystore /opt/keystore/cloudcerts.ks -deststoretype JCEKS -deststorepass passwd -srcalias http -destalias http -srcstorepass passwd
- ./keytool -importkeystore -srckeystore /opt/certificates/consoleproxy.pfx -srcstoretype PKCS12 -destkeystore /opt/keystore/cloudcerts.ks -deststoretype JCEKS -deststorepass passwd -srcalias consoleproxy -destalias consoleproxy -srcstorepass passwd
4. Import the intermediate certificate into the keystore:
- ./keytool -importcert -alias intermediate -file /opt/certificates/intermediate.crt -storetype JCEKS -keystore /opt/keystore/cloudcerts.ks -storepass passwd
5. Import the root certificate into the keystore:
- ./keytool -importcert -alias root -file /opt/certificates/RootCA.crt -storetype JCEKS -keystore /opt/keystore/cloudcerts.ks -storepass passwd
6. Copy the keystore /opt/keystore/cloudcerts.ks to the second vCD cell.
7. Activate the new certificate on both vCD cells.
- service vmware-vcd stop
- /opt/vmware/vcloud-director/bin/configure (point it to the cloudcerts.ks file and enter the keystore password, passwd)
- Start the vCD cell
- Verify the vCD cell starts ok by tailing the cell log.
- tail -f /opt/vmware/vcloud-director/logs/cell.log
You can verify the keystore contents by running the following command:
- ./keytool -list -keystore /opt/keystore/cloudcerts.ks -storetype JCEKS -storepass passwd
When completed, you can successfully upload files to vCD.
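As an added helper, not the post's own code, for the manual "copy the private key" part of step 1 and for the fingerprint match that the error above complains about: the parser below splits the PEM bundle that `openssl pkcs12 -nodes` writes into its key and certificate blocks, and compares the leaf certificate fingerprint the load balancer presents with the one each cell presents. The sample bundle is constructed placeholder data rather than real key material; in practice you would feed it certificate.cer and a PEM captured from the load balancer (for example with `openssl s_client`).

```python
import base64
import hashlib
import re

# One PEM block: "-----BEGIN <LABEL>-----" ... "-----END <LABEL>-----".
# The "Bag Attributes"/"subject=" lines that `openssl pkcs12 -nodes` writes
# between blocks fall outside the match and are ignored.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

def split_pem_bundle(bundle_text):
    """Return (label, pem_text) for every block in the bundle, in file order."""
    return [(m.group(1), m.group(0) + "\n") for m in PEM_BLOCK.finditer(bundle_text)]

def extract_private_key(bundle_text):
    """The key block to save as private.key (step 1 of the post), or None."""
    for label, pem_text in split_pem_bundle(bundle_text):
        if label.endswith("PRIVATE KEY"):
            return pem_text
    return None

def cert_fingerprint(pem_text, algorithm="sha256"):
    """Colon-separated digest of the DER bytes inside one CERTIFICATE block."""
    m = PEM_BLOCK.search(pem_text)
    if m is None or m.group(1) != "CERTIFICATE":
        raise ValueError("not a PEM certificate block")
    der = base64.b64decode("".join(m.group(2).split()))
    hexdigest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def cells_match_load_balancer(lb_cert_pem, cell_cert_pems):
    """True only if every cell presents exactly the leaf the load balancer presents."""
    expected = cert_fingerprint(lb_cert_pem)
    return all(cert_fingerprint(c) == expected for c in cell_cert_pems)

def _fake_block(label, payload):
    """Wrap constructed placeholder bytes in PEM armour (not a real key or cert)."""
    return f"-----BEGIN {label}-----\n{base64.encodebytes(payload).decode()}-----END {label}-----\n"

# Constructed sample shaped like `openssl pkcs12 -in certificate.pfx -nodes` output.
SAMPLE_BUNDLE = (
    "Bag Attributes\n    localKeyID: 01 02 03\n"
    + _fake_block("PRIVATE KEY", b"placeholder private key bytes")
    + "Bag Attributes\n    friendlyName: *.example.com\nsubject=/CN=*.example.com\n"
    + _fake_block("CERTIFICATE", b"placeholder wildcard leaf certificate bytes")
    + _fake_block("CERTIFICATE", b"placeholder intermediate CA bytes")
)

if __name__ == "__main__":
    leaf = split_pem_bundle(SAMPLE_BUNDLE)[1][1]
    print("leaf fingerprint:", cert_fingerprint(leaf))
```

Only the leaf (first CERTIFICATE block) is compared; the intermediate and root blocks go into the keystore in steps 4 and 5 but are not what the fingerprint check looks at.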