In this blog, we will set up SSL on our vCD.
Certificates have to be replaced on every vCD cell (primary, standby, etc.), so expect an outage: the vCD services on each cell must be restarted for the new certificates to take effect.
Blog Series
- Deploy vCloud Director 10.X
- Adding HA to vCD 10.X Configuration
- Switch Standby vCD Node to Primary
- Generate CA-Signed SSL Certificates on vCD 10.X
- Unregister a Failed or Unreachable Standby Node
- vCloud Director User Interface not Accessible
- Reset Lost or forgotten vCD 10.x Root Password
- Upgrade vCD from 10.0 to 10.2
- One Page View of all vCD 10.X commands
Follow the “vCD Maintenance” section of the article below to quiesce the vCD cells and drain all VMs before you replace the certificates.
Before we set up SSL, we will browse our vCD URL as shown
There are two ways to set up certificates in vCloud Director:
1- Use a self-signed certificate
2- Create a CSR and submit the request to our CA server
Creating and importing certificates signed by a certificate authority (CA) provides the highest level of trust for SSL communications and helps you secure the connections within your cloud.
Generating a CSR and submitting the request to a Certificate Authority
Each vCloud Director server requires two SSL certificates to secure communications between clients and servers, because it must support two different SSL endpoints:
1- HTTPS
2- Console proxy communications
We will work with three certificate files in total:
http.csr (the CSR for the HTTPS service)
consoleproxy.csr (the CSR for the console proxy service)
root.cer (the root CA certificate)
Step 1: Open an SSH session to the vCD cell and make a copy of the certificates.ks file.
The certificates.ks file holds every SSL certificate that has been generated together with its private key, so keep the backup somewhere only root can read.
cp /opt/vmware/vcloud-director/certificates.ks /root/certificates.ks.original
Let's navigate to /opt/vmware/vcloud-director
Create public and private key pairs for the HTTPS service and for the console proxy service.
The command creates or updates a keystore at certificates.ks, protected with the password that you specify (the same password is needed for every keytool and cell-management-tool command below).
/opt/vmware/vcloud-director/bin/cell-management-tool generate-certs -j -p -o /opt/vmware/vcloud-director/certificates.ks -w 'VMware1!VMware3!'
Create certificate signing requests (CSRs) for the HTTPS service and for the console proxy service. The keytool binary ships with the JRE bundled in the appliance under /opt/vmware/vcloud-director/jre/bin, so it is called by its full path. The san extension must list every DNS name and IP address that clients will use to reach the cell; anything missing here will cause browser and API certificate warnings later.
Create a certificate signing request in the http.csr file.
cd /opt/vmware/vcloud-director
/opt/vmware/vcloud-director/jre/bin/keytool -keystore /opt/vmware/vcloud-director/certificates.ks -storetype JCEKS -storepass 'VMware1!VMware3!' -certreq -alias http -file http.csr -ext "san=dns:vcd-cell-01.ash.local,dns:vcd,ip:172.16.11.31"
Create a certificate signing request in the consoleproxy.csr file.
/opt/vmware/vcloud-director/jre/bin/keytool -keystore /opt/vmware/vcloud-director/certificates.ks -storetype JCEKS -storepass 'VMware1!VMware3!' -certreq -alias consoleproxy -file consoleproxy.csr -ext "san=dns:vcd-cell-01.ash.local,dns:vcd,ip:172.16.11.31"
I’m going to use FileZilla to download the http.csr and consoleproxy.csr files from the vCloud Director server to my Windows server, so I can send the certificate signing requests to my Certificate Authority.
I’ll open my CA web enrollment web page, where I will click on Request a certificate
Select advanced certificate request
Open the file http.csr in Notepad and paste its entire contents into the request field as shown, and choose the Web Server template.
Select DER encoded, then click Download certificate and save the file as http.cer.
I have repeated the same for my consoleproxy.csr file as well.
We will now need the Root CA certificate
Generate the root CA Certificate
Open Certification Authority, right-click your server and select Properties.
Select Certificate 0 -> click View Certificate -> click Copy to File and click Next.
Use the wizard to export the file as a DER file
Name the file as root.cer
So these are the files we now need:
http.cer (the CA-signed certificate for the HTTPS service)
consoleproxy.cer (the CA-signed certificate for the console proxy service)
root.cer (the root CA certificate)
I’m going to use FileZilla to copy these three files back to my vCD.
Run the commands to import the signed certificates into the JCEKS keystore.
Import the root CA certificate first, under the alias root, and only then the two signed replies under the http and consoleproxy aliases: keytool can only accept a certificate reply for an existing key pair if it can build the chain back to a CA it already trusts in that keystore, so importing http.cer or consoleproxy.cer before root.cer fails with a "Failed to establish chain from reply" error.
The commands update the certificates.ks file in place, replacing the self-signed certificates with the newly acquired CA-signed versions.
/opt/vmware/vcloud-director/jre/bin/keytool -import -storetype JCEKS -storepass 'VMware1!VMware3!' -keystore /opt/vmware/vcloud-director/certificates.ks -alias root -file root.cer
/opt/vmware/vcloud-director/jre/bin/keytool -import -storetype JCEKS -storepass 'VMware1!VMware3!' -keystore /opt/vmware/vcloud-director/certificates.ks -alias http -file http.cer
/opt/vmware/vcloud-director/jre/bin/keytool -import -storetype JCEKS -storepass 'VMware1!VMware3!' -keystore /opt/vmware/vcloud-director/certificates.ks -alias consoleproxy -file consoleproxy.cer
To check that the certificates were imported, list the contents of the keystore file (add -v to see the issuer, validity and subject alternative names of each entry).
/opt/vmware/vcloud-director/jre/bin/keytool -storetype JCEKS -storepass 'VMware1!VMware3!' -keystore /opt/vmware/vcloud-director/certificates.ks -list
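Before handing the keystore to cell-management-tool it is worth checking the verbose listing for the three things that go wrong most often: the root alias not being a trusted entry, an alias still carrying its self-signed certificate because the CA reply was never imported, and a SAN list that does not match what was requested in the CSR. The script below is an added example, not code from the original post or from VMware; it parses a constructed, trimmed sample of `keytool -list -v` output (the hostname, IP and CA name are the ones used above) and reports those problems.

```python
import re
# Constructed sample of `keytool -list -v` output (trimmed to the fields read here).
SAMPLE_LISTING = """\
Alias name: root
Entry type: trustedCertEntry
Issuer: CN=ash-CA, DC=ash, DC=local
Alias name: http
Entry type: PrivateKeyEntry
Issuer: CN=ash-CA, DC=ash, DC=local
SubjectAlternativeName [
  DNSName: vcd-cell-01.ash.local
  DNSName: vcd
  IPAddress: 172.16.11.31
]
Alias name: consoleproxy
Entry type: PrivateKeyEntry
Issuer: CN=vcd-cell-01.ash.local
"""
# Names requested in both CSRs via -ext "san=dns:...,ip:..."
EXPECTED_SANS = {"vcd-cell-01.ash.local", "vcd", "172.16.11.31"}

def parse_listing(text):
    """Map alias -> {type, issuer, sans}; the first Issuer line belongs to the leaf cert."""
    entries = {}
    for block in re.split(r"(?m)^Alias name: ", text)[1:]:
        alias, body = block.split("\n", 1)
        entries[alias.strip()] = {
            "type": re.search(r"Entry type: (\S+)", body).group(1),
            "issuer": re.search(r"Issuer: (.*)", body).group(1).strip(),
            "sans": set(re.findall(r"(?:DNSName|IPAddress): (\S+)", body)),
        }
    return entries

def check_keystore(text, expected_sans=EXPECTED_SANS):
    """Return problems found; an empty list means it is safe to run cell-management-tool certificates."""
    e, problems = parse_listing(text), []
    root = e.get("root", {})
    if root.get("type") != "trustedCertEntry":
        problems.append("root: CA certificate missing (import it before the signed replies)")
    for alias in ("http", "consoleproxy"):
        ent = e.get(alias)
        if ent is None or ent["type"] != "PrivateKeyEntry":
            problems.append(f"{alias}: no PrivateKeyEntry (was generate-certs run?)")
            continue
        if ent["issuer"] != root.get("issuer"):
            problems.append(f"{alias}: still self-signed (CA reply not imported)")
        missing = expected_sans - ent["sans"]
        if missing:
            problems.append(f"{alias}: SAN missing {sorted(missing)}")
    return problems
```

On a real cell, pipe the output of the -list -v command into check_keystore; in the sample the consoleproxy alias deliberately still holds its self-signed certificate, so two problems are reported for it.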
Run the command to import the certificates from the keystore into the vCloud Director instance.
/opt/vmware/vcloud-director/bin/cell-management-tool certificates -j -p --keystore /opt/vmware/vcloud-director/certificates.ks --keystore-password 'VMware1!VMware3!'
For the new signed certificates to take effect, restart the vmware-vcd service on the vCloud Director appliance.
service vmware-vcd restart
Verify the status of vCD (the repmgr commands below show the state of the appliance's embedded PostgreSQL cluster)
sudo -i -u postgres /opt/vmware/vpostgres/current/bin/repmgr cluster show
sudo -i -u postgres /opt/vmware/vpostgres/current/bin/repmgr -f /opt/vmware/vpostgres/current/etc/repmgr.conf cluster matrix
To view and update the valid IP addresses and DNS entries for the vCloud Director cells in your vCloud Director environment, you can use the manage-config subcommand of the cell management tool.
/opt/vmware/vcloud-director/bin/cell-management-tool manage-config -n webapp.allowed.origins -l
Access the web UI