Knowledge Base

The VMware Knowledge Base provides support solutions, error messages and troubleshooting guides
 
Search the VMware Knowledge Base (KB)   View by Article ID
 

Generating SSL certificates for VMware vCloud Director (1026309)

Purpose

This article provides information on creating SSL certificates for VMware vCloud Director.

Resolution

VMware vCloud requires one SSL certificate for each network interface on the host. Each server host in a VMware vCloud Director cluster must have two IP addresses (one for the HTTP service and one for the console proxy service) and must be capable of establishing an SSL connection at each.

Notes:
  • You can use signed certificates (signed by a trusted certification authority) or self-signed certificates.
  • To create the SSL certificates, you need to use the keytool shipped with the VMware vCloud Director software. By default for version 1.0.x this is located in the /opt/vmware/cloud-director/jre/bin/ and for version 1.5.x and above it is located in  /opt/vmware/vcloud-director/jre/bin/ directory.  It can be executed by running the command ./keytool.
  • Use Java version 1.6. To confirm the version of Java, run the command:

    # java –version

    If the output indicates you are using a version other than 1.6, you need to run the Java binaries from the /opt/vmware/cloud-director/jre/bin/ or /opt/vmware/vcloud-director/jre/bin/ folder.
 
Creating and importing signed SSL certificates 
 
To create and import signed SSL certificates:
  1. Create the certificate.
    • To create an untrusted certificate for the HTTP service host, run the command:

      keytool -keystore certificates.ks -storetype JCEKS -storepass passwd –genkey -keyalg RSA -alias http

    • To create a certificate signing request for the HTTP service, run the command:

      keytool -keystore certificates.ks -storetype JCEKS -storepass passwd –certreq -alias http -file http.csr

      NoteThis command creates a certificate signing request in the file http.csr.
    • To create an untrusted certificate for the console proxy service host, run the command:

      keytool -keystore certificates.ks -storetype JCEKS -storepass passwd -genkey –keyalg RSA -alias consoleproxy
    • To create a certificate signing request for the console proxy service, run the command:

      keytool -keystore certificates.ks -storetype JCEKS -storepass passwd -certreq –alias consoleproxy -file consoleproxy.csr

      Note: This command creates a certificate signing request in the file consoleproxy.csr.

  2. Send the certificate signing requests to your Certification Authority. You receive the SSL Certificates in an email.
  3. When you receive the signed certificates, import them into the keystore.
    • To import the Certification Authority's root certificate into the keystore file, run the command:

      keytool -storetype JCEKS -storepass passwd -keystore certificates.ks -import –alias root -file root.cer

    • To import the Certification Authority's intermediate certificates into the keystore file, run the command: 

      keytool -storetype JCEKS -storepass passwd -keystore certificates.ks -import –alias intermediate -file intermediate.cer

    • To import the host-specific certificate for the HTTP service, run the command:

      keytool -storetype JCEKS -storepass passwd -keystore certificates.ks -import –alias http -file http.cer

    • To import the host-specific certificate for the console proxy service, run the command:

      keytool -storetype JCEKS -storepass passwd -keystore certificates.ks -import –alias consoleproxy -file consoleproxy.cer

  4. Verify that all the certificates have been imported, list the contents of the keystore file with the command:

    keytool -storetype JCEKS -storepass passwd -keystore certificates.ks -list

Creating and importing self-signed SSL certificates 

To create and import self-signed SSL certificates:
  1. Create an untrusted certificate for the HTTP service host with the command:

    keytool -keystore certificates.ks -storetype JCEKS -storepass passwd -genkey –keyalg RSA -alias http
  2. Enter the fully qualified domain name of the HTTP service host when prompted for your first name and last name.
  3. Create an untrusted certificate for the console proxy service host with the command:

    keytool -keystore certificates.ks -storetype JCEKS -storepass passwd -genkey –keyalg RSA -alias consoleproxy
  4. Verify that all the certificates have been imported, list the contents of the keystore file with the command:

    keytool -storetype JCEKS -storepass passwd -keystore certificates.ks -list
Notes:
  • By default, certificates are valid only for 3 months. To increase the duration, add the switch -validity number_of_days when creating your certificate.
  • After creating the certificates, you must run the /opt/vmware/vcloud-director/bin/configure script. This script prompts you for the SSL certificates. After you enter the required passwords, the vCloud Director service starts. 

Additional Information

If you are receiving errors installing the certificate, see Accessing the vCloud Director Web site fails with the error: Could not verify this certificate for unknown reasons  (1032520).

Tags

vcloud-director vcloud-director-ssl-certificates

See Also

Update History

07/11/2011 - Linked article 1032520. 03/13/2012 - Added vCD 1.5.x to product versions. 02/06/2013 - Added note to run /opt/vmware/vcloud-director/bin/configure to start the vCD service

Request a Product Feature

To request a new product feature or to provide feedback on a VMware product, please visit the Request a Product Feature page.

Feedback

  • 7 Ratings

Did this article help you?
This article resolved my issue.
This article did not resolve my issue.
This article helped but additional information was required to resolve my issue.
What can we do to improve this information? (4000 or fewer characters)
  • 7 Ratings
Actions
KB: