
Generating SSL certificates for VMware vCloud Director 1.x/5.x (1026309)


Purpose

This article provides information on creating SSL certificates for VMware vCloud Director.

Resolution

VMware vCloud requires one SSL certificate for each network interface on the host. Each server host in a VMware vCloud Director cluster must have two IP addresses, one for the HTTP service and one for the console proxy service, and must be capable of establishing an SSL connection at each.
 
Notes:
  • Do not copy and paste these commands, as doing so can add extra unintended characters.
  • You can use signed certificates (signed by a trusted certification authority) or self-signed certificates.
  • To create the SSL certificates, use the keytool shipped with the VMware vCloud Director software. By default, for version 1.0.x, this is located in the /opt/vmware/cloud-director/jre/bin/ directory and for version 1.5.x and later, it is located in /opt/vmware/vcloud-director/jre/bin/ directory. It is executed by running the command ./keytool.
  • If you have created a Certificate Signing Request (CSR) for a 1024-bit key in a keystore, all subsequent CSR entries in that keystore are limited to 1024 bits. To generate a CSR for a 2048-bit key, create a new keystore file. Run this command to create a new keystore file:

    ./keytool -keystore 2048certificates.ks -storetype JCEKS -storepass passwd -genkey -keyalg RSA -keysize 2048 -alias http

  • Use Java version 1.6. Run this command to confirm the version of Java:

    # java -version

    If the output indicates you are using a version other than 1.6, run the Java binaries from the /opt/vmware/cloud-director/jre/bin/ or /opt/vmware/vcloud-director/jre/bin/ folder.
 
Creating and importing signed SSL certificates
 
To create and import signed SSL certificates:
  1. Create the certificate.
    • To create an untrusted certificate for the HTTP service host, run this command:

      ./keytool -keystore certificates.ks -storetype JCEKS -storepass passwd -genkey -keyalg RSA -keysize 2048 -alias http

    • To create a certificate signing request for the HTTP service, run this command:

      ./keytool -keystore certificates.ks -storetype JCEKS -storepass passwd -certreq -alias http -file http.csr -keysize 2048

      Note: This command creates a certificate signing request in the file http.csr.

    • To create an untrusted certificate for the console proxy service host, run this command:

      ./keytool -keystore certificates.ks -storetype JCEKS -storepass passwd -genkey -keyalg RSA -keysize 2048 -alias consoleproxy

    • To create a certificate signing request for the console proxy service, run this command:

      ./keytool -keystore certificates.ks -storetype JCEKS -storepass passwd -certreq -alias consoleproxy -file consoleproxy.csr -keysize 2048

      Note: This command creates a certificate signing request in the file consoleproxy.csr.

  2. Send the certificate signing requests to your Certification Authority. You receive the SSL Certificates in an email.
  3. When you receive the signed certificates, import them into the keystore.
    • To import the root certificate of the Certification Authority into the keystore file, run this command:

      ./keytool -alias root -storetype JCEKS -storepass passwd -keystore certificates.ks -importcert -file root.cer

    • To import the intermediate certificates of the Certification Authority into the keystore file, run this command:

      ./keytool -storetype JCEKS -storepass passwd -keystore certificates.ks -importcert -alias intermediate -file intermediate.cer

    • To import the host-specific certificate for the HTTP service, run this command:

      ./keytool -storetype JCEKS -storepass passwd -keystore certificates.ks -importcert -alias http -file http.cer

    • To import the host-specific certificate for the console proxy service, run this command:

      ./keytool -storetype JCEKS -storepass passwd -keystore certificates.ks -importcert -alias consoleproxy -file consoleproxy.cer

  4. Verify that all the certificates are imported. List the contents of the keystore file with the command:

    ./keytool -storetype JCEKS -storepass passwd -keystore certificates.ks -list

Creating and importing self-signed SSL certificates

To create and import self-signed SSL certificates:
  1. Create an untrusted certificate for the HTTP service host with the command:

    ./keytool -keystore certificates.ks -storetype JCEKS -storepass passwd -genkey -keyalg RSA -keysize 2048 -alias http

  2. Enter the fully qualified domain name of the HTTP service host when prompted for your first name and last name.
  3. Create an untrusted certificate for the console proxy service host with the command:

    ./keytool -keystore certificates.ks -storetype JCEKS -storepass passwd -genkey -keyalg RSA -keysize 2048 -alias consoleproxy

  4. Verify that all the certificates are imported. List the contents of the keystore file with the command:

    ./keytool -storetype JCEKS -storepass passwd -keystore certificates.ks -list

Notes:
  • By default, certificates are valid only for 3 months. To increase the duration, add the switch -validity number_of_days when creating your certificate.
  • After creating the certificates, run the /opt/vmware/vcloud-director/bin/configure script. This script prompts you for the SSL certificates. After you enter the required passwords, the vCloud Director service starts.
  • For more information about Oracle's keytool used for the SSL implementation, see the Oracle Java SE article keytool - Key and Certificate Management Tool.

    Note: The preceding link was correct as of December 14, 2015. If you find the link is broken, please provide feedback and a VMware employee will update the link.
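The self-signed procedure above, run non-interactively as a POSIX shell script, with a keystore check that also applies after the signed procedure. This is an added example, not part of the VMware article: it assumes the vCD 1.5.x keytool path given in the notes, uses placeholder hostnames, and sets the key password equal to the keystore password (which is what pressing RETURN at keytool's key-password prompt gives you).

```shell
#!/bin/sh
# Added example, not from the VMware article: the self-signed procedure
# above run non-interactively, plus a keystore check usable after either
# procedure. Assumptions: KEYTOOL defaults to the vCD 1.5.x path named in
# the article; the two FQDNs are placeholders; the key password equals the
# keystore password (what pressing RETURN at keytool's prompt gives you).
KEYTOOL=${KEYTOOL:-/opt/vmware/vcloud-director/jre/bin/keytool}
KEYSTORE=${KEYSTORE:-certificates.ks}
STOREPASS=${STOREPASS:-passwd}
HTTP_FQDN=${HTTP_FQDN:-vcd-http.example.com}     # placeholder hostname
PROXY_FQDN=${PROXY_FQDN:-vcd-proxy.example.com}  # placeholder hostname
VALIDITY=${VALIDITY:-365}  # keytool's default is 90 days ("3 months" note)

# One 2048-bit RSA key pair. -dname puts the FQDN in the CN, so keytool does
# not ask "What is your first and last name?" (the article says to answer
# that prompt with the host's fully qualified domain name).
gen_keypair() {  # $1 = alias (http | consoleproxy), $2 = FQDN
  "$KEYTOOL" -keystore "$KEYSTORE" -storetype JCEKS -storepass "$STOREPASS" \
    -keypass "$STOREPASS" -genkey -keyalg RSA -keysize 2048 \
    -validity "$VALIDITY" -alias "$1" -dname "CN=$2"
}

# Reads "keytool -list" output on stdin. vCD needs the private key behind
# both service aliases, so each must be a PrivateKeyEntry (keyEntry on older
# JDKs). A CA reply imported under a new alias instead of the original one
# becomes a trustedCertEntry with no key, which this catches. Any extra
# arguments name CA aliases (e.g. root intermediate) that must be present.
verify_listing() {
  listing=$(cat); rc=0
  for a in http consoleproxy; do
    printf '%s\n' "$listing" | grep -qiE "^$a, .*(PrivateKeyEntry|keyEntry)" \
      || { echo "alias '$a' is not a private-key entry" >&2; rc=1; }
  done
  for a in "$@"; do
    printf '%s\n' "$listing" | grep -qiE "^$a, .*trustedCertEntry" \
      || { echo "CA alias '$a' missing or not a trusted-cert entry" >&2; rc=1; }
  done
  return $rc
}

# Both self-signed certificates into a fresh keystore, then the check.
run_self_signed() {
  [ -e "$KEYSTORE" ] && { echo "refusing to overwrite $KEYSTORE" >&2; return 1; }
  gen_keypair http "$HTTP_FQDN" && gen_keypair consoleproxy "$PROXY_FQDN" &&
    "$KEYTOOL" -keystore "$KEYSTORE" -storetype JCEKS -storepass "$STOREPASS" \
      -list | verify_listing
}

[ -x "$KEYTOOL" ] && run_self_signed  # only when the bundled keytool exists
```

After the signed procedure, pipe the step 4 listing through `verify_listing root intermediate` to confirm the CA chain was imported and that the http and consoleproxy entries still carry their private keys.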

Additional Information

If you are receiving errors while installing the certificate, see Accessing the vCloud Director Web site fails with the error: Could not verify this certificate for unknown reasons (1032520).


Update History

07/11/2011 - Linked article 1032520.
03/13/2012 - Added vCD 1.5.x to product versions.
02/06/2013 - Added note to run /opt/vmware/vcloud-director/bin/configure to start the vCD service.
