Creating and importing CA-signed certificates provides the highest level of trust for SSL communications and helps you secure the connections within your cloud infrastructure.

Each vCloud Director server requires two SSL certificates to secure communications between clients and servers. Each vCloud Director server must support two different SSL endpoints: one for HTTPS and one for console proxy communications.

The two endpoints can be separate IP addresses or a single IP address with two different ports. Each endpoint requires its own SSL certificate. You can use the same certificate for both endpoints, for example, by using a wildcard certificate.

Certificates for both endpoints must include an X.500 distinguished name and X.509 Subject Alternative Name extension.

You can use certificates signed by a trusted certificate authority (CA) or self-signed certificates.

You use the cell-management-tool to create the self-signed SSL certificates. The cell-management-tool utility is installed on the cell before the configuration agent runs and after you run the installation file. See Install vCloud Director on the First Member of a Server Group.

If you already have your own private key and CA-signed certificate files, follow the procedure described in Create CA-Signed SSL Certificate Keystore with Imported Private Keys for vCloud Director on Linux.

Important: These examples specify a 2048-bit key size, but you should evaluate your installation's security requirements before choosing an appropriate key size. Key sizes less than 1024 bits are no longer supported per NIST Special Publication 800-131A.

Prerequisites

  • Verify that you have access to a computer that has a Java version 8 or later runtime environment, so that you can use the keytool command to import the certificates. The vCloud Director installer places a copy of keytool in /opt/vmware/vcloud-director/jre/bin/keytool, but you can perform this procedure on any computer that has a Java runtime environment installed. Certificates created with a keytool from any other source are not supported for use with vCloud Director. These command-line examples assume that keytool is in the user's path.
  • Familiarize yourself with the keytool command.
  • For more details on the available options for the generate-certs command, see Generating Self-Signed Certificates for the HTTPS and Console Proxy Endpoints.
  • For more details on the available options for the certificates command, see Replacing Certificates for the HTTP and Console Proxy Endpoints.

Procedure

  1. Log in directly or by using an SSH client to the OS of the vCloud Director server cell as root.
  2. Run the command to create a public and private key pair for the HTTPS service and for the console proxy service.
    /opt/vmware/vcloud-director/bin/cell-management-tool generate-certs -j -p -o certificates.ks -w keystore_password

    The command creates or updates a keystore at certificates.ks with the specified password. Certificates are created using the command's default values. Depending on the DNS configuration of your environment, the Issuer CN is set to either the IP address or the FQDN for each service. The certificate uses the default 2048-bit key length and expires one year after creation.

    Important: The keystore file and the directory in which it is stored must be readable by the user vcloud.vcloud. The vCloud Director installer creates this user and group.
  3. Create a certificate signing request for the HTTPS service and for the console proxy service.
    Important: If you are using separate IP addresses for the HTTPS service and for the console proxy service, adjust the hostnames and IP addresses in the following commands.
    1. Create a certificate signing request in the http.csr file.
      keytool -keystore certificates.ks -storetype JCEKS -storepass keystore_password -certreq -alias http -file http.csr -ext "san=dns:vcd2.example.com,dns:vcd2,ip:10.100.101.10"
    2. Create a certificate signing request in the consoleproxy.csr file.
      keytool -keystore certificates.ks -storetype JCEKS -storepass keystore_password -certreq -alias consoleproxy -file consoleproxy.csr -ext "san=dns:vcd2.example.com,dns:vcd2,ip:10.100.101.10"
  4. Send the certificate signing requests to your Certificate Authority.
    If your certification authority requires you to specify a Web server type, use Jakarta Tomcat.
    You obtain the CA-signed certificates.
  5. Import the signed certificates into the JCEKS keystore.
    1. Import the Certificate Authority's root certificate from the root.cer file to the certificates.ks keystore file.
      keytool -import -storetype JCEKS -storepass keystore_password -keystore certificates.ks -alias root -file root_certificate_file
    2. If you received intermediate certificates, import them from the intermediate.cer file to the certificates.ks keystore file.
      keytool -import -storetype JCEKS -storepass keystore_password -keystore certificates.ks -alias intermediate -file intermediate_certificate_file
    3. Import the HTTPS service certificate.
      keytool -import -storetype JCEKS -storepass keystore_password -keystore certificates.ks -alias http -file http_certificate_file
    4. Import the console proxy service certificate.
      keytool -import -storetype JCEKS -storepass keystore_password -keystore certificates.ks -alias consoleproxy -file console_proxy_certificate_file
    The commands overwrite the certificates.ks file with the newly acquired CA-signed versions of the certificates.
  6. To check whether the certificates are imported to the JCEKS keystore, run the command to list the contents of the keystore file.
    keytool -storetype JCEKS -storepass keystore_password -keystore certificates.ks -list
  7. Repeat this procedure on all vCloud Director servers in the server group.
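The listing in step 6 is easy to misread when the keystore holds several entries. The script below is an added example, not part of the vCloud Director documentation: it parses `keytool -list -v` output and confirms that the http and consoleproxy aliases are key entries whose chain is longer than the single self-signed certificate that generate-certs created. It assumes keytool is in the PATH and the JCEKS keystore produced by this procedure; the sample listing at the bottom is constructed, not real keytool output.

```shell
#!/bin/sh
# Added example, not part of the vCloud Director documentation: after step 6,
# confirm that the CA-signed replies really replaced the self-signed certificates.
# Assumes keytool is in PATH and the JCEKS keystore produced by this procedure.

# Checks one alias in `keytool -list -v` output read from stdin. The alias must be
# a PrivateKeyEntry (a reply imported under an alias that holds no key pair lands
# as a trustedCertEntry) and its chain must be longer than 1 (length 1 means the
# generated self-signed certificate is still in place).
check_alias() {
    result=$(awk -v want="$1" '
        /^Alias name:/               { cur = $3 }
        /^Entry type:/               { if (cur == want) type = $3 }
        /^Certificate chain length:/ { if (cur == want) len = $4 }
        END { if (type == "") print "missing"; else print type, len + 0 }')
    set -- "$1" $result
    case "$2" in
        missing)         echo "FAIL $1: alias not found"; return 1 ;;
        PrivateKeyEntry) ;;
        *)               echo "FAIL $1: entry type is $2, not PrivateKeyEntry"; return 1 ;;
    esac
    if [ "$3" -lt 2 ]; then
        echo "FAIL $1: chain length $3, certificate is still self-signed"; return 1
    fi
    echo "OK $1: PrivateKeyEntry, chain length $3"
}

# Lists the keystore once and checks both service aliases ($1 path, $2 password).
check_keystore() {
    listing=$(keytool -list -v -storetype JCEKS -keystore "$1" -storepass "$2") || return 1
    rc=0
    for a in http consoleproxy; do
        printf '%s\n' "$listing" | check_alias "$a" || rc=1
    done
    return $rc
}

# Constructed sample listing (not real keytool output): http is correctly
# re-issued, consoleproxy still carries its self-signed certificate.
SAMPLE_LISTING='Alias name: http
Entry type: PrivateKeyEntry
Certificate chain length: 3

Alias name: consoleproxy
Entry type: PrivateKeyEntry
Certificate chain length: 1

Alias name: root
Entry type: trustedCertEntry'

if [ "$#" -eq 2 ]; then check_keystore "$1" "$2"; fi   # usage: check.sh certificates.ks keystore_password
```

Run it on each cell before step 7 so a cell whose console proxy alias was skipped during import is caught before the keystore is handed to the configure script.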

What to do next

  • If you have not yet configured your vCloud Director instance, run the configure script to import the certificates keystore to vCloud Director. See Configure the Network and Database Connections.
    Note: If you created the certificates.ks keystore file on a computer other than the server on which you generated the list of fully qualified domain names and their associated IP addresses, copy the keystore file to that server now. You need the keystore path name when you run the configuration script.
  • If you have already installed and configured your vCloud Director instance, use the certificates command of the cell management tool to import the certificates keystore. See Replacing Certificates for the HTTP and Console Proxy Endpoints.