If you have your own private key and CA-signed certificate files, before importing the keystores to your vCloud Director environment, you must create keystore files in which to import the certificates and the private keys for both the HTTPS and the console proxy service.

Prerequisites

  • See Before You Create SSL Certificates for vCloud Director on Linux.
  • Verify that you have access to a computer that has a Java version 8 or later runtime environment, so that you can use the keytool command to import the certificates. The vCloud Director installer places a copy of keytool in /opt/vmware/vcloud-director/jre/bin/keytool, but you can perform this procedure on any computer that has a Java runtime environment installed. Certificates created with a keytool from any other source are not supported for use with vCloud Director. These command-line examples assume that keytool is in the user's path.
  • Familiarize yourself with the keytool command.
  • Download and install OpenSSL.
  • For more details on the available options for the certificates command, see Replacing Certificates for the HTTP and Console Proxy Endpoints.

Procedure

  1. If you have intermediate certificates, run the command to combine the root CA-signed certificate with the intermediate certificates and create a certificate chain.
    cat intermediate-certificate-file-1.cer intermediate-certificate-file-2.cer root-CA-certificate.cer > chain.crt
  2. Use OpenSSL to create intermediate PKCS12 keystore files for the HTTPS and the console proxy services, each containing the private key, the certificate chain, and the respective alias, and specify a password for each keystore file.
    1. Create the keystore file for the HTTPS service.
      openssl pkcs12 -export -in http.crt -inkey http.key -CAfile chain.crt -name http -passout pass:keystore_password -out http.pfx -chain
    2. Create the keystore file for the console proxy service.
      openssl pkcs12 -export -in consoleproxy.crt -inkey consoleproxy.key -CAfile chain.crt -name consoleproxy -passout pass:keystore_password -out consoleproxy.pfx -chain
  3. Use keytool to import the PKCS12 keystores into a JCEKS keystore.
    1. Run the command to import the PKCS12 keystore for the HTTPS service.
      keytool -importkeystore -deststorepass keystore_password -destkeystore certificates.ks -deststoretype JCEKS -srckeystore http.pfx -srcstoretype PKCS12 -srcstorepass keystore_password
    2. Run the command to import the PKCS12 keystore for the console proxy service.
      keytool -importkeystore -deststorepass keystore_password -destkeystore certificates.ks -deststoretype JCEKS -srckeystore consoleproxy.pfx -srcstoretype PKCS12 -srcstorepass keystore_password
  4. To verify that the certificates were imported into the JCEKS keystore, run the command to list the contents of the keystore file.
    keytool -storetype JCEKS -storepass keystore_password -keystore certificates.ks -list
  5. Repeat this procedure on all vCloud Director cells in your environment.
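The following pre-flight script is an added example, not part of the VMware documentation: it checks, before step 2, that each private key actually belongs to its certificate and that chain.crt leads from the leaf to a root, and it automates the alias check of step 4. It assumes the file names used in the steps above (http.key, http.crt, consoleproxy.key, consoleproxy.crt, chain.crt, certificates.ks) and that openssl and keytool are in the path.

```shell
#!/bin/sh
# Added pre-flight checks for the keystore procedure (example code, not VMware's).
# Assumed file names follow the steps: http.key/http.crt, consoleproxy.key/
# consoleproxy.crt and chain.crt (intermediates + root CA, built in step 1).

# Return 0 when the private key's public half equals the certificate's public
# key. A key/cert mix-up still produces a PKCS12 that imports cleanly but
# cannot complete a TLS handshake. Works for RSA and EC keys.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Return 0 when the leaf certificate ($1) chains up to a self-signed root
# using only the certificates in $2 (chain.crt). openssl treats every
# certificate in -CAfile as trusted, which is what "-CAfile chain.crt -chain"
# in step 2 relies on to embed the full chain in the PKCS12 file.
chain_completes() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Return 0 when keystore $1 (password $2) contains alias $3 (step 4, automated).
# keytool -list prints one entry per line beginning with "<alias>,".
keystore_has_alias() {
    keytool -list -storetype JCEKS -keystore "$1" -storepass "$2" 2>/dev/null |
        grep -qi "^$3,"
}

preflight() {
    rc=0
    for svc in http consoleproxy; do
        if key_matches_cert "$svc.key" "$svc.crt"; then
            echo "ok   $svc: private key matches $svc.crt"
        else
            echo "FAIL $svc: private key does not match $svc.crt"; rc=1
        fi
        if chain_completes "$svc.crt" chain.crt; then
            echo "ok   $svc: chain.crt completes the chain for $svc.crt"
        else
            echo "FAIL $svc: chain.crt does not lead from $svc.crt to a root"; rc=1
        fi
    done
    return $rc
}

# Run in the directory holding the files from steps 1 and 2:
#   sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then preflight; fi
```

After step 3, `keystore_has_alias certificates.ks keystore_password http` and the same call with `consoleproxy` return 0 only when both entries were imported.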

What to do next

  • If you have not yet configured your vCloud Director instance, run the configure script to import the certificates keystore to vCloud Director. See Configure the Network and Database Connections.
    Note: If you created the certificates.ks keystore file on a computer other than the server on which you generated the list of fully qualified domain names and their associated IP addresses, copy the keystore file to that server. You need the keystore path name when you run the configuration script.
  • If you have already installed and configured your vCloud Director instance, use the certificates command of the cell management tool to import the certificates keystore. See Replacing Certificates for the HTTP and Console Proxy Endpoints.