Creating and importing certificates signed by a certificate authority (CA) provides the highest level of trust for SSL communications and helps you secure the connections within your cloud.

Each vCloud Director server requires two SSL certificates to secure communications between clients and servers. Each vCloud Director server must support two different SSL endpoints - for HTTPS and for console proxy communications.

In the vCloud Director appliance, these two endpoints share the same IP address or hostname, but use two distinct ports - 443 for HTTPS and 8443 for console proxy communications. Each endpoint must have its own SSL certificate. You can use the same certificate for both endpoints, for example, by using a wildcard certificate.

Certificates for both endpoints must include an X.500 distinguished name and an X.509 Subject Alternative Name extension.

If you already have your own private key and CA-signed certificate files, follow the procedure described in Import Private Keys and CA-Signed SSL Certificates to the vCloud Director Appliance.

Important: Upon deployment, the vCloud Director appliance generates self-signed certificates with a 2048-bit key size. You must evaluate your installation's security requirements before choosing an appropriate key size. Key sizes less than 1024 bits are no longer supported per NIST Special Publication 800-131A.

The keystore password used in this procedure is the root user password. In the commands below it appears as the placeholder root_passwd or root_password.

Prerequisites

Familiarize yourself with the keytool command. You use keytool to import CA-signed SSL certificates to the vCloud Director appliance. vCloud Director places a copy of keytool at /opt/vmware/vcloud-director/jre/bin/keytool.

Procedure

  1. Log in directly or SSH to the vCloud Director appliance console as root.
  2. Depending on your environment needs, choose one of the following options.
    When you deploy the vCloud Director appliance, vCloud Director automatically generates self-signed certificates with a 2048-bit key size for the HTTPS service and the console proxy service.
    • If you want your Certificate Authority to sign the certificates that are generated upon deployment, skip to Step 5.
    • If you want to generate new certificates with custom options, such as a greater key size, continue to Step 3.
  3. Run the command to back up the existing certificates.ks file.
    cp /opt/vmware/vcloud-director/certificates.ks /root/certificates.ks.original
  4. Run the command to create public and private key pairs for the HTTPS service and for the console proxy service.
    /opt/vmware/vcloud-director/bin/cell-management-tool generate-certs -j -p -o /opt/vmware/vcloud-director/certificates.ks -w root_passwd

    The command creates or updates a keystore at certificates.ks with the password that you specified. Certificates are created using the command's default values. Depending on the DNS configuration of your environment, the Issuer Common Name (CN) is set to either the IP address or the FQDN for each service. The certificate uses the default 2048-bit key length and expires one year after creation.

    Important: Because of configuration restrictions in vCloud Director appliance, you must use the location /opt/vmware/vcloud-director/certificates.ks for the certificates keystore.
    Note: You use the appliance root password as the keystore password.
  5. Create certificate signing requests (CSR) for the HTTPS service and for the console proxy service.
    Important: The vCloud Director appliance shares the same IP address and hostname for both the HTTPS service and the console proxy service. Because of that, the CSR creation commands must have the same DNS and IPs for the Subject Alternative Name (SAN) extension argument.
    1. Create a certificate signing request in the http.csr file.
      keytool -keystore certificates.ks -storetype JCEKS -storepass root_password -certreq -alias http -file http.csr -ext "san=dns:vcd2.example.com,dns:vcd2,ip:10.100.101.10"
    2. Create a certificate signing request in the consoleproxy.csr file.
      keytool -keystore certificates.ks -storetype JCEKS -storepass root_password -certreq -alias consoleproxy -file consoleproxy.csr -ext "san=dns:vcd2.example.com,dns:vcd2,ip:10.100.101.10"
  6. Send the certificate signing requests to your Certificate Authority.
    If your Certificate Authority requires you to specify a Web server type, use Jakarta Tomcat.
    You obtain the CA-signed certificates.
  7. Copy the CA-signed certificates, the CA root certificate, and any intermediate certificates to the vCloud Director appliance.
  8. Run the commands to import the signed certificates into the JCEKS keystore.
    1. Import the Certificate Authority's root certificate from the root.cer file into the certificates.ks keystore file.
      keytool -import -storetype JCEKS -storepass root_password -keystore /opt/vmware/vcloud-director/certificates.ks -alias root -file root_certificate_file
    2. If you received intermediate certificates, import them from the intermediate.cer file to the certificates.ks keystore file.
      keytool -import -storetype JCEKS -storepass root_password -keystore /opt/vmware/vcloud-director/certificates.ks -alias intermediate -file intermediate_certificate_file
    3. Import the HTTPS service certificate.
      keytool -import -storetype JCEKS -storepass root_password -keystore /opt/vmware/vcloud-director/certificates.ks -alias http -file http_certificate_file
    4. Import the console proxy service certificate.
      keytool -import -storetype JCEKS -storepass root_password -keystore /opt/vmware/vcloud-director/certificates.ks -alias consoleproxy -file console_proxy_certificate_file
    The commands overwrite the certificates.ks file with the newly acquired CA-signed versions of the certificates.
  9. To check if the certificates are imported, run the command to list the contents of the keystore file.
    keytool -storetype JCEKS -storepass root_password -keystore /opt/vmware/vcloud-director/certificates.ks -list
  10. Run the command to import the certificates into the vCloud Director instance.
    /opt/vmware/vcloud-director/bin/cell-management-tool certificates -j -p --keystore /opt/vmware/vcloud-director/certificates.ks --keystore-password root_password
  11. For the new signed certificates to take effect, restart the vmware-vcd service on the vCloud Director appliance.
    service vmware-vcd restart
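    A post-restart check, added here as an example and not part of the VMware documentation: it connects to both endpoints (443 and 8443) on the appliance, verifies the served chain against the CA root, and confirms that each leaf certificate is no longer self-signed, has not expired, and carries the shared hostname and IP in its SAN. It assumes openssl 1.1.1 or later is on the PATH; the CA file path, the IP address and the hostname are the values used earlier in this procedure and are passed in as placeholders.

```shell
#!/bin/sh
# Added example (not from the VMware documentation): verify the certificates
# the vCloud Director appliance actually serves on both SSL endpoints.
# Assumes openssl >= 1.1.1 (for -ext) and the CA root in root.cer.
CA_FILE="${CA_FILE:-root.cer}"           # assumed path of the CA root certificate
IP_ADDR="${IP_ADDR:-10.100.101.10}"      # IP placed in the SAN of both CSRs

# san_covers SAN_TEXT NAME: succeed if NAME is a DNS or IP entry of the SAN.
# SAN_TEXT is the value openssl prints, e.g.
# "DNS:vcd2.example.com, DNS:vcd2, IP Address:10.100.101.10"
san_covers() {
    san=$(printf '%s' "$1" | sed 's/^[[:space:]]*//; s/, */,/g')
    case ",$san," in
        *",DNS:$2,"*|*",IP Address:$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# is_self_signed SUBJECT ISSUER: the appliance-generated certificates have
# identical subject and issuer; a CA-signed certificate must not.
is_self_signed() { [ "$1" = "$2" ]; }

# check_endpoint HOST PORT: fetch the leaf certificate served on HOST:PORT,
# verifying the chain against CA_FILE, then run the checks above.
check_endpoint() {
    host=$1; port=$2
    pem=$(openssl s_client -connect "$host:$port" -servername "$host" \
          -CAfile "$CA_FILE" -verify_return_error </dev/null 2>/dev/null \
          | openssl x509) || { echo "$port: chain not fetched or not trusted"; return 1; }
    subj=$(printf '%s\n' "$pem" | openssl x509 -noout -subject)
    issr=$(printf '%s\n' "$pem" | openssl x509 -noout -issuer)
    san=$(printf '%s\n' "$pem" | openssl x509 -noout -ext subjectAltName | tail -n 1)
    is_self_signed "${subj#subject=}" "${issr#issuer=}" &&
        { echo "$port: still self-signed"; return 1; }
    san_covers "$san" "$host" || { echo "$port: SAN lacks DNS:$host"; return 1; }
    san_covers "$san" "$IP_ADDR" || { echo "$port: SAN lacks IP $IP_ADDR"; return 1; }
    printf '%s\n' "$pem" | openssl x509 -noout -checkend 0 >/dev/null ||
        { echo "$port: certificate has expired"; return 1; }
    echo "$port: OK ($san)"
}

# Usage: sh verify-vcd-certs.sh vcd2.example.com   (checks 443 and 8443)
if [ $# -gt 0 ]; then
    rc=0
    for p in 443 8443; do check_endpoint "$1" "$p" || rc=1; done
    exit $rc
fi
```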

What to do next