If you have your own private key and CA-signed certificate files, before importing the keystores to your VMware Cloud Director environment, you must create keystore files in which to import the certificates and the private keys for both the HTTPS and the console proxy service.

Prerequisites

  • Familiarize yourself with the keytool command. You use keytool to import CA-signed SSL certificates to the VMware Cloud Director appliance. VMware Cloud Director places a copy of keytool at /opt/vmware/vcloud-director/jre/bin/keytool.

  • Copy your intermediate certificates, your root CA certificate, and the CA-signed certificates and private keys for both the HTTPS service and the console proxy service to the appliance.

Procedure

  1. Log in directly or by using an SSH client to the VMware Cloud Director appliance console as root.
  2. If you have intermediate certificates, run the command to concatenate the intermediate certificates and the root CA certificate, in that order (intermediates first, root last), into a certificate chain file.
    cat intermediate-certificate-file-1.cer intermediate-certificate-file-2.cer root-CA-certificate.cer > chain.crt
  3. Use OpenSSL to create an intermediate PKCS12 keystore file for each of the HTTPS and console proxy services. Each keystore holds the service's private key and the certificate chain under the respective alias (http or consoleproxy), and you specify a password for each keystore file.
    1. Create the keystore file for the HTTPS service.
      openssl pkcs12 -export -in http.crt -inkey http.key -CAfile chain.crt -name http -passout pass:keystore_password -out http.p12 -chain
    2. Create the keystore file for the console proxy service.
      openssl pkcs12 -export -in consoleproxy.crt -inkey consoleproxy.key -CAfile chain.crt -name consoleproxy -passout pass:keystore_password -out consoleproxy.p12 -chain
  4. Run the command to back up the existing certificates.ks file.
    cp /opt/vmware/vcloud-director/certificates.ks /root/certificates.ks.original
  5. Use the keytool command to import the PKCS12 keystores into the certificates.ks keystore.
    1. Import the PKCS12 keystore for the HTTPS service.
      keytool -importkeystore -deststorepass keystore_password -destkeystore /opt/vmware/vcloud-director/certificates.ks -deststoretype PKCS12 -srckeystore http.p12 -srcstoretype PKCS12 -srcstorepass keystore_password
    2. Import the PKCS12 keystore for the console proxy service.
      keytool -importkeystore -deststorepass keystore_password -destkeystore /opt/vmware/vcloud-director/certificates.ks -deststoretype PKCS12 -srckeystore consoleproxy.p12 -srcstoretype PKCS12 -srcstorepass keystore_password
  6. Verify that the import of the certificates is successful.
    keytool -storetype PKCS12 -storepass keystore_password -keystore /opt/vmware/vcloud-director/certificates.ks -list
  7. Run the command to import the signed certificates into the VMware Cloud Director instance.
    /opt/vmware/vcloud-director/bin/cell-management-tool certificates -j -p --keystore /opt/vmware/vcloud-director/certificates.ks --keystore-password keystore_password
  8. For the CA-signed certificates to take effect, restart the vmware-vcd service on the VMware Cloud Director appliance.
    service vmware-vcd restart
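The following script is an added example, not VMware's own code. It reproduces step 2 (building chain.crt) and step 3 (creating the PKCS12 keystore with the http alias) against a constructed throwaway root CA, intermediate and HTTPS leaf, and checks two things that commonly go wrong before keytool is run against certificates.ks: that the chain file actually completes the leaf, and that the resulting keystore carries all three certificates under the expected alias. It assumes openssl is in PATH; the host names, file names and keystore_password are placeholders.

```shell
#!/bin/sh
# Added example (not VMware's code). Exercises step 2 and step 3 of the procedure
# with constructed sample certificates and checks the keystore before import.
set -e
KS_PASS=keystore_password          # placeholder, as in the procedure
WORK=$(mktemp -d) && cd "$WORK"

# Constructed stand-ins for the files the procedure expects you to already have:
# a root CA, one intermediate CA, and an HTTPS leaf signed by the intermediate.
make_sample_pki() {
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  openssl req -newkey rsa:2048 -nodes -keyout root.key -out root.csr -subj '/CN=Sample Root CA' 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -days 1 -extfile ca.ext -out root-CA-certificate.cer 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout int.key -out int.csr -subj '/CN=Sample Intermediate CA' 2>/dev/null
  openssl x509 -req -in int.csr -CA root-CA-certificate.cer -CAkey root.key -CAcreateserial \
    -days 1 -extfile ca.ext -out intermediate-certificate-file-1.cer 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout http.key -out http.csr -subj '/CN=vcd.example.test' 2>/dev/null
  openssl x509 -req -in http.csr -CA intermediate-certificate-file-1.cer -CAkey int.key -CAcreateserial \
    -days 1 -out http.crt 2>/dev/null
}

# Step 2: intermediates first, root last, so the chain reads leaf -> root.
build_chain() { cat intermediate-certificate-file-1.cer root-CA-certificate.cer > chain.crt; }

# Check that the chain file completes the given leaf; "pkcs12 -chain" fails on a gap.
chain_verifies() { openssl verify -CAfile chain.crt "$1" >/dev/null 2>&1; }

# Step 3: one PKCS12 per service; the alias is set with -name.
make_keystore() {  # $1 = alias (http or consoleproxy), $2 = certificate, $3 = private key
  openssl pkcs12 -export -in "$2" -inkey "$3" -CAfile chain.crt -name "$1" \
    -passout pass:"$KS_PASS" -out "$1.p12" -chain 2>/dev/null
}

# Number of certificates stored in the keystore (leaf + intermediate + root = 3).
cert_count() { openssl pkcs12 -in "$1" -passin pass:"$KS_PASS" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'; }

# True when the leaf entry carries the alias that VMware Cloud Director looks up.
has_alias() { openssl pkcs12 -in "$1" -passin pass:"$KS_PASS" -nokeys 2>/dev/null | grep -q "friendlyName: $2"; }

make_sample_pki
build_chain
chain_verifies http.crt          # stops here (set -e) if the chain is incomplete
make_keystore http http.crt http.key
echo "http.p12 holds $(cert_count http.p12) certificates; alias http present: $(has_alias http.p12 http && echo yes || echo no)"
```

The same make_keystore call with the consoleproxy alias and its own certificate and key produces the second keystore from step 3.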

What to do next