If you have your own private key and CA-signed certificate files, before importing the keystores to your VMware Cloud Director environment, you must create keystore files in which to import the certificates and the private keys for both the HTTPS and the console proxy service.

Prerequisites

  • See Before You Create SSL Certificates for VMware Cloud Director on Linux.
  • Verify that you have access to a computer that has a Java version 8 or later runtime environment, so that you can use the keytool command to import the certificates. The VMware Cloud Director installer places a copy of keytool in /opt/vmware/vcloud-director/jre/bin/keytool, but you can perform this procedure on any computer that has a Java runtime environment installed. Certificates created with a keytool from any other source are not supported for use with VMware Cloud Director. These command-line examples assume that keytool is in the user's path.
  • Familiarize yourself with the keytool command.
  • Download and install OpenSSL.
  • For more details on the available options for the certificates command, see Replacing Certificates for the HTTPS and Console Proxy Endpoints.

Procedure

  1. If you have intermediate certificates, run the command to combine the root CA-signed certificate with the intermediate certificates and create a certificate chain.
    cat intermediate-certificate-file-1.cer intermediate-certificate-file-2.cer root-CA-certificate.cer > chain.crt
  2. Use OpenSSL to create an intermediate PKCS12 keystore file for each of the HTTPS and console proxy services. Each file contains the service's private key, the certificate chain, and the respective alias, and you specify a password for each keystore file.
    1. Create the keystore file for the HTTPS service.
      openssl pkcs12 -export -in http.crt -inkey http.key -CAfile chain.crt -name http -passout pass:keystore_password -out http.p12 -chain
    2. Create the keystore file for the console proxy service.
      openssl pkcs12 -export -in consoleproxy.crt -inkey consoleproxy.key -CAfile chain.crt -name consoleproxy -passout pass:keystore_password -out consoleproxy.p12 -chain
  3. Use keytool to import the PKCS12 keystores into the certificates.ks keystore.
    1. Run the command to import the PKCS12 keystore for the HTTPS service.
      keytool -importkeystore -deststorepass keystore_password -destkeystore certificates.ks -deststoretype PKCS12 -srckeystore http.p12 -srcstoretype PKCS12 -srcstorepass keystore_password
    2. Run the command to import the PKCS12 keystore for the console proxy service.
      keytool -importkeystore -deststorepass keystore_password -destkeystore certificates.ks -deststoretype PKCS12 -srckeystore consoleproxy.p12 -srcstoretype PKCS12 -srcstorepass keystore_password
  4. To verify that the certificates were imported into the keystore, run the command to list the contents of the keystore file.
    keytool -storetype PKCS12 -storepass keystore_password -keystore certificates.ks -list
  5. Repeat this procedure on all VMware Cloud Director cells in your environment.
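The following script is an added example and is not part of the VMware documentation or of the VMware Cloud Director installer. It runs steps 1 through 4 above end to end, but against a constructed throwaway PKI (a self-signed root CA, one intermediate CA, and one leaf certificate per service) that it generates itself, so it runs offline on any machine with OpenSSL and, for steps 3 and 4, keytool on the PATH. The file names, aliases (http, consoleproxy) and the keystore_password placeholder follow the procedure; the CA names and the hostnames under .example.test are assumptions. It adds one check the procedure does not spell out: after step 2 it counts the certificates embedded in each PKCS12 file, which confirms that -chain actually found and included the intermediate and root from chain.crt.

```shell
#!/bin/sh
# Added example, not VMware's code: the keystore procedure above run against a
# constructed throwaway PKI. Names under .example.test and the CA names are assumptions.

KS_PASS="${KS_PASS:-keystore_password}"   # demo value only; use a strong secret for real keystores

# Constructed input: root CA, intermediate CA and two leaf certificates in directory $1.
make_demo_pki() {
  local d n; d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > "$d/leaf.ext"
  # self-signed root CA
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
    -keyout "$d/root-CA.key" -out "$d/root.csr" 2>/dev/null &&
  openssl x509 -req -days 1 -in "$d/root.csr" -signkey "$d/root-CA.key" \
    -extfile "$d/ca.ext" -out "$d/root-CA-certificate.cer" 2>/dev/null || return 1
  # intermediate CA signed by the root
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout "$d/intermediate.key" -out "$d/intermediate.csr" 2>/dev/null &&
  openssl x509 -req -days 1 -in "$d/intermediate.csr" -CA "$d/root-CA-certificate.cer" \
    -CAkey "$d/root-CA.key" -CAcreateserial -extfile "$d/ca.ext" \
    -out "$d/intermediate-certificate-file-1.cer" 2>/dev/null || return 1
  # one leaf certificate per service, signed by the intermediate
  for n in http consoleproxy; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$n.vcd.example.test" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null &&
    openssl x509 -req -days 1 -in "$d/$n.csr" -CA "$d/intermediate-certificate-file-1.cer" \
      -CAkey "$d/intermediate.key" -CAcreateserial -extfile "$d/leaf.ext" \
      -out "$d/$n.crt" 2>/dev/null || return 1
  done
}

# Step 1: intermediate certificate(s) followed by the root CA certificate form the chain file.
build_chain() {
  cat "$1/intermediate-certificate-file-1.cer" "$1/root-CA-certificate.cer" > "$1/chain.crt"
}

# Step 2: one PKCS12 keystore per service. With -chain, OpenSSL builds the full chain from
# chain.crt and fails if it cannot, so an incomplete chain is caught here, not after deployment.
build_p12() {
  local d n; d=$1; n=$2
  openssl pkcs12 -export -in "$d/$n.crt" -inkey "$d/$n.key" -CAfile "$d/chain.crt" \
    -name "$n" -passout "pass:$KS_PASS" -out "$d/$n.p12" -chain 2>"$d/$n.p12.err" ||
    { echo "pkcs12 export for $n failed (incomplete chain.crt?):"; cat "$d/$n.p12.err"; return 1; }
}

# Check: number of certificates embedded in a PKCS12 file (leaf + intermediate + root = 3 here).
p12_cert_count() {
  openssl pkcs12 -in "$1/$2.p12" -passin "pass:$KS_PASS" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Step 3: merge both PKCS12 files into certificates.ks (-noprompt skips the interactive
# overwrite question if an alias already exists).
merge_into_ks() {
  local d n; d=$1
  for n in http consoleproxy; do
    keytool -importkeystore -noprompt -deststorepass "$KS_PASS" -destkeystore "$d/certificates.ks" \
      -deststoretype PKCS12 -srckeystore "$d/$n.p12" -srcstoretype PKCS12 -srcstorepass "$KS_PASS" \
      >/dev/null 2>&1 || return 1
  done
}

# Step 4: list the keystore and count private-key entries (expect 2: http and consoleproxy).
ks_key_entry_count() {
  keytool -storetype PKCS12 -storepass "$KS_PASS" -keystore "$1/certificates.ks" -list 2>/dev/null |
    grep -c PrivateKeyEntry
}

run_demo() {
  local d
  d=$(mktemp -d) || return 1
  make_demo_pki "$d" && build_chain "$d" && build_p12 "$d" http && build_p12 "$d" consoleproxy || return 1
  echo "certificates in http.p12: $(p12_cert_count "$d" http), in consoleproxy.p12: $(p12_cert_count "$d" consoleproxy)"
  if command -v keytool >/dev/null 2>&1; then
    merge_into_ks "$d" && echo "private-key entries in certificates.ks: $(ks_key_entry_count "$d")"
  else
    echo "keytool not on PATH; steps 3 and 4 skipped"
  fi
  echo "work directory: $d"
}

run_demo
```

Two points worth noting when adapting this to real key material. The pass:... form used by the procedure (and here) makes the keystore password visible to any local user who can list processes; OpenSSL also accepts env:VAR, file:pathname and stdin for -passout and -passin, and keytool can be run without -storepass so that it prompts. And if an older Java 8 keytool rejects a PKCS12 file produced by OpenSSL 3 with a "keystore password was incorrect" error, the cause is usually the newer default PBES2/AES encryption rather than the password; re-running the openssl pkcs12 -export command with the -legacy option produces a file that older keytool versions can read.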

What to do next

  • If you have not yet configured your VMware Cloud Director instance, run the configure script to import the certificates keystore to VMware Cloud Director. See Configure the Network and Database Connections.
    Note: If you created the certificates.ks keystore file on a computer other than the server on which you generated the list of fully qualified domain names and their associated IP addresses, copy the keystore file to that server. You need the keystore path name when you run the configuration script.
  • If you have already installed and configured your VMware Cloud Director instance, use the certificates command of the cell management tool to import the certificates keystore. See Replacing Certificates for the HTTPS and Console Proxy Endpoints.