Install public SSL certificates on vCloud Director 9.7

In this article I will explain how to install public SSL certificates on vCloud Director 9.7 appliances.

VMware points to this article to create and import a Signed SSL Certificate to the vCloud Director environment.
The difference here is that most of us already own a SSL certificate.
When this is the case, the mentioned article won’t be useful.

vCloud Director has two interfaces listing to your requests using different ports, therefore you need two SSL certificates.
I will not cover the installation of certificates on reverse proxies, Web Application Firewalls, etc. in this article, but should not be forgotten!

In this scenario we will use one Wildcard certificate to cover both ports.
In the drawing below you can see how the traffic reaches the diff

• eth0 will be used for HTTP/HTTPS
• eth1 will be used for Remote Console traffic

Install public SSL certificates on primary vCloud Director 9.7 cell

Before we can start installing the SSL certificate to the first cell, we need to meet the following prerequisites:

• Working vCloud Director 9.7 environment
• SSL certificate in .PFX format (and of course the password!)
• SSH access to the primary vCloud Director cell
• Putty
• WinSCP

Ok, let’s go!

• Connect to the first cell using WinSCP
• Navigate to the /tmp/ folder and upload the .PFX certificate

  

• When finished, connect via SSH to the Cell01 using your Putty client.
• Run the following commands (make sure you change the VCD_ROOT_PASSWORD placeholder!)

# Stop vCloud Director services
service vmware-vcd stop
# Add the HTTP certificate to a new created certificates.ks keystore.
/opt/vmware/vcloud-director/jre/bin/keytool -keystore /tmp/certificates.ks -storepass VCD_KEYSTORE_PASSWORD -keypass VCD_KEYSTORE_PASSWORD -storetype JCEKS -importkeystore -srckeystore /tmp/star.vblog.nl.pfx
/opt/vmware/vcloud-director/jre/bin/keytool -keystore /tmp/certificates.ks -storetype JCEKS -changealias -alias 1 -destalias http
# Add the Remote Console Proxy certificate to a new created certificates.ks keystore.
/opt/vmware/vcloud-director/jre/bin/keytool -keystore /tmp/certificates.ks -storepass VCD_KEYSTORE_PASSWORD -keypass VCD_KEYSTORE_PASSWORD -storetype JCEKS -importkeystore -srckeystore /tmp/star.vblog.nl.pfx
/opt/vmware/vcloud-director/jre/bin/keytool -keystore /tmp/certificates.ks -storetype JCEKS -changealias -alias 1 -destalias consoleproxy
# Make a back-up of the existing keystore 
cd /opt/vmware/vcloud-director
cp certificates.ks certificates.ks.OLD 
# Copy the new keystore file to the vCloud Director environment
cp /tmp/certificates.ks /opt/vmware/vcloud-director/certificates.ks
# Update rights to the keystore file
chown vcloud:vcloud /opt/vmware/vcloud-director/certificates.ks
chmod -R 600 /opt/vmware/vcloud-director/certificates.ks
# Run the vCloud Director configuration script
/opt/vmware/vcloud-director/bin/configure

• During the vCloud Director configuration script you need to enter IP’s, syslog server, etc.
• Afterwards, vCloud Director services will be started with the public SSL certificate
• Make sure your public endpoints are set correct in the vCloud Director admin portal

Install on additional vCloud Director cells

• Connect to the next vCloud Director cell: Cell02
• Run the following commands

# Stop vCloud Director services (only required if vCloud Director is already configured)
service vmware-vcd stop
# Update rights to the keystore file 
chown vcloud:vcloud /opt/vmware/vcloud-director/certificates.ks 
chmod -R 600 /opt/vmware/vcloud-director/certificates.ks
# Run the vCloud Director configuration script with response file
/opt/vmware/vcloud-director/bin/configure -r /opt/vmware/vcloud-director/data/transfer/responses.properties

• After finishing the configuration script on Cell02, the vCloud Director services will be started

More vCloud Director related articles will be posted here.