Create Wildcard Certificates for VMware Cloud Director 10.3.x
As of VMware Cloud Director 10.3.x, the process for generating and importing certificates has changed from the legacy keystore method. This post walks through creating or replacing the certificates for VMware Cloud Director 10.3.x with a CA-signed wildcard certificate for both the HTTP and the console proxy endpoints.
Tested Release Version

| Software | Version |
|---|---|
| vCD | 10.3.1 |
Prerequisites
- vCD cells deployed
- vCD root user credentials
- Basic Linux knowledge
- WinSCP client on Windows (https://winscp.net/eng/index.php)
Generate Private Key and CSR
- SSH to the VMware Cloud Director primary appliance cell as the root user, from either a Windows PowerShell or a Linux terminal:

```bash
ssh root@{{ vcd ip }}
```
- Navigate to the transfer directory on the cell:

```bash
cd /opt/vmware/vcloud-director/data/transfer/
```

Note: If you have previously created certificates, you will normally find them in the transfer folder or in /opt/vmware/vcloud-director/etc/. The etc folder is the default location when the self-signed certificates from a greenfield deployment are still in use. The transfer folder is the recommended location for a multi-cell environment using a wildcard certificate, because it is shared with the other appliances in the VMware Cloud Director server group (standby cells and application cells), so the same certificate and key files can be imported on each of them.

- Back up any previously configured certificates in the directory, if present:

```bash
cp /opt/vmware/vcloud-director/data/transfer/user.http.pem /opt/vmware/vcloud-director/data/transfer/user.http.pem.original
cp /opt/vmware/vcloud-director/data/transfer/user.http.key /opt/vmware/vcloud-director/data/transfer/user.http.key.original
cp /opt/vmware/vcloud-director/data/transfer/user.consoleproxy.pem /opt/vmware/vcloud-director/data/transfer/user.consoleproxy.pem.original
cp /opt/vmware/vcloud-director/data/transfer/user.consoleproxy.key /opt/vmware/vcloud-director/data/transfer/user.consoleproxy.key.original
```
- Create the private key for HTTP and copy it for the console proxy. The key is a 2048-bit RSA key encrypted with AES-256 under a passphrase; replace 'securepassphrase' with your own value, and keep in mind that a passphrase given on the command line ends up in the shell history:

```bash
openssl genpkey -out user.http.key -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -aes256 -pass pass:'securepassphrase'
cp user.http.key user.consoleproxy.key
```
- Create a config file for OpenSSL to use when creating the CSR. Adjust the values under the [req_distinguished_name] and [alt_names] sections to match your environment:

```bash
cat > vcd_csr.cfg <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = GB
ST = Greater London
L = London
O = THMB
OU = VMware
CN = *.thmb.local
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.thmb.local
EOF
```
- Create the CSR using the generated key file:

```bash
openssl req -new -key user.http.key -config vcd_csr.cfg -out user.wildcard.csr -passin pass:'securepassphrase'
```
- Verify that the generated CSR is correct, in particular that the subject and the Subject Alternative Name carry the wildcard name:

```bash
openssl req -text -noout -verify -in user.wildcard.csr
```

The output should look like the following:

```text
root@vcd01-lab6 [ /opt/vmware/vcloud-director/data/transfer ]# openssl req -text -noout -verify -in user.wildcard.csr
verify OK
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=GB, ST=Greater London, L=London, O=THMB, OU=VMware, CN=*.thmb.local
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:be:e2:cd:66:47:52:d7:4d:ab:36:90:17:32:79:
                    98:80:7c:83:38:9c:46:7d:00:ad:e8:98:c3:91:ed:
                    77:95:88:36:43:e1:5f:98:58:af:00:93:ef:99:b2:
                    8d:76:87:ef:e6:79:20:aa:e1:82:9d:bb:70:c7:d3:
                    1d:c7:e2:ad:da:b5:0c:0f:e8:b7:08:67:53:4c:50:
                    94:79:14:74:cc:e4:63:98:e7:9f:ad:ba:e1:ef:91:
                    26:38:71:93:7b:54:10:e6:18:a3:7e:4d:9f:e4:c2:
                    1d:f7:d5:6e:91:be:b3:a2:f6:83:0a:59:95:89:58:
                    44:72:f5:d5:0b:37:f9:92:b4:a2:15:a6:54:38:16:
                    6d:e8:c7:07:81:cd:10:46:b8:f5:3e:57:ea:58:66:
                    a5:61:fd:bc:aa:6e:08:59:75:d0:11:f4:eb:20:5f:
                    60:8b:51:59:ca:7e:7d:82:26:11:55:5f:16:f0:67:
                    4c:11:b9:f2:88:83:d2:a3:b9:54:94:48:22:67:f0:
                    32:b6:e9:01:cc:92:12:a3:d6:4a:64:bf:fd:dd:2a:
                    9c:a5:75:25:82:0e:73:62:82:cb:cf:66:58:cc:a1:
                    b7:97:27:09:94:a7:56:e2:91:d9:f9:54:e2:47:50:
                    c6:a1
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:*.thmb.local
    Signature Algorithm: sha256WithRSAEncryption
         9c:44:bf:55:92:7d:f7:10:18:2d:d7:32:e2:13:10:aa:ba:91:
         b6:88:c8:a1:f0:74:c4:1f:8e:03:03:d6:6d:45:11:40:d1:70:
         cb:44:a0:7a:f7:0e:7c:8c:88:3e:90:29:d8:73:cf:b2:f9:7c:
         e6:8b:88:3b:fc:7c:e9:c7:38:0d:d1:60:ec:f6:b3:4c:3e:d0:
         83:47:5e:24:a0:6f:8e:95:db:e4:0b:a7:e7:df:7b:6d:c2:00:
         4c:9e:45:75:4c:2c:a4:4e:d0:53:f6:d4:11:18:ae:73:99:8b:
         1a:71:a9:34:94:f2:55:e8:76:a1:79:92:4d:33:e3:cb:ea:d7:
         b4:0e:ad:ce:41:97:3e:17:0b:69:01:6c:ea:a7:43:be:bc:86:
         f9:40:be:a2:85:2d:7c:19:a0:53:45:73:f0:1f:d3:2e:12:f4:
         b2:c5:2b:2d:ab:5e:16:4e:ed:10:c0:d2:54:99:18:21:f9:83:
         4a:a0:ef:d5:ed:9b:98:28:28:af:13:de:1e:4a:08:7f:d5:a5:
         ed:4f:a3:13:da:e3:b6:2c:64:8f:16:f1:75:a2:6d:36:1e:01:
         cf:0d:ba:0d:23:55:53:7a:68:66:40:f7:6a:28:2d:0c:7c:07:
         8e:1d:c4:c1
```
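The key, config and CSR steps above, assembled into one script as an added example (this is not code from the original post), together with the checks worth running before the CSR is sent to the CA: the CSR's self-signature, the wildcard SAN, the key size, that the CSR's public key really belongs to the private key that will be imported, and that the key file is actually encrypted. It goes one step beyond the post's config by adding the bare zone apex (thmb.local) as a second SAN, since a wildcard does not cover the apex. The DN values, *.thmb.local and 'securepassphrase' are the post's placeholders, and the working directory is a temp dir rather than the transfer folder.

```shell
#!/bin/sh
# Added example, not code from the original post: key, CSR config and CSR
# as one script, plus the checks worth running before the CSR goes to the CA.
# DN values, *.thmb.local and 'securepassphrase' are the post's placeholders;
# WORK is a temp dir here rather than the vCD transfer folder.
set -eu

WORK="$(mktemp -d)"
DOMAIN="thmb.local"
PASS="securepassphrase"   # placeholder: use a real passphrase in practice

# OpenSSL request config. A wildcard does not match the bare zone apex
# (thmb.local), so the apex is added as DNS.2; this goes beyond the post's
# config and can be dropped if the portal is never reached by that name.
write_csr_config() {   # $1 = config path
cat > "$1" <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = GB
ST = Greater London
L = London
O = THMB
OU = VMware
CN = *.${DOMAIN}
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.${DOMAIN}
DNS.2 = ${DOMAIN}
EOF
}

# 2048-bit RSA key encrypted with AES-256, created with mode 0600 so no other
# local user can read it, then the CSR signed with that key.
make_key_and_csr() {   # $1 = key path, $2 = csr path, $3 = passphrase
  (umask 077; openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
       -aes256 -pass "pass:$3" -out "$1" 2>/dev/null)
  write_csr_config "$WORK/vcd_csr.cfg"
  openssl req -new -key "$1" -passin "pass:$3" -config "$WORK/vcd_csr.cfg" -out "$2"
}

# Returns 0 only if: the CSR's self-signature verifies, it carries the wildcard
# SAN and a 2048-bit key, its public key is the one in the private key we will
# import, and that key file really is encrypted. Anything else returns 1.
check_csr() {   # $1 = csr path, $2 = key path, $3 = passphrase
  openssl req -noout -verify -in "$1" >/dev/null 2>&1 || return 1
  text="$(openssl req -noout -text -in "$1")"
  case "$text" in *"DNS:*.${DOMAIN}"*) ;; *) return 1 ;; esac
  case "$text" in *"(2048 bit)"*) ;; *) return 1 ;; esac
  [ "$(openssl req -noout -pubkey -in "$1")" = \
    "$(openssl pkey -pubout -in "$2" -passin "pass:$3" 2>/dev/null)" ] || return 1
  grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$2"
}

make_key_and_csr "$WORK/user.http.key" "$WORK/user.wildcard.csr" "$PASS"
cp "$WORK/user.http.key" "$WORK/user.consoleproxy.key"   # same key for both services, as in the post

# Constructed negative case: an unrelated, unencrypted key that check_csr must reject.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/other.key" 2>/dev/null

if check_csr "$WORK/user.wildcard.csr" "$WORK/user.http.key" "$PASS"; then
  echo "CSR OK: $WORK/user.wildcard.csr"
else
  echo "CSR check failed" >&2
fi
```

The key/CSR comparison is the check that catches the classic mistake of generating the CSR from one key and later importing another; `openssl req -verify` alone only confirms that the CSR is internally consistent.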
Request Certificate from CA
- Using the generated user.wildcard.csr, request the certificate from your chosen Certificate Authority.

Note: The following steps illustrate the certificate request using a Microsoft CA running on Windows Server 2016.

- Navigate to the Microsoft Certification Authority web enrollment page in your browser: the IP address followed by certsrv, for example https://{{ IP }}/certsrv
- Click the Request a Certificate link.
- Click the Advanced certificate request link.
- Click Submit a certificate.
- Paste the contents of your CSR file (user.wildcard.csr) into the Saved Request text box.
- Under Certificate Template, select Web Server from the drop-down menu.
- Click Submit.
- Select Base 64 encoded.
- Click Download Certificate and rename the downloaded file to wildcard_cert.cer.
- Download the CA root certificate by navigating back to the home page https://{{ IP }}/certsrv and clicking Download a CA Certificate.
- Under Encoding method, select Base 64.
- Click Download CA Certificate and rename the downloaded file to ca_root_cert.cer.
- Optional: if an intermediate (issuing) CA is present, download its certificate as Base 64 as well and rename it to ca_inter_cert.cer.

Before continuing, confirm that the issued certificate still carries the wildcard Subject Alternative Name (openssl x509 -noout -text -in wildcard_cert.cer): a CA can drop or alter the extensions requested in the CSR, and a certificate without the SAN will fail hostname validation in modern browsers even though the import succeeds.
Import CA Signed Certificate
- Copy wildcard_cert.cer, ca_root_cert.cer and ca_inter_cert.cer (if present) to the transfer folder /opt/vmware/vcloud-director/data/transfer on the primary appliance cell. WinSCP can be used for the file transfer with the root user credentials.
- Create the certificate chain files for HTTP and console proxy from wildcard_cert.cer, ca_inter_cert.cer (if present) and ca_root_cert.cer. The order matters: the server certificate comes first, followed by the intermediate and then the root. If there is no intermediate, omit that line:

```bash
cat \
  /opt/vmware/vcloud-director/data/transfer/wildcard_cert.cer \
  /opt/vmware/vcloud-director/data/transfer/ca_inter_cert.cer \
  /opt/vmware/vcloud-director/data/transfer/ca_root_cert.cer \
  > user.http.pem
cat \
  /opt/vmware/vcloud-director/data/transfer/wildcard_cert.cer \
  /opt/vmware/vcloud-director/data/transfer/ca_inter_cert.cer \
  /opt/vmware/vcloud-director/data/transfer/ca_root_cert.cer \
  > user.consoleproxy.pem
```
- Set the owner and group of the certificate and key files to vcloud, the account the cell service runs as:

```bash
chown vcloud:vcloud /opt/vmware/vcloud-director/data/transfer/user.http.pem
chown vcloud:vcloud /opt/vmware/vcloud-director/data/transfer/user.http.key
chown vcloud:vcloud /opt/vmware/vcloud-director/data/transfer/user.consoleproxy.pem
chown vcloud:vcloud /opt/vmware/vcloud-director/data/transfer/user.consoleproxy.key
```
- Ensure that the owner of the certificate files has read and write permissions and that other users cannot read them:

```bash
chmod 0750 /opt/vmware/vcloud-director/data/transfer/user.http.pem
chmod 0750 /opt/vmware/vcloud-director/data/transfer/user.http.key
chmod 0750 /opt/vmware/vcloud-director/data/transfer/user.consoleproxy.pem
chmod 0750 /opt/vmware/vcloud-director/data/transfer/user.consoleproxy.key
```

Mode 0750 gives the owner read, write and execute and the group read and execute. These files are data rather than executables, so 0640 (or 0600 for the two .key files) is sufficient and tighter; what matters is that the private keys are readable only by vcloud and not by any other local user.
- Import the CA-signed wildcard certificates on each VMware Cloud Director appliance cell, whether it is a primary, standby or standalone appliance. The -j option imports the HTTP certificate and -p the console proxy certificate; --key-password is the passphrase used when the key was generated:

```bash
/opt/vmware/vcloud-director/bin/cell-management-tool certificates -j \
  --cert /opt/vmware/vcloud-director/data/transfer/user.http.pem \
  --key /opt/vmware/vcloud-director/data/transfer/user.http.key \
  --key-password 'securepassphrase'

/opt/vmware/vcloud-director/bin/cell-management-tool certificates -p \
  --cert /opt/vmware/vcloud-director/data/transfer/user.consoleproxy.pem \
  --key /opt/vmware/vcloud-director/data/transfer/user.consoleproxy.key \
  --key-password 'securepassphrase'
```
- Stop and start the VMware Cloud Director services on each appliance cell, whether it is a primary, standby or standalone appliance:

```bash
/opt/vmware/vcloud-director/bin/cell-management-tool cell \
  -i $(service vmware-vcd pid cell) -s && \
  systemctl start vmware-vcd && \
  tail -f /opt/vmware/vcloud-director/logs/cell.log
```

Note: The tail command shows whether the cell has started up successfully. Press Ctrl+C to stop it once you see the startup confirmation, for example: Cell startup completed in 1m 07s
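The chain-building step and a pre-import check for the resulting user.http.pem and user.consoleproxy.pem, as an added example (not code from the original post or from VMware). Because the Microsoft CA steps above are done in a browser, the script constructs a throwaway two-tier CA (root and issuing CA) of its own so that it runs offline; the file names follow the post, *.thmb.local and 'securepassphrase' are the post's placeholders, and the working directory is a temp dir rather than the transfer folder. The check confirms what cell-management-tool will not tell you in a useful way: that the first certificate in the bundle is the server certificate, that it matches the private key and carries the wildcard SAN, and that it chains through the intermediate to a self-signed root at the end of the file.

```shell
#!/bin/sh
# Added example, not code from the original post: assemble the chain file in
# the post's order (server cert, intermediate, root) and check it before
# running cell-management-tool. The two-tier CA below is constructed here to
# stand in for the Microsoft CA; WORK is a temp dir, not the transfer folder.
set -eu

WORK="$(mktemp -d)"
DOMAIN="thmb.local"
PASS="securepassphrase"   # placeholder passphrase, as in the post

# Minimal req config plus extension profiles for the stand-in CA certs and
# for the server cert (SAN set here, as the CA would do when issuing).
cat > "$WORK/lab.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:*.${DOMAIN}, DNS:${DOMAIN}
EOF

new_key() { openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null; }

# Constructed stand-in CA: self-signed root, then an issuing CA signed by it.
new_key "$WORK/root.key"
openssl req -new -config "$WORK/lab.cnf" -key "$WORK/root.key" -subj "/CN=Lab Root CA" -out "$WORK/root.csr"
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 \
  -extfile "$WORK/lab.cnf" -extensions ca -out "$WORK/ca_root_cert.cer" 2>/dev/null
new_key "$WORK/int.key"
openssl req -new -config "$WORK/lab.cnf" -key "$WORK/int.key" -subj "/CN=Lab Issuing CA" -out "$WORK/int.csr"
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/ca_root_cert.cer" -CAkey "$WORK/root.key" -CAcreateserial \
  -days 2 -extfile "$WORK/lab.cnf" -extensions ca -out "$WORK/ca_inter_cert.cer" 2>/dev/null

# The vCD side: passphrase-protected key and the wildcard cert issued for it.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -aes256 \
  -pass "pass:$PASS" -out "$WORK/user.http.key" 2>/dev/null
openssl req -new -config "$WORK/lab.cnf" -key "$WORK/user.http.key" -passin "pass:$PASS" \
  -subj "/CN=*.${DOMAIN}" -out "$WORK/user.csr"
openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/ca_inter_cert.cer" -CAkey "$WORK/int.key" -CAcreateserial \
  -days 2 -extfile "$WORK/lab.cnf" -extensions server -out "$WORK/wildcard_cert.cer" 2>/dev/null

# Concatenate certificates in the given order, exactly as the cat step above does.
build_bundle() {   # $1 = output pem, remaining args = certs in order
  out="$1"; shift
  cat "$@" > "$out"
}

# Pre-import check. Returns 0 only when the first cert in the bundle is a
# non-CA server cert whose public key matches the private key, it carries the
# wildcard SAN, the last cert is a self-signed root, and the server cert
# verifies through any intermediates in between up to that root.
check_bundle() {   # $1 = bundle pem, $2 = private key, $3 = key passphrase
  dir="$(mktemp -d)"
  n="$(grep -c 'BEGIN CERTIFICATE' "$1")"
  [ "$n" -ge 2 ] || return 1
  # split into cert-1.pem, cert-2.pem, ... preserving file order
  awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/{n++} {print > (d "/cert-" n ".pem")}' "$1"
  leaf="$dir/cert-1.pem"; root="$dir/cert-$n.pem"
  text="$(openssl x509 -noout -text -in "$leaf")"
  case "$text" in *"CA:TRUE"*) return 1 ;; esac           # a CA cert was listed first
  case "$text" in *"DNS:*.${DOMAIN}"*) ;; *) return 1 ;; esac
  [ "$(openssl x509 -noout -pubkey -in "$leaf")" = \
    "$(openssl pkey -pubout -in "$2" -passin "pass:$3" 2>/dev/null)" ] || return 1
  iss="$(openssl x509 -noout -issuer -in "$root")"; sub="$(openssl x509 -noout -subject -in "$root")"
  [ "${iss#issuer=}" = "${sub#subject=}" ] || return 1   # last cert must be self-signed
  : > "$dir/untrusted.pem"
  i=2; while [ "$i" -lt "$n" ]; do cat "$dir/cert-$i.pem" >> "$dir/untrusted.pem"; i=$((i + 1)); done
  if [ -s "$dir/untrusted.pem" ]; then
    openssl verify -CAfile "$root" -untrusted "$dir/untrusted.pem" "$leaf" >/dev/null 2>&1
  else
    openssl verify -CAfile "$root" "$leaf" >/dev/null 2>&1
  fi
}

build_bundle "$WORK/user.http.pem" "$WORK/wildcard_cert.cer" "$WORK/ca_inter_cert.cer" "$WORK/ca_root_cert.cer"
cp "$WORK/user.http.pem" "$WORK/user.consoleproxy.pem"
# Constructed negative case: same certificates, root first.
build_bundle "$WORK/wrong_order.pem" "$WORK/ca_root_cert.cer" "$WORK/ca_inter_cert.cer" "$WORK/wildcard_cert.cer"

if check_bundle "$WORK/user.http.pem" "$WORK/user.http.key" "$PASS"; then
  echo "bundle OK: $WORK/user.http.pem"
else
  echo "bundle check failed" >&2
fi
```

On a real cell, run check_bundle against /opt/vmware/vcloud-director/data/transfer/user.http.pem and user.http.key (and the consoleproxy pair) before the cell-management-tool certificates -j / -p commands; a failure means the cat order or the key is wrong, which is far cheaper to discover here than after a restart of every cell.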