As of VMware Cloud Director 10.3.x the process on how to generate and import certificates has changed from the legacy keystore method. This blog will walkthrough how to create or replace certificates for VMware Cloud Director 10.3.x with a CA signed wildcard certificate for both HTTP and Consoleproxy.

Tested Release Version

Prerequisites

• vCD cells deployed
• vCD root user credentials
• Basic Linux knowledge
• WinSCP client on Windows (https://winscp.net/eng/index.php)

Generate Private Key and CSR

1. SSH to the VMware Cloud Director primary appliance cell using root user credentials, either using a windows powershell or linux terminal.

   1	ssh root@{{ vcd ip }}

2. Navigate to the transfer directory on the cell, by running the following command:

   1	cd /opt/vmware/vcloud-director/data/transfer/

   Note

   If you have previously created certificates you would normally find them in the transfer folder, or in /opt/vmware/vcloud-director/etc/. The etc folder is the default location for certificates if self-signed certificates have been used from a greenfield deployment. Using the transfer folder is the recommended approach for multi cell environment and are using wildcard signed certificates, since these can apply to all other appliances in the VMWare Cloud Director server group, that is, standby cells and application cells.

3. Copy and backup any previous configured certificates in the directory if present, by running the following commands:

   1 2 3 4

   cp /opt/vmware/vcloud-director/data/transfer/user.http.pem /opt/vmware/vcloud-director/data/transfer/user.http.pem.original cp /opt/vmware/vcloud-director/data/transfer/user.http.key /opt/vmware/vcloud-director/data/transfer/user.http.key.original cp /opt/vmware/vcloud-director/data/transfer/user.consoleproxy.pem /opt/vmware/vcloud-director/data/transfer/user.consoleproxy.pem.original cp /opt/vmware/vcloud-director/data/transfer/user.consoleproxy.key /opt/vmware/vcloud-director/data/transfer/user.consoleproxy.key.original

4. Create the key files for both http and consoleproxy, by running the following:

   1 2	openssl genpkey -out user.http.key -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -aes256 -pass pass:'securepassphrase' cp user.http.key user.consoleproxy.key

5. Create a config file to be used with OpenSSL to create CSR, this can be achieved by updating the following command under the [req_distinguished_name] and [alt_names] sections in-line with your environment.

   1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17

   cat > vcd_csr.cfg <<EOF [req] distinguished_name = req_distinguished_name req_extensions = v3_req prompt = no [req_distinguished_name] C = GB ST = Greater London L = London O = THMB OU = VMware CN = *.thmb.local [v3_req] subjectAltName = @alt_names [alt_names] DNS.1 = *.thmb.local EOF

6. Create the CSR using the generated key file, by running the following command:

   1	openssl req -new -key user.http.key -config vcd_csr.cfg -out user.wildcard.csr -passin pass:'securepassphrase'

7. Verify the CSR generated is correct:

   1	openssl req -text -noout -verify -in user.wildcard.csr

   Output should look like the following:

   1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47

   root@vcd01-lab6 [ /opt/vmware/vcloud-director/data/transfer ]# openssl req -text -noout -verify -in user.wildcard.csr verify OK Certificate Request: Data: Version: 0 (0x0) Subject: C=GB, ST=Greater London, L=London, O=THMB, OU=VMware, CN=*.thmb.local Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:be:e2:cd:66:47:52:d7:4d:ab:36:90:17:32:79: 98:80:7c:83:38:9c:46:7d:00:ad:e8:98:c3:91:ed: 77:95:88:36:43:e1:5f:98:58:af:00:93:ef:99:b2: 8d:76:87:ef:e6:79:20:aa:e1:82:9d:bb:70:c7:d3: 1d:c7:e2:ad:da:b5:0c:0f:e8:b7:08:67:53:4c:50: 94:79:14:74:cc:e4:63:98:e7:9f:ad:ba:e1:ef:91: 26:38:71:93:7b:54:10:e6:18:a3:7e:4d:9f:e4:c2: 1d:f7:d5:6e:91:be:b3:a2:f6:83:0a:59:95:89:58: 44:72:f5:d5:0b:37:f9:92:b4:a2:15:a6:54:38:16: 6d:e8:c7:07:81:cd:10:46:b8:f5:3e:57:ea:58:66: a5:61:fd:bc:aa:6e:08:59:75:d0:11:f4:eb:20:5f: 60:8b:51:59:ca:7e:7d:82:26:11:55:5f:16:f0:67: 4c:11:b9:f2:88:83:d2:a3:b9:54:94:48:22:67:f0: 32:b6:e9:01:cc:92:12:a3:d6:4a:64:bf:fd:dd:2a: 9c:a5:75:25:82:0e:73:62:82:cb:cf:66:58:cc:a1: b7:97:27:09:94:a7:56:e2:91:d9:f9:54:e2:47:50: c6:a1 Exponent: 65537 (0x10001) Attributes: Requested Extensions: X509v3 Subject Alternative Name: DNS:*.thmb.local Signature Algorithm: sha256WithRSAEncryption 9c:44:bf:55:92:7d:f7:10:18:2d:d7:32:e2:13:10:aa:ba:91: b6:88:c8:a1:f0:74:c4:1f:8e:03:03:d6:6d:45:11:40:d1:70: cb:44:a0:7a:f7:0e:7c:8c:88:3e:90:29:d8:73:cf:b2:f9:7c: e6:8b:88:3b:fc:7c:e9:c7:38:0d:d1:60:ec:f6:b3:4c:3e:d0: 83:47:5e:24:a0:6f:8e:95:db:e4:0b:a7:e7:df:7b:6d:c2:00: 4c:9e:45:75:4c:2c:a4:4e:d0:53:f6:d4:11:18:ae:73:99:8b: 1a:71:a9:34:94:f2:55:e8:76:a1:79:92:4d:33:e3:cb:ea:d7: b4:0e:ad:ce:41:97:3e:17:0b:69:01:6c:ea:a7:43:be:bc:86: f9:40:be:a2:85:2d:7c:19:a0:53:45:73:f0:1f:d3:2e:12:f4: b2:c5:2b:2d:ab:5e:16:4e:ed:10:c0:d2:54:99:18:21:f9:83: 4a:a0:ef:d5:ed:9b:98:28:28:af:13:de:1e:4a:08:7f:d5:a5: ed:4f:a3:13:da:e3:b6:2c:64:8f:16:f1:75:a2:6d:36:1e:01: cf:0d:ba:0d:23:55:53:7a:68:66:40:f7:6a:28:2d:0c:7c:07: 8e:1d:c4:c1

Request Certificate from CA

1. Using the generated user.wildcard.csr, request the cert from your chosen Certificate Authority.

   Note

   The following steps illustrate the certificate request using Microsoft CA running on windows server 2016

2. Navigate to the Microsoft Certification Authority server in your browser, type the IP address follwed by certsrv.

   For example: https://{{ IP }}/certsrv

3. Click the Request a Certificate link.

4. Click the Advanced certificate request link.

5. Click Submit a certificate.

6. Paste the contents of your CSR file into the Saved Request text box.

7. Under Certificate Template, select Web Server from the drop down menu.

8. Click Submit.

9. Select Base 64 encoded

10. Click Download Certificate and rename the downloaded file to wildcard_cert.cer

11. Download the CA root certificate, by navigating back to home page https://{{ IP }}/certsrv

12. Click Download a CA Certificate

13. Under Encoding method, select Base 64

14. Click Download CA Certificate and rename the downloaded certificate file to ca_root_cert.cer

15. Optional, if an Intermediate certificate is present, ensure this is downloaded as Base 64 and renamed to ca_inter_cert.cer

Import CA Signed Certificate

1. Copy the wildcard_cert.cer, ca_root_cert.cer and ca_inter_cert.cer (if present) files to the transfer folder at ```/opt/vmware/vcloud-director/data/transfer''' on the primary appliance cell. WinSCP can be used for the file transder method with the root user credentials.

2. Create the cert chain files for http and consoleproxy using the wildcard_cert.cer, ca_root_cert.cer and ca_inter_cert.cer (if present) files, by running the following command:

   1 2 3 4 5 6 7 8 9 10 11

   cat \ /opt/vmware/vcloud-director/data/transfer/wildcard_cert.cer \ /opt/vmware/vcloud-director/data/transfer/ca_inter_cert.cer \ /opt/vmware/vcloud-director/data/transfer/ca_root_cert.cer \ > user.http.pem cat \ /opt/vmware/vcloud-director/data/transfer/wildcard_cert.cer \ /opt/vmware/vcloud-director/data/transfer/ca_inter_cert.cer \ /opt/vmware/vcloud-director/data/transfer/ca_root_cert.cer \ > user.consoleproxy.pem

3. Ensure the correct owner and group permissions are applied to the certificate files to vcloud, by running the following command:

   1 2 3 4

   chown vcloud.vcloud /opt/vmware/vcloud-director/data/transfer/user.http.pem chown vcloud.vcloud /opt/vmware/vcloud-director/data/transfer/user.http.key chown vcloud.vcloud /opt/vmware/vcloud-director/data/transfer/user.consoleproxy.pem chown vcloud.vcloud /opt/vmware/vcloud-director/data/transfer/user.consoleproxy.key

4. Ensure that the owner of the certificate files has read and write permissions.

   1 2 3 4

   chmod 0750 /opt/vmware/vcloud-director/data/transfer/user.http.pem chmod 0750 /opt/vmware/vcloud-director/data/transfer/user.http.key chmod 0750 /opt/vmware/vcloud-director/data/transfer/user.consoleproxy.pem chmod 0750 /opt/vmware/vcloud-director/data/transfer/user.consoleproxy.key

5. Import the CA Signed Wildcard certificates to each VMware Cloud Director appliance cell, whether it is primary, standby, or standalone appliance, by running the following command:

   1 2 3 4 5 6 7 8 9

   /opt/vmware/vcloud-director/bin/cell-management-tool certificates -j \ --cert /opt/vmware/vcloud-director/data/transfer/user.http.pem \ --key /opt/vmware/vcloud-director/data/transfer/user.http.key \ --key-password 'securepassphrase' /opt/vmware/vcloud-director/bin/cell-management-tool certificates -p \ --cert /opt/vmware/vcloud-director/data/transfer/user.consoleproxy.pem \ --key /opt/vmware/vcloud-director/data/transfer/user.consoleproxy.key \ --key-password 'securepassphrase'

6. Stop and start the VMware Cloud Director services on each appliance cell, whether it is primary, standby, or standalone appliance, by running the following command:

   1 2 3 4

   /opt/vmware/vcloud-director/bin/cell-management-tool cell \ -i $(service vmware-vcd pid cell) -s && \ systemctl start vmware-vcd && \ tail -f /opt/vmware/vcloud-director/logs/cell.log

   Note

   The tail command indicates whether the cell has started up successfully, you can ctrl+c to cancel, after the getting the startup confirmation, example: Cell startup completed in 1m 07s